forked from extern/shorewall_code
1413 lines
59 KiB
XML
1413 lines
59 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-rules</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>rules</refname>
|
|
|
|
<refpurpose>Shorewall rules file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall/rules</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>Entries in this file govern connection establishment by defining
|
|
exceptions to the policies layed out in <ulink
|
|
url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
|
|
subsequent requests and responses are automatically allowed using
|
|
connection tracking. For any particular (source,dest) pair of zones, the
|
|
rules are evaluated in the order in which they appear in this file and the
|
|
first terminating match is the one that determines the disposition of the
|
|
request. All rules are terminating except LOG and COUNT rules.</para>
|
|
|
|
<warning>
|
|
<para>If you masquerade or use SNAT from a local system to the internet,
|
|
you cannot use an ACCEPT rule to allow traffic from the internet to that
|
|
system. You <emphasis role="bold">must</emphasis> use a DNAT rule
|
|
instead.</para>
|
|
</warning>
|
|
|
|
<para>The rules file is divided into sections. Each section is introduced
|
|
by a "Section Header" which is a line beginning with SECTION and followed
|
|
by the section name.</para>
|
|
|
|
<para>Sections are as follows and must appear in the order listed:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the ESTABLISHED state are processed by rules in
|
|
this section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">RELATED</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the RELATED state are processed by rules in this
|
|
section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NEW</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the NEW, INVALID and UNTRACKED states are processed
|
|
by rules in this section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<note>
|
|
<para>If you are not familiar with Netfilter to the point where you are
|
|
comfortable with the differences between the various connection tracking
|
|
states, then it is suggested that you omit the <emphasis
|
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
role="bold">RELATED</emphasis> sections and place all of your rules in
|
|
the NEW section (That's after the line that reads SECTION NEW').</para>
|
|
</note>
|
|
|
|
<warning>
|
|
<para>If you specify FASTACCEPT=Yes in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
|
</warning>
|
|
|
|
<para>You may omit any section that you don't need. If no Section Headers
|
|
appear in the file then all rules are assumed to be in the NEW
|
|
section.</para>
|
|
|
|
<para>When defining rules that rewrite the destination IP address and/or
|
|
port number (namely DNAT and REDIRECT rules), it is important to keep
|
|
straight which columns in the file specify the packet before rewriting and
|
|
which specify how the packet will look after rewriting.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The DEST column specifies the final destination for the packet
|
|
after rewriting and can include the final IP address and/or port
|
|
number.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The remaining columns specify characteristics of the packet
|
|
before rewriting. In particular, the ORIGINAL DEST column gives the
|
|
original destination IP address of the packet and the DEST PORT(S)
|
|
column give the original destination port(s).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACTION</emphasis> - <emphasis
|
|
role="bold"><replaceable>target</replaceable>[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
|
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
|
role="bold">!</emphasis></emphasis>][<emphasis
|
|
role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>
|
|
|
|
<listitem>
|
|
<para>Specifies the action to be taken if the connection request
|
|
matches the rule. <replaceable>target</replaceable> must be one of
|
|
the following.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Allow the connection request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT+</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like ACCEPT but also excludes the connection from any
|
|
subsequent matching <emphasis
|
|
role="bold">DNAT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] rules</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like ACCEPT but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NONAT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Excludes the connection from any subsequent <emphasis
|
|
role="bold">DNAT</emphasis>[-] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
|
|
a rule to accept the traffic.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Ignore the request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DROP!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like DROP but exempts the rule from being suppressed by
|
|
OPTIMIZE=1 in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>disallow the request and return an icmp-unreachable or
|
|
an RST packet.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REJECT!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like REJECT but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DNAT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Forward the request to another system (and optionally
|
|
another port).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DNAT-</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like <emphasis role="bold">DNAT</emphasis> but only
|
|
generates the <emphasis role="bold">DNAT</emphasis> iptables
|
|
rule and not the companion <emphasis
|
|
role="bold">ACCEPT</emphasis> rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REDIRECT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Redirect the request to a server running on the
|
|
firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REDIRECT-</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
|
|
generates the <emphasis role="bold">REDIRECT</emphasis>
|
|
iptables rule and not the companion <emphasis
|
|
role="bold">ACCEPT</emphasis> rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>For experts only.</para>
|
|
|
|
<para>Do not process any of the following rules for this
|
|
(source zone,destination zone). If the source and/or
|
|
destination IP address falls into a zone defined later in
|
|
<ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
|
|
or in a parent zone of the source or destination zones, then
|
|
this connection request will be passed to the rules defined
|
|
for that (those) zone(s). See <ulink
|
|
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
|
additional information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONTINUE!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like CONTINUE but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">LOG</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Simply log the packet and continue with the next
|
|
rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">QUEUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Queue the packet to a user-space application such as
|
|
ftwall (http://p2pwall.sf.net). The application may reinsert
|
|
the packet for further processing.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">QUEUE!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like QUEUE but exempts the rule from being suppressed by
|
|
OPTIMIZE=1 in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>NFQUEUE[(<replaceable>queuenumber</replaceable>)]</term>
|
|
|
|
<listitem>
|
|
<para>Queues the packet to a user-space application using the
|
|
nfnetlink_queue mechanism. If a
|
|
<replaceable>queuenumber</replaceable> is not specified, queue
|
|
zero (0) is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>COUNT</term>
|
|
|
|
<listitem>
|
|
<para>Simply increment the rule's packet and byte count and
|
|
pass the packet to the next rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">COMMENT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>the rest of the line will be attached as a comment to
|
|
the Netfilter rule(s) generated by the following entries. The
|
|
comment will appear delimited by "/* ... */" in the output of
|
|
"shorewall show <chain>". To stop the comment from being
|
|
attached to further rules, simply include COMMENT on a line by
|
|
itself.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>action</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of an <emphasis>action</emphasis> declared in
|
|
<ulink
|
|
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
|
|
in /usr/share/shorewall/actions.std.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>macro</emphasis><emphasis
|
|
role="bold">[(<replaceable>macrotarget</replaceable>)]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of a macro defined in a file named
|
|
macro.<emphasis>macro</emphasis>. If the macro accepts an
|
|
action parameter (Look at the macro source to see if it has
|
|
PARAM in the TARGET column) then the
|
|
<emphasis>macro</emphasis> name is followed by the
|
|
parenthesized <emphasis>macrotarget</emphasis> (<emphasis
|
|
role="bold">ACCEPT</emphasis>, <emphasis
|
|
role="bold">DROP</emphasis>, <emphasis
|
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
|
parameter.</para>
|
|
|
|
<para>Example: FTP(ACCEPT).</para>
|
|
|
|
<para>The older syntax where the macro name and the target are
|
|
separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
|
|
deprecated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.12. Causes addresses and/or port
|
|
numbers to be added to the named
|
|
<replaceable>ipset</replaceable>. The
|
|
<replaceable>flags</replaceable> specify the address or tupple
|
|
to be added to the set and must match the type of ipset
|
|
involved. For example, for an iphash ipset, either the SOURCE
|
|
or DESTINATION address can be added using
|
|
<replaceable>flags</replaceable> <emphasis
|
|
role="bold">src</emphasis> or <emphasis
|
|
role="bold">dst</emphasis> respectively (see the -A command in
|
|
ipset (8)).</para>
|
|
|
|
<para>ADD is non-terminating. Even if a packet matches the
|
|
rule, it is passed on to the next rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.12. Causes an entry to be deleted
|
|
from the named <replaceable>ipset</replaceable>. The
|
|
<replaceable>flags</replaceable> specify the address or tupple
|
|
to be deleted from the set and must match the type of ipset
|
|
involved. For example, for an iphash ipset, either the SOURCE
|
|
or DESTINATION address can be deletec using
|
|
<replaceable>flags</replaceable> <emphasis
|
|
role="bold">src</emphasis> or <emphasis
|
|
role="bold">dst</emphasis> respectively (see the -D command in
|
|
ipset (8)).</para>
|
|
|
|
<para>DEL is non-terminating. Even if a packet matches the
|
|
rule, it is passed on to the next rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>The <replaceable>target</replaceable> may optionally be
|
|
followed by ":" and a syslog log level (e.g, REJECT:info or
|
|
Web(ACCEPT):debug). This causes the packet to be logged at the
|
|
specified level. Note that if the <emphasis
|
|
role="bold">ACTION</emphasis> involves destination network address
|
|
translation (DNAT, REDIRECT, etc.) then the packet is logged
|
|
<emphasis role="bold">before</emphasis> the destination address is
|
|
rewritten.</para>
|
|
|
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
|
<emphasis>action</emphasis> declared in <ulink
|
|
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
|
/usr/share/shorewall/actions.std then:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If the log level is followed by "!' then all rules in the
|
|
action are logged at the log level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the log level is not followed by "!" then only those
|
|
rules in the action that do not specify logging are logged at
|
|
the specified level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The special log level <emphasis
|
|
role="bold">none!</emphasis> suppresses logging by the
|
|
action.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You may also specify <emphasis role="bold">ULOG</emphasis> or
|
|
<emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
|
|
log level.This will log to the ULOG or NFLOG target for routing to a
|
|
separate log through use of ulogd (<ulink
|
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
|
|
|
<para>Actions specifying logging may be followed by a log tag (a
|
|
string of alphanumeric characters) which is appended to the string
|
|
generated by the LOGPREFIX (in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
|
|
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
|
the log prefix generated by the LOGPREFIX setting.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE</emphasis> -
|
|
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
|
|
role="bold">all</emphasis>|<emphasis
|
|
role="bold">any</emphasis>}[<emphasis
|
|
role="bold">+</emphasis>][<emphasis
|
|
role="bold">-</emphasis>]}<emphasis
|
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
|
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
|
|
|
<listitem>
|
|
<para>Source hosts to which the rule applies. May be a
|
|
<replaceable>zone</replaceable> declared in /etc/shorewall/zones,
|
|
<emphasis role="bold">$FW</emphasis> to indicate the firewall
|
|
itself, <emphasis role="bold">all</emphasis>, <emphasis
|
|
role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
|
|
<emphasis role="bold">all+-</emphasis> or <emphasis
|
|
role="bold">none</emphasis>.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.13, you may use a
|
|
<replaceable>zone-list </replaceable>which consists of a
|
|
comma-separated list of zones declared in <ulink
|
|
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
|
|
<replaceable>zone-list</replaceable> may be optionally followed by
|
|
"+" to indicate that the rule is to apply to intra-zone traffic as
|
|
well as inter-zone traffic.</para>
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
|
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
|
means "All Zones, except the firewall itself". When <emphasis
|
|
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
|
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
|
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
|
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
|
<ulink
|
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
|
<emphasis role="bold">any</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
specified, clients may be further restricted to a list of networks
|
|
and/or hosts by appending ":" and a comma-separated list of network
|
|
and/or host addresses. Hosts may be specified by IP or MAC address;
|
|
mac addresses must begin with "~" and must use "-" as a
|
|
separator.</para>
|
|
|
|
<para>The above restriction on <emphasis
|
|
role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
|
|
<emphasis role="bold">any</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
removed in Shorewall-4.4.13.</para>
|
|
|
|
<para><emphasis role="bold">any</emphasis> is equivalent to
|
|
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
|
When there are nested zones, <emphasis role="bold">any</emphasis>
|
|
only refers to top-level zones (those with no parent zones). Note
|
|
that <emphasis role="bold">any</emphasis> excludes all vserver
|
|
zones, since those zones are nested within the firewall zone.</para>
|
|
|
|
<para>Hosts may also be specified as an IP address range using the
|
|
syntax
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
This requires that your kernel and iptables contain iprange match
|
|
support. If your kernel and iptables have ipset match support then
|
|
you may give the name of an ipset prefaced by "+". The ipset name
|
|
may be optionally followed by a number from 1 to 6 enclosed in
|
|
square brackets ([]) to indicate the number of levels of source
|
|
bindings to be matched.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
|
firewall interface can be specified by an apersand ('&')
|
|
followed by the logican name of the interface as found in the
|
|
INTERFACE column of <ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
|
(5).</para>
|
|
|
|
<para>You may exclude certain hosts from the set already defined
|
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>dmz:192.168.2.2</term>
|
|
|
|
<listitem>
|
|
<para>Host 192.168.2.2 in the DMZ</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:155.186.235.0/24</term>
|
|
|
|
<listitem>
|
|
<para>Subnet 155.186.235.0/24 on the Internet</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>loc:192.168.1.1,192.168.1.2</term>
|
|
|
|
<listitem>
|
|
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
|
|
zone.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>loc:~00-A0-C9-15-39-78</term>
|
|
|
|
<listitem>
|
|
<para>Host in the local zone with MAC address
|
|
00:A0:C9:15:39:78.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:192.0.2.11-192.0.2.17</term>
|
|
|
|
<listitem>
|
|
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:!192.0.2.11-192.0.2.17</term>
|
|
|
|
<listitem>
|
|
<para>All hosts in the net zone except for
|
|
192.0.2.11-192.0.2.17.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:155.186.235.0/24!155.186.235.16/28</term>
|
|
|
|
<listitem>
|
|
<para>Subnet 155.186.235.0/24 on the Internet except for
|
|
155.186.235.16/28</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>$FW:&eth0</term>
|
|
|
|
<listitem>
|
|
<para>The primary IP address of eth0 in the firewall zone
|
|
(Shorewall 4.4.17 and later).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST</emphasis> -
|
|
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
|
|
role="bold">all</emphasis>|<emphasis
|
|
role="bold">any</emphasis>}[<emphasis
|
|
role="bold">+</emphasis>][<emphasis
|
|
role="bold">-</emphasis>]}<emphasis
|
|
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
|
role="bold">random</emphasis>]]</term>
|
|
|
|
<listitem>
|
|
<para>Location of Server. May be a zone declared in <ulink
|
|
url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
|
|
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
|
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
|
<emphasis role="bold">none</emphasis>.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.13, you may use a
|
|
<replaceable>zone-list </replaceable>which consists of a
|
|
comma-separated list of zones declared in <ulink
|
|
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
|
|
<replaceable>zone-list</replaceable> may be optionally followed by
|
|
"+" to indicate that the rule is to apply to intra-zone traffic as
|
|
well as inter-zone traffic.</para>
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
<para>When <emphasis role="bold">all</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column intra-zone traffic is not
|
|
affected. When <emphasis role="bold">all+</emphasis> is used,
|
|
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
|
|
exclusion is supported -- see see <ulink
|
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
|
|
|
<para><emphasis role="bold">any</emphasis> is equivalent to
|
|
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
|
When there are nested zones, <emphasis role="bold">any</emphasis>
|
|
only refers to top-level zones (those with no parent zones).</para>
|
|
|
|
<para>The <replaceable>zone</replaceable> should be omitted in
|
|
DNAT-, REDIRECT- and NONAT rules.</para>
|
|
|
|
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
|
|
then either:<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>the SOURCE must be <option>all[+][-]</option>, or</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>the SOURCE <replaceable>zone</replaceable> must be
|
|
another bport zone associated with the same bridge, or</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>the SOURCE <replaceable>zone</replaceable> must be an
|
|
ipv4 zone that is associated with only the same bridge.</para>
|
|
</listitem>
|
|
</orderedlist></para>
|
|
|
|
<blockquote>
|
|
<para></para>
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
role="bold">+]|[-</emphasis>] is specified, the server may be
|
|
further restricted to a particular network, host or interface by
|
|
appending ":" and the network, host or interface. See <emphasis
|
|
role="bold">SOURCE</emphasis> above.</para>
|
|
|
|
<para>You may exclude certain hosts from the set already defined
|
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
|
|
|
<para>Restrictions:</para>
|
|
|
|
<para>1. MAC addresses are not allowed (this is a Netfilter
|
|
restriction).</para>
|
|
|
|
<para>2. You may not specify both an interface and an
|
|
address.</para>
|
|
|
|
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
|
you may specify a range of IP addresses using the syntax
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
role="bold">DNAT</emphasis> or <emphasis
|
|
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
|
addresses in the range in a round-robin fashion.</para>
|
|
|
|
<para>If you kernel and iptables have ipset match support then you
|
|
may give the name of an ipset prefaced by "+". The ipset name may
|
|
be optionally followed by a number from 1 to 6 enclosed in square
|
|
brackets ([]) to indicate the number of levels of destination
|
|
bindings to be matched. Only one of the <emphasis
|
|
role="bold">SOURCE</emphasis> and <emphasis
|
|
role="bold">DEST</emphasis> columns may specify an ipset
|
|
name.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
|
firewall interface can be specified by an apersand ('&')
|
|
followed by the logical name of the interface as found in the
|
|
INTERFACE column of <ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
|
(5).</para>
|
|
|
|
<para>The <replaceable>port</replaceable> that the server is
|
|
listening on may be included and separated from the server's IP
|
|
address by ":". If omitted, the firewall will not modifiy the
|
|
destination port. A destination port may only be included if the
|
|
<emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
role="bold">DNAT</emphasis> or <emphasis
|
|
role="bold">REDIRECT</emphasis>.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example:</term>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
|
|
specifies a local server at IP address 192.168.1.3 and
|
|
listening on port 3128.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>The <emphasis>port</emphasis> may be specified as a service
|
|
name. You may specify a port range in the form
|
|
<emphasis>lowport-highport</emphasis> to cause connections to be
|
|
assigned to ports in the range in round-robin fashion. When a port
|
|
range is specified, <emphasis>lowport</emphasis> and
|
|
<emphasis>highport</emphasis> must be given as integers; service
|
|
names are not permitted. Additionally, the port range may be
|
|
optionally followed by <emphasis role="bold">:random</emphasis>
|
|
which causes assignment to ports in the list to be random.</para>
|
|
|
|
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
role="bold">REDIRECT</emphasis> or <emphasis
|
|
role="bold">REDIRECT-</emphasis>, this column needs only to
|
|
contain the port number on the firewall that the request should be
|
|
redirected to. That is equivalent to specifying
|
|
<option>$FW</option>::<replaceable>port</replaceable>.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
|
|
role="bold">-</emphasis>|<emphasis
|
|
role="bold">tcp:syn</emphasis>|<emphasis
|
|
role="bold">ipp2p</emphasis>|<emphasis
|
|
role="bold">ipp2p:udp</emphasis>|<emphasis
|
|
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
|
|
role="bold">all}</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
|
|
ipp2p match support in your kernel and iptables. <emphasis
|
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
|
RST,ACK and FIN flags must be reset.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
|
|
{<emphasis
|
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
|
|
|
<listitem>
|
|
<para>Destination Ports. A comma-separated list of Port names (from
|
|
services(5)), port numbers or port ranges; if the protocol is
|
|
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
|
the destination icmp-type(s). ICMP types may be specified as a
|
|
numeric type, a numberic type and code separated by a slash (e.g.,
|
|
3/4), or a typename. See <ulink
|
|
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
|
|
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
|
this column is interpreted as an ipp2p option without the leading
|
|
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
|
If no port is given, <emphasis role="bold">ipp2p</emphasis> is
|
|
assumed.</para>
|
|
|
|
<para>A port range is expressed as
|
|
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
|
|
|
|
<para>This column is ignored if <emphasis
|
|
role="bold">PROTO</emphasis> = <emphasis role="bold">all</emphasis>
|
|
but must be entered if any of the following columns are supplied. In
|
|
that case, it is suggested that this field contain a dash (<emphasis
|
|
role="bold">-</emphasis>).</para>
|
|
|
|
<para>If your kernel contains multi-port match support, then only a
|
|
single Netfilter rule will be generated if in this list and the
|
|
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
<para>2. No port ranges are included or your kernel and iptables
|
|
contain extended multiport match support.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
|
{<emphasis
|
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
|
|
|
<listitem>
|
|
<para>Port(s) used by the client. If omitted, any source port is
|
|
acceptable. Specified as a comma- separated list of port names, port
|
|
numbers or port ranges.</para>
|
|
|
|
<warning>
|
|
<para>Unless you really understand IP, you should leave this
|
|
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
|
in the column. Most people who try to use this column get it
|
|
wrong.</para>
|
|
</warning>
|
|
|
|
<blockquote>
|
|
<para>If you don't want to restrict client ports but need to
|
|
specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
|
|
next column, then place "-" in this column.</para>
|
|
|
|
<para>If your kernel contains multi-port match support, then only
|
|
a single Netfilter rule will be generated if in this list and the
|
|
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
<para>2. No port ranges are included or your kernel and iptables
|
|
contain extended multiport match support.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
|
|
[<emphasis
|
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
|
|
then if this column is included and is different from the IP address
|
|
given in the <emphasis role="bold">DEST</emphasis> column, then
|
|
connections destined for that address will be forwarded to the IP
|
|
and port specified in the <emphasis role="bold">DEST</emphasis>
|
|
column.</para>
|
|
|
|
<para>A comma-separated list of addresses may also be used. This is
|
|
most useful with the <emphasis role="bold">REDIRECT</emphasis>
|
|
target where you want to redirect traffic destined for particular
|
|
set of hosts. Finally, if the list of addresses begins with "!"
|
|
(<emphasis>exclusion</emphasis>) then the rule will be followed only
|
|
if the original destination address in the connection request does
|
|
not match any of the addresses listed.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
|
firewall interface can be specified by an apersand ('&')
|
|
followed by the logical name of the interface as found in the
|
|
INTERFACE column of <ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
|
(5).</para>
|
|
|
|
<para>For other actions, this column may be included and may contain
|
|
one or more addresses (host or network) separated by commas. Address
|
|
ranges are not allowed. When this column is supplied, rules are
|
|
generated that require that the original destination address matches
|
|
one of the listed addresses. This feature is most useful when you
|
|
want to generate a filter rule that corresponds to a <emphasis
|
|
role="bold">DNAT-</emphasis> or <emphasis
|
|
role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
|
|
addresses should not begin with "!".</para>
|
|
|
|
<para>It is also possible to specify a set of addresses then exclude
|
|
part of those addresses. For example, <emphasis
|
|
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
|
|
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
|
|
See <ulink
|
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
|
|
|
<para>See <ulink
|
|
url="../PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
|
|
for an example of using an entry in this column with a user-defined
|
|
action rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
|
|
[<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
|
|
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
|
|
role="bold">/</emphasis>{<emphasis
|
|
role="bold">sec</emphasis>|<emphasis
|
|
role="bold">min</emphasis>|<emphasis
|
|
role="bold">hour</emphasis>|<emphasis
|
|
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>You may rate-limit the rule by placing a value in this
|
|
column:</para>
|
|
|
|
<para><emphasis>rate</emphasis> is the number of connections per
|
|
interval (<emphasis role="bold">sec</emphasis> or <emphasis
|
|
role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
|
|
largest burst permitted. If no <emphasis>burst</emphasis> is given,
|
|
a value of 5 is assumed. There may be no no whitespace embedded in
|
|
the specification.</para>
|
|
|
|
<para>Example: <emphasis role="bold">10/sec:20</emphasis></para>
|
|
|
|
<para>When <option>s:</option> or <option>d:</option> is specified,
|
|
the rate applies per source IP address or per destination IP address
|
|
respectively. The <replaceable>name</replaceable> may be chosen by
|
|
the user and specifies a hash table to be used to count matching
|
|
connections. If not given, the name <emphasis
|
|
role="bold">shorewallN</emphasis> (where N is a unique integer) is
|
|
assumed. Where more than one rule specifies the same name, the
|
|
connections counts for the rules are aggregated and the individual
|
|
rates apply to the aggregated count.</para>
|
|
|
|
<para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
|
[<emphasis
|
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>This column may only be non-empty if the SOURCE is the
|
|
firewall itself.</para>
|
|
|
|
<para>When this column is non-empty, the rule applies only if the
|
|
program generating the output is running under the effective
|
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
|
specified (or is NOT running under that id if "!" is given).</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>joe</term>
|
|
|
|
<listitem>
|
|
<para>program must be run by joe</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>:kids</term>
|
|
|
|
<listitem>
|
|
<para>program must be run by a member of the 'kids'
|
|
group</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>!:kids</term>
|
|
|
|
<listitem>
|
|
<para>program must not be run by a member of the 'kids'
|
|
group</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>+upnpd</term>
|
|
|
|
<listitem>
|
|
<para>program named upnpd</para>
|
|
|
|
<important>
|
|
<para>The ability to specify a program name was removed from
|
|
Netfilter in kernel version 2.6.14.</para>
|
|
</important>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
|
|
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
|
role="bold">:C</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>Defines a test on the existing packet or connection mark. The
|
|
rule will match only if the test returns true.</para>
|
|
|
|
<para>If you don't want to define a test but need to specify
|
|
anything in the following columns, place a "-" in this field.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>!</term>
|
|
|
|
<listitem>
|
|
<para>Inverts the test (not equal)</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>value</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Value of the packet or connection mark.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>mask</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>A mask to be applied to the mark before testing.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">:C</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Designates a connection mark. If omitted, the packet
|
|
mark's value is tested.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
|
|
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>May be used to limit the number of simultaneous connections
|
|
from each individual host to <replaceable>limit</replaceable>
|
|
connections. Requires connlimit match in your kernel and iptables.
|
|
While the limit is only checked on rules specifying CONNLIMIT, the
|
|
number of current connections is calculated over all current
|
|
connections from the SOURCE host. By default, the limit is applied
|
|
to each host but can be made to apply to networks of hosts by
|
|
specifying a <replaceable>mask</replaceable>. The
|
|
<replaceable>mask</replaceable> specifies the width of a VLSM mask
|
|
to be applied to the source address; the number of current
|
|
connections is then taken over all hosts in the subnet
|
|
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
|
|
When<option> !</option> is specified, the rule matches when the
|
|
number of connection exceeds the
|
|
<replaceable>limit</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">TIME</emphasis> -
|
|
<emphasis>timeelement</emphasis>[&<emphasis>timelement</emphasis>...]</term>
|
|
|
|
<listitem>
|
|
<para>May be used to limit the rule to a particular time period each
|
|
day, to particular days of the week or month, or to a range defined
|
|
by dates and times. Requires time match support in your kernel and
|
|
iptables.</para>
|
|
|
|
<para><replaceable>timeelement</replaceable> may be:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the starting time of day.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the ending time of day.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>utc</term>
|
|
|
|
<listitem>
|
|
<para>Times are expressed in Greenwich Mean Time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>localtz</term>
|
|
|
|
<listitem>
|
|
<para>Times are expressed in Local Civil Time
|
|
(default).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>weekdays=ddd[,ddd]...</term>
|
|
|
|
<listitem>
|
|
<para>where <replaceable>ddd</replaceable> is one of
|
|
<option>Mon</option>, <option>Tue</option>,
|
|
<option>Wed</option>, <option>Thu</option>,
|
|
<option>Fri</option>, <option>Sat</option> or
|
|
<option>Sun</option></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>monthdays=dd[,dd],...</term>
|
|
|
|
<listitem>
|
|
<para>where <replaceable>dd</replaceable> is an ordinal day of
|
|
the month</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the starting date and time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the ending date and time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example 1:</term>
|
|
|
|
<listitem>
|
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT dmz net tcp smtp</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 2:</term>
|
|
|
|
<listitem>
|
|
<para>Forward all ssh and http connection requests from the internet
|
|
to local system 192.168.1.3</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 3:</term>
|
|
|
|
<listitem>
|
|
<para>Forward all http connection requests from the internet to
|
|
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
|
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
# PORT PORT(S) DEST LIMIT
|
|
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 4:</term>
|
|
|
|
<listitem>
|
|
<para>Redirect all locally-originating www connection requests to
|
|
port 3128 on the firewall (Squid running on the firewall system)
|
|
except when the destination address is 192.168.2.2</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 5:</term>
|
|
|
|
<listitem>
|
|
<para>All http requests from the internet to address 130.252.100.69
|
|
are to be forwarded to 192.168.1.3</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 6:</term>
|
|
|
|
<listitem>
|
|
<para>You want to accept SSH connections to your firewall only from
|
|
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
|
tcp 22</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 7:</term>
|
|
|
|
<listitem>
|
|
<para>You wish to accept connections from the internet to your
|
|
firewall on port 2222 and you want to forward them to local system
|
|
192.168.1.3, port 22</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
DNAT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 8:</term>
|
|
|
|
<listitem>
|
|
<para>You want to redirect connection requests to port 80 randomly
|
|
to the port range 81-90.</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
REDIRECT net $FW::81-90:random tcp www</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 9:</term>
|
|
|
|
<listitem>
|
|
<para>Shorewall does not impose as much structure on the Netfilter
|
|
rules in the 'nat' table as it does on those in the filter table. As
|
|
a consequence, when using Shorewall versions before 4.1.4, care must
|
|
be exercised when using DNAT and REDIRECT rules with zones defined
|
|
with wildcard interfaces (those ending with '+'. Here is an
|
|
example:</para>
|
|
|
|
<para><ulink
|
|
url="shorewall-zones.html">shorewall-zones</ulink>(8):<programlisting> #ZONE TYPE OPTIONS
|
|
fw firewall
|
|
net ipv4
|
|
dmz ipv4
|
|
loc ipv4</programlisting></para>
|
|
|
|
<para><ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
|
net ppp0
|
|
loc eth1 detect
|
|
dmz eth2 detect
|
|
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
|
|
|
|
<para><ulink
|
|
url="shorewall-hosts.html">shorewall-host</ulink>(8):<programlisting> #ZONE HOST(S) OPTIONS
|
|
loc ppp+:192.168.3.0/24</programlisting></para>
|
|
|
|
<para>rules:</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
REDIRECT loc 3128 tcp 80 </programlisting>
|
|
|
|
<simpara>Note that it would have been tempting to simply define the
|
|
loc zone entirely in shorewall-interfaces(8):</simpara>
|
|
|
|
<para><programlisting> #******************* INCORRECT *****************
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
net ppp0
|
|
loc eth1 detect
|
|
loc ppp+
|
|
dmz eth2</programlisting></para>
|
|
|
|
<para>This would have made it impossible to run a
|
|
internet-accessible web server in the DMZ because all traffic
|
|
entering ppp+ interfaces would have been redirected to port 3128 on
|
|
the firewall and there would have been no net->fw ACCEPT rule for
|
|
that traffic.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 10:</term>
|
|
|
|
<listitem>
|
|
<para>Add the tupple (source IP, dest port, dest IP) of an incoming
|
|
SSH connection to the ipset S:</para>
|
|
|
|
<programlisting> ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/rules</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para><ulink
|
|
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
|
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
|
|
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
|
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
|
shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|