forked from extern/shorewall_code
3040156981
Signed-off-by: Tom Eastep <teastep@shorewall.net>
414 lines
16 KiB
XML
414 lines
16 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||
<refentry>
|
||
<refmeta>
|
||
<refentrytitle>shorewall6-conntrack</refentrytitle>
|
||
|
||
<manvolnum>5</manvolnum>
|
||
</refmeta>
|
||
|
||
<refnamediv>
|
||
<refname>conntrack</refname>
|
||
|
||
<refpurpose>shorewall conntrack file</refpurpose>
|
||
</refnamediv>
|
||
|
||
<refsynopsisdiv>
|
||
<cmdsynopsis>
|
||
<command>/etc/shorewall/conntrack</command>
|
||
</cmdsynopsis>
|
||
</refsynopsisdiv>
|
||
|
||
<refsect1>
|
||
<title>Description</title>
|
||
|
||
<para>The original intent of the <emphasis role="bold">notrack</emphasis>
|
||
file was to exempt certain traffic from Netfilter connection tracking.
|
||
Traffic matching entries in the file were not to be tracked.</para>
|
||
|
||
<para>The role of the file was expanded in Shorewall 4.4.27 to include all
|
||
rules that can be added in the Netfilter <emphasis
|
||
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
|
||
<emphasis role="bold">conntrack</emphasis>.</para>
|
||
|
||
<para>The file supports two different column layouts: FORMAT 1 and FORMAT
|
||
2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
|
||
additional leading ACTION column. When an entry in the file of this form
|
||
is encountered, the format of the following entries are assumed to be of
|
||
the specified <replaceable>format</replaceable>.</para>
|
||
|
||
<simplelist>
|
||
<member><emphasis role="bold">FORMAT</emphasis>
|
||
<replaceable>format</replaceable></member>
|
||
</simplelist>
|
||
|
||
<para>where <replaceable>format</replaceable> is either <emphasis
|
||
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
|
||
|
||
<para>Comments may be attached to Netfilter rules generated from entries
|
||
in this file through the use of COMMENT lines. These lines begin with the
|
||
word COMMENT; the remainder of the line is treated as a comment which is
|
||
attached to subsequent rules until another COMMENT line is found or until
|
||
the end of the file is reached. To stop adding comments to rules, use a
|
||
line with only the word COMMENT.</para>
|
||
|
||
<para>The columns in the file are as follows (where the column name is
|
||
followed by a different name in parentheses, the different name is used in
|
||
the alternate specification syntax).</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term><emphasis role="bold">ACTION</emphasis> - {<emphasis
|
||
role="bold">NOTRACK</emphasis>|<emphasis
|
||
role="bold">CT</emphasis>:<emphasis
|
||
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
|
||
role="bold">CT:notrack</emphasis>}</term>
|
||
|
||
<listitem>
|
||
<para>This column is only present when FORMAT = 2. Values other than
|
||
NOTRACK or DROP require <firstterm>CT Target </firstterm>support in
|
||
your iptables and kernel.</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><option>NOTRACK</option> or
|
||
<option>CT:notrack</option></para>
|
||
|
||
<para>Disables connection tracking for this packet.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>DROP</option></para>
|
||
|
||
<para>Added in Shorewall 4.5.10. Silently discard the
|
||
packet.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>helper</option>:<replaceable>name</replaceable></para>
|
||
|
||
<para>Attach the helper identified by the
|
||
<replaceable>name</replaceable> to this connection. This is more
|
||
flexible than loading the conntrack helper with preset
|
||
ports.</para>
|
||
|
||
<para>At this writing, the available helpers are:</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>amanda</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the amanda netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>ftp</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the FTP netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>irc</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the IRC netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>netbios-ns</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the netbios_ns (sic) helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>RAS and Q.931</term>
|
||
|
||
<listitem>
|
||
<para>These require that the H323 netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>pptp</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the pptp netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term></term>
|
||
|
||
<listitem>
|
||
<para></para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>sane</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the SANE netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>sip</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the SIP netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>snmp</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the SNMP netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>tftp</term>
|
||
|
||
<listitem>
|
||
<para>Requires that the TFTP netfilter helper is
|
||
present.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<para>May be followed by an option list of
|
||
<replaceable>arg</replaceable>=<replaceable>val</replaceable>
|
||
pairs in parentheses:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
|
||
|
||
<para>Only generate the specified conntrack events for this
|
||
connection. Possible event types are: <emphasis
|
||
role="bold">new</emphasis>, <emphasis
|
||
role="bold">related</emphasis>, <emphasis
|
||
role="bold">destroy</emphasis>, <emphasis
|
||
role="bold">reply</emphasis>, <emphasis
|
||
role="bold">assured</emphasis>, <emphasis
|
||
role="bold">protoinfo</emphasis>, <emphasis
|
||
role="bold">helper</emphasis>, <emphasis
|
||
role="bold">mark</emphasis> (this is connection mark, not
|
||
packet mark), <emphasis role="bold">natseqinfo</emphasis>,
|
||
and <emphasis role="bold">secmark</emphasis>. If more than
|
||
one <emphasis>event</emphasis> is listed, the
|
||
<replaceable>event</replaceable> list must be enclosed in
|
||
parentheses (e.g., ctevents=(new,related)).</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>expevents</option><option>=new</option></para>
|
||
|
||
<para>Only generate a <emphasis role="bold">new</emphasis>
|
||
expectation events for this connection.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>When FORMAT = 1, this column is not present and the rule is
|
||
processed as if NOTRACK had been entered in this column.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>SOURCE ‒
|
||
{<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
|
||
|
||
<listitem>
|
||
<para>where <replaceable>zone</replaceable> is the name of a zone,
|
||
<replaceable>interface</replaceable> is an interface to that zone,
|
||
and <replaceable>address-list</replaceable> is a comma-separated
|
||
list of addresses (may contain exclusion - see <ulink
|
||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||
(5)).</para>
|
||
|
||
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
||
used as the <replaceable>zone</replaceable> name to mean
|
||
<firstterm>all zones</firstterm>.</para>
|
||
|
||
<para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
|
||
used as the <replaceable>zone</replaceable> name to mean all
|
||
<firstterm>off-firewall zone</firstterm>s.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>DEST ‒
|
||
[<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
|
||
|
||
<listitem>
|
||
<para>where <replaceable>interface</replaceable> is the name of a
|
||
network interface and <replaceable>address-list</replaceable> is a
|
||
comma-separated list of addresses (may contain exclusion - see
|
||
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||
(5)). If an interface is given:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>It must be up and configured with an IPv4 address when
|
||
Shorewall is started or restarted.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>All routes out of the interface must be configured when
|
||
Shorewall is started or restarted.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Default routes out of the interface will result in a
|
||
warning message and will be ignored.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>These restrictions are because Netfilter doesn't support
|
||
NOTRACK rules that specify a destination interface (these rules are
|
||
applied before packets are routed and hence the destination
|
||
interface is unknown). Shorewall uses the routes out of the
|
||
interface to replace the interface with an address list
|
||
corresponding to the networks routed out of the named
|
||
interface.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>PROTO ‒
|
||
<replaceable>protocol-name-or-number</replaceable></term>
|
||
|
||
<listitem>
|
||
<para>A protocol name from <filename>/etc/protocols</filename> or a
|
||
protocol number.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
|
||
|
||
<listitem>
|
||
<para>A comma-separated list of port numbers and/or service names
|
||
from <filename>/etc/services</filename>. May also include port
|
||
ranges of the form
|
||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||
if your kernel and iptables include port range support.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
|
||
|
||
<listitem>
|
||
<para>A comma-separated list of port numbers and/or service names
|
||
from <filename>/etc/services</filename>. May also include port
|
||
ranges of the form
|
||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||
if your kernel and iptables include port range support.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>USER/GROUP (user) ‒
|
||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||
|
||
<listitem>
|
||
<para>May only be specified if the SOURCE
|
||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
||
id and or group id of the process sending the traffic.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term><emphasis role="bold">SWITCH -
|
||
[!]<replaceable>switch-name</replaceable></emphasis></term>
|
||
|
||
<listitem>
|
||
<para>Added in Shorewall 4.5.10 and allows enabling and disabling
|
||
the rule without requiring <command>shorewall
|
||
restart</command>.</para>
|
||
|
||
<para>The rule is enabled if the value stored in
|
||
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
|
||
is 1. The rule is disabled if that file contains 0 (the default). If
|
||
'!' is supplied, the test is inverted such that the rule is enabled
|
||
if the file contains 0. <replaceable>switch-name</replaceable> must
|
||
begin with a letter and be composed of letters, decimal digits,
|
||
underscores or hyphens. Switch names must be 30 characters or less
|
||
in length.</para>
|
||
|
||
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
|
||
turn a switch <emphasis role="bold">on</emphasis>:</para>
|
||
|
||
<simplelist>
|
||
<member><command>echo 1 >
|
||
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
|
||
</simplelist>
|
||
|
||
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
|
||
|
||
<simplelist>
|
||
<member><command>echo 0 >
|
||
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
|
||
</simplelist>
|
||
|
||
<para>Switch settings are retained over <command>shorewall
|
||
restart</command>.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>EXAMPLE</title>
|
||
|
||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
||
# PORT(S) PORT(S)
|
||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>FILES</title>
|
||
|
||
<para>/etc/shorewall/notrack</para>
|
||
</refsect1>
|
||
|
||
<refsect1>
|
||
<title>See ALSO</title>
|
||
|
||
<para><ulink
|
||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||
|
||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||
shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
|
||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
|
||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||
shorewall-zones(5)</para>
|
||
</refsect1>
|
||
</refentry>
|