5.0.3-Beta
...
5.0.2.1
Author | SHA1 | Date | |
---|---|---|---|
|
299d323977 |
27
Shorewall-core/configure
@@ -91,8 +91,6 @@ for p in $@; do
|
||||
fi
|
||||
done
|
||||
|
||||
cd $(dirname $0)
|
||||
|
||||
vendor=${params[HOST]}
|
||||
|
||||
if [ -z "$vendor" ]; then
|
||||
@@ -104,7 +102,7 @@ if [ -z "$vendor" ]; then
|
||||
vendor=redhat
|
||||
;;
|
||||
debian|ubuntu)
|
||||
vendor=debian
|
||||
ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
|
||||
;;
|
||||
opensuse)
|
||||
vendor=suse
|
||||
@@ -124,6 +122,7 @@ if [ -z "$vendor" ]; then
|
||||
params[HOST]=apple
|
||||
rcfile=shorewallrc.apple
|
||||
;;
|
||||
|
||||
cygwin*|CYGWIN*)
|
||||
params[HOST]=cygwin
|
||||
rcfile=shorewallrc.cygwin
|
||||
@@ -131,7 +130,7 @@ if [ -z "$vendor" ]; then
|
||||
*)
|
||||
if [ -f /etc/debian_version ]; then
|
||||
params[HOST]=debian
|
||||
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
||||
rcfile=shorewallrc.debian.sysvinit
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
params[HOST]=redhat
|
||||
rcfile=shorewallrc.redhat
|
||||
@@ -153,32 +152,25 @@ if [ -z "$vendor" ]; then
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
vendor=${params[HOST]}
|
||||
else
|
||||
if [ $vendor = linux ]; then
|
||||
rcfile=shorewallrc.default;
|
||||
elif [ $vendor = debian -a -f /etc/debian_version ]; then
|
||||
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
||||
else
|
||||
rcfile=shorewallrc.$vendor
|
||||
fi
|
||||
|
||||
vendor=${params[HOST]}
|
||||
elif [ $vendor = linux ]; then
|
||||
rcfile=shorewallrc.default;
|
||||
else
|
||||
rcfile=shorewallrc.$vendor
|
||||
if [ ! -f $rcfile ]; then
|
||||
echo "ERROR: $vendor is not a recognized host type" >&2
|
||||
exit 1
|
||||
elif [ $vendor = default ]; then
|
||||
params[HOST]=linux
|
||||
vendor=linux
|
||||
elif [[ $vendor == debian.* ]]; then
|
||||
params[HOST]=debian
|
||||
vendor=debian
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $vendor = linux ]; then
|
||||
echo "INFO: Creating a generic Linux installation - " `date`;
|
||||
else
|
||||
echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
|
||||
echo "INFO: Creating a ${vendor}-specific installation - " `date`;
|
||||
fi
|
||||
|
||||
echo
|
||||
@@ -191,7 +183,6 @@ done
|
||||
|
||||
echo '#' > shorewallrc
|
||||
echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
|
||||
echo "# rc file: $rcfile" >> shorewallrc
|
||||
echo '#' >> shorewallrc
|
||||
|
||||
if [ $# -gt 0 ]; then
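Review bot: In the `*)` auto-detection branch of this section the new side assigns `rcfile=shorewallrc.debian.sysvinit` unconditionally once /etc/debian_version is found, so a systemd-booted Debian/Ubuntu host gets the sysvinit rc file (and presumably no SERVICEDIR — I cannot see the rc templates here), while the explicit `HOST=debian.systemd` path still honours systemd. The removed `ls -l /sbin/init | fgrep -q systemd` probe was itself fragile because it inspects a symlink name rather than the running init; the documented check is the directory systemd creates at boot: `if [ -d /run/systemd/system ]; then rcfile=shorewallrc.debian.systemd; else rcfile=shorewallrc.debian.sysvinit; fi`. With `cd $(dirname $0)` gone, the `-f $rcfile` test and the `shorewallrc` output file are resolved against the caller's working directory rather than the script's, so invoking `path/to/configure` from elsewhere fails the rc-file check or writes the result to the wrong place, and the `# rc file: $rcfile` provenance line is no longer written, which makes it harder to tell afterwards which template a shorewallrc came from. This compare appears to run from 5.0.3-Beta back to 5.0.2.1, so the new side here is the older code; the script continues outside these hunks.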
|
||||
|
@@ -52,9 +52,6 @@ for ( @ARGV ) {
|
||||
$params{$pn} = $pv;
|
||||
}
|
||||
|
||||
use File::Basename;
|
||||
chdir dirname($0);
|
||||
|
||||
my $vendor = $params{HOST};
|
||||
my $rcfile;
|
||||
my $rcfilename;
|
||||
@@ -84,39 +81,16 @@ unless ( defined $vendor ) {
|
||||
}
|
||||
|
||||
if ( defined $vendor ) {
|
||||
if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
|
||||
if ( -l '/sbin/init' ) {
|
||||
if ( readlink('/sbin/init') =~ /systemd/ ) {
|
||||
$rcfilename = 'shorewallrc.debian.systemd';
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} else {
|
||||
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
||||
}
|
||||
|
||||
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
||||
unless ( -f $rcfilename ) {
|
||||
die qq("ERROR: $vendor" is not a recognized host type);
|
||||
} elsif ( $vendor eq 'default' ) {
|
||||
$params{HOST} = $vendor = 'linux';
|
||||
} elsif ( $vendor =~ /^debian\./ ) {
|
||||
$params{HOST} = $vendor = 'debian';
|
||||
}
|
||||
} else {
|
||||
if ( -f '/etc/debian_version' ) {
|
||||
$vendor = 'debian';
|
||||
if ( -l '/sbin/init' ) {
|
||||
if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
|
||||
$rcfilename = 'shorewallrc.debian.systemd';
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
} else {
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
}
|
||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||
} elsif ( -f '/etc/redhat-release' ){
|
||||
$vendor = 'redhat';
|
||||
$rcfilename = 'shorewallrc.redhat';
|
||||
@@ -173,8 +147,7 @@ my $outfile;
|
||||
|
||||
open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
|
||||
|
||||
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
|
||||
print $outfile "# rc file: $rcfilename\n#\n";
|
||||
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
|
||||
|
||||
print $outfile "# Input: @ARGV\n#\n" if @ARGV;
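Review bot: On the new side `$rcfilename` is built straight from `$vendor` (`'shorewallrc.' . $vendor`) in the defined-vendor branch and the auto-detected Debian branch hardcodes `'shorewallrc.debian.sysvinit'`, so a plain `HOST=debian` or an auto-detected Debian never selects the systemd rc file even on a systemd host. The removed `readlink('/sbin/init') =~ /systemd/` test depended on the symlink's name; a more reliable probe is the directory systemd creates at boot, e.g. `my $systemd = -d '/run/systemd/system';` followed by `$rcfilename = $systemd ? 'shorewallrc.debian.systemd' : 'shorewallrc.debian.sysvinit';` in both Debian branches. Separately, `chdir dirname($0)` is dropped, so the `-f $rcfilename` check and the `open $outfile, '>', 'shorewallrc'` write now use the caller's working directory, and the `# rc file:` provenance line is no longer emitted. The surrounding `unless ( defined $vendor )` block and the `@localtime` setup lie outside these hunks, and the compare looks reversed (5.0.3-Beta to 5.0.2.1), so the new side is the older release.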
|
||||
|
||||
|
@@ -1052,13 +1052,11 @@ show_command() {
|
||||
conntrack -f ipv6 -L $@ | show_connections_filter
|
||||
else
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
||||
echo
|
||||
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
|
||||
fi
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
||||
echo
|
||||
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
|
||||
fi
|
||||
;;
|
||||
nat)
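Review bot: The new side of the connections branch reads /proc/sys/net/netfilter/nf_conntrack_count and /proc/net/nf_conntrack unconditionally, so on a kernel where nf_conntrack is not loaded (or /proc/net/nf_conntrack is absent) `cat` and `grep` print errors to stderr and the heading comes out as `Connections ( of )`. The guard the old side had tested `/proc/sys/net/nf_conntrack`, a path that does not exist — the table lives at /proc/net/nf_conntrack, as the `grep` two lines below shows — so it would have skipped the listing on every host; what is wanted is a guard on the real path with a message when it is missing. `$@` in `conntrack -f ipv6 -L $@` at the top of the hunk is also unquoted, which word-splits any argument containing whitespace. show_command starts and ends outside this hunk.
```shell
[ $# -gt 1 ] && usage 1
if [ -f /proc/net/nf_conntrack ]; then
    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null)
    echo "$g_product $SHOREWALL_VERSION Connections (${count:-?} of ${max:-?}) at $g_hostname - $(date)"
    echo
    # … unchanged: ipv6 grep | sed | show_connections_filter pipeline …
else
    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
    echo
    echo "   Connection tracking is not available (/proc/net/nf_conntrack not found)"
fi
```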
|
||||
@@ -1626,7 +1624,7 @@ do_dump_command() {
|
||||
|
||||
echo
|
||||
|
||||
qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
|
||||
ss -${g_family}tunap
|
||||
|
||||
if [ -n "$TC_ENABLED" ]; then
|
||||
heading "Traffic Control"
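Review bot: The new side runs `ss -${g_family}tunap` unconditionally, so on a host without iproute2's `ss` the dump gets a "command not found" line and no socket listing at all, whereas the replaced line at least probed for the tool with `qt mywhich` before calling it. That replaced line had the right shape but misspelled its fallback as `netatat`; with the typo fixed it reads `qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }`. do_dump_command starts and ends outside this hunk.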
|
||||
|
@@ -316,7 +316,6 @@ reload_kernel_modules() {
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
local uname
|
||||
local extras
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@@ -324,25 +323,9 @@ reload_kernel_modules() {
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
|
||||
|
||||
if [ -n "$MODULESDIR" ]; then
|
||||
case "$MODULESDIR" in
|
||||
+*)
|
||||
extras="$MODULESDIR"
|
||||
extras=${extras#+}
|
||||
MODULESDIR=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ -z "$MODULESDIR" ]; then
|
||||
uname=$(uname -r)
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
if [ -n "$extras" ]; then
|
||||
for directory in $(split "$extras"); do
|
||||
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
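Review bot: On the new side a MODULESDIR value that names no existing directory — a typo, or the `+dir` form the removed `case` block handled — is neither honoured nor rejected: `[ -z "$MODULESDIR" ]` is false so the default search path is never built, and the directory filter further down silently drops every missing entry, leaving an empty search list and every module load silently skipped. If the `+` form is not supported in this version, fail loudly before the default is computed, e.g. `case "$MODULESDIR" in +*) echo "   ERROR: MODULESDIR=$MODULESDIR: '+' prefix is not supported" >&2; return 1;; esac`, and warn when the final list is empty. The three-line `[ -z "$MODULESDIR" ] && uname=$(uname -r) && MODULESDIR=...` chain also deserves a comment such as `# MODULESDIR unset: search the running kernel's netfilter, sched and extra trees` since the `&&` chaining reads as a conditional rather than a default. reload_kernel_modules starts before and ends after these hunks.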
|
||||
|
||||
@@ -372,7 +355,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
local savemoduleinfo
|
||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
local uname
|
||||
local extras
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@@ -380,25 +362,9 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
|
||||
|
||||
if [ -n "$MODULESDIR" ]; then
|
||||
case "$MODULESDIR" in
|
||||
+*)
|
||||
extras="$MODULESDIR"
|
||||
extras=${extras#+}
|
||||
MODULESDIR=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ -z "$MODULESDIR" ]; then
|
||||
uname=$(uname -r)
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
if [ -n "$extras" ]; then
|
||||
for directory in $(split "$extras"); do
|
||||
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
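Review bot: The MODULE_SUFFIX default in this function (`o gz xz ko o.gz o.xz ko.gz ko.xz`) lists the suffixes in a different order from the one in reload_kernel_modules (`ko ko.gz ko.xz o o.gz o.xz gz xz`), and the MODULESDIR default is duplicated verbatim in both; if the suffix order decides which file is tried first (the loader loop is not visible here), the two entry points can pick different files for the same module. Pull the defaults into one shared helper, e.g. `default_modulesdir() { local uname=$(uname -r); echo "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:..."; }`, and use a single MODULE_SUFFIX default in both callers. `for directory in $(split $MODULESDIR)` and `[ -d $directory ]` are unquoted where the removed code wrote `split "$extras"`, so a directory containing whitespace is mangled. load_kernel_modules starts before and ends after these hunks.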
|
||||
|
@@ -493,7 +493,8 @@ if [ -z "$DESTDIR" ]; then
|
||||
if [ $HOST = debian ]; then
|
||||
if [ -n "$SERVICEDIR" ]; then
|
||||
if systemctl enable ${PRODUCT}.service; then
|
||||
echo "Shorewall Init will start automatically at boot"
|
||||
echo "Shorewall Init will start automatically at
|
||||
boot"
|
||||
fi
|
||||
elif mywhich insserv; then
|
||||
if insserv ${INITDIR}/shorewall-init; then
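Review bot: The success message on the new side is split across two source lines inside the quotes (`...automatically at` / `boot"`), so the user sees the text broken by an embedded newline; it should be the single line `echo "Shorewall Init will start automatically at boot"`. The `if systemctl enable ${PRODUCT}.service` test also has no else branch, so a failed enable (unit not installed, or no permission) is silent apart from systemctl's own stderr; an `else echo "WARNING: systemctl enable ${PRODUCT}.service failed" >&2` would report failure the way success is reported. The enclosing `if [ -z "$DESTDIR" ]` block starts and ends outside this hunk.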
|
||||
|
@@ -153,7 +153,7 @@ if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
|
||||
VERSION="$INSTALLED_VERSION"
|
||||
fi
|
||||
else
|
||||
echo "WARNING: Shorewall Lite Version $VERSION is not installed"
|
||||
echo "WARNING: Shorewal Lite Version $VERSION is not installed"
|
||||
VERSION=""
|
||||
fi
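Review bot: The warning on the new side misspells the product name (`Shorewal Lite`); the message should read `echo "WARNING: Shorewall Lite Version $VERSION is not installed"`. It is also a warning printed to stdout; adding `>&2` keeps it out of any captured output. The enclosing `if [ -f ${SHAREDIR}/shorewall-lite/version ]` block starts outside this hunk.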
|
||||
|
||||
@@ -195,11 +195,9 @@ if [ -f "$FIREWALL" ]; then
|
||||
remove_file $FIREWALL
|
||||
fi
|
||||
|
||||
[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
|
||||
|
||||
if [ -n "$SERVICEDIR" ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
||||
rm -f $SERVICEDIR/shorewall-lite.service
|
||||
rm -f $SYSTEMD/shorewall-lite.service
|
||||
fi
|
||||
|
||||
rm -f ${SBINDIR}/shorewall-lite
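Review bot: `[ $configure -eq 1 ]` on the new side leaves `$configure` unquoted, so an empty value produces a `[: -eq: unary operator expected` error instead of skipping the disable; write `[ "${configure:-0}" -eq 1 ] && systemctl disable ${PRODUCT}`. The old side also accepted SERVICEDIR as the unit location (`[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"`); if the installer for this release records the unit directory under SERVICEDIR rather than SYSTEMD (the shorewallrc is not visible here), the new side leaves shorewall-lite.service behind after uninstall. `systemctl disable ${PRODUCT}` is unchecked, so a failed disable goes unreported beyond systemctl's own stderr. The script continues outside this hunk.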
|
||||
|
@@ -7031,7 +7031,7 @@ sub isolate_source_interface( $ ) {
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ||
|
||||
$source =~ /^(.+?):(!?\+.+)$/ ||
|
||||
$source =~ /^(.+?):(!?[&%~].+)$/ ||
|
||||
$source =~ /^(.+?):(!?[&%].+)$/ ||
|
||||
$source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
|
||||
) {
|
||||
$iiface = $1;
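Review bot: The new side's character class in `$source =~ /^(.+?):(!?[&%].+)$/` no longer admits `~`, so an interface-qualified source whose address part starts with `~` (the MAC-address notation, if this file follows the `~mac` form of shorewall-rules(5)) falls through this `elsif` to whichever branch follows — that branch is outside the hunk, so check that it does not treat the whole `iface:~mac` text as a bare interface name. The alternatives are also inconsistent about trailing whitespace: the first and last end in `\s*$`, the middle ones in bare `$`, and `$` admits a trailing newline where `\z` does not. A one-line comment per alternative naming what it matches (bracketed list, ipset, `&`/`%` address forms, bracketed address with prefix length — as far as the patterns show) would make this list far easier to maintain. isolate_source_interface starts and ends outside this hunk.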
|
||||
|
@@ -2245,7 +2245,7 @@ sub split_line2( $$;$$$ ) {
|
||||
|
||||
for ( @pairs ) {
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
|
||||
my ( $column, $value ) = ( lc( $1 ), $2 );
|
||||
my ( $column, $value ) = ( lc $1, $2 );
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
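Review bot: `fatal_error "Unknown column ($1)"` on the line after the `my ( $column, $value ) = ( lc $1, $2 );` assignment still reads the capture variable two statements after the match; it works only because nothing in between runs a regex, and any later validation of `$value` inserted there would silently clobber `$1`. Capture the raw name once — `my ( $raw, $value ) = ( $1, $2 ); my $column = lc $raw;` — and report `($raw)` in the error. The pattern `/^(\w+)(?:=>?|:)(.+)$/` also uses `$`, which lets a trailing newline through as part of the value where `\z` would not. split_line2 starts and ends outside this hunk.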
|
||||
|
@@ -6,5 +6,6 @@
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#####################################################################################################
|
||||
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
|
||||
#################################################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
|
||||
# PORT(S) PORT(S) GROUP
|
||||
|
@@ -5,8 +5,6 @@
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
# Place '# ' below the 'C' in COMMENT followed by a comment describing
|
||||
# the action.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION OPTIONS COMMENT
|
||||
########################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
|
@@ -3,5 +3,6 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-arprules"
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST OPCODE
|
||||
##############################################################################################################
|
||||
#ACTION SOURCE DEST ARP
|
||||
# OPCODE
|
||||
|
@@ -6,5 +6,6 @@
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
@@ -3,10 +3,11 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-conntrack"
|
||||
#
|
||||
##############################################################################################################
|
||||
?FORMAT 3
|
||||
######################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
|
||||
|
||||
##############################################################################################################
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
?if $AUTOHELPERS && __CT_TARGET
|
||||
|
||||
?if __AMANDA_HELPER
|
||||
|
@@ -7,4 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-ecn.html
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE HOSTS
|
||||
#INTERFACE HOST(S)
|
||||
|
@@ -7,4 +7,4 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-hosts.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE HOSTS OPTIONS
|
||||
#ZONE HOST(S) OPTIONS
|
||||
|
@@ -6,6 +6,7 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ZONE INTERFACE OPTIONS
|
||||
|
@@ -13,7 +13,6 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
local status
|
||||
status=0
|
||||
|
||||
|
@@ -6,4 +6,4 @@
|
||||
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||
#
|
||||
###############################################################################
|
||||
#DISPOSITION INTERFACE MAC ADDRESSES
|
||||
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
|
||||
|
@@ -11,4 +11,5 @@
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
#
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-masq.html
|
||||
#
|
||||
###################################################################################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL PROBABILITY
|
||||
# GROUP DEST
|
||||
|
@@ -6,4 +6,5 @@
|
||||
# For additional information, see http://shorewall.net/NAT.htm
|
||||
#
|
||||
###############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
|
@@ -6,5 +6,6 @@
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
#############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DPORT SPORT
|
||||
##############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -22,3 +22,5 @@
|
||||
# net eth0 130.252.100.255 routefilter,norfc1918
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-policy.html
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
|
||||
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
|
||||
# LEVEL BURST MASK
|
||||
|
@@ -6,9 +6,9 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-rules.html
|
||||
#
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
|
@@ -8,5 +8,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
cat -
|
||||
|
@@ -3,5 +3,6 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-secmarks"
|
||||
#
|
||||
############################################################################################
|
||||
#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
############################################################################################################
|
||||
#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
|
@@ -8,5 +8,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
return 0
|
||||
|
@@ -10,4 +10,5 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -6,4 +6,5 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE MARK RATE CEIL PRIO OPTIONS
|
||||
#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
|
||||
# DMAX:UMAX
|
||||
|
@@ -6,4 +6,5 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
#INTERFACE INTERFACES
|
||||
|
@@ -5,5 +5,6 @@
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
######################################################################################
|
||||
#CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
||||
########################################################################################################
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#CLASS PORT(S) PORT(S)
|
||||
|
@@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
|
@@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
#BAND PROTO PORT(S) ADDRESS IN-INTERFACE HELPER
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-tunnels.html
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
#TYPE ZONE GATEWAY(S) GATEWAY
|
||||
# ZONE(S)
|
||||
|
@@ -7,6 +7,6 @@
|
||||
# http://www.shorewall.net/manpages/shorewall-zones.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
|
||||
fw firewall
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
|
@@ -403,15 +403,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly named DESTINATION.</para>
|
||||
|
||||
<para>Packet Destination.</para>
|
||||
|
||||
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
||||
@@ -420,7 +418,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">{any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||
@@ -430,8 +428,6 @@
|
||||
role="bold">all</emphasis>}]}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly named PROTOCOL</para>
|
||||
|
||||
<para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
|
||||
<emphasis>protocol-number</emphasis>, <emphasis
|
||||
role="bold">ipp2p</emphasis>, <emphasis
|
||||
@@ -444,8 +440,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -464,14 +460,12 @@
|
||||
("iptables -m ipp2p --help") without the leading "--". If no option
|
||||
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>This column was formerly named DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -488,22 +482,20 @@
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DPORT. Use of '=' requires multi-port match in your iptables and
|
||||
kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly named USER/GROUP and may only be
|
||||
non-empty if the <emphasis role="bold">CHAIN</emphasis> is <emphasis
|
||||
<para>This column may only be non-empty if the <emphasis
|
||||
role="bold">CHAIN</emphasis> is <emphasis
|
||||
role="bold">OUTPUT</emphasis>.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
|
@@ -273,7 +273,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
|
||||
<term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional. Describes the type of frame. Possible
|
||||
|
@@ -424,7 +424,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DPORT - port-number/service-name-list</term>
|
||||
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@@ -432,13 +432,11 @@
|
||||
ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SPORT - port-number/service-name-list</term>
|
||||
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@@ -448,24 +446,22 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER ‒
|
||||
<term>USER/GROUP (user) ‒
|
||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly named USER/GROUP and may only be
|
||||
specified if the SOURCE <replaceable>zone</replaceable> is $FW.
|
||||
Specifies the effective user id and or group id of the process
|
||||
sending the traffic.</para>
|
||||
<para>May only be specified if the SOURCE
|
||||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
||||
id and or group id of the process sending the traffic.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -524,7 +520,8 @@
|
||||
|
||||
<para>Example 1:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||||
|
||||
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
||||
@@ -532,12 +529,14 @@ CT:helper:ftp(expevents=new) fw - tcp
|
||||
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
DROP all-:1.2.3.4 -
|
||||
DROP all 1.2.3.4</programlisting>
|
||||
|
||||
<para>or<programlisting>FORMAT 3
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
DROP:P 1.2.3.4 -
|
||||
DROP:PO - 1.2.3.4
|
||||
</programlisting></para>
|
||||
|
@@ -76,7 +76,8 @@ z2 net REJECT</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT all!z2 net tcp 22</programlisting>
|
||||
|
||||
<para>In this case, SSH connections from <emphasis
|
||||
|
@@ -57,7 +57,7 @@
|
||||
<option>dst</option>. Example: myset[src,dst].</member>
|
||||
</simplelist>
|
||||
|
||||
<para>In a SOURCE or SPORT column, the following pairs are
|
||||
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@@ -66,7 +66,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In a DEST or DPORT column, the following pairs are
|
||||
<para>In a DEST or DEST PORT(S) column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
@@ -570,7 +570,8 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
that problem. SAME may be used in the PREROUTING and OUTPUT
|
||||
chains. When used in PREROUTING, it causes matching
|
||||
connections from an individual local system to all use the
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
||||
80 or 443 and it has sent a packet on either of those ports in
|
||||
@@ -580,7 +581,8 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<para>When used in the OUTPUT chain, it causes all matching
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||
optional <replaceable>timeout</replaceable> parameter was
|
||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||
@@ -833,7 +835,7 @@ Normal-Service => 0x00</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis>- {<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -861,13 +863,12 @@ Normal-Service => 0x00</programlisting>
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly named DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -881,17 +882,16 @@ Normal-Service => 0x00</programlisting>
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||
'=' requires multi-port match in your iptables and kernel.</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.6.0, an
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1097,7 +1097,8 @@ Normal-Service => 0x00</programlisting>
|
||||
by the named helper module.</para>
|
||||
|
||||
<para>Example: Mark all FTP data connections with mark
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S)
|
||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1286,7 +1287,8 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>We assume packet/connection mark 0 means unclassified.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
|
||||
@@ -1311,7 +1313,8 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<programlisting>/etc/shorewall/tcrules:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
@@ -249,7 +249,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
|
||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -429,14 +429,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
|
||||
<para>Only locally-generated connections will match if this column
|
||||
is non-empty.</para>
|
||||
|
||||
@@ -539,7 +538,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -550,8 +550,6 @@
|
||||
original destination address matches one of the listed addresses. It
|
||||
is useful for specifying that SNAT should occur only for connections
|
||||
that were acted on by a DNAT when they entered the firewall.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -641,7 +639,7 @@
|
||||
172.20.1.0/29 to be sent from eth0 with source IP address
|
||||
206.124.146.176.</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS PROTO DPORT
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS PROTO PORT(S)
|
||||
eth0 172.20.1.0/29 206.124.146.177 tcp smtp
|
||||
eth0 172.20.1.0/29 206.124.146.176</programlisting>
|
||||
|
||||
@@ -674,7 +672,8 @@
|
||||
|
||||
<programlisting>/etc/shorewall/tcrules:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
@@ -106,16 +106,15 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||
no (or left empty) then NAT will be effective only through the
|
||||
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
||||
column.</para>
|
||||
|
||||
<para>This column was formerly labelled ALL INTERFACES.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -161,7 +160,8 @@ smc eth0:10.1.10.0/24</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
10.1.10.100 eth0 172.20.1.100
|
||||
</programlisting>
|
||||
|
||||
@@ -170,7 +170,8 @@ smc eth0:10.1.10.0/24</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
|
@@ -82,7 +82,7 @@
|
||||
|
||||
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
...
|
||||
DNAT sam loc:192.168.1.3 tcp ssh
|
||||
DNAT net loc:192.168.1.5 tcp www
|
||||
@@ -100,7 +100,7 @@
|
||||
Because of the way that Netfilter is constructed, this requires two rules
|
||||
as follows:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
...
|
||||
ACCEPT+ sam $FW tcp ssh
|
||||
DNAT net loc:192.168.1.3 tcp ssh
|
||||
@@ -143,7 +143,8 @@
|
||||
</itemizedlist>
|
||||
|
||||
<para>As a consequence, the following rules will have unexpected
|
||||
behavior:<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT net dmz tcp 80
|
||||
REDIRECT loc 3128 tcp 80</programlisting></para>
|
||||
|
||||
@@ -172,7 +173,8 @@
|
||||
|
||||
<para>When using other Shorewall versions, another way is to rewrite the
|
||||
DNAT rule (assume that the local zone is entirely within
|
||||
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT net dmz tcp 80
|
||||
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
|
||||
|
||||
|
@@ -137,7 +137,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -160,13 +160,11 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> -
|
||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -178,8 +176,6 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -173,9 +173,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>The remaining columns specify characteristics of the packet
|
||||
before rewriting. In particular, the ORIGDEST column gives the
|
||||
original destination IP address of the packet and the DPORT column
|
||||
give the original destination port(s).</para>
|
||||
before rewriting. In particular, the ORIGINAL DEST column gives the
|
||||
original destination IP address of the packet and the DEST PORT(S)
|
||||
column give the original destination port(s).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -1201,7 +1201,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1233,7 +1234,7 @@
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">SPORT</emphasis> list below:</para>
|
||||
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1244,13 +1245,12 @@
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1260,10 +1260,11 @@
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||
'=' requires multi-port match in your iptables and kernel.</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
@@ -1273,12 +1274,12 @@
|
||||
</warning>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an <emphasis role="bold">ORIGDEST</emphasis> in the next column,
|
||||
then place "-" in this column.</para>
|
||||
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
||||
column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DPORT</emphasis> list above:</para>
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1289,13 +1290,12 @@
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -1344,13 +1344,11 @@
|
||||
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
|
||||
for an example of using an entry in this column with a user-defined
|
||||
action rule.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">RATE</emphasis> -
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
|
||||
<replaceable>limit</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -1415,13 +1413,11 @@
|
||||
enforce the per-source limit and the compiler will pick a unique
|
||||
name for the hash table that tracks the per-destination
|
||||
limit.</para>
|
||||
|
||||
<para>This column was formerly labelled RATE LIMIT.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>
|
||||
|
||||
@@ -1475,8 +1471,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1632,8 +1626,6 @@
|
||||
<listitem>
|
||||
<para>where <replaceable>dd</replaceable> is an ordinal day of
|
||||
the month</para>
|
||||
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1775,8 +1767,9 @@
|
||||
<listitem>
|
||||
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT dmz net tcp smtp</programlisting>
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
ACCEPT dmz net tcp smtp</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1787,7 +1780,8 @@
|
||||
<para>Forward all ssh and http connection requests from the internet
|
||||
to local system 192.168.1.3</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1798,8 +1792,9 @@
|
||||
<listitem>
|
||||
<para>Forward all http connection requests from the internet to
|
||||
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
||||
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
||||
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1811,7 +1806,8 @@
|
||||
port 3128 on the firewall (Squid running on the firewall system)
|
||||
except when the destination address is 192.168.2.2</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1823,7 +1819,8 @@
|
||||
<para>All http requests from the internet to address 130.252.100.69
|
||||
are to be forwarded to 192.168.1.3</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1835,9 +1832,10 @@
|
||||
<para>You want to accept SSH connections to your firewall only from
|
||||
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT net:130.252.100.69,130.252.100.70 \
|
||||
$FW tcp 22</programlisting>
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||
tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1849,7 +1847,8 @@
|
||||
firewall on port 2222 and you want to forward them to local system
|
||||
192.168.1.3, port 22</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
DNAT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1861,7 +1860,8 @@
|
||||
<para>You want to redirect connection requests to port 80 randomly
|
||||
to the port range 81-90.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
REDIRECT net $FW::81-90:random tcp www</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1897,7 +1897,8 @@
|
||||
|
||||
<para>rules:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
REDIRECT loc 3128 tcp 80 </programlisting>
|
||||
|
||||
<simpara>Note that it would have been tempting to simply define the
|
||||
@@ -1925,7 +1926,8 @@
|
||||
<para>Add the tuple (source IP, dest port, dest IP) of an incoming
|
||||
SSH connection to the ipset S:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1937,7 +1939,8 @@
|
||||
<para>You wish to limit SSH connections from remote systems to 1/min
|
||||
with a burst of three (to allow for limited retry):</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT(S) PORT(S) DEST LIMIT
|
||||
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1949,7 +1952,8 @@
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
||||
is on.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1961,7 +1965,8 @@
|
||||
<para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
|
||||
and <emphasis>Satellite Provider</emphasis> address ranges:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP net:^A1,A2 fw tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1973,7 +1978,8 @@
|
||||
<para>You want to generate your own rule involving iptables targets
|
||||
and matches not supported by Shorewall.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>The above will generate the following iptables-restore
|
||||
|
@@ -93,7 +93,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHAIN -
|
||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
||||
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -140,8 +140,6 @@
|
||||
|
||||
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
||||
</simplelist>
|
||||
|
||||
<para>This column was formerly labelled CHAIN:STATE.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -238,7 +236,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -261,13 +259,12 @@
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered
|
||||
if any of the following field is supplied. In that case, it is
|
||||
suggested that this field contain "-"</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -275,8 +272,6 @@
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -393,7 +388,8 @@
|
||||
|
||||
<para><filename>/etc/shorewall/secmarks</filename>:</para>
|
||||
|
||||
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
|
||||
SAVE I:N lo 127.0.0.1 tcp 3306
|
||||
RESTORE I:ER</programlisting>
|
||||
|
@@ -112,7 +112,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> ‒
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -121,13 +121,11 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> ‒
|
||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -138,12 +136,11 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||
'=' requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -135,7 +135,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -143,19 +143,16 @@
|
||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s).</para>
|
||||
|
||||
<para>This column was previously labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional source port.</para>
|
||||
|
||||
<para>This column was previously labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -295,7 +292,8 @@
|
||||
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
||||
protocols.</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST
|
||||
# PORT
|
||||
|
||||
IPV4
|
||||
|
||||
@@ -316,7 +314,8 @@
|
||||
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
||||
later).</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST PRIORITY
|
||||
# PORT
|
||||
|
||||
IPV4
|
||||
|
||||
|
@@ -1625,11 +1625,11 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>This parameter specifies the directory/directories where your
|
||||
kernel netfilter modules may be found. If you leave the variable
|
||||
empty, Shorewall will supply the value
|
||||
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
|
||||
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||
'<command>uname -r</command>' and <emphasis
|
||||
role="bold">g_family</emphasis> holds '4'. </para>
|
||||
empty, Shorewall will supply the value "/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
|
||||
3.2.4 and "/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter" in later versions.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -193,11 +193,9 @@ if [ -f "$FIREWALL" ]; then
|
||||
remove_file $FIREWALL
|
||||
fi
|
||||
|
||||
[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
|
||||
|
||||
if [ -n "$SERVICEDIR" ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
||||
rm -f $SERVICEDIR/shorewall6-lite.service
|
||||
rm -f $SYSTEMD/shorewall6-lite.service
|
||||
fi
|
||||
|
||||
rm -f ${SBINDIR}/shorewall6-lite
|
||||
@@ -207,6 +205,7 @@ rm -rf ${SHAREDIR}/shorewall6-lite
|
||||
rm -rf ${LIBEXECDIR}/shorewall6-lite
|
||||
rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
|
||||
rm -f ${SYSCONFDIR}/shorewall6-lite
|
||||
[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service
|
||||
|
||||
rm -f ${MANDIR}/man5/shorewall6-lite*
|
||||
rm -f ${MANDIR}/man8/shorewall6-lite*
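Review bot: The unit file is removed twice on the new side — `rm -f $SYSTEMD/shorewall6-lite.service` inside the `if [ -n "$SYSTEMD" ]` block and again by the appended `[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service` after the sysconfdir cleanup; one of them should go. The expansions are also unquoted, so a `$SYSTEMD` (or `$SHAREDIR`/`$LIBEXECDIR`, which feed `rm -rf`) containing whitespace would split into extra arguments for rm; `rm -f "${SYSTEMD}/shorewall6-lite.service"` and `[ -n "$SHAREDIR" ] && rm -rf "${SHAREDIR}/shorewall6-lite"` are the safer forms. The variables come from the script's preamble, which lies outside the hunk, so I cannot confirm here that they are guaranteed non-empty.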
|
||||
|
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=keep
|
||||
IP_FORWARDING=Off
|
||||
|
||||
KEEP_RT_TABLES=Yes
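Review bot: Setting `IP_FORWARDING=Off` makes Shorewall clear the kernel forwarding sysctl on every start, whereas `keep` left whatever value the administrator or another component had set; on a host where a container runtime or VPN had enabled forwarding, this sample now switches it off silently. If that is the intended hardening for this sample, a one-line comment would make it explicit: `# Forwarding is disabled on each start; use 'keep' to leave the kernel setting untouched`. I cannot tell from the hunk which sample configuration this is.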
|
||||
|
||||
|
@@ -160,7 +160,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=keep
|
||||
IP_FORWARDING=Off
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=keep
|
||||
IP_FORWARDING=On
|
||||
|
||||
KEEP_RT_TABLES=Yes
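Review bot: `IP_FORWARDING=On` forces kernel forwarding on at every start, making the host a router regardless of its prior sysctl state, where `keep` deferred to the kernel value. For a multi-interface sample that is presumably the intent, but it should be documented so users who only want zone-to-firewall traffic do not inherit routing unknowingly: `# Forwarding is turned on unconditionally at start; set to 'keep' to leave the kernel setting unchanged`. Which sample this hunk belongs to is not visible here.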
|
||||
|
||||
|
@@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=keep
|
||||
IP_FORWARDING=On
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
###############################################################################################################
|
||||
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC HEADERS
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC HEADERS
|
||||
# PORT(S) PORT(S) GROUP
|
||||
|
@@ -5,8 +5,6 @@
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
# Place '# ' below the 'C' in COMMENT followed by a comment describing
|
||||
# the action.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION OPTIONS COMMENT
|
||||
########################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
|
@@ -6,5 +6,6 @@
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
########################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
@@ -3,10 +3,11 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall6-conntrack"
|
||||
#
|
||||
##############################################################################################################
|
||||
?FORMAT 3
|
||||
##############################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
|
||||
|
||||
##############################################################################################################
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
?if $AUTOHELPERS && __CT_TARGET
|
||||
|
||||
?if __AMANDA_HELPER
|
||||
|
@@ -7,4 +7,4 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-hosts.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE HOSTS OPTIONS
|
||||
#ZONE HOST(S) OPTIONS
|
||||
|
@@ -6,6 +6,7 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ZONE INTERFACE OPTIONS
|
||||
|
@@ -13,7 +13,6 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
local status
|
||||
status=0
|
||||
|
||||
|
@@ -6,4 +6,4 @@
|
||||
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||
#
|
||||
###############################################################################
|
||||
#DISPOSITION INTERFACE MAC ADDRESSES
|
||||
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
|
||||
|
@@ -11,4 +11,5 @@
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
#
|
||||
############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -6,5 +6,6 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-masq.html
|
||||
#
|
||||
######################################################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH
|
||||
########################################################################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
|
||||
# GROUP DEST
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-nat.html
|
||||
#
|
||||
###############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
|
@@ -6,5 +6,6 @@
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
#############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DPORT SPORT
|
||||
##############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -21,3 +21,5 @@
|
||||
# net eth0 - dhcp,nosmurfs
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-policy.html
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
|
||||
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
|
||||
# LEVEL BURST MASK
|
||||
|
@@ -6,9 +6,9 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-rules.html
|
||||
#
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
|
@@ -8,5 +8,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
cat -
|
||||
|
@@ -3,5 +3,6 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-secmarks"
|
||||
#
|
||||
####################################################################################################
|
||||
#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
############################################################################################################
|
||||
#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -159,7 +159,7 @@ INLINE_MATCHES=No
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=keep
|
||||
IP_FORWARDING=Off
|
||||
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
|
@@ -11,4 +11,5 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
|
@@ -6,4 +6,4 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE MARK RATE CEIL PRIO OPTIONS
|
||||
#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
|
||||
|
@@ -6,4 +6,5 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
#INTERFACE INTERFACES
|
||||
|
@@ -5,5 +5,6 @@
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
######################################################################################
|
||||
#CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
||||
########################################################################################################
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#CLASS PORT(S) PORT(S)
|
||||
|
@@ -8,4 +8,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
#INTERFACE TYPE IN-BANDWIDTH OUT-INTERFACE
|
||||
|
@@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
#BAND PROTO PORT(S) ADDRESS IN-INTERFACE HELPER
|
||||
|
@@ -7,4 +7,5 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-tunnels.html
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
#TYPE ZONE GATEWAY(S) GATEWAY
|
||||
# ZONE(S)
|
||||
|
@@ -7,6 +7,6 @@
|
||||
# http://www.shorewall.net/manpages6/shorewall6-zones.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
|
||||
fw firewall
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
|
@@ -349,7 +349,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
|
||||
@@ -359,13 +359,11 @@
|
||||
|
||||
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
||||
column.</para>
|
||||
|
||||
<para>This column was formerly labelled DESTINATION.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||
@@ -383,14 +381,12 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||
comma-separated list of protocols.</para>
|
||||
|
||||
<para>This column was formerly labelled PROTOCOL.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -409,14 +405,12 @@
|
||||
("ip6tables -m ipp2p --help") without the leading "--". If no option
|
||||
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@@ -430,17 +424,16 @@
|
||||
support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
@@ -497,8 +490,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
217
Shorewall6/manpages/shorewall6-blacklist.xml
Normal file
@@ -0,0 +1,217 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall6-blacklist</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>blacklist</refname>
|
||||
|
||||
<refpurpose>shorewall6 Blacklist file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall6/blacklist</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>The blacklist file is used to perform static blacklisting by source
|
||||
address (IP or MAC), or by application. The use of this file is deprecated
|
||||
in favor of <ulink
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
|
||||
and beginning with Shorewall 4.5.7, the blacklist file is no longer
|
||||
installed. Existing blacklist files can be converted to a corresponding
|
||||
blrules file using the <command>shorewall6 update -b</command>
|
||||
command.</para>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Host address, network address, MAC address, IP address range
|
||||
(if your kernel and ip6tables contain iprange match support) or
|
||||
ipset name prefaced by "+" (if your kernel supports ipset match).
|
||||
Exclusion (<ulink
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
|
||||
is supported.</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
||||
|
||||
<para>A dash ("-") in this column means that any source address will
|
||||
match. This is useful if you want to blacklist a particular
|
||||
application using entries in the PROTOCOL and PORTS columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional - if specified, must be a protocol number or a
|
||||
protocol name from protocols(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the protocol is TCP (6), UDP (17),
|
||||
DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
|
||||
destination port numbers or service names from services(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional - added in 4.4.12. If specified, indicates whether
|
||||
traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
||||
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
||||
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
||||
the ADDRESS/SUBNET column is empty, then this column has no effect
|
||||
on the generated rule.</para>
|
||||
|
||||
<note>
|
||||
<para>In Shorewall 4.4.12, the keywords from and to were used in
|
||||
place of src and dst respectively. Blacklisting was still
|
||||
restricted to traffic <emphasis>arriving</emphasis> on an
|
||||
interface that has the 'blacklist' option set. So to block traffic
|
||||
from your local network to an internet host, you had to specify
|
||||
<option>blacklist</option> on your internal interface in <ulink
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
|
||||
from this zone is passed against the entries in this file that
|
||||
have the <emphasis role="bold">src</emphasis> option
|
||||
(specified or defaulted).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
|
||||
Traffic to this zone is passed against the entries in this
|
||||
file that have the <emphasis role="bold">dst</emphasis>
|
||||
option.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</note>
|
||||
|
||||
<para>In Shorewall 4.4.20, the <emphasis
|
||||
role="bold">whitelist</emphasis> option was added. When <emphasis
|
||||
role="bold">whitelist</emphasis> is specified, packets/connections
|
||||
that match the entry are not matched against the remaining entries
|
||||
in the file.</para>
|
||||
|
||||
<para>The <emphasis role="bold">audit</emphasis> option was also
|
||||
added in 4.4.20 and causes packets matching the entry to be audited.
|
||||
The <emphasis role="bold">audit</emphasis> option may not be
|
||||
specified in whitelist entries and require AUDIT_TARGET support in
|
||||
the kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>When a packet arrives on an interface that has the <emphasis
|
||||
role="bold">blacklist</emphasis> option specified in <ulink
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
|
||||
its source IP address and MAC address is checked against this file and
|
||||
disposed of according to the <emphasis
|
||||
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
||||
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||
<emphasis role="bold">PROTOCOL</emphasis> or <emphasis
|
||||
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
||||
are supplied, only packets matching the protocol (and one of the ports if
|
||||
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Example</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Example 1:</term>
|
||||
|
||||
<listitem>
|
||||
<para>To block DNS queries from address
|
||||
fe80::2a0:ccff:fedb:31c4:</para>
|
||||
|
||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
||||
fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>To block some of the nuisance applications:</para>
|
||||
|
||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
||||
- udp 1024:1033,1434
|
||||
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall6/blacklist</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-rtrules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
@@ -414,7 +414,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DPORT -
|
||||
<term>DEST PORT(S) (dport) -
|
||||
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -427,13 +427,11 @@
|
||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||
in this column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SPORT -
|
||||
<term>SOURCE PORT(S) (sport) -
|
||||
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -444,28 +442,25 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT.</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||
in this column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER ‒
|
||||
<term>USER/GROUP (user) ‒
|
||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the SOURCE
|
||||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
||||
id and or group id of the process sending the traffic.</para>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -528,7 +523,8 @@
|
||||
itself.</para>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||||
|
||||
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
||||
@@ -536,13 +532,15 @@ CT:helper:ftp(expevents=new) fw - tcp
|
||||
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
|
||||
|
||||
<programlisting>FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
DROP all-:2001:1.2.3::4 -
|
||||
DROP all 2001:1.2.3::4
|
||||
</programlisting>
|
||||
|
||||
<para>or<programlisting>FORMAT 3
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||||
# PORT(S) PORT(S)
|
||||
DROP:P 2001:1.2.3::4 -
|
||||
DROP:PO - 2001:1.2.3::4
|
||||
</programlisting></para>
|
||||
|
@@ -56,7 +56,7 @@
|
||||
<option>dst</option>. Example: myset[src,dst].</member>
|
||||
</simplelist>
|
||||
|
||||
<para>In a SOURCE or SPORT column, the following pairs are
|
||||
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@@ -65,7 +65,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In a DEST or DPORT column, the following pairs are
|
||||
<para>In a DEST or DEST PORT(S) column, the following pairs are
|
||||
equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
@@ -593,7 +593,8 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
that problem. SAME may be used in the PREROUTING and OUTPUT
|
||||
chains. When used in PREROUTING, it causes matching
|
||||
connections from an individual local system to all use the
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
||||
80 or 443 and it has sent a packet on either of those ports in
|
||||
@@ -603,7 +604,8 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<para>When used in the OUTPUT chain, it causes all matching
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||
optional <replaceable>timeout</replaceable> parameter was
|
||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||
@@ -810,7 +812,7 @@ Normal-Service => 0x00</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -833,13 +835,12 @@ Normal-Service => 0x00</programlisting>
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT </emphasis>- [<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -853,12 +854,11 @@ Normal-Service => 0x00</programlisting>
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1064,7 +1064,8 @@ Normal-Service => 0x00</programlisting>
|
||||
by the named helper module.</para>
|
||||
|
||||
<para>Example: Mark all FTP data connections with mark
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S)
|
||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1347,7 +1348,8 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>We assume packet/connection mark 0 means unclassified.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
MARK(1):T ::/0 ::/0 icmp echo-request
|
||||
MARK(1):T ::/0 ::/0 icmp echo-reply
|
||||
RESTORE:T ::/0 ::/0 all - - - 0
|
||||
|
@@ -199,7 +199,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
|
||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
@@ -379,7 +379,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
@@ -487,7 +488,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -498,8 +500,6 @@
|
||||
the listed addresses. It is useful for specifying that SNAT should
|
||||
occur only for connections that were acted on by a DNAT when they
|
||||
entered the firewall.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -103,16 +103,15 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||
no (or left empty) then NAT will be effective only through the
|
||||
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
||||
column.</para>
|
||||
|
||||
<para>This column was formerly labelled ALL INTERFACES.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -82,7 +82,7 @@
|
||||
|
||||
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
...
|
||||
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
|
||||
ACCEPT net loc:2001:19f0:feee::5 tcp www
|
||||
|
@@ -137,7 +137,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -159,13 +159,11 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -176,8 +174,6 @@
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -1111,7 +1111,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1143,7 +1144,8 @@
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated in this list and the
|
||||
<emphasis role="bold">SPORT</emphasis> list below if:</para>
|
||||
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below
|
||||
if:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1154,13 +1156,12 @@
|
||||
<replaceable>ipset</replaceable> name can be specified in this
|
||||
column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
@@ -1170,10 +1171,11 @@
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
@@ -1187,7 +1189,7 @@
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DPORT</emphasis> list above:</para>
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
@@ -1197,25 +1199,21 @@
|
||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||
in this column. This is intended to be used with
|
||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>]</term>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis role="bold">-</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Included for compatibility with Shorewall. Enter '-' in this
|
||||
column if you need to specify one of the later columns.</para>
|
||||
|
||||
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">RATE</emphasis> -
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
|
||||
<replaceable>limit</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -1280,13 +1278,11 @@
|
||||
enforce the per-source limit and the compiler will pick a unique
|
||||
name for the hash table that tracks the per-destination
|
||||
limit.</para>
|
||||
|
||||
<para>This column was formerly labelled RATE LIMIT.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>
|
||||
|
||||
@@ -1340,8 +1336,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1722,7 +1716,8 @@
|
||||
<listitem>
|
||||
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
ACCEPT dmz net tcp smtp</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1735,7 +1730,8 @@
|
||||
internet IP addresses 2002:ce7c::92b4:1::2 and
|
||||
2002:ce7c::92b4:1::22</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
|
||||
$FW tcp 22</programlisting>
|
||||
</listitem>
|
||||
@@ -1748,7 +1744,8 @@
|
||||
<para>You wish to limit SSH connections from remote systems to 1/min
|
||||
with a burst of three (to allow for limited retry):</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT(S) PORT(S) DEST LIMIT
|
||||
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1760,7 +1757,8 @@
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
||||
is set.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1772,7 +1770,8 @@
|
||||
<para>Drop all email from IP addresses in the country whose ISO-3661
|
||||
country code is ZZ.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP net:^ZZ fw tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1784,7 +1783,8 @@
|
||||
<para>You want to generate your own rule involving ip6tables targets
|
||||
and matches not supported by Shorewall.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>The above will generate the following ip6tables-restore
|
||||
|
@@ -92,7 +92,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHAIN -
|
||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
||||
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -139,8 +139,6 @@
|
||||
|
||||
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
||||
</simplelist>
|
||||
|
||||
<para>This column was formerly labelled CHAIN:STATE.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -231,7 +229,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -251,14 +249,15 @@
|
||||
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>This column is ignored if PROTO = all but must be entered if
|
||||
any of the following field is supplied. In that case, it is
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered
|
||||
if any of the following field is supplied. In that case, it is
|
||||
suggested that this field contain "-"</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
@@ -268,10 +267,11 @@
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -318,8 +318,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>This column was formerly labelled USER/GROUP.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -390,7 +388,8 @@
|
||||
|
||||
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
|
||||
|
||||
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
|
||||
SAVE I:N
|
||||
RESTORE I:ER</programlisting>
|
||||
|
@@ -112,7 +112,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DPORT ‒
|
||||
<term>DEST PORT(S) (dport) ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -121,13 +121,11 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SPORT ‒
|
||||
<term>SOURCE PORT(S) (sport) ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@@ -138,12 +136,11 @@
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DPORT column is non-empty. This causes the
|
||||
rule to match when either the source port or the destination port in
|
||||
a packet matches one of the ports specified in DPORT. Use of '='
|
||||
requires multi-port match in your iptables and kernel.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -131,7 +131,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -139,19 +139,16 @@
|
||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s).</para>
|
||||
|
||||
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional source port.</para>
|
||||
|
||||
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -289,7 +286,8 @@
|
||||
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
||||
protocols.</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST
|
||||
# PORT
|
||||
|
||||
IPV4
|
||||
|
||||
@@ -310,7 +308,8 @@
|
||||
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
||||
later).</para>
|
||||
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
|
||||
<programlisting> #CLASS SOURCE DEST PROTO DEST PRIORITY
|
||||
# PORT
|
||||
|
||||
IPV6
|
||||
|
||||
@@ -339,6 +338,6 @@
|
||||
<para><ulink
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
1240
Shorewall6/manpages/shorewall6-tcrules.xml
Normal file
1240
Shorewall6/manpages/shorewall6-tcrules.xml
Normal file
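--- a/Shorewall6/manpages/shorewall6-tos.xml
+++ b/Shorewall6/manpages/shorewall6-tos.xml
@@ -0,0 +1,181 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+<refmeta>
+<refentrytitle>shorewall6-tos</refentrytitle>
+
+<manvolnum>5</manvolnum>
+
+<refmiscinfo>Configuration Files</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>tos</refname>
+
+<refpurpose>Shorewall6 Type of Service rules file</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<cmdsynopsis>
+<command>/etc/shorewall6/tos</command>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>Description</title>
+
+<para>This file defines rules for setting Type Of Service (TOS). Its use
+is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+<ulink url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>
+(5).</para>
+
+<para>The columns in the file are as follows.</para>
+
+<variablelist>
+<varlistentry>
+<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
+role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
+role="bold">$FW</emphasis>}</term>
+
+<listitem>
+<para>If <emphasis role="bold">all</emphasis>, may optionally be
+followed by ":" and an IP address, a MAC address, a subnet
+specification or the name of an interface.</para>
+
+<para>Example: all:2002:ce7c::92b4:1::2</para>
+
+<para>MAC addresses must be prefixed with "~" and use "-" as a
+separator.</para>
+
+<para>Example: ~00-A0-C9-15-39-78</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">DEST</emphasis> - {<emphasis
+role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
+role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
+
+<listitem>
+<para>Example: 2002:ce7c::92b4:1::2</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">PROTOCOL</emphasis> -
+<emphasis>proto-name-or-number</emphasis></term>
+
+<listitem>
+<para>Protocol name or number.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">SOURCE PORT(S)</emphasis> -
+{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
+role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
+
+<listitem>
+<para>Source port or port range. If all ports, use "-".</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">DEST PORT(S)</emphasis> -
+{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
+role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
+
+<listitem>
+<para>Destination port or port range. If all ports, use "-"</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">TOS</emphasis> -
+<emphasis>tos</emphasis></term>
+
+<listitem>
+<para>Must be one of the following;</para>
+
+<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> (16)
+<emphasis role="bold">tos-maximize-throughput</emphasis> (8)
+<emphasis role="bold">tos-maximize-reliability</emphasis> (4)
+<emphasis role="bold">tos-minimize-cost</emphasis> (2)
+<emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
+
+<para>To specify more than one flag, add their values together and
+specify the numeric result.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">MARK</emphasis> - [<emphasis
+role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+role="bold">:C</emphasis>]</term>
+
+<listitem>
+<para>If you don't want to define a test but need to specify
+anything in the following columns, place a "-" in this field.</para>
+
+<variablelist>
+<varlistentry>
+<term>!</term>
+
+<listitem>
+<para>Inverts the test (not equal)</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis>value</emphasis></term>
+
+<listitem>
+<para>Value of the packet or connection mark.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis>mask</emphasis></term>
+
+<listitem>
+<para>A mask to be applied to the mark before testing.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">:C</emphasis></term>
+
+<listitem>
+<para>Designates a connection mark. If omitted, the packet
+mark's value is tested.</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</listitem>
+</varlistentry>
+</variablelist>
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+
+<para>/etc/shorewall6/tos</para>
+</refsect1>
+
+<refsect1>
+<title>See ALSO</title>
+
+<para><ulink
+url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
+shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
+shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+shorewall6-mangle(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+</refsect1>
+</refentry>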
@@ -1442,11 +1442,9 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>This parameter specifies the directory/directories where your
|
||||
kernel netfilter modules may be found. If you leave the variable
|
||||
empty, Shorewall will supply the value
|
||||
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
|
||||
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||
'<command>uname -r</command>' and <emphasis
|
||||
role="bold">g_family</emphasis> holds '6'.</para>
|
||||
empty, Shorewall6 will supply "/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
|
||||
-r`/kernel/net/ipv4/netfilter".</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@@ -306,6 +306,24 @@
|
||||
<para><emphasis role="bold">If you need to change a file in
|
||||
/usr/share/shorewall/, copy it to <filename>/etc/shorewall</filename> and
|
||||
modify the copy</emphasis></para>
|
||||
|
||||
<warning>
|
||||
<para><emphasis role="bold">Note to Debian and Ubuntu
|
||||
Users</emphasis></para>
|
||||
|
||||
<para>If you install using the .deb or using the tarball installers with
|
||||
the default <filename>shorewallrc.debian</filename> file, you will find
|
||||
that your <filename class="directory">/etc/shorewall</filename>
|
||||
directory is practially empty. This is intentional. When you install the
|
||||
.deb, the released configuration file skeletons may be found on your
|
||||
system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>. If
|
||||
you install using the tarball installers, the files are in the
|
||||
<filename>/usr/share/shorewall/configfiles</filename> sub-directory.
|
||||
Simply copy the files you need from the appropriate directory to
|
||||
<filename class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section id="Manpages">
|
||||
@@ -553,10 +571,8 @@ ACCEPT net:\
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In Shorewall 5.0.3, the sample configuration files and the man pages
|
||||
were updated to use the same column names in both the column headings and
|
||||
in the alternate specification format. The following table shows the
|
||||
column names for each of the table-oriented configuration files.</para>
|
||||
<para>The following table shows the column names for each of the
|
||||
table-oriented configuration files.</para>
|
||||
|
||||
<note>
|
||||
<para>Column names are <emphasis
|
||||
|