forked from extern/shorewall_code
Compare commits
25 Commits
5.0.2.1
...
5.0.3-Beta
| Author | SHA1 | Date | |
|---|---|---|---|
|
fc426923b1 | ||
|
|
af6fc399e5 | ||
|
|
5bc471ff03 | ||
|
|
532d5c7e50 | ||
|
|
8429f68897 | ||
|
|
3ddc2a8f8b | ||
|
|
0bc250ba11 | ||
|
|
1d79cbc54e | ||
|
|
4b893b2fd6 | ||
|
|
09af9130df | ||
|
|
4139c932a4 | ||
|
|
8e7f001f7e | ||
|
|
98b4ab5ceb | ||
|
|
592de3e6fc | ||
|
|
46434e45b6 | ||
|
|
f4fef3a931 | ||
|
|
2c1786422e | ||
|
|
b087cee7f0 | ||
|
948175124b | ||
|
|
7b479d3569 | ||
|
|
42db58c4d6 | ||
|
|
211a00da86 | ||
|
|
dab780368f | ||
|
|
b25a8e4b2d | ||
|
|
355d3e2dec |
25
Shorewall-core/configure
vendored
25
Shorewall-core/configure
vendored
@@ -91,6 +91,8 @@ for p in $@; do
|
||||
fi
|
||||
done
|
||||
|
||||
cd $(dirname $0)
|
||||
|
||||
vendor=${params[HOST]}
|
||||
|
||||
if [ -z "$vendor" ]; then
|
||||
@@ -102,7 +104,7 @@ if [ -z "$vendor" ]; then
|
||||
vendor=redhat
|
||||
;;
|
||||
debian|ubuntu)
|
||||
ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
|
||||
vendor=debian
|
||||
;;
|
||||
opensuse)
|
||||
vendor=suse
|
||||
@@ -122,7 +124,6 @@ if [ -z "$vendor" ]; then
|
||||
params[HOST]=apple
|
||||
rcfile=shorewallrc.apple
|
||||
;;
|
||||
|
||||
cygwin*|CYGWIN*)
|
||||
params[HOST]=cygwin
|
||||
rcfile=shorewallrc.cygwin
|
||||
@@ -130,7 +131,7 @@ if [ -z "$vendor" ]; then
|
||||
*)
|
||||
if [ -f /etc/debian_version ]; then
|
||||
params[HOST]=debian
|
||||
rcfile=shorewallrc.debian.sysvinit
|
||||
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
params[HOST]=redhat
|
||||
rcfile=shorewallrc.redhat
|
||||
@@ -152,25 +153,32 @@ if [ -z "$vendor" ]; then
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
vendor=${params[HOST]}
|
||||
elif [ $vendor = linux ]; then
|
||||
rcfile=shorewallrc.default;
|
||||
else
|
||||
rcfile=shorewallrc.$vendor
|
||||
if [ $vendor = linux ]; then
|
||||
rcfile=shorewallrc.default;
|
||||
elif [ $vendor = debian -a -f /etc/debian_version ]; then
|
||||
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
||||
else
|
||||
rcfile=shorewallrc.$vendor
|
||||
fi
|
||||
|
||||
if [ ! -f $rcfile ]; then
|
||||
echo "ERROR: $vendor is not a recognized host type" >&2
|
||||
exit 1
|
||||
elif [ $vendor = default ]; then
|
||||
params[HOST]=linux
|
||||
vendor=linux
|
||||
elif [[ $vendor == debian.* ]]; then
|
||||
params[HOST]=debian
|
||||
vendor=debian
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $vendor = linux ]; then
|
||||
echo "INFO: Creating a generic Linux installation - " `date`;
|
||||
else
|
||||
echo "INFO: Creating a ${vendor}-specific installation - " `date`;
|
||||
echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
|
||||
fi
|
||||
|
||||
echo
|
||||
@@ -183,6 +191,7 @@ done
|
||||
|
||||
echo '#' > shorewallrc
|
||||
echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
|
||||
echo "# rc file: $rcfile" >> shorewallrc
|
||||
echo '#' >> shorewallrc
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
|
||||
@@ -52,6 +52,9 @@ for ( @ARGV ) {
|
||||
$params{$pn} = $pv;
|
||||
}
|
||||
|
||||
use File::Basename;
|
||||
chdir dirname($0);
|
||||
|
||||
my $vendor = $params{HOST};
|
||||
my $rcfile;
|
||||
my $rcfilename;
|
||||
@@ -81,16 +84,39 @@ unless ( defined $vendor ) {
|
||||
}
|
||||
|
||||
if ( defined $vendor ) {
|
||||
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
||||
if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
|
||||
if ( -l '/sbin/init' ) {
|
||||
if ( readlink('/sbin/init') =~ /systemd/ ) {
|
||||
$rcfilename = 'shorewallrc.debian.systemd';
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} else {
|
||||
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
||||
}
|
||||
|
||||
unless ( -f $rcfilename ) {
|
||||
die qq("ERROR: $vendor" is not a recognized host type);
|
||||
} elsif ( $vendor eq 'default' ) {
|
||||
$params{HOST} = $vendor = 'linux';
|
||||
} elsif ( $vendor =~ /^debian\./ ) {
|
||||
$params{HOST} = $vendor = 'debian';
|
||||
}
|
||||
} else {
|
||||
if ( -f '/etc/debian_version' ) {
|
||||
$vendor = 'debian';
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
if ( -l '/sbin/init' ) {
|
||||
if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
|
||||
$rcfilename = 'shorewallrc.debian.systemd';
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} elsif ( -f '/etc/redhat-release' ){
|
||||
$vendor = 'redhat';
|
||||
$rcfilename = 'shorewallrc.redhat';
|
||||
@@ -147,7 +173,8 @@ my $outfile;
|
||||
|
||||
open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
|
||||
|
||||
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
|
||||
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
|
||||
print $outfile "# rc file: $rcfilename\n#\n";
|
||||
|
||||
print $outfile "# Input: @ARGV\n#\n" if @ARGV;
|
||||
|
||||
|
||||
@@ -1052,11 +1052,13 @@ show_command() {
|
||||
conntrack -f ipv6 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && usage 1
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
||||
echo
|
||||
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
||||
echo
|
||||
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
nat)
|
||||
@@ -1624,7 +1626,7 @@ do_dump_command() {
|
||||
|
||||
echo
|
||||
|
||||
ss -${g_family}tunap
|
||||
qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
|
||||
|
||||
if [ -n "$TC_ENABLED" ]; then
|
||||
heading "Traffic Control"
|
||||
|
||||
@@ -316,6 +316,7 @@ reload_kernel_modules() {
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
local uname
|
||||
local extras
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@@ -323,9 +324,25 @@ reload_kernel_modules() {
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
uname=$(uname -r) && \
|
||||
if [ -n "$MODULESDIR" ]; then
|
||||
case "$MODULESDIR" in
|
||||
+*)
|
||||
extras="$MODULESDIR"
|
||||
extras=${extras#+}
|
||||
MODULESDIR=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ -z "$MODULESDIR" ]; then
|
||||
uname=$(uname -r)
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
if [ -n "$extras" ]; then
|
||||
for directory in $(split "$extras"); do
|
||||
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
|
||||
@@ -355,6 +372,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
local savemoduleinfo
|
||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
local uname
|
||||
local extras
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@@ -362,9 +380,25 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
uname=$(uname -r) && \
|
||||
if [ -n "$MODULESDIR" ]; then
|
||||
case "$MODULESDIR" in
|
||||
+*)
|
||||
extras="$MODULESDIR"
|
||||
extras=${extras#+}
|
||||
MODULESDIR=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ -z "$MODULESDIR" ]; then
|
||||
uname=$(uname -r)
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
if [ -n "$extras" ]; then
|
||||
for directory in $(split "$extras"); do
|
||||
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
||||
|
||||
@@ -493,8 +493,7 @@ if [ -z "$DESTDIR" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "$SERVICEDIR" ]; then
|
||||
if systemctl enable ${PRODUCT}.service; then
|
||||
echo "Shorewall Init will start automatically at
|
||||
boot"
|
||||
echo "Shorewall Init will start automatically at boot"
|
||||
fi
|
||||
elif mywhich insserv; then
|
||||
if insserv ${INITDIR}/shorewall-init; then
|
||||
|
||||
@@ -153,7 +153,7 @@ if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
|
||||
VERSION="$INSTALLED_VERSION"
|
||||
fi
|
||||
else
|
||||
echo "WARNING: Shorewal Lite Version $VERSION is not installed"
|
||||
echo "WARNING: Shorewall Lite Version $VERSION is not installed"
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
@@ -195,9 +195,11 @@ if [ -f "$FIREWALL" ]; then
|
||||
remove_file $FIREWALL
|
||||
fi
|
||||
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
|
||||
|
||||
if [ -n "$SERVICEDIR" ]; then
|
||||
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
||||
rm -f $SYSTEMD/shorewall-lite.service
|
||||
rm -f $SERVICEDIR/shorewall-lite.service
|
||||
fi
|
||||
|
||||
rm -f ${SBINDIR}/shorewall-lite
|
||||
|
||||
@@ -7031,7 +7031,7 @@ sub isolate_source_interface( $ ) {
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
|
||||
$source =~ /^(.+?):(!?\+.+)$/ ||
|
||||
$source =~ /^(.+?):(!?[&%].+)$/ ||
|
||||
$source =~ /^(.+?):(!?[&%~].+)$/ ||
|
||||
$source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
|
||||
) {
|
||||
$iiface = $1;
|
||||
|
||||
@@ -2245,7 +2245,7 @@ sub split_line2( $$;$$$ ) {
|
||||
|
||||
for ( @pairs ) {
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
|
||||
my ( $column, $value ) = ( lc $1, $2 );
|
||||
my ( $column, $value ) = ( lc( $1 ), $2 );
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
|
||||
@@ -6,6 +6,5 @@
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#################################################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
|
||||
# PORT(S) PORT(S) GROUP
|
||||
#####################################################################################################
|
||||
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
|
||||
|
||||
@@ -5,6 +5,8 @@
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
########################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
# Place '# ' below the 'C' in COMMENT followed by a comment describing
|
||||
# the action.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION OPTIONS COMMENT
|
||||
|
||||
@@ -3,6 +3,5 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-arprules"
|
||||
#
|
||||
##############################################################################################################
|
||||
#ACTION SOURCE DEST ARP
|
||||
# OPCODE
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST OPCODE
|
||||
|
||||
@@ -6,6 +6,5 @@
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
@@ -3,11 +3,10 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-conntrack"
|
||||
#
|
||||
##############################################################################################################
|
||||
?FORMAT 3
|
||||
##############################################################################################################
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
######################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
|
||||
|
||||
?if $AUTOHELPERS && __CT_TARGET
|
||||
|
||||
?if __AMANDA_HELPER
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-ecn.html
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#INTERFACE HOSTS
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-hosts.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#ZONE HOSTS OPTIONS
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ZONE INTERFACE OPTIONS
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
local status
|
||||
status=0
|
||||
|
||||
|
||||
@@ -6,4 +6,4 @@
|
||||
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||
#
|
||||
###############################################################################
|
||||
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#DISPOSITION INTERFACE MAC ADDRESSES
|
||||
|
||||
@@ -11,5 +11,4 @@
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
#
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-masq.html
|
||||
#
|
||||
###################################################################################################################################
|
||||
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL PROBABILITY
|
||||
# GROUP DEST
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
|
||||
@@ -6,5 +6,4 @@
|
||||
# For additional information, see http://shorewall.net/NAT.htm
|
||||
#
|
||||
###############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
|
||||
@@ -6,6 +6,5 @@
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
##############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
#############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DPORT SPORT
|
||||
|
||||
@@ -22,5 +22,3 @@
|
||||
# net eth0 130.252.100.255 routefilter,norfc1918
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-policy.html
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
|
||||
# LEVEL BURST MASK
|
||||
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-rules.html
|
||||
#
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
|
||||
@@ -8,4 +8,5 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
cat -
|
||||
|
||||
@@ -3,6 +3,5 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-secmarks"
|
||||
#
|
||||
############################################################################################################
|
||||
#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
############################################################################################
|
||||
#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
|
||||
@@ -8,4 +8,5 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
return 0
|
||||
|
||||
@@ -10,5 +10,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
|
||||
@@ -6,5 +6,4 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
|
||||
# DMAX:UMAX
|
||||
#INTERFACE MARK RATE CEIL PRIO OPTIONS
|
||||
|
||||
@@ -6,5 +6,4 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
#INTERFACE INTERFACES
|
||||
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
|
||||
@@ -5,6 +5,5 @@
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
########################################################################################################
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#CLASS PORT(S) PORT(S)
|
||||
######################################################################################
|
||||
#CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#BAND PROTO PORT(S) ADDRESS IN-INTERFACE HELPER
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-tunnels.html
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE ZONE GATEWAY(S) GATEWAY
|
||||
# ZONE(S)
|
||||
#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
|
||||
@@ -7,6 +7,6 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-zones.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
|
||||
fw firewall
|
||||
|
||||
@@ -403,13 +403,15 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly named DESTINATION.</para>
|
||||
|
||||
<para>Packet Destination.</para>
|
||||
|
||||
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
||||
@@ -418,7 +420,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">{any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||
@@ -428,6 +430,8 @@
|
||||
role="bold">all</emphasis>}]}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly named PROTOCOL</para>
|
||||
|
||||
<para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
|
||||
<emphasis>protocol-number</emphasis>, <emphasis
|
||||
role="bold">ipp2p</emphasis>, <emphasis
|
||||
@@ -440,8 +444,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -460,12 +464,14 @@
|
||||
("iptables -m ipp2p --help") without the leading "--". If no option
|
||||
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>This column was formerly named DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -482,20 +488,22 @@
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
DPORT. Use of '=' requires multi-port match in your iptables and
|
||||
kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the <emphasis
|
||||
role="bold">CHAIN</emphasis> is <emphasis
|
||||
<para>This column was formerly named USER/GROUP and may only be
|
||||
non-empty if the <emphasis role="bold">CHAIN</emphasis> is <emphasis
|
||||
role="bold">OUTPUT</emphasis>.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
|
||||
@@ -273,7 +273,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
|
||||
<term>OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional. Describes the type of frame. Possible
|
||||
|
||||
@@ -424,7 +424,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
|
||||
<term>DPORT - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@@ -432,11 +432,13 @@
|
||||
ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
|
||||
<term>SPORT - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@@ -446,22 +448,24 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER/GROUP (user) ‒
|
||||
<term>USER ‒
|
||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the SOURCE
|
||||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
||||
id and or group id of the process sending the traffic.</para>
|
||||
<para>This column was formerly named USER/GROUP and may only be
|
||||
specified if the SOURCE <replaceable>zone</replaceable> is $FW.
|
||||
Specifies the effective user id and or group id of the process
|
||||
sending the traffic.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -520,8 +524,7 @@
|
||||
|
||||
<para>Example 1:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||||
|
||||
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
||||
@@ -529,14 +532,12 @@ CT:helper:ftp(expevents=new) fw - tcp
|
||||
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
DROP all-:1.2.3.4 -
|
||||
DROP all 1.2.3.4</programlisting>
|
||||
|
||||
<para>or<programlisting>FORMAT 3
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
DROP:P 1.2.3.4 -
|
||||
DROP:PO - 1.2.3.4
|
||||
</programlisting></para>
|
||||
|
||||
@@ -76,8 +76,7 @@ z2 net REJECT</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT all!z2 net tcp 22</programlisting>
|
||||
|
||||
<para>In this case, SSH connections from <emphasis
|
||||
|
||||
@@ -57,7 +57,7 @@
|
||||
<option>dst</option>. Example: myset[src,dst].</member>
|
||||
</simplelist>
|
||||
|
||||
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
|
||||
<para>In a SOURCE or SPORT column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@@ -66,7 +66,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In a DEST or DEST PORT(S) column, the following pairs are
|
||||
<para>In a DEST or DPORT column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
@@ -570,8 +570,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
that problem. SAME may be used in the PREROUTING and OUTPUT
|
||||
chains. When used in PREROUTING, it causes matching
|
||||
connections from an individual local system to all use the
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
||||
80 or 443 and it has sent a packet on either of those ports in
|
||||
@@ -581,8 +580,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<para>When used in the OUTPUT chain, it causes all matching
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||
optional <replaceable>timeout</replaceable> parameter was
|
||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||
@@ -835,7 +833,7 @@ Normal-Service => 0x00</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis>- {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -863,12 +861,13 @@ Normal-Service => 0x00</programlisting>
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly named DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -882,16 +881,17 @@ Normal-Service => 0x00</programlisting>
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||
'=' requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.6.0, an
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1097,8 +1097,7 @@ Normal-Service => 0x00</programlisting>
|
||||
by the named helper module.</para>
|
||||
|
||||
<para>Example: Mark all FTP data connections with mark
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S)
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1287,8 +1286,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>We assume packet/connection mark 0 means unclassified.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
|
||||
@@ -1313,8 +1311,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<programlisting>/etc/shorewall/tcrules:
|
||||
|
||||
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
||||
@@ -249,7 +249,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">PORT</emphasis> (Optional) -
|
||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -429,13 +429,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
|
||||
<para>Only locally-generated connections will match if this column
|
||||
is non-empty.</para>
|
||||
|
||||
@@ -538,8 +539,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -550,6 +550,8 @@
|
||||
original destination address matches one of the listed addresses. It
|
||||
is useful for specifying that SNAT should occur only for connections
|
||||
that were acted on by a DNAT when they entered the firewall.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -639,7 +641,7 @@
|
||||
172.20.1.0/29 to be sent from eth0 with source IP address
|
||||
206.124.146.176.</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS PROTO PORT(S)
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS PROTO DPORT
|
||||
eth0 172.20.1.0/29 206.124.146.177 tcp smtp
|
||||
eth0 172.20.1.0/29 206.124.146.176</programlisting>
|
||||
|
||||
@@ -672,8 +674,7 @@
|
||||
|
||||
<programlisting>/etc/shorewall/tcrules:
|
||||
|
||||
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
||||
@@ -106,15 +106,16 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>]</term>
|
||||
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||
no (or left empty) then NAT will be effective only through the
|
||||
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
||||
column.</para>
|
||||
|
||||
<para>This column was formerly labelled ALL INTERFACES.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -160,8 +161,7 @@ smc eth0:10.1.10.0/24</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
10.1.10.100 eth0 172.20.1.100
|
||||
</programlisting>
|
||||
|
||||
@@ -170,8 +170,7 @@ smc eth0:10.1.10.0/24</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
|
||||
@@ -82,7 +82,7 @@
|
||||
|
||||
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
...
|
||||
DNAT sam loc:192.168.1.3 tcp ssh
|
||||
DNAT net loc:192.168.1.5 tcp www
|
||||
@@ -100,7 +100,7 @@
|
||||
Because of the way that Netfilter is constructed, this requires two rules
|
||||
as follows:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
...
|
||||
ACCEPT+ sam $FW tcp ssh
|
||||
DNAT net loc:192.168.1.3 tcp ssh
|
||||
@@ -143,8 +143,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<para>As a consequence, the following rules will have unexpected
|
||||
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
behavior:<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net dmz tcp 80
|
||||
REDIRECT loc 3128 tcp 80</programlisting></para>
|
||||
|
||||
@@ -173,8 +172,7 @@
|
||||
|
||||
<para>When using other Shorewall versions, another way is to rewrite the
|
||||
DNAT rule (assume that the local zone is entirely within
|
||||
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net dmz tcp 80
|
||||
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
|
||||
|
||||
|
||||
@@ -137,7 +137,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
||||
<term><emphasis role="bold">DPORT</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -160,11 +160,13 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
|
||||
<term><emphasis role="bold">SPORT</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -176,6 +178,8 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -173,9 +173,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>The remaining columns specify characteristics of the packet
|
||||
before rewriting. In particular, the ORIGINAL DEST column gives the
|
||||
original destination IP address of the packet and the DEST PORT(S)
|
||||
column give the original destination port(s).</para>
|
||||
before rewriting. In particular, the ORIGDEST column gives the
|
||||
original destination IP address of the packet and the DPORT column
|
||||
give the original destination port(s).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -1201,8 +1201,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1234,7 +1233,7 @@
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
||||
<emphasis role="bold">SPORT</emphasis> list below:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1245,12 +1244,13 @@
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1260,11 +1260,10 @@
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||
'=' requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
@@ -1274,12 +1273,12 @@
|
||||
</warning>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
||||
column, then place "-" in this column.</para>
|
||||
an <emphasis role="bold">ORIGDEST</emphasis> in the next column,
|
||||
then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
<emphasis role="bold">DPORT</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1290,12 +1289,13 @@
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -1344,11 +1344,13 @@
|
||||
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
|
||||
for an example of using an entry in this column with a user-defined
|
||||
action rule.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
|
||||
<term><emphasis role="bold">RATE</emphasis> -
|
||||
<replaceable>limit</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -1413,11 +1415,13 @@
|
||||
enforce the per-source limit and the compiler will pick a unique
|
||||
name for the hash table that tracks the per-destination
|
||||
limit.</para>
|
||||
|
||||
<para>This column was formerly labelled RATE LIMIT.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>
|
||||
|
||||
@@ -1471,6 +1475,8 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1626,6 +1632,8 @@
|
||||
<listitem>
|
||||
<para>where <replaceable>dd</replaceable> is an ordinal day of
|
||||
the month</para>
|
||||
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1767,9 +1775,8 @@
|
||||
<listitem>
|
||||
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
ACCEPT dmz net tcp smtp</programlisting>
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT dmz net tcp smtp</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1780,8 +1787,7 @@
|
||||
<para>Forward all ssh and http connection requests from the internet
|
||||
to local system 192.168.1.3</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1792,9 +1798,8 @@
|
||||
<listitem>
|
||||
<para>Forward all http connection requests from the internet to
|
||||
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
||||
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
||||
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1806,8 +1811,7 @@
|
||||
port 3128 on the firewall (Squid running on the firewall system)
|
||||
except when the destination address is 192.168.2.2</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1819,8 +1823,7 @@
|
||||
<para>All http requests from the internet to address 130.252.100.69
|
||||
are to be forwarded to 192.168.1.3</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1832,10 +1835,9 @@
|
||||
<para>You want to accept SSH connections to your firewall only from
|
||||
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||
tcp 22</programlisting>
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT net:130.252.100.69,130.252.100.70 \
|
||||
$FW tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1847,8 +1849,7 @@
|
||||
firewall on port 2222 and you want to forward them to local system
|
||||
192.168.1.3, port 22</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1860,8 +1861,7 @@
|
||||
<para>You want to redirect connection requests to port 80 randomly
|
||||
to the port range 81-90.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
REDIRECT net $FW::81-90:random tcp www</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1897,8 +1897,7 @@
|
||||
|
||||
<para>rules:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
REDIRECT loc 3128 tcp 80 </programlisting>
|
||||
|
||||
<simpara>Note that it would have been tempting to simply define the
|
||||
@@ -1926,8 +1925,7 @@
|
||||
<para>Add the tuple (source IP, dest port, dest IP) of an incoming
|
||||
SSH connection to the ipset S:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1939,8 +1937,7 @@
|
||||
<para>You wish to limit SSH connections from remote systems to 1/min
|
||||
with a burst of three (to allow for limited retry):</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT(S) PORT(S) DEST LIMIT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1952,8 +1949,7 @@
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
||||
is on.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1965,8 +1961,7 @@
|
||||
<para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
|
||||
and <emphasis>Satellite Provider</emphasis> address ranges:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
DROP net:^A1,A2 fw tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1978,8 +1973,7 @@
|
||||
<para>You want to generate your own rule involving iptables targets
|
||||
and matches not supported by Shorewall.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>The above will generate the following iptables-restore
|
||||
|
||||
@@ -93,7 +93,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
||||
<term><emphasis role="bold">CHAIN -
|
||||
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -140,6 +140,8 @@
|
||||
|
||||
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
||||
</simplelist>
|
||||
|
||||
<para>This column was formerly labelled CHAIN:STATE.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -236,7 +238,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -259,12 +261,13 @@
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered
|
||||
if any of the following field is supplied. In that case, it is
|
||||
suggested that this field contain "-"</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -272,6 +275,8 @@
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -388,8 +393,7 @@
|
||||
|
||||
<para><filename>/etc/shorewall/secmarks</filename>:</para>
|
||||
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
|
||||
SAVE I:N lo 127.0.0.1 tcp 3306
|
||||
RESTORE I:ER</programlisting>
|
||||
|
||||
@@ -112,7 +112,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> ‒
|
||||
<term><emphasis role="bold">DPORT</emphasis> ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -121,11 +121,13 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> ‒
|
||||
<term><emphasis role="bold">SPORT</emphasis> ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -136,11 +138,12 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||
'=' requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -135,7 +135,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -143,16 +143,19 @@
|
||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s).</para>
|
||||
|
||||
<para>This column was previously labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional source port.</para>
|
||||
|
||||
<para>This column was previously labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -292,8 +295,7 @@
|
||||
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
||||
protocols.</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST
|
||||
# PORT
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT
|
||||
|
||||
IPV4
|
||||
|
||||
@@ -314,8 +316,7 @@
|
||||
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
||||
later).</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST PRIORITY
|
||||
# PORT
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
|
||||
|
||||
IPV4
|
||||
|
||||
|
||||
@@ -1625,11 +1625,11 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>This parameter specifies the directory/directories where your
|
||||
kernel netfilter modules may be found. If you leave the variable
|
||||
empty, Shorewall will supply the value "/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
|
||||
3.2.4 and "/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter" in later versions.</para>
|
||||
empty, Shorewall will supply the value
|
||||
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
|
||||
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||
'<command>uname -r</command>' and <emphasis
|
||||
role="bold">g_family</emphasis> holds '4'. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -193,9 +193,11 @@ if [ -f "$FIREWALL" ]; then
|
||||
remove_file $FIREWALL
|
||||
fi
|
||||
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
|
||||
|
||||
if [ -n "$SERVICEDIR" ]; then
|
||||
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
||||
rm -f $SYSTEMD/shorewall6-lite.service
|
||||
rm -f $SERVICEDIR/shorewall6-lite.service
|
||||
fi
|
||||
|
||||
rm -f ${SBINDIR}/shorewall6-lite
|
||||
@@ -205,7 +207,6 @@ rm -rf ${SHAREDIR}/shorewall6-lite
|
||||
rm -rf ${LIBEXECDIR}/shorewall6-lite
|
||||
rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
|
||||
rm -f ${SYSCONFDIR}/shorewall6-lite
|
||||
[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service
|
||||
|
||||
rm -f ${MANDIR}/man5/shorewall6-lite*
|
||||
rm -f ${MANDIR}/man8/shorewall6-lite*
|
||||
|
||||
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
IP_FORWARDING=keep
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
||||
@@ -160,7 +160,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
IP_FORWARDING=keep
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
||||
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
IP_FORWARDING=keep
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
||||
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
IP_FORWARDING=keep
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
###############################################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC HEADERS
|
||||
# PORT(S) PORT(S) GROUP
|
||||
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC HEADERS
|
||||
|
||||
@@ -5,6 +5,8 @@
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
########################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
# Place '# ' below the 'C' in COMMENT followed by a comment describing
|
||||
# the action.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION OPTIONS COMMENT
|
||||
|
||||
@@ -6,6 +6,5 @@
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
########################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
@@ -3,11 +3,10 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall6-conntrack"
|
||||
#
|
||||
##############################################################################################################
|
||||
?FORMAT 3
|
||||
##############################################################################################################
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
##############################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
|
||||
|
||||
?if $AUTOHELPERS && __CT_TARGET
|
||||
|
||||
?if __AMANDA_HELPER
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-hosts.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#ZONE HOSTS OPTIONS
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ZONE INTERFACE OPTIONS
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
local status
|
||||
status=0
|
||||
|
||||
|
||||
@@ -6,4 +6,4 @@
|
||||
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||
#
|
||||
###############################################################################
|
||||
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#DISPOSITION INTERFACE MAC ADDRESSES
|
||||
|
||||
@@ -11,5 +11,4 @@
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
#
|
||||
############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
|
||||
@@ -6,6 +6,5 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-masq.html
|
||||
#
|
||||
########################################################################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
|
||||
# GROUP DEST
|
||||
######################################################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-nat.html
|
||||
#
|
||||
###############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
|
||||
@@ -6,6 +6,5 @@
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
##############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
#############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DPORT SPORT
|
||||
|
||||
@@ -21,5 +21,3 @@
|
||||
# net eth0 - dhcp,nosmurfs
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-policy.html
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
|
||||
# LEVEL BURST MASK
|
||||
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-rules.html
|
||||
#
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
|
||||
@@ -8,4 +8,5 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
cat -
|
||||
|
||||
@@ -3,6 +3,5 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-secmarks"
|
||||
#
|
||||
############################################################################################################
|
||||
#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
|
||||
# PORT(S) PORT(S)
|
||||
####################################################################################################
|
||||
#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
|
||||
@@ -159,7 +159,7 @@ INLINE_MATCHES=No
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
IP_FORWARDING=keep
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
||||
@@ -11,5 +11,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
|
||||
@@ -6,4 +6,4 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
|
||||
#INTERFACE MARK RATE CEIL PRIO OPTIONS
|
||||
|
||||
@@ -6,5 +6,4 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
#INTERFACE INTERFACES
|
||||
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
|
||||
@@ -5,6 +5,5 @@
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
########################################################################################################
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#CLASS PORT(S) PORT(S)
|
||||
######################################################################################
|
||||
#CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
||||
|
||||
@@ -8,4 +8,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE TYPE IN-BANDWIDTH OUT-INTERFACE
|
||||
#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#BAND PROTO PORT(S) ADDRESS IN-INTERFACE HELPER
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
|
||||
@@ -7,5 +7,4 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-tunnels.html
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE ZONE GATEWAY(S) GATEWAY
|
||||
# ZONE(S)
|
||||
#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
|
||||
@@ -7,6 +7,6 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-zones.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
|
||||
fw firewall
|
||||
|
||||
@@ -349,7 +349,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
|
||||
@@ -359,11 +359,13 @@
|
||||
|
||||
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
||||
column.</para>
|
||||
|
||||
<para>This column was formerly labelled DESTINATION.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||
@@ -381,12 +383,14 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||
comma-separated list of protocols.</para>
|
||||
|
||||
<para>This column was formerly labelled PROTOCOL.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -405,12 +409,14 @@
|
||||
("ip6tables -m ipp2p --help") without the leading "--". If no option
|
||||
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -424,16 +430,17 @@
|
||||
support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
@@ -490,6 +497,8 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -1,217 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall6-blacklist</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>blacklist</refname>
|
||||
|
||||
<refpurpose>shorewall6 Blacklist file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall6/blacklist</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>The blacklist file is used to perform static blacklisting by source
|
||||
address (IP or MAC), or by application. The use of this file is deprecated
|
||||
in favor of <ulink
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
|
||||
and beginning with Shorewall 4.5.7, the blacklist file is no longer
|
||||
installed. Existing blacklist files can be converted to a corresponding
|
||||
blrules file using the <command>shorewall6 update -b</command>
|
||||
command.</para>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Host address, network address, MAC address, IP address range
|
||||
(if your kernel and ip6tables contain iprange match support) or
|
||||
ipset name prefaced by "+" (if your kernel supports ipset match).
|
||||
Exclusion (<ulink
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
|
||||
is supported.</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
||||
|
||||
<para>A dash ("-") in this column means that any source address will
|
||||
match. This is useful if you want to blacklist a particular
|
||||
application using entries in the PROTOCOL and PORTS columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional - if specified, must be a protocol number or a
|
||||
protocol name from protocols(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the protocol is TCP (6), UDP (17),
|
||||
DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
|
||||
destination port numbers or service names from services(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional - added in 4.4.12. If specified, indicates whether
|
||||
traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
||||
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
||||
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
||||
the ADDRESS/SUBNET column is empty, then this column has no effect
|
||||
on the generated rule.</para>
|
||||
|
||||
<note>
|
||||
<para>In Shorewall 4.4.12, the keywords from and to were used in
|
||||
place of src and dst respectively. Blacklisting was still
|
||||
restricted to traffic <emphasis>arriving</emphasis> on an
|
||||
interface that has the 'blacklist' option set. So to block traffic
|
||||
from your local network to an internet host, you had to specify
|
||||
<option>blacklist</option> on your internal interface in <ulink
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
|
||||
from this zone is passed against the entries in this file that
|
||||
have the <emphasis role="bold">src</emphasis> option
|
||||
(specified or defaulted).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
|
||||
Traffic to this zone is passed against the entries in this
|
||||
file that have the <emphasis role="bold">dst</emphasis>
|
||||
option.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</note>
|
||||
|
||||
<para>In Shorewall 4.4.20, the <emphasis
|
||||
role="bold">whitelist</emphasis> option was added. When <emphasis
|
||||
role="bold">whitelist</emphasis> is specified, packets/connections
|
||||
that match the entry are not matched against the remaining entries
|
||||
in the file.</para>
|
||||
|
||||
<para>The <emphasis role="bold">audit</emphasis> option was also
|
||||
added in 4.4.20 and causes packets matching the entry to be audited.
|
||||
The <emphasis role="bold">audit</emphasis> option may not be
|
||||
specified in whitelist entries and require AUDIT_TARGET support in
|
||||
the kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>When a packet arrives on an interface that has the <emphasis
|
||||
role="bold">blacklist</emphasis> option specified in <ulink
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
|
||||
its source IP address and MAC address is checked against this file and
|
||||
disposed of according to the <emphasis
|
||||
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
||||
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||
<emphasis role="bold">PROTOCOL</emphasis> or <emphasis
|
||||
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
||||
are supplied, only packets matching the protocol (and one of the ports if
|
||||
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Example</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Example 1:</term>
|
||||
|
||||
<listitem>
|
||||
<para>To block DNS queries from address
|
||||
fe80::2a0:ccff:fedb:31c4:</para>
|
||||
|
||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
||||
fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>To block some of the nuisance applications:</para>
|
||||
|
||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
||||
- udp 1024:1033,1434
|
||||
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall6/blacklist</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-rtrules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
@@ -414,7 +414,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S) (dport) -
|
||||
<term>DPORT -
|
||||
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -427,11 +427,13 @@
|
||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||
in this column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT(S) (sport) -
|
||||
<term>SPORT -
|
||||
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -442,25 +444,28 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||
in this column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER/GROUP (user) ‒
|
||||
<term>USER ‒
|
||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the SOURCE
|
||||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
||||
id and or group id of the process sending the traffic.</para>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -523,8 +528,7 @@
|
||||
itself.</para>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||||
|
||||
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
||||
@@ -532,15 +536,13 @@ CT:helper:ftp(expevents=new) fw - tcp
|
||||
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
DROP all-:2001:1.2.3::4 -
|
||||
DROP all 2001:1.2.3::4
|
||||
</programlisting>
|
||||
|
||||
<para>or<programlisting>FORMAT 3
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
DROP:P 2001:1.2.3::4 -
|
||||
DROP:PO - 2001:1.2.3::4
|
||||
</programlisting></para>
|
||||
|
||||
@@ -56,7 +56,7 @@
|
||||
<option>dst</option>. Example: myset[src,dst].</member>
|
||||
</simplelist>
|
||||
|
||||
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
|
||||
<para>In a SOURCE or SPORT column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@@ -65,7 +65,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In a DEST or DEST PORT(S) column, the following pairs are
|
||||
<para>In a DEST or DPORT column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
@@ -593,8 +593,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
that problem. SAME may be used in the PREROUTING and OUTPUT
|
||||
chains. When used in PREROUTING, it causes matching
|
||||
connections from an individual local system to all use the
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
||||
80 or 443 and it has sent a packet on either of those ports in
|
||||
@@ -604,8 +603,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<para>When used in the OUTPUT chain, it causes all matching
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||
optional <replaceable>timeout</replaceable> parameter was
|
||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||
@@ -812,7 +810,7 @@ Normal-Service => 0x00</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -835,12 +833,13 @@ Normal-Service => 0x00</programlisting>
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">SPORT </emphasis>- [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -854,11 +853,12 @@ Normal-Service => 0x00</programlisting>
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1064,8 +1064,7 @@ Normal-Service => 0x00</programlisting>
|
||||
by the named helper module.</para>
|
||||
|
||||
<para>Example: Mark all FTP data connections with mark
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S)
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1348,8 +1347,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>We assume packet/connection mark 0 means unclassified.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
MARK(1):T ::/0 ::/0 icmp echo-request
|
||||
MARK(1):T ::/0 ::/0 icmp echo-reply
|
||||
RESTORE:T ::/0 ::/0 all - - - 0
|
||||
|
||||
@@ -199,7 +199,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">DPORT</emphasis> (Optional) -
|
||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -379,8 +379,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
@@ -488,8 +487,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -500,6 +498,8 @@
|
||||
the listed addresses. It is useful for specifying that SNAT should
|
||||
occur only for connections that were acted on by a DNAT when they
|
||||
entered the firewall.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -103,15 +103,16 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>]</term>
|
||||
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||
no (or left empty) then NAT will be effective only through the
|
||||
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
||||
column.</para>
|
||||
|
||||
<para>This column was formerly labelled ALL INTERFACES.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -82,7 +82,7 @@
|
||||
|
||||
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
...
|
||||
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
|
||||
ACCEPT net loc:2001:19f0:feee::5 tcp www
|
||||
|
||||
@@ -137,7 +137,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
<term><emphasis role="bold">DPORT</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -159,11 +159,13 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
<term><emphasis role="bold">SPORT</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -174,6 +176,8 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -1111,8 +1111,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1144,8 +1143,7 @@
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated in this list and the
|
||||
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below
|
||||
if:</para>
|
||||
<emphasis role="bold">SPORT</emphasis> list below if:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1156,12 +1154,13 @@
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1171,11 +1170,10 @@
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
@@ -1189,7 +1187,7 @@
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
<emphasis role="bold">DPORT</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1199,21 +1197,25 @@
|
||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||
in this column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis role="bold">-</emphasis>]</term>
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Included for compatibility with Shorewall. Enter '-' in this
|
||||
column if you need to specify one of the later columns.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
|
||||
<term><emphasis role="bold">RATE</emphasis> -
|
||||
<replaceable>limit</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -1278,11 +1280,13 @@
|
||||
enforce the per-source limit and the compiler will pick a unique
|
||||
name for the hash table that tracks the per-destination
|
||||
limit.</para>
|
||||
|
||||
<para>This column was formerly labelled RATE LIMIT.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>
|
||||
|
||||
@@ -1336,6 +1340,8 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1716,8 +1722,7 @@
|
||||
<listitem>
|
||||
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT dmz net tcp smtp</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1730,8 +1735,7 @@
|
||||
internet IP addresses 2002:ce7c::92b4:1::2 and
|
||||
2002:ce7c::92b4:1::22</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
|
||||
$FW tcp 22</programlisting>
|
||||
</listitem>
|
||||
@@ -1744,8 +1748,7 @@
|
||||
<para>You wish to limit SSH connections from remote systems to 1/min
|
||||
with a burst of three (to allow for limited retry):</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT(S) PORT(S) DEST LIMIT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1757,8 +1760,7 @@
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
||||
is set.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1770,8 +1772,7 @@
|
||||
<para>Drop all email from IP addresses in the country whose ISO-3661
|
||||
country code is ZZ.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
DROP net:^ZZ fw tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1783,8 +1784,7 @@
|
||||
<para>You want to generate your own rule involving ip6tables targets
|
||||
and matches not supported by Shorewall.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>The above will generate the following ip6tables-restore
|
||||
|
||||
@@ -92,7 +92,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
||||
<term><emphasis role="bold">CHAIN -
|
||||
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -139,6 +139,8 @@
|
||||
|
||||
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
||||
</simplelist>
|
||||
|
||||
<para>This column was formerly labelled CHAIN:STATE.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -229,7 +231,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -249,15 +251,14 @@
|
||||
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered
|
||||
if any of the following field is supplied. In that case, it is
|
||||
<para>This column is ignored if PROTO = all but must be entered if
|
||||
any of the following field is supplied. In that case, it is
|
||||
suggested that this field contain "-"</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -267,11 +268,10 @@
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -318,6 +318,8 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -388,8 +390,7 @@
|
||||
|
||||
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
|
||||
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
|
||||
SAVE I:N
|
||||
RESTORE I:ER</programlisting>
|
||||
|
||||
@@ -112,7 +112,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S) (dport) ‒
|
||||
<term>DPORT ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -121,11 +121,13 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT(S) (sport) ‒
|
||||
<term>SPORT ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -136,11 +138,12 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -131,7 +131,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -139,16 +139,19 @@
|
||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s).</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional source port.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -286,8 +289,7 @@
|
||||
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
||||
protocols.</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST
|
||||
# PORT
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT
|
||||
|
||||
IPV4
|
||||
|
||||
@@ -308,8 +310,7 @@
|
||||
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
||||
later).</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST PRIORITY
|
||||
# PORT
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
|
||||
|
||||
IPV6
|
||||
|
||||
@@ -338,6 +339,6 @@
|
||||
<para><ulink
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,181 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall6-tos</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>tos</refname>
|
||||
|
||||
<refpurpose>Shorewall6 Type of Service rules file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall6/tos</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
||||
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
||||
<ulink url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
||||
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis role="bold">all</emphasis>, may optionally be
|
||||
followed by ":" and an IP address, a MAC address, a subnet
|
||||
specification or the name of an interface.</para>
|
||||
|
||||
<para>Example: all:2002:ce7c::92b4:1::2</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
||||
role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Example: 2002:ce7c::92b4:1::2</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> -
|
||||
<emphasis>proto-name-or-number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Protocol name or number.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> -
|
||||
{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port or port range. If all ports, use "-".</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> -
|
||||
{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination port or port range. If all ports, use "-"</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TOS</emphasis> -
|
||||
<emphasis>tos</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be one of the following;</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> (16)
|
||||
<emphasis role="bold">tos-maximize-throughput</emphasis> (8)
|
||||
<emphasis role="bold">tos-maximize-reliability</emphasis> (4)
|
||||
<emphasis role="bold">tos-minimize-cost</emphasis> (2)
|
||||
<emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
|
||||
|
||||
<para>To specify more than one flag, add their values together and
|
||||
specify the numeric result.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Inverts the test (not equal)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>value</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Value of the packet or connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>mask</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A mask to be applied to the mark before testing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">:C</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Designates a connection mark. If omitted, the packet
|
||||
mark's value is tested.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall6/tos</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-mangle(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
@@ -1442,9 +1442,11 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>This parameter specifies the directory/directories where your
|
||||
kernel netfilter modules may be found. If you leave the variable
|
||||
empty, Shorewall6 will supply "/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter".</para>
|
||||
empty, Shorewall will supply the value
|
||||
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
|
||||
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||
'<command>uname -r</command>' and <emphasis
|
||||
role="bold">g_family</emphasis> holds '6'.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -306,24 +306,6 @@
|
||||
<para><emphasis role="bold">If you need to change a file in
|
||||
/usr/share/shorewall/, copy it to <filename>/etc/shorewall</filename> and
|
||||
modify the copy</emphasis></para>
|
||||
|
||||
<warning>
|
||||
<para><emphasis role="bold">Note to Debian and Ubuntu
|
||||
Users</emphasis></para>
|
||||
|
||||
<para>If you install using the .deb or using the tarball installers with
|
||||
the default <filename>shorewallrc.debian</filename> file, you will find
|
||||
that your <filename class="directory">/etc/shorewall</filename>
|
||||
directory is practially empty. This is intentional. When you install the
|
||||
.deb, the released configuration file skeletons may be found on your
|
||||
system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>. If
|
||||
you install using the tarball installers, the files are in the
|
||||
<filename>/usr/share/shorewall/configfiles</filename> sub-directory.
|
||||
Simply copy the files you need from the appropriate directory to
|
||||
<filename class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section id="Manpages">
|
||||
@@ -571,8 +553,10 @@ ACCEPT net:\
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The following table shows the column names for each of the
|
||||
table-oriented configuration files.</para>
|
||||
<para>In Shorewall 5.0.3, the sample configuration files and the man pages
|
||||
were updated to use the same column names in both the column headings and
|
||||
in the alternate specification format. The following table shows the
|
||||
column names for each of the table-oriented configuration files.</para>
|
||||
|
||||
<note>
|
||||
<para>Column names are <emphasis
|
||||
|
||||
Reference in New Issue
Block a user