4.6.8.1
...
4.6.9-base
Author | SHA1 | Date | |
---|---|---|---|
|
3bb1f74283 | ||
|
87eca92b10 | ||
|
b58aadad01 | ||
|
6dcd8174ee | ||
|
fe37844455 | ||
|
e248c0a3d7 | ||
|
3f17a8cf24 | ||
|
2cea78e6df | ||
|
0abd51c796 | ||
|
86e053be7a | ||
|
864dba2e62 | ||
|
75d18139f7 | ||
|
bebb41674a | ||
|
42f75f7ba2 | ||
|
2c9b7fbb07 | ||
|
119299421f | ||
|
aef019e16d | ||
|
3ae243b882 | ||
|
0fc58f81cc | ||
|
7db99832ca | ||
|
0e8b427778 | ||
|
ccccd847c8 | ||
|
6cb3004a39 | ||
|
f5aa0373cb | ||
|
057ad45fd9 | ||
|
ade24e6299 | ||
|
65394b9f8c | ||
|
b128c30813 | ||
|
194252afd3 | ||
|
3cb45f234e | ||
|
16e3cb1b43 | ||
|
27c1ffc5fb | ||
|
23137e5e8a | ||
|
0e54a86e82 | ||
|
4fd8aa692d | ||
|
8c3dda80a3 | ||
|
9f96f58a0d |
@@ -2475,6 +2475,7 @@ determine_capabilities() {
|
||||
local chain
|
||||
local chain1
|
||||
local arptables
|
||||
local helper
|
||||
|
||||
if [ -z "$g_tool" ]; then
|
||||
[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
|
||||
@@ -2776,21 +2777,44 @@ determine_capabilities() {
|
||||
if qt $g_tool -t raw -A $chain -j CT --notrack; then
|
||||
CT_TARGET=Yes;
|
||||
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
|
||||
for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
|
||||
eval ${helper}_ENABLED=''
|
||||
done
|
||||
|
||||
if [ -n "$HELPERS" ]; then
|
||||
for helper in $(split_list "$HELPERS"); do
|
||||
case $helper in
|
||||
none)
|
||||
;;
|
||||
amanda|ftp|ftp0|h323|irc|irc0|netbios_ns|pptp|sane|sane0|sip|sip0|snmp|tftp|tftp0)
|
||||
eval ${helper}_ENABLED=Yes
|
||||
;;
|
||||
*)
|
||||
error_message "WARNING: Invalid helper ($helper) ignored"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
else
|
||||
for helper in amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0; do
|
||||
eval ${helper}_ENABLED=Yes
|
||||
done
|
||||
fi
|
||||
|
||||
[ -n "$amanda_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
|
||||
[ -n "$ftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
|
||||
[ -n "$ftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp-0 && FTP0_HELPER=Yes
|
||||
[ -n "$h323_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
|
||||
[ -n "$irc_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
|
||||
[ -n "$irc0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc-0 && IRC0_HELPER=Yes
|
||||
[ -n "$netbios_ns_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
|
||||
[ -n "$pptp_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
|
||||
[ -n "$sane_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
|
||||
[ -n "$sane0_ENABLED" ] && qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane-0 && SANE0_HELPER=Yes
|
||||
[ -n "$sip_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
|
||||
[ -n "$sip0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip-0 && SIP0_HELPER=Yes
|
||||
[ -n "$snmp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
|
||||
[ -n "$tftp_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
|
||||
[ -n "$tftp0_ENABLED" ] && qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp-0 && TFTP0_HELPER=Yes
|
||||
fi
|
||||
|
||||
qt $g_tool -t raw -F $chain
|
||||
@@ -3834,6 +3858,7 @@ usage() # $1 = exit status
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reenable <interface>"
|
||||
echo " reset [ <chain> ... ]"
|
||||
echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
|
||||
echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
|
||||
@@ -4102,7 +4127,7 @@ shorewall_cli() {
|
||||
shift
|
||||
restart_command $@
|
||||
;;
|
||||
disable|enable)
|
||||
disable|enable|reenable)
|
||||
get_config Yes
|
||||
if product_is_started; then
|
||||
run_it ${VARDIR}/firewall $g_debugging $@
|
||||
|
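Review bot: The helper name list is spelled out three times inside determine_capabilities (the reset loop, the `case` whitelist and the all-enabled loop), so a helper added to one copy and not the others ends up either never detected or never resettable; hoist it once next to the new `local helper`, e.g. `local helpers="amanda ftp ftp0 h323 irc irc0 netbios_ns pptp sane sane0 sip sip0 snmp tftp tftp0"`, and write both loops as `for helper in $helpers; do`. The `eval ${helper}_ENABLED=Yes` in the HELPERS loop builds a variable name from configuration text and is only safe because the `case` arm in front of it restricts `$helper` to that fixed set; a comment there, `# only whitelisted names reach eval`, would stop a later edit from moving the eval into the `*)` arm. determine_capabilities begins before this hunk and continues after it.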
@@ -211,6 +211,17 @@ split() {
|
||||
IFS=$ifs
|
||||
}
|
||||
|
||||
#
|
||||
# Split a comma-separated list into a space-separated list
|
||||
#
|
||||
split_list() {
|
||||
local ifs
|
||||
ifs=$IFS
|
||||
IFS=,
|
||||
echo $*
|
||||
IFS=$ifs
|
||||
}
|
||||
|
||||
#
|
||||
# Search a list looking for a match -- returns zero if a match found
|
||||
# 1 otherwise
|
||||
|
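Review bot: `echo $*` in split_list leaves the comma-split words unquoted, so an element containing `*`, `?` or `[` is pathname-expanded against the current directory before the caller sees it, and a leading element such as `-n` or `-e` is swallowed by echo as an option instead of being printed. Both are harmless for HELPERS values typed by an administrator, but split_list lives in the shared library and will be reused for other lists, so re-splitting into the positional parameters with globbing disabled and printing with printf closes both holes. `set +f` assumes globbing was enabled on entry, which is all this hunk shows; if that cannot be assumed, save and restore `$-` instead.
```shell
split_list() {
    local ifs
    ifs=$IFS
    IFS=,
    set -f
    set -- $*
    set +f
    IFS=$ifs
    printf '%s\n' "$*"
}
```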
@@ -6,8 +6,7 @@
|
||||
[Unit]
|
||||
Description=Shorewall IPv4 firewall (bootup security)
|
||||
Before=network.target
|
||||
Wants=network.target
|
||||
Conflicts=iptables.service firewalld.service
|
||||
Conflicts=iptables.service ip6tables.service firewalld.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
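Review bot: Adding `ip6tables.service` to `Conflicts=` in a unit described as the IPv4 firewall means that starting shorewall.service now stops ip6tables.service, because systemd stops a conflicting unit when the other one starts; on a host that runs shorewall without shorewall6 and relied on ip6tables.service for IPv6 filtering, the IPv6 ruleset is torn down at boot (how much is flushed depends on that unit's stop action, which is not visible here). If the intent is that shorewall6 always owns IPv6 filtering wherever this unit is installed, state that next to the line, e.g. `# ip6tables.service is stopped too; IPv6 filtering must come from shorewall6`, and check that the shorewall6 unit carries the matching Conflicts= entry, which cannot be confirmed from this hunk. Release notes for 4.6.9 should call the behaviour change out for packagers who ship both units.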
@@ -289,6 +289,20 @@
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reenable</option></arg>
|
||||
|
||||
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
@@ -326,8 +340,6 @@
|
||||
<arg><option>-n</option></arg>
|
||||
|
||||
<arg><option>-p</option><arg><option>-C</option></arg></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -613,7 +625,10 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">add</emphasis></term>
|
||||
<term><emphasis role="bold">add </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Adds a list of hosts or subnets to a dynamic zone usually used
|
||||
@@ -638,7 +653,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">allow</emphasis></term>
|
||||
<term><emphasis role="bold">allow
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
@@ -650,7 +666,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">clear</emphasis></term>
|
||||
<term><emphasis role="bold">clear
|
||||
</emphasis>[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Clear will remove all rules and chains installed by
|
||||
@@ -688,7 +705,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">delete</emphasis></term>
|
||||
<term><emphasis role="bold">delete </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>The delete command reverses the effect of an earlier <emphasis
|
||||
@@ -703,7 +723,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">disable</emphasis></term>
|
||||
<term><emphasis role="bold">disable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Disables the optional provider
|
||||
@@ -715,7 +737,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">drop</emphasis></term>
|
||||
<term><emphasis role="bold">drop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -724,7 +747,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">dump</emphasis></term>
|
||||
<term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>m</option>]
|
||||
[-<option>c</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Produces a verbose report about the firewall configuration for
|
||||
@@ -745,7 +770,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">enable</emphasis></term>
|
||||
<term><emphasis role="bold">enable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Enables the optional provider
|
||||
@@ -757,7 +784,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">forget</emphasis></term>
|
||||
<term><emphasis role="bold">forget </emphasis>[
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
|
||||
@@ -778,7 +806,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">hits</emphasis></term>
|
||||
<term><emphasis role="bold">hits </emphasis>
|
||||
[-<option>t</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Generates several reports from Shorewall-lite log messages in
|
||||
@@ -788,7 +817,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ipcalc</emphasis></term>
|
||||
<term><emphasis role="bold">ipcalc </emphasis>{ address mask |
|
||||
address/vlsm }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Ipcalc displays the network address, broadcast address,
|
||||
@@ -798,7 +828,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iprange</emphasis></term>
|
||||
<term><emphasis role="bold">iprange
|
||||
</emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Iprange decomposes the specified range of IP addresses into
|
||||
@@ -807,7 +838,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||
<term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
|
||||
match expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that causes iptables
|
||||
@@ -826,7 +858,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop</emphasis></term>
|
||||
<term><emphasis role="bold">list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>list</command> is a synonym for
|
||||
<command>show</command> -- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -837,7 +879,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logwatch</emphasis></term>
|
||||
<term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
|
||||
[<replaceable>refresh-interval</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Monitors the log file specified by the LOGFILE option in
|
||||
@@ -856,7 +899,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logreject</emphasis></term>
|
||||
<term><emphasis role="bold">logreject
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -867,7 +911,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||
<term><emphasis role="bold">ls</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>ls</command> is a synonym for <command>show</command>
|
||||
-- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
|
||||
match expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that cancels a trace
|
||||
@@ -919,16 +973,44 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset</emphasis></term>
|
||||
<term><emphasis role="bold">reenable</emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>All the packet and byte counters in the firewall are
|
||||
reset.</para>
|
||||
<para>Added in Shorewall 4.6.9. This is equivalent to a
|
||||
<command>disable</command> command followed by an
|
||||
<command>enable</command> command on the specified
|
||||
<replaceable>interface</replaceable> or
|
||||
<replaceable>provider</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restart</emphasis></term>
|
||||
<term><emphasis role="bold">reject</emphasis><replaceable>
|
||||
address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be silently rejected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
||||
...]</emphasis><acronym/></term>
|
||||
|
||||
<listitem>
|
||||
<para>Resets the packet and byte counters in the specified
|
||||
<replaceable>chain</replaceable>(s). If no
|
||||
<replaceable>chain</replaceable> is specified, all the packet and
|
||||
byte counters in the firewall are reset.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restart </emphasis>[-n] [-p]
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <emphasis role="bold">shorewall-lite
|
||||
@@ -951,7 +1033,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restore</emphasis></term>
|
||||
<term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restore Shorewall-lite to a state saved using the <emphasis
|
||||
@@ -971,6 +1055,14 @@
|
||||
different from the current values.</para>
|
||||
</caution>
|
||||
|
||||
<para>The <option>-n</option> option causes Shorewall to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
||||
<para>The <option>-p</option> option, added in Shorewall 4.6.5,
|
||||
causes the connection tracking table to be flushed; the
|
||||
<command>conntrack</command> utility must be installed to use this
|
||||
option.</para>
|
||||
|
||||
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
|
||||
If the <option>-C</option> option was specified during <emphasis
|
||||
role="bold">shorewall save</emphasis>, then the counters saved by
|
||||
@@ -979,7 +1071,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
<term><emphasis role="bold">run
|
||||
</emphasis><replaceable>command</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
@@ -996,7 +1090,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">save</emphasis></term>
|
||||
<term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The dynamic blacklist is stored in
|
||||
@@ -1036,7 +1131,8 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bl|blacklists</emphasis></term>
|
||||
<term><emphasis role="bold">bl|blacklists
|
||||
</emphasis>[-<option>x</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
|
||||
@@ -1049,7 +1145,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">capabilities</emphasis></term>
|
||||
<term>[-<option>f</option>] <emphasis
|
||||
role="bold">capabilities</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays your kernel/iptables capabilities. The
|
||||
@@ -1060,8 +1157,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
|
||||
]</term>
|
||||
<term>[-<option>b</option>] [-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
|
||||
[ <emphasis>chain</emphasis>... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The rules in each <emphasis>chain</emphasis> are
|
||||
@@ -1160,7 +1259,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">log</emphasis></term>
|
||||
<term>[-<option>m</option>] <emphasis
|
||||
role="bold">log</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the last 20 Shorewall-lite messages from the
|
||||
@@ -1172,6 +1272,20 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">mangle</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter mangle table using the command
|
||||
<emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
|
||||
The <emphasis role="bold">-x</emphasis> option is passed
|
||||
directly through to iptables and causes actual packet and byte
|
||||
counts to be displayed. Without this option, those counts are
|
||||
abbreviated.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">marks</emphasis></term>
|
||||
|
||||
@@ -1262,7 +1376,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">start</emphasis></term>
|
||||
<term><emphasis role="bold">start</emphasis> [-<option>p</option>]
|
||||
[-<option>n</option>] [<option>-f</option>]
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Start Shorewall Lite. Existing connections through
|
||||
@@ -1274,7 +1390,7 @@
|
||||
table to be flushed; the <command>conntrack</command> utility must
|
||||
be installed to use this option.</para>
|
||||
|
||||
<para>The <option>-m</option> option prevents the firewall script
|
||||
<para>The <option>-n</option> option prevents the firewall script
|
||||
from modifying the current routing configuration.</para>
|
||||
|
||||
<para>The <option>-f</option> option was added in Shorewall 4.6.5.
|
||||
|
13
Shorewall/Macros/macro.Jabber
Normal file
@@ -0,0 +1,13 @@
|
||||
#
|
||||
# Shorewall version 4 - Jabber Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.Jabber
|
||||
#
|
||||
# This macro accepts Jabber traffic.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 5222
|
@@ -1,13 +1,14 @@
|
||||
#
|
||||
# Shorewall version 3.4 - JabberPlain Macro
|
||||
# Shorewall version 4 - JabberPlain Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.JabberPlain
|
||||
#
|
||||
# This macro accepts Jabber traffic (plaintext).
|
||||
# This macro accepts Jabber traffic (plaintext). This macro is
|
||||
# deprecated - use of macro.Jabber instead is recommended.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 5222
|
||||
Jabber
|
||||
|
@@ -1,9 +1,11 @@
|
||||
#
|
||||
# Shorewall version 3.4 - JabberSecure (ssl) Macro
|
||||
# Shorewall version 4 - JabberSecure (SSL) Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.JabberSecure
|
||||
#
|
||||
# This macro accepts Jabber traffic (ssl).
|
||||
# This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
|
||||
# is deprecated, please configure Jabber with STARTTLS and use
|
||||
# Jabber macro instead.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
|
13
Shorewall/Macros/macro.QUIC
Normal file
@@ -0,0 +1,13 @@
|
||||
#
|
||||
# Shorewall version 4 - QUIC Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.QUIC
|
||||
#
|
||||
# This macro handles QUIC (Quick UDP Internet Connections).
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - udp 80,443
|
@@ -34,6 +34,7 @@ use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
our %arp_table;
|
||||
our $arp_input;
|
||||
|
@@ -260,6 +260,7 @@ our %EXPORT_TAGS = (
|
||||
get_interface_gateway
|
||||
get_interface_mac
|
||||
have_global_variables
|
||||
have_address_variables
|
||||
set_global_variables
|
||||
save_dynamic_chains
|
||||
load_ipsets
|
||||
@@ -279,7 +280,7 @@ our %EXPORT_TAGS = (
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = '4.5_18';
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
@@ -5604,6 +5605,8 @@ sub have_ipset_rules() {
|
||||
|
||||
sub get_interface_address( $ );
|
||||
|
||||
sub get_interface_gateway ( $;$ );
|
||||
|
||||
sub record_runtime_address( $$;$ ) {
|
||||
my ( $addrtype, $interface, $protect ) = @_;
|
||||
|
||||
@@ -6693,11 +6696,10 @@ sub get_interface_gateway ( $;$ ) {
|
||||
$global_variables |= ALL_COMMANDS;
|
||||
|
||||
if ( interface_is_optional $logical ) {
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface));
|
||||
} else {
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
|
||||
[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface"
|
||||
);
|
||||
[ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
|
||||
}
|
||||
|
||||
$protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
|
||||
@@ -6803,16 +6805,40 @@ sub have_global_variables() {
|
||||
have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
|
||||
}
|
||||
|
||||
sub have_address_variables() {
|
||||
( keys %interfaceaddr || keys %interfacemacs || keys %interfacegateways );
|
||||
}
|
||||
|
||||
#
|
||||
# Generate setting of run-time global shell variables
|
||||
#
|
||||
sub set_global_variables( $ ) {
|
||||
sub set_global_variables( $$ ) {
|
||||
|
||||
my $setall = shift;
|
||||
my ( $setall, $conditional ) = @_;
|
||||
|
||||
emit $_ for values %interfaceaddr;
|
||||
emit $_ for values %interfacegateways;
|
||||
emit $_ for values %interfacemacs;
|
||||
if ( $conditional ) {
|
||||
my ( $interface, $code );
|
||||
|
||||
while ( ( $interface, $code ) = each %interfaceaddr ) {
|
||||
emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
|
||||
}
|
||||
|
||||
while ( ( $interface, $code ) = each %interfacegateways ) {
|
||||
emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
|
||||
push_indent;
|
||||
emit( $code );
|
||||
pop_indent;
|
||||
emit( qq(fi\n) );
|
||||
}
|
||||
|
||||
while ( ( $interface, $code ) = each %interfacemacs ) {
|
||||
emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $code) );
|
||||
}
|
||||
} else {
|
||||
emit $_ for values %interfaceaddr;
|
||||
emit "$_\n" for values %interfacegateways;
|
||||
emit $_ for values %interfacemacs;
|
||||
}
|
||||
|
||||
if ( $setall ) {
|
||||
emit $_ for values %interfaceaddrs;
|
||||
|
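Review bot: The three `while ( ( $interface, $code ) = each %hash )` loops added to set_global_variables emit the per-interface lines in Perl's hash order, which is randomized per process, so two compiles of the same configuration can produce differently ordered generated scripts; `for my $interface ( sort keys %interfaceaddr )` (and likewise for %interfacegateways and %interfacemacs) makes the output deterministic and diffable, and avoids the `each` iterator state that stays attached to the hash if a loop is ever left early. The generated test `[ -z "$interface" -o "$interface" = "..." ]` relies on the `-o` binary operator, which POSIX marks as an XSI extension with ambiguous parsing; since the compiled script runs under whatever /bin/sh the target provides, `[ -z "$interface" ] || [ "$interface" = "..." ]` is the portable spelling for the address and MAC lines, and the `if` used for the gateway lines can take the same form. set_global_variables continues past the end of this hunk.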
@@ -274,10 +274,21 @@ sub generate_script_2() {
|
||||
'detect_configuration()',
|
||||
'{' );
|
||||
|
||||
my $global_variables = have_global_variables;
|
||||
my $global_variables = have_global_variables;
|
||||
my $optional_interfaces = find_interfaces_by_option( 'optional' );
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( have_address_variables || @$optional_interfaces ) {
|
||||
emit( 'local interface',
|
||||
'',
|
||||
'interface="$1"',
|
||||
''
|
||||
);
|
||||
}
|
||||
|
||||
map_provider_to_interface if have_providers;
|
||||
|
||||
if ( $global_variables ) {
|
||||
|
||||
if ( $global_variables & NOT_RESTORE ) {
|
||||
@@ -292,7 +303,7 @@ sub generate_script_2() {
|
||||
|
||||
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
|
||||
|
||||
set_global_variables(0);
|
||||
set_global_variables(0, 0);
|
||||
|
||||
handle_optional_interfaces(0);
|
||||
}
|
||||
@@ -306,10 +317,10 @@ sub generate_script_2() {
|
||||
push_indent;
|
||||
}
|
||||
|
||||
set_global_variables(1);
|
||||
set_global_variables(1,1);
|
||||
|
||||
if ( $global_variables & NOT_RESTORE ) {
|
||||
handle_optional_interfaces(0);
|
||||
handle_optional_interfaces(1);
|
||||
emit ';;';
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
|
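Review bot: The `local interface` declaration in detect_configuration is emitted only when `have_address_variables || @$optional_interfaces`, yet `map_provider_to_interface` is called unconditionally whenever `have_providers` and, for every optional provider, emits an `interface=...` assignment that then writes a global shell variable if no `local` preceded it. Whether an optional provider can exist without its interface being listed by `find_interfaces_by_option( 'optional' )` is not visible here; if it can, the condition should become `if ( have_address_variables || @$optional_interfaces || have_providers )`, and if it cannot, a comment on the condition saying so would save the next reader the same question. generate_script_2 begins before this hunk and continues after it.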
@@ -232,7 +232,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = '4.6.0-Beta1';
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@@ -880,9 +880,6 @@ sub initialize( $;$$) {
|
||||
#
|
||||
# Valid log levels
|
||||
#
|
||||
# Note that we don't include LOGMARK; that is so we can default its
|
||||
# priority to 'info' (LOGMARK itself defaults to 'warn').
|
||||
#
|
||||
%validlevels = ( DEBUG => 7,
|
||||
INFO => 6,
|
||||
NOTICE => 5,
|
||||
@@ -5020,6 +5017,10 @@ sub read_capabilities() {
|
||||
warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
|
||||
$capabilities{KERNELVERSION} = 20630;
|
||||
}
|
||||
#
|
||||
# Assume that this is available when using an old capabilities files
|
||||
#
|
||||
$capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );
|
||||
|
||||
$helpers_aliases{ftp} = 'ftp-0', $capabilities{FTP_HELPER} = 1 if $capabilities{FTP0_HELPER};
|
||||
$helpers_aliases{irc} = 'irc-0', $capabilities{IRC_HELPER} = 1 if $capabilities{IRC0_HELPER};
|
||||
|
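Review bot: The new `$capabilities{TCPMSS_TARGET} = 1 if ( ( $capabilities{CAPVERSION} || 0 ) < 40609 );` assumes a capability silently, whereas the KERNELVERSION fallback a few lines above emits a `warning_message` before assuming a value; if the assumption is wrong on an old system, the compiled rules reference a target the kernel lacks and the failure surfaces only when the generated script loads the ruleset. Turn the statement into an `if` block that first calls `warning_message "Your capabilities file predates Shorewall 4.6.9 -- assuming TCPMSS_TARGET is available";` so the administrator is told to regenerate the capabilities file. Separately, the hunk at line 880 deletes the three-line note explaining why LOGMARK is left out of %validlevels while %validlevels itself is unchanged; unless LOGMARK is now handled elsewhere in this change, that comment still describes the code and should be kept. read_capabilities continues past the end of this hunk.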
@@ -44,9 +44,10 @@ our @EXPORT = qw( process_providers
|
||||
compile_updown
|
||||
setup_load_distribution
|
||||
have_providers
|
||||
map_provider_to_interface
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize provider_realm );
|
||||
our $VERSION = '4.4_24';
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
use constant { LOCAL_TABLE => 255,
|
||||
MAIN_TABLE => 254,
|
||||
@@ -1515,7 +1516,7 @@ EOF
|
||||
" start_provider_$provider" );
|
||||
}
|
||||
|
||||
emit ( ' else',
|
||||
emit ( ' elif [ -z "$2" ]; then',
|
||||
" startup_error \"Interface $providerref->{physical} is already enabled\"",
|
||||
' fi',
|
||||
' ;;'
|
||||
@@ -1563,7 +1564,7 @@ EOF
|
||||
}
|
||||
|
||||
emit( " stop_$providerref->{what}_$provider",
|
||||
' else',
|
||||
' elif [ -z "$2" ]; then',
|
||||
" startup_error \"Interface $providerref->{physical} is already disabled\"",
|
||||
' fi',
|
||||
' ;;'
|
||||
@@ -1588,6 +1589,35 @@ sub have_providers() {
|
||||
return our $providers;
|
||||
}
|
||||
|
||||
sub map_provider_to_interface() {
|
||||
|
||||
my $haveoptional;
|
||||
|
||||
for my $providerref ( values %providers ) {
|
||||
if ( $providerref->{optional} ) {
|
||||
unless ( $haveoptional++ ) {
|
||||
emit( 'if [ -n "$interface" ]; then',
|
||||
' case $interface in' );
|
||||
|
||||
push_indent;
|
||||
push_indent;
|
||||
}
|
||||
|
||||
emit( $providerref->{provider} . ')',
|
||||
' interface=' . $providerref->{physical},
|
||||
' ;;' );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $haveoptional ) {
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
emit( ' esac',
|
||||
"fi\n"
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_providers() {
|
||||
our $providers;
|
||||
|
||||
@@ -1729,12 +1759,12 @@ sub compile_updown() {
|
||||
q( if [ "$COMMAND" = up ]; then) ,
|
||||
q( progress_message3 "Attempting enable on interface $1") ,
|
||||
q( COMMAND=enable) ,
|
||||
q( detect_configuration),
|
||||
q( detect_configuration $1),
|
||||
q( enable_provider $1),
|
||||
q( elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
|
||||
q( progress_message3 "Attempting disable on interface $1") ,
|
||||
q( COMMAND=disable) ,
|
||||
q( detect_configuration),
|
||||
q( detect_configuration $1),
|
||||
q( disable_provider $1) ,
|
||||
q( fi) ,
|
||||
q(elif [ "$COMMAND" = up ]; then) ,
|
||||
@@ -1941,6 +1971,19 @@ sub handle_optional_interfaces( $ ) {
|
||||
|
||||
emit( "$physical)" ), push_indent if $wildcards;
|
||||
|
||||
if ( $provider eq $physical ) {
|
||||
#
|
||||
# Just an optional interface, or provider and interface are the same
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
} else {
|
||||
#
|
||||
# Provider
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
}
|
||||
|
||||
push_indent;
|
||||
if ( $providerref->{gatewaycase} eq 'detect' ) {
|
||||
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
|
||||
} else {
|
||||
@@ -1952,6 +1995,10 @@ sub handle_optional_interfaces( $ ) {
|
||||
emit( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( "fi\n" );
|
||||
|
||||
emit( ';;' ), pop_indent if $wildcards;
|
||||
}
|
||||
|
||||
|
@@ -712,7 +712,7 @@ sub process_policies()
|
||||
#
|
||||
# Policy Rule application
|
||||
#
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
|
||||
|
||||
sub add_policy_rules( $$$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
||||
@@ -737,6 +737,7 @@ sub add_policy_rules( $$$$$ ) {
|
||||
process_inline( $action, #Inline
|
||||
$chainref, #Chain
|
||||
'', #Matches
|
||||
'', #Matches1
|
||||
$loglevel, #Log Level and Tag
|
||||
$default, #Target
|
||||
$param || '', #Param
|
||||
@@ -1622,7 +1623,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
'Limit' => \&Limit,
|
||||
);
|
||||
|
||||
sub process_rule ( $$$$$$$$$$$$$$$$$$$ );
|
||||
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
|
||||
|
||||
#
|
||||
# Populate an action invocation chain. As new action tuples are encountered,
|
||||
@@ -1686,6 +1687,7 @@ sub process_action($$) {
|
||||
}
|
||||
|
||||
process_rule( $chainref,
|
||||
'',
|
||||
'',
|
||||
$nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
|
||||
'',
|
||||
@@ -1874,6 +1876,7 @@ sub process_reject_action() {
|
||||
process_inline( $action, #Inline
|
||||
$rejectref, #Chain
|
||||
'', #Matches
|
||||
'', #Matches1
|
||||
'', #Log Level and Tag
|
||||
$action, #Target
|
||||
'', #Param
|
||||
@@ -1902,8 +1905,8 @@ sub process_reject_action() {
|
||||
#
|
||||
# Expand a macro rule from the rules file
|
||||
#
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $generated = 0;
|
||||
|
||||
@@ -2002,7 +2005,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
$generated |= process_rule(
|
||||
$chainref,
|
||||
$matches,
|
||||
$matches,
|
||||
$matches1,
|
||||
$mtarget,
|
||||
$param,
|
||||
$msource,
|
||||
@@ -2035,8 +2039,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
#
|
||||
# Expand an inline action rule from the rules file
|
||||
#
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $generated = 0;
|
||||
|
||||
@@ -2126,7 +2130,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
$generated |= process_rule(
|
||||
$chainref,
|
||||
$matches,
|
||||
$matches,
|
||||
$matches1,
|
||||
$mtarget,
|
||||
$param,
|
||||
$msource,
|
||||
@@ -2179,9 +2184,10 @@ sub verify_audit($;$$) {
|
||||
# reference is also passed when rules are being generated during processing of a macro used as a default action.
|
||||
#
|
||||
|
||||
sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
|
||||
$rule, #Matches
|
||||
$matches1, #Matches after the ones generated by the columns
|
||||
$target,
|
||||
$current_param,
|
||||
$source,
|
||||
@@ -2246,6 +2252,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
my $generated = process_macro( $basictarget,
|
||||
$chainref,
|
||||
$rule . $raw_matches,
|
||||
$matches1,
|
||||
$target,
|
||||
$current_param,
|
||||
$source,
|
||||
@@ -2649,6 +2656,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
my $generated = process_inline( $basictarget,
|
||||
$chainref,
|
||||
$rule . $raw_matches,
|
||||
$matches1,
|
||||
$loglevel,
|
||||
$target,
|
||||
$current_param,
|
||||
@@ -2703,7 +2711,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
do_helper( $helper ) ,
|
||||
$raw_matches ,
|
||||
$matches1 . $raw_matches ,
|
||||
);
|
||||
} else {
|
||||
$rule .= join( '',
|
||||
@@ -2715,7 +2723,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
$raw_matches ,
|
||||
$matches1 . $raw_matches ,
|
||||
);
|
||||
}
|
||||
|
||||
@@ -2960,8 +2968,8 @@ sub merge_target( $$ ) {
|
||||
#
|
||||
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
|
||||
#
|
||||
sub perl_action_helper($$;$) {
|
||||
my ( $target, $matches, $isstatematch ) = @_;
|
||||
sub perl_action_helper($$;$$) {
|
||||
my ( $target, $matches, $isstatematch , $matches1 ) = @_;
|
||||
my $action = $actparms{action};
|
||||
my $chainref = $actparms{0};
|
||||
my $result;
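Review bot: The new fourth parameter `$matches1` of `perl_action_helper` is undocumented, and the header comment above still only says the helper "may be called by Perl code in action bodies". Add a line such as `# $matches1 - optional matches appended AFTER the ones generated by the rule's columns (see process_rule); $matches is placed before them` so action authors know which slot to use; the distinction matters because iptables evaluates matches in order. The body of `perl_action_helper` continues past the end of the hunk.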
|
||||
@@ -2970,6 +2978,12 @@ sub perl_action_helper($$;$) {
|
||||
|
||||
$matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
|
||||
|
||||
if ( $matches1 ) {
|
||||
$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;
|
||||
} else {
|
||||
$matches1 = '';
|
||||
}
|
||||
|
||||
set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' );
|
||||
|
||||
if ( $isstatematch ) {
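Review bot: The `$matches1` normalisation tests Perl truthiness (`if ( $matches1 )`), so a value of `'0'` would be discarded as if absent, and the whitespace-padding regex is now duplicated from the `$matches` line just above. A `defined` test keeps the two paths symmetric and avoids the corner case: `$matches1 = '' unless defined $matches1;` followed by `$matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/;` gives the same result for every realistic input. A match string of exactly `0` is unlikely in practice, so this is mostly a style point.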
|
||||
@@ -2993,6 +3007,7 @@ sub perl_action_helper($$;$) {
|
||||
if ( my $ref = $inlines{$action} ) {
|
||||
$result = &process_rule( $chainref,
|
||||
$matches,
|
||||
$matches1,
|
||||
merge_target( $ref, $target ),
|
||||
'', # CurrentParam
|
||||
@columns );
|
||||
@@ -3001,6 +3016,7 @@ sub perl_action_helper($$;$) {
|
||||
|
||||
$result = process_rule( $chainref,
|
||||
$matches,
|
||||
$matches1,
|
||||
merge_target( $actions{$action}, $target ),
|
||||
'', # Current Param
|
||||
'-', # Source
|
||||
@@ -3052,6 +3068,7 @@ sub perl_action_tcp_helper($$) {
|
||||
if ( my $ref = $inlines{$action} ) {
|
||||
$result = &process_rule( $chainref,
|
||||
$proto,
|
||||
'',
|
||||
merge_target( $ref, $target ),
|
||||
'',
|
||||
@columns[0,1],
|
||||
@@ -3061,6 +3078,7 @@ sub perl_action_tcp_helper($$) {
|
||||
} else {
|
||||
$result = process_rule( $chainref,
|
||||
$proto,
|
||||
'',
|
||||
merge_target( $actions{$action}, $target ),
|
||||
'', # Current Param
|
||||
'-', # Source
|
||||
@@ -3254,6 +3272,7 @@ sub process_raw_rule ( ) {
|
||||
for my $proto ( @protos ) {
|
||||
for my $user ( @users ) {
|
||||
if ( process_rule( undef,
|
||||
'',
|
||||
'',
|
||||
$target,
|
||||
'',
|
||||
|
@@ -1,11 +1,11 @@
|
||||
# (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This program is part of Shorewall.
|
||||
# This program is part of Shorewall.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation, either version 2 of the license or, at your
|
||||
# option, any later version.
|
||||
# Free Software Foundation, either version 2 of the license or, at your
|
||||
# option, any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
@@ -17,30 +17,41 @@
|
||||
#
|
||||
# Options are:
|
||||
#
|
||||
# -n Do not alter Routing
|
||||
# -v and -q Standard Shorewall Verbosity control
|
||||
# -t Timestamp progress messages
|
||||
# -p Purge conntrack table
|
||||
# -r Recover from failed start/restart
|
||||
# -V <verbosity> Set verbosity level explicitly
|
||||
# -R <restore> Overrides RESTOREFILE setting
|
||||
# -n Do not alter Routing
|
||||
# -v and -q Standard Shorewall Verbosity control
|
||||
# -t Timestamp progress messages
|
||||
# -p Purge conntrack table
|
||||
# -r Recover from failed start/restart
|
||||
# -V <verbosity> Set verbosity level explicitly
|
||||
# -R <restore> Overrides RESTOREFILE setting
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# start Starts the firewall
|
||||
# refresh Refresh the firewall
|
||||
# restart Restarts the firewall
|
||||
# reload Reload the firewall
|
||||
# clear Removes all firewall rules
|
||||
# stop Stops the firewall
|
||||
# status Displays firewall status
|
||||
# version Displays the version of Shorewall that
|
||||
# generated this program
|
||||
# clear Removes all firewall rules
|
||||
# disable Disable an optional interface
|
||||
# down Stop an optional interface
|
||||
# enable Enable an optional interface
|
||||
# help Show command syntax
|
||||
# reenable Disable then nable an optional
|
||||
# interface
|
||||
# refresh Refresh the firewall
|
||||
# reload Reload the firewall
|
||||
# restart Restarts the firewall
|
||||
# restore Restore a saved configuration
|
||||
# reset Reset byte and packet counters
|
||||
# run Call a function in this program
|
||||
# savesets Save the ipset contents
|
||||
# status Displays firewall status
|
||||
# start Starts the firewall
|
||||
# stop Stops the firewall
|
||||
# up Start an optional interface
|
||||
# version Displays the version of Shorewall that
|
||||
# generated this program
|
||||
#
|
||||
################################################################################
|
||||
# Functions imported from /usr/share/shorewall/lib.core
|
||||
################################################################################
|
||||
# Address family-neutral Functions
|
||||
# Address family-neutral Functions
|
||||
################################################################################
|
||||
#
|
||||
# Conditionally produce message
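Review bot: The new command list has a typo in the `reenable` entry — `# reenable Disable then nable an optional` should read `Disable then enable an optional`. The rest of the hunk only re-orders and re-aligns the existing comment block, so no code is affected.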
|
||||
|
@@ -15,6 +15,7 @@ usage() {
|
||||
echo " down <interface>"
|
||||
echo " enable <interface>"
|
||||
echo " reset"
|
||||
echo " reenable <interface>"
|
||||
echo " refresh"
|
||||
echo " restart"
|
||||
echo " run <command> [ <parameter> ... ]"
|
||||
@@ -375,7 +376,7 @@ case "$COMMAND" in
|
||||
[ $# -ne 1 ] && usage 2
|
||||
mutex_on
|
||||
if product_is_started; then
|
||||
detect_configuration
|
||||
detect_configuration $1
|
||||
enable_provider $1
|
||||
fi
|
||||
mutex_off
|
||||
@@ -387,12 +388,25 @@ case "$COMMAND" in
|
||||
[ $# -ne 1 ] && usage 2
|
||||
mutex_on
|
||||
if product_is_started; then
|
||||
detect_configuration
|
||||
detect_configuration $1
|
||||
disable_provider $1
|
||||
fi
|
||||
mutex_off
|
||||
status=0
|
||||
;;
|
||||
reenable)
|
||||
[ $# -eq 1 ] && exit 0
|
||||
shift
|
||||
[ $# -ne 1 ] && usage 2
|
||||
mutex_on
|
||||
if product_is_started; then
|
||||
detect_configuration $1
|
||||
COMMAND=enable disable_provider $1 Yes
|
||||
COMMAND=disable enable_provider $1 Yes
|
||||
fi
|
||||
mutex_off
|
||||
status=0
|
||||
;;
|
||||
run)
|
||||
if [ $# -gt 1 ]; then
|
||||
shift
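Review bot: In the new `reenable` arm, `COMMAND=enable disable_provider $1 Yes` relies on the prefix assignment being scoped to the function call, but POSIX leaves that unspecified for shell functions and dash (Debian's `/bin/sh`, a likely interpreter for this generated script) makes it persist, so `$COMMAND` can remain `disable` for the rest of the run instead of `reenable`. Saving and restoring the variable around the two calls is portable and makes the intent explicit. The values also read as inverted (`enable` around `disable_provider`, `disable` around `enable_provider`); if that is deliberate because the provider functions key off the opposite command, a comment should say so — I have kept them as written. `[ $# -eq 1 ] && exit 0` silently succeeds when no interface is given; whether the `enable`/`disable` arms do the same is outside the hunk.
```shell
# … unchanged: argument check, mutex_on, product_is_started test …
detect_configuration $1
saved_command=$COMMAND
COMMAND=enable;  disable_provider $1 Yes   # values kept as in the hunk — confirm they are not swapped
COMMAND=disable; enable_provider $1 Yes
COMMAND=$saved_command
# … unchanged: fi, mutex_off, status=0 …
```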
|
||||
|
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
|
||||
set_action_name_to_caller;
|
||||
|
||||
if ( $destination eq 'dst' ) {
|
||||
perl_action_helper( $action, "-m recent --name $event --remove --rdest" );
|
||||
perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
|
||||
} else {
|
||||
perl_action_helper( $action, "-m recent --name $event --remove --rsource" );
|
||||
perl_action_helper( $action, '', '', "-m recent --name $event --remove --rsource" );
|
||||
}
|
||||
|
||||
1;
|
||||
|
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition;
|
||||
set_action_name_to_caller;
|
||||
|
||||
if ( $destination eq 'dst' ) {
|
||||
perl_action_helper( $action, "-m recent --name $event --set --rdest" );
|
||||
perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
|
||||
} else {
|
||||
perl_action_helper( $action, "-m recent --name $event --set --rsource" );
|
||||
perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
|
||||
}
|
||||
|
||||
1;
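Review bot: Moving the `-m recent ... --set` expression from `$matches` to the new `$matches1` slot (after the column-generated matches) changes when the recent list is updated, because iptables evaluates matches in order and `--set` records the address as a side effect the moment it is evaluated; placed first, it recorded every packet that reached the rule even when a later port or protocol match then failed. That is presumably the reason for the change, and it deserves a comment in the action so nobody moves it back, e.g. `# Keep the recent match last: --set records the address when evaluated, so it must follow the column-generated matches.` The `''` now passed for `$isstatematch` is equivalent to the previously omitted argument.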
|
||||
|
@@ -1681,6 +1681,7 @@ usage() # $1 = exit status
|
||||
fi
|
||||
|
||||
echo " open <source> <dest> [ <protocol> [ <port> ] ]"
|
||||
echo " reenable <interface>"
|
||||
echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
|
||||
|
@@ -213,7 +213,7 @@ loc eth2 -</programlisting>
|
||||
changed; the value assigned to the setting will be the value
|
||||
specified (if any) or 1 if no value is given.</para>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
@@ -247,7 +247,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>8 - do not reply for all local addresses</para>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
@@ -255,7 +255,7 @@ loc eth2 -</programlisting>
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<warning>
|
||||
<para>Do not specify <emphasis
|
||||
@@ -425,7 +425,7 @@ loc eth2 -</programlisting>
|
||||
1
|
||||
teastep@lists:~$ </programlisting>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
@@ -913,7 +913,7 @@ net ppp0 -</programlisting>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
- br0 routeback</programlisting>
|
||||
- br0 bridge</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -112,7 +112,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -122,7 +122,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -132,7 +132,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -142,7 +142,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -384,6 +384,11 @@
|
||||
<para>Set AUTOHELPERS=No.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Modify the HELPERS setting (see below) to list the helpers
|
||||
that you need.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Either:</para>
|
||||
|
||||
@@ -902,9 +907,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.7. This option lists the Netfilter
|
||||
application helpers that are to be enabled. If not specified, the
|
||||
default is to enable all helpers.</para>
|
||||
<para>Added in Shorewall 4.5.7. This option specifies a
|
||||
comma-separated list naming the Netfilter application helpers that
|
||||
are to be enabled. If not specified, the default is to enable all
|
||||
helpers.</para>
|
||||
|
||||
<para>Possible values for <replaceable>helper</replaceable>
|
||||
are:</para>
|
||||
@@ -1174,7 +1180,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<blockquote>
|
||||
<para>If this variable is not set or is given an empty value
|
||||
@@ -1423,7 +1429,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@@ -1440,7 +1446,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@@ -1784,8 +1790,8 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The value of this option determines the possible file
|
||||
extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
|
||||
o.xz gz xz".</para>
|
||||
extensions of kernel modules. The default value is "ko ko.gz ko.xz o
|
||||
o.gz o.xz gz xz".</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2162,7 +2168,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -385,6 +385,20 @@
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reenable</option></arg>
|
||||
|
||||
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@@ -597,7 +611,7 @@
|
||||
<arg><option>-t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
|
||||
|
||||
<arg><arg><option>chain</option></arg><arg choice="plain"
|
||||
<arg><arg choice="plain"
|
||||
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
@@ -637,8 +651,6 @@
|
||||
|
||||
<arg choice="req"><option>show | list | ls </option></arg>
|
||||
|
||||
<arg>-c</arg>
|
||||
|
||||
<arg choice="plain"><option>event</option><arg
|
||||
choice="plain"><replaceable>event</replaceable></arg></arg>
|
||||
</cmdsynopsis>
|
||||
@@ -859,7 +871,10 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">add</emphasis></term>
|
||||
<term><emphasis role="bold">add </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Adds a list of hosts or subnets to a dynamic zone usually used
|
||||
@@ -891,7 +906,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">allow</emphasis></term>
|
||||
<term><emphasis role="bold">allow</emphasis>
|
||||
<replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
@@ -903,7 +919,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">check</emphasis></term>
|
||||
<term><emphasis role="bold">check</emphasis> [-<option>e</option>]
|
||||
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
|
||||
[-<option>T</option>] [-<option>i</option>]
|
||||
[<replaceable>directory</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Compiles the configuration in the specified
|
||||
@@ -942,7 +961,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">clear</emphasis></term>
|
||||
<term><emphasis role="bold">clear</emphasis>
|
||||
[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Clear will remove all rules and chains installed by Shorewall.
|
||||
@@ -980,7 +1000,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">compile</emphasis></term>
|
||||
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
|
||||
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
|
||||
[-<option>T</option>] [-<option>i</option>] [<replaceable> directory
|
||||
</replaceable>] [<replaceable> pathname</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Compiles the current configuration into the executable file
|
||||
@@ -1037,7 +1060,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">delete</emphasis></term>
|
||||
<term><emphasis role="bold">delete </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>The delete command reverses the effect of an earlier <emphasis
|
||||
@@ -1061,7 +1087,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">disable</emphasis></term>
|
||||
<term><emphasis role="bold">disable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Disables the optional provider
|
||||
@@ -1080,7 +1108,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">drop</emphasis></term>
|
||||
<term><emphasis role="bold">drop</emphasis>
|
||||
<replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -1089,7 +1118,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">dump</emphasis></term>
|
||||
<term><emphasis role="bold">dump </emphasis> [-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>m</option>]
|
||||
[-<option>c</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Produces a verbose report about the firewall configuration for
|
||||
@@ -1111,7 +1142,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">enable</emphasis></term>
|
||||
<term><emphasis role="bold">enable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Enables the optional provider
|
||||
@@ -1132,7 +1165,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">export</emphasis></term>
|
||||
<term><emphasis role="bold">export </emphasis>[<replaceable>
|
||||
directory1</replaceable> ] [<replaceable>
|
||||
user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
|
||||
]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory1</emphasis> is omitted, the current
|
||||
@@ -1156,7 +1192,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">forget</emphasis></term>
|
||||
<term><emphasis role="bold">forget</emphasis> [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
|
||||
@@ -1176,7 +1213,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">hits</emphasis></term>
|
||||
<term><emphasis role="bold">hits</emphasis>
|
||||
[-<option>t</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Generates several reports from Shorewall log messages in the
|
||||
@@ -1186,7 +1224,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ipcalc</emphasis></term>
|
||||
<term><emphasis role="bold">ipcalc</emphasis> { address mask |
|
||||
address/vlsm }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Ipcalc displays the network address, broadcast address,
|
||||
@@ -1196,7 +1235,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iprange</emphasis></term>
|
||||
<term><emphasis role="bold">iprange
|
||||
</emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Iprange decomposes the specified range of IP addresses into
|
||||
@@ -1205,7 +1245,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||
<term><emphasis role="bold">iptrace</emphasis> <replaceable>iptables
|
||||
match expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that causes iptables
|
||||
@@ -1223,7 +1264,20 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load</emphasis></term>
|
||||
<term><emphasis role="bold">list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>list</command> is a synonym for
|
||||
<command>show</command> -- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load</emphasis> [-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
@@ -1278,7 +1332,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop</emphasis></term>
|
||||
<term><emphasis role="bold">logdrop</emphasis>
|
||||
<replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -1290,7 +1345,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logwatch</emphasis></term>
|
||||
<term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
|
||||
[<replaceable> refresh-interval </replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Monitors the log file specified by the LOGFILE option in
|
||||
@@ -1308,7 +1364,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logreject</emphasis></term>
|
||||
<term><emphasis role="bold">logreject</emphasis><replaceable>
|
||||
address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -1320,7 +1377,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||
<term><emphasis role="bold">ls</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>ls</command> is a synonym for <command>show</command>
|
||||
-- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
|
||||
match expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that cancels a trace
|
||||
@@ -1372,7 +1439,24 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh</emphasis></term>
|
||||
<term><emphasis role="bold">reenable</emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.9. This is equivalent to a
|
||||
<command>disable</command> command followed by an
|
||||
<command>enable</command> command on the specified
|
||||
<replaceable>interface</replaceable> or
|
||||
<replaceable>provider</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
|
||||
[-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
|
||||
</option><replaceable>directory</replaceable> ] [
|
||||
<replaceable>chain</replaceable>... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>All steps performed by <command>restart</command> are
|
||||
@@ -1424,7 +1508,21 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload</emphasis></term>
|
||||
<term><emphasis role="bold">reject</emphasis><replaceable>
|
||||
address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be silently rejected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
@@ -1479,16 +1577,22 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset</emphasis></term>
|
||||
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
||||
...]</emphasis><acronym/></term>
|
||||
|
||||
<listitem>
|
||||
<para>All the packet and byte counters in the firewall are
|
||||
reset.</para>
|
||||
<para>Resets the packet and byte counters in the specified
|
||||
<replaceable>chain</replaceable>(s). If no
|
||||
<replaceable>chain</replaceable> is specified, all the packet and
|
||||
byte counters in the firewall are reset.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restart</emphasis></term>
|
||||
<term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
|
||||
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
|
||||
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <emphasis role="bold">shorewall
|
||||
@@ -1542,7 +1646,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restore</emphasis></term>
|
||||
<term><emphasis role="bold">restore </emphasis> [-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restore Shorewall to a state saved using the <emphasis
|
||||
@@ -1578,7 +1684,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
<term><emphasis role="bold">run
|
||||
</emphasis><replaceable>command</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
@@ -1604,7 +1712,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-restart</emphasis></term>
|
||||
<term><emphasis role="bold">safe-restart
|
||||
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
|
||||
</option><replaceable>timeout</replaceable> ] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Only allowed if Shorewall is running. The current
|
||||
@@ -1629,7 +1740,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-start</emphasis></term>
|
||||
<term><emphasis role="bold">safe-start</emphasis><emphasis
|
||||
role="bold"> </emphasis>[-<option>d</option>] [-<option>p</option>]
|
||||
[-<option>t</option><replaceable>timeout</replaceable> ] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall is started normally. You will then be prompted
|
||||
@@ -1651,7 +1765,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">save</emphasis></term>
|
||||
<term><emphasis role="bold">save </emphasis> [-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The dynamic blacklist is stored in /var/lib/shorewall/save.
|
||||
@@ -1701,7 +1816,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bl|blacklists</emphasis></term>
|
||||
<term><emphasis role="bold">bl|blacklists</emphasis>
|
||||
[-<option>x</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
|
||||
@@ -1714,7 +1830,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">capabilities</emphasis></term>
|
||||
<term>[-<option>f</option>] <emphasis
|
||||
role="bold">capabilities</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays your kernel/iptables capabilities. The
|
||||
@@ -1725,8 +1842,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
|
||||
]</term>
|
||||
<term>[-<option>b</option>] [-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
|
||||
[ <emphasis>chain</emphasis>... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The rules in each <emphasis>chain</emphasis> are
|
||||
@@ -1825,7 +1944,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">log</emphasis></term>
|
||||
<term>[-<option>m</option>] <emphasis
|
||||
role="bold">log</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the last 20 Shorewall messages from the log
|
||||
@@ -1847,7 +1967,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">macro</emphasis></term>
|
||||
<term><emphasis role="bold">macro
|
||||
</emphasis><replaceable>macro</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.6. Displays the file that
|
||||
@@ -1857,6 +1978,20 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">mangle</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter mangle table using the command
|
||||
<emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
|
||||
The <emphasis role="bold">-x</emphasis> option is passed
|
||||
directly through to iptables and causes actual packet and byte
|
||||
counts to be displayed. Without this option, those counts are
|
||||
abbreviated.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">marks</emphasis></term>
|
||||
|
||||
@@ -1868,7 +2003,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nat</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">nat</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter nat table using the command
|
||||
@@ -1903,7 +2039,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">routing</emphasis></term>
|
||||
<term>[-<option>c</option>]<emphasis role="bold">
|
||||
routing</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the system's IPv4 routing configuration.
|
||||
@@ -1913,7 +2050,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">raw</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">raw</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter raw table using the command
|
||||
@@ -1947,7 +2085,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">start</emphasis></term>
|
||||
<term><emphasis role="bold">start </emphasis><emphasis role="bold">
|
||||
</emphasis>[-<option>n</option>] [-<option>p</option>]
|
||||
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
|
||||
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Start shorewall. Existing connections through shorewall
|
||||
@@ -2007,7 +2149,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">stop</emphasis></term>
|
||||
<term><emphasis role="bold">stop</emphasis>
|
||||
[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Stops the firewall. All existing connections, except those
|
||||
@@ -2029,7 +2172,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">status</emphasis></term>
|
||||
<term><emphasis role="bold">status</emphasis>
|
||||
[-<option>i</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Produces a short report about the state of the
|
||||
@@ -2042,7 +2186,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">try</emphasis></term>
|
||||
<term><emphasis role="bold">try</emphasis>
|
||||
<replaceable>directory</replaceable> [
|
||||
<replaceable>timeout</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Shorewall is started then the firewall state is saved to a
|
||||
@@ -2077,7 +2223,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">update</emphasis></term>
|
||||
<term><emphasis role="bold">update </emphasis> [-<option>b</option>]
|
||||
[-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
|
||||
[-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
|
||||
[-<option>t</option>] [-<option>A</option>] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.21 and causes the compiler to update
|
||||
@@ -2169,7 +2319,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">version</emphasis></term>
|
||||
<term><emphasis role="bold">version</emphasis>
|
||||
[-<option>a</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays Shorewall's version. The <option>-a</option> option
|
||||
|
@@ -197,37 +197,6 @@
|
||||
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>ipcalc</option></arg>
|
||||
|
||||
<group choice="req">
|
||||
<arg choice="plain"><replaceable>address</replaceable>
|
||||
<replaceable>mask</replaceable></arg>
|
||||
|
||||
<arg
|
||||
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
|
||||
</group>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>iprange</option></arg>
|
||||
|
||||
<arg
|
||||
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
@@ -308,6 +277,20 @@
|
||||
</arg> </arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reenable</option></arg>
|
||||
|
||||
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
@@ -347,8 +330,6 @@
|
||||
<arg><option>-p</option></arg>
|
||||
|
||||
<arg><option>-C</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -635,7 +616,10 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">add</emphasis></term>
|
||||
<term><emphasis role="bold">add </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Adds a list of hosts or subnets to a dynamic zone usually used
|
||||
@@ -660,7 +644,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">allow</emphasis></term>
|
||||
<term><emphasis role="bold">allow
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
@@ -671,7 +656,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">clear</emphasis></term>
|
||||
<term><emphasis role="bold">clear </emphasis><emphasis role="bold">
|
||||
</emphasis>[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Clear will remove all rules and chains installed by
|
||||
@@ -708,7 +694,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">delete</emphasis></term>
|
||||
<term><emphasis role="bold">delete </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>The delete command reverses the effect of an earlier
|
||||
@@ -723,7 +712,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">disable</emphasis></term>
|
||||
<term><emphasis role="bold">disable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Disables the optional provider
|
||||
@@ -735,7 +726,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">drop</emphasis></term>
|
||||
<term><emphasis role="bold">drop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed
|
||||
@@ -744,7 +736,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">dump</emphasis></term>
|
||||
<term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>m</option>]
|
||||
[-<option>c</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Produces a verbose report about the firewall configuration for
|
||||
@@ -766,7 +760,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">enable</emphasis></term>
|
||||
<term><emphasis role="bold">enable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Enables the optional provider
|
||||
@@ -778,7 +774,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">forget</emphasis></term>
|
||||
<term><emphasis role="bold">forget </emphasis>[
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deletes
|
||||
@@ -810,26 +807,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ipcalc</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Ipcalc displays the network address, broadcast address,
|
||||
network in CIDR notation and netmask corresponding to the
|
||||
input[s].</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iprange</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Iprange decomposes the specified range of IP addresses into
|
||||
the equivalent list of network/host addresses.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||
<term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
|
||||
match expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that causes iptables
|
||||
@@ -848,7 +827,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop</emphasis></term>
|
||||
<term><emphasis role="bold">list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>list</command> is a synonym for
|
||||
<command>show</command> -- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed
|
||||
@@ -860,7 +849,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logwatch</emphasis></term>
|
||||
<term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
|
||||
[<replaceable>refresh-interval</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Monitors the log file specified by the LOGFILE option in
|
||||
@@ -882,7 +872,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logreject</emphasis></term>
|
||||
<term><emphasis role="bold">logreject
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed
|
||||
@@ -894,13 +885,24 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||
<term><emphasis role="bold">ls</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>ls</command> is a synonym for <command>show</command>
|
||||
-- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace
|
||||
</emphasis><replaceable>ip6tables match
|
||||
expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that cancels a trace
|
||||
started by a preceding <command>iptrace</command> command.</para>
|
||||
|
||||
<para>The <replaceable>iptables match expression</replaceable> must
|
||||
<para>The <replaceable>ip6tables match expression</replaceable> must
|
||||
be one given in the <command>iptrace</command> command being
|
||||
canceled.</para>
|
||||
</listitem>
|
||||
@@ -946,16 +948,44 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset</emphasis></term>
|
||||
<term><emphasis role="bold">reenable</emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>All the packet and byte counters in the firewall are
|
||||
reset.</para>
|
||||
<para>Added in Shorewall 4.6.9. This is equivalent to a
|
||||
<command>disable</command> command followed by an
|
||||
<command>enable</command> command on the specified
|
||||
<replaceable>interface</replaceable> or
|
||||
<replaceable>provider</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restart</emphasis></term>
|
||||
<term><emphasis role="bold">reject</emphasis><replaceable>
|
||||
address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be silently rejected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
||||
...]</emphasis><acronym/></term>
|
||||
|
||||
<listitem>
|
||||
<para>Resets the packet and byte counters in the specified
|
||||
<replaceable>chain</replaceable>(s). If no
|
||||
<replaceable>chain</replaceable> is specified, all the packet and
|
||||
byte counters in the firewall are reset.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restart </emphasis>[-n] [-p]
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <command>shorewall6-lite start</command>
|
||||
@@ -986,7 +1016,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restore</emphasis></term>
|
||||
<term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restore shorewall6-lite to a state saved using the
|
||||
@@ -1008,7 +1040,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
<term><emphasis role="bold">run
|
||||
</emphasis><replaceable>command</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
@@ -1025,7 +1059,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">save</emphasis></term>
|
||||
<term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The dynamic blacklist is stored in
|
||||
@@ -1066,7 +1101,8 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bl|blacklists</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">bl|blacklists</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
|
||||
@@ -1079,7 +1115,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">capabilities</emphasis></term>
|
||||
<term>[-<option>f</option>] <emphasis
|
||||
role="bold">capabilities</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays your kernel/iptables capabilities. The
|
||||
@@ -1090,8 +1127,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
|
||||
]</term>
|
||||
<term>[-<option>b</option>] [-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
|
||||
<emphasis>chain</emphasis>... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The rules in each <emphasis>chain</emphasis> are
|
||||
@@ -1191,7 +1230,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">log</emphasis></term>
|
||||
<term>[-<option>m</option>] <emphasis
|
||||
role="bold">log</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the last 20 shorewall6-lite messages from the
|
||||
@@ -1204,6 +1244,20 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">mangle</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter mangle table using the command
|
||||
<command>ip6tables -t mangle -L -n -v</command>.The
|
||||
<option>-x</option> option is passed directly through to
|
||||
ip6tables and causes actual packet and byte counts to be
|
||||
displayed. Without this option, those counts are
|
||||
abbreviated.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">marks</emphasis></term>
|
||||
|
||||
@@ -1225,11 +1279,12 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nat</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">nat</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter nat table using the command
|
||||
<command>iptables -t nat -L -n -v</command>.The
|
||||
<command>ip6tables -t nat -L -n -v</command>.The
|
||||
<option>-x</option> option is passed directly through to
|
||||
iptables and causes actual packet and byte counts to be
|
||||
displayed. Without this option, those counts are
|
||||
@@ -1250,17 +1305,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">routing</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the system's IPv4 routing configuration. The -c
|
||||
option causes the route cache to be displayed in addition to
|
||||
the other routing information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">raw</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">raw</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter raw table using the command
|
||||
@@ -1272,6 +1318,17 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[-<option>c</option>]<emphasis role="bold">
|
||||
</emphasis><emphasis role="bold">routing</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the system's IPv4 routing configuration. The -c
|
||||
option causes the route cache to be displayed in addition to
|
||||
the other routing information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">tc</emphasis></term>
|
||||
|
||||
@@ -1294,7 +1351,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">start</emphasis></term>
|
||||
<term><emphasis role="bold">start </emphasis>[-<option>p</option>]
|
||||
[-<option>n</option>] [<option>-f</option>]
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Start Shorewall6 Lite. Existing connections through
|
||||
@@ -1306,7 +1365,7 @@
|
||||
table to be flushed; the <command>conntrack</command> utility must
|
||||
be installed to use this option.</para>
|
||||
|
||||
<para>The <option>-m</option> option prevents the firewall script
|
||||
<para>The <option>-n</option> option prevents the firewall script
|
||||
from modifying the current routing configuration.</para>
|
||||
|
||||
<para>The <option>-f</option> option was added in Shorewall 4.6.5.
|
||||
@@ -1325,7 +1384,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">stop</emphasis></term>
|
||||
<term><emphasis role="bold">stop </emphasis><emphasis role="bold">
|
||||
</emphasis>[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Stops the firewall. All existing connections, except those
|
||||
@@ -1359,7 +1419,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">version</emphasis></term>
|
||||
<term><emphasis role="bold">version
|
||||
</emphasis>[-<option>a</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays Shorewall's version. The <option>-a</option> option
|
||||
|
@@ -628,7 +628,7 @@ dmz eth2 -</programlisting>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
- br0 routeback</programlisting>
|
||||
- br0 bridge</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -98,7 +98,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -108,7 +108,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -118,7 +118,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -128,7 +128,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -313,6 +313,11 @@
|
||||
<para>Set AUTOHELPERS=No.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Modify the HELPERS setting (see below) to list the helpers
|
||||
that you need.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Either:</para>
|
||||
|
||||
@@ -787,9 +792,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.7. This option lists the Netfilter
|
||||
application helpers that are to be enabled. If not specified, the
|
||||
default is to enable all helpers.</para>
|
||||
<para>Added in Shorewall 4.5.7. This option specifies a
|
||||
comma-separated list naming the Netfilter application helpers that
|
||||
are to be enabled. If not specified, the default is to enable all
|
||||
helpers.</para>
|
||||
|
||||
<para>Possible values for <replaceable>helper</replaceable>
|
||||
are:</para>
|
||||
@@ -1239,7 +1245,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@@ -1256,7 +1262,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@@ -1588,8 +1594,8 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The value of this option determines the possible file
|
||||
extensions of kernel modules. The default value is "ko ko.gz ko.xz o o.gz
|
||||
o.xz gz xz".</para>
|
||||
extensions of kernel modules. The default value is "ko ko.gz ko.xz o
|
||||
o.gz o.xz gz xz".</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1903,7 +1909,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1949,7 +1955,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
into.</member>
|
||||
</simplelist></para>
|
||||
|
||||
<programlisting></programlisting>
|
||||
<programlisting/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -347,8 +347,10 @@
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg
|
||||
choice="plain"><option>recover</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
|
||||
<arg choice="plain"><option>reenable</option></arg>
|
||||
|
||||
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -799,7 +801,10 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">add</emphasis></term>
|
||||
<term><emphasis role="bold">add </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
|
||||
@@ -831,7 +836,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">allow</emphasis></term>
|
||||
<term><emphasis role="bold">allow
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
@@ -843,7 +849,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">check</emphasis></term>
|
||||
<term><emphasis role="bold">check </emphasis>[-<option>e</option>]
|
||||
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
|
||||
[-<option>T</option>] [-<option>i</option>]
|
||||
[<replaceable>directory</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Compiles the configuration in the specified
|
||||
@@ -883,7 +892,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">clear</emphasis></term>
|
||||
<term><emphasis role="bold">clear
|
||||
</emphasis>[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Clear will remove all rules and chains installed by
|
||||
@@ -915,7 +925,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">compile</emphasis></term>
|
||||
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
|
||||
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
|
||||
[-<option>T</option>] [-<option>i</option>]
|
||||
[<replaceable>directory</replaceable>]
|
||||
[<replaceable>pathname</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Compiles the current configuration into the executable file
|
||||
@@ -971,7 +985,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">delete</emphasis></term>
|
||||
<term><emphasis role="bold">delete </emphasis>{
|
||||
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
||||
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
||||
<replaceable>host-list</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.21. The delete command reverses the
|
||||
@@ -996,7 +1013,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">disable</emphasis></term>
|
||||
<term><emphasis role="bold">disable </emphasis><emphasis role="bold">
|
||||
</emphasis>{ <replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Disables the optional provider
|
||||
@@ -1015,7 +1034,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">drop</emphasis></term>
|
||||
<term><emphasis role="bold">drop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -1024,7 +1044,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">dump</emphasis></term>
|
||||
<term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>m</option>]
|
||||
[-<option>c</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Produces a verbose report about the firewall configuration for
|
||||
@@ -1046,7 +1068,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">enable</emphasis></term>
|
||||
<term><emphasis role="bold">enable </emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. Enables the optional provider
|
||||
@@ -1067,7 +1091,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">export</emphasis></term>
|
||||
<term><emphasis role="bold">export
|
||||
</emphasis>[<replaceable>directory1</replaceable> ]
|
||||
[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
|
||||
]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory1</emphasis> is omitted, the current
|
||||
@@ -1091,7 +1118,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">forget</emphasis></term>
|
||||
<term><emphasis role="bold">forget </emphasis>[
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
|
||||
@@ -1112,7 +1140,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||
<term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
|
||||
match expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that causes iptables
|
||||
@@ -1131,7 +1160,20 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load</emphasis></term>
|
||||
<term><emphasis role="bold">list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>list</command> is a synonym for
|
||||
<command>show</command> -- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load </emphasis> [-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
@@ -1186,7 +1228,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop</emphasis></term>
|
||||
<term><emphasis role="bold">logdrop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -1198,7 +1241,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logwatch</emphasis></term>
|
||||
<term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
|
||||
[<replaceable>refresh-interval</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Monitors the log file specified by the LOGFILE option in
|
||||
@@ -1216,7 +1260,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logreject</emphasis></term>
|
||||
<term><emphasis role="bold">logreject</emphasis>
|
||||
<replaceable>address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
@@ -1228,7 +1273,18 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||
<term><emphasis role="bold">ls</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><command>ls</command> is a synonym for <command>show</command>
|
||||
-- please see below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace
|
||||
</emphasis><replaceable>ip6tables match
|
||||
expression</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that cancels a trace
|
||||
@@ -1280,7 +1336,24 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh</emphasis></term>
|
||||
<term><emphasis role="bold">reenable</emphasis>{
|
||||
<replaceable>interface</replaceable> |
|
||||
<replaceable>provider</replaceable> }</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.9. This is equivalent to a
|
||||
<command>disable</command> command followed by an
|
||||
<command>enable</command> command on the specified
|
||||
<replaceable>interface</replaceable> or
|
||||
<replaceable>provider</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
|
||||
[-<option>d</option>] [-<option>T</option>] [-i]
|
||||
[-<option>D</option><replaceable>directory</replaceable> ] [
|
||||
<replaceable>chain</replaceable>... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>All steps performed by <command>restart</command> are
|
||||
@@ -1332,7 +1405,21 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload</emphasis></term>
|
||||
<term><emphasis role="bold">reject</emphasis><replaceable>
|
||||
address</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be silently rejected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
@@ -1388,7 +1475,7 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
||||
...]</emphasis><acronym></acronym></term>
|
||||
...]</emphasis><acronym/></term>
|
||||
|
||||
<listitem>
|
||||
<para>Resets the packet and byte counters in the specified
|
||||
@@ -1399,7 +1486,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restart</emphasis></term>
|
||||
<term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
|
||||
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
|
||||
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <command>shorewall6 start</command>
|
||||
@@ -1454,7 +1544,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">restore</emphasis></term>
|
||||
<term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restore Shorewall6 to a state saved using the
|
||||
@@ -1482,7 +1574,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
<term><emphasis role="bold">run</emphasis><emphasis role="bold">
|
||||
</emphasis><replaceable>command</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
@@ -1505,7 +1599,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-restart</emphasis></term>
|
||||
<term><emphasis role="bold">safe-restart
|
||||
</emphasis>[-<option>d</option>] [-<option>p</option>]
|
||||
[-<option>t</option><replaceable>timeout</replaceable> ] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Only allowed if Shorewall6 is running. The current
|
||||
@@ -1531,7 +1628,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-start</emphasis></term>
|
||||
<term><emphasis role="bold">safe-start
|
||||
</emphasis>[-<option>d</option>] [-<option>p</option>]
|
||||
[-<option>t</option><replaceable>timeout</replaceable> ] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall6 is started normally. You will then be prompted
|
||||
@@ -1553,7 +1653,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">save</emphasis></term>
|
||||
<term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
|
||||
<replaceable>filename</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The dynamic blacklist is stored in <filename>
|
||||
@@ -1604,7 +1705,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bl|blacklists</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
|
||||
</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
|
||||
@@ -1617,7 +1719,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">capabilities</emphasis></term>
|
||||
<term>[-<option>f</option>] <emphasis
|
||||
role="bold">capabilities</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays your kernel/ip6tables capabilities. The
|
||||
@@ -1628,8 +1731,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
|
||||
]</term>
|
||||
<term>[-<option>b</option>] [-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
|
||||
<emphasis>chain</emphasis>... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The rules in each <emphasis>chain</emphasis> are
|
||||
@@ -1714,7 +1819,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">log</emphasis></term>
|
||||
<term>[-<option>m</option>] <emphasis
|
||||
role="bold">log</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the last 20 Shorewall6 messages from the log
|
||||
@@ -1736,7 +1842,20 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">mangle</emphasis></term>
|
||||
<term><emphasis role="bold">macro
|
||||
</emphasis><replaceable>macro</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.6. Displays the file that
|
||||
implements the specified <replaceable>macro</replaceable>
|
||||
(usually
|
||||
<filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">mangle</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter mangle table using the command
|
||||
@@ -1758,6 +1877,20 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">nat</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter nat table using the command
|
||||
<emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
|
||||
The <emphasis role="bold">-x</emphasis> option is passed
|
||||
directly through to ip6tables and causes actual packet and
|
||||
byte counts to be displayed. Without this option, those counts
|
||||
are abbreviated.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">opens</emphasis></term>
|
||||
|
||||
@@ -1781,7 +1914,22 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">routing</emphasis></term>
|
||||
<term>[-<option>x</option>] <emphasis
|
||||
role="bold">raw</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the Netfilter raw table using the command
|
||||
<emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
|
||||
The <emphasis role="bold">-x</emphasis> option is passed
|
||||
directly through to ip6tables and causes actual packet and
|
||||
byte counts to be displayed. Without this option, those counts
|
||||
are abbreviated.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">[-<option>c</option>]<emphasis
|
||||
role="bold"> </emphasis>routing</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays the system's IPv6 routing configuration. The -c
|
||||
@@ -1812,7 +1960,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">start</emphasis></term>
|
||||
<term><emphasis role="bold">start </emphasis><emphasis role="bold">
|
||||
</emphasis>[-<option>n</option>] [-<option>p</option>]
|
||||
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
|
||||
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Start shorewall6. Existing connections through shorewall6
|
||||
@@ -1868,7 +2020,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">stop</emphasis></term>
|
||||
<term><emphasis role="bold">stop
|
||||
</emphasis>[-<option>f</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Stops the firewall. All existing connections, except those
|
||||
@@ -1880,6 +2033,12 @@
|
||||
is from systems listed in <ulink
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
or by ADMINISABSENTMINDED.</para>
|
||||
|
||||
<para>If <option>-f</option> is given, the command will be processed
|
||||
by the compiled script that executed the last successful <emphasis
|
||||
role="bold">start</emphasis>, <emphasis
|
||||
role="bold">restart</emphasis> or <emphasis
|
||||
role="bold">refresh</emphasis> command if that script exists.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1897,7 +2056,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">try</emphasis></term>
|
||||
<term><emphasis role="bold">try
|
||||
</emphasis><replaceable>directory</replaceable> [
|
||||
<replaceable>timeout</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Shorewall6 is started then the firewall state is saved to a
|
||||
@@ -1931,7 +2092,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">update</emphasis></term>
|
||||
<term><emphasis role="bold">update </emphasis>[-<option>b</option>]
|
||||
[-<option>d</option>] [-<option>r</option>] [-<option>T</option>]
|
||||
[-<option>a</option>] [-<option>D</option>] [-<option>i</option>]
|
||||
[-<option>t</option>] [-<option>A</option>] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.21 and causes the compiler to update
|
||||
@@ -2023,7 +2188,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">version</emphasis></term>
|
||||
<term><emphasis role="bold">version
|
||||
[-<option>a</option>]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays Shorewall6's version. If the <option>-a</option>
|
||||
|
@@ -5,8 +5,8 @@
|
||||
#
|
||||
[Unit]
|
||||
Description=Shorewall IPv6 firewall
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
Conflicts=ip6tables.service firewalld.service
|
||||
|
||||
[Service]
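Review bot: With both `Wants=network-online.target` and `After=network-online.target` in `[Unit]`, shorewall6 is only started once the network is reported online, so interfaces can carry traffic with the kernel's default policy until the compiled script has finished loading rules. systemd.special(7) documents `Before=network-pre.target` together with `Wants=network-pre.target` as the ordering intended for firewall services; if Shorewall6 genuinely needs configured addresses before it can start (which depends on the configuration, so this is inferred), a comment above the `After=` line stating why the unit waits for network-online rather than network-pre would save the next maintainer from "fixing" it. On this rendered view the old and new sides of the changed line cannot be told apart; I read the `Wants=` line as the addition and the second `After=` line as retained context. The `[Service]` section continues outside the hunk.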
|
||||
|
@@ -114,9 +114,11 @@
|
||||
nf_nat_<replaceable>application</replaceable>; more about that
|
||||
below.</para>
|
||||
|
||||
<para>The modules are not auto-loaded and must be loaded explicitly
|
||||
using the <command>modprob</command> or <command>insmod</command>
|
||||
utilities.</para>
|
||||
<para>Prior to Shorewall 4.5.7, helper modules were not auto-loaded and
|
||||
must be loaded explicitly using the <command>modprob</command> or
|
||||
<command>insmod</command> utilities. Beginning with Shorewall 4.5.7,
|
||||
these modules are loaded when Shorewall is determining the capabilities
|
||||
of your system.</para>
|
||||
|
||||
<para>Many of the modules allow parameters to be specified when the
|
||||
module is loaded. Among the common parameters is the ports parameter
|
||||
@@ -280,14 +282,23 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DONT_LOAD</term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a comma-separated list of modules that you
|
||||
specifically don't want Shorewall to load.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>HELPERS</term>
|
||||
|
||||
<listitem>
|
||||
<para>This option was added in Shorewall 4.5.7 and lists the
|
||||
modules to be enabled for association with connections. This
|
||||
option is fully functional only on systems running kernel 3.5 or
|
||||
later.</para>
|
||||
modules to be enabled for association with connections
|
||||
(comma-separated). This option is fully functional only on systems
|
||||
running kernel 3.5 or later.</para>
|
||||
|
||||
<para>The module names allowed in this list are <emphasis
|
||||
role="bold">amanda</emphasis>, <emphasis
|
||||
@@ -297,7 +308,19 @@
|
||||
role="bold">pptp</emphasis>, <emphasis
|
||||
role="bold">sane</emphasis>, <emphasis role="bold">sip</emphasis>,
|
||||
<emphasis role="bold">snmp</emphasis> and <emphasis
|
||||
role="bold">tftp</emphasis>.</para>
|
||||
role="bold">tftp</emphasis>. If you don't want a particular helper
|
||||
module loaded, then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>List it in the DONT_LOAD option; and</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Explicitly list those helpers that you do want in
|
||||
HELPERS.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -271,13 +271,9 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall/modules</filename> - directs
|
||||
the firewall to load kernel modules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/modules</filename> — Specifies the kernel
|
||||
modules to be loaded during shorewall start/restart.</para>
|
||||
<para><filename>/usr/share/shorewall/modules</filename> — Specifies
|
||||
the kernel modules to be loaded during shorewall
|
||||
start/restart.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@@ -24,6 +24,8 @@
|
||||
|
||||
<year>2010</year>
|
||||
|
||||
<year>2015</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -170,6 +172,12 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
|
||||
ipv4 ipsets are saved. Both features require ipset version 5 or
|
||||
later.</para>
|
||||
|
||||
<para>Although Shorewall can save the definition of your ipsets and
|
||||
restore them when Shorewall starts, in most cases you must use the ipset
|
||||
utility to initially create and load your ipsets. The exception is that
|
||||
Shorewall will automatically create an empty iphash ipset to back each
|
||||
dynamic zone.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|