forked from extern/shorewall_code
b66929a65e
1) Elimination of the "shorewall monitor" command.
2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files.
3) Support has been added for the arp_ignore interface option.
4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified.
5) The 'nobogons' option and BOGON_LOG_LEVEL are removed.
6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:).
7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target.
8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall ensures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewalls with NFS-mounted file systems, LDAP servers, Crossbow, etc.
9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch.
10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No.
11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
70 lines
2.5 KiB
Plaintext
#
# Shorewall version 2.6 - Macro Template File
#
# /usr/share/shorewall/macro.template
#
# Macro files are similar to template files with the following exceptions:
#
# - A macro file is not processed unless the macro that it defines is referenced in the
#   /etc/shorewall/rules file or in an action definition file.
#
# - Macros are translated directly into one or more rules whereas actions become their own
#   chain.
#
# - All entries in a macro undergo substitution when the macro is invoked in the rules file.
#
# - Macros may not invoke other macros.
#
# The columns in a macro definition are the same as those in the action.template file.
# A few examples should help show how Macros work.
#
# /etc/shorewall/macro.FwdFTP:
#
#   #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    RATE    USER/
#   #                                 PORT      PORT(S)   LIMIT   GROUP
#   DNAT      -        -      tcp     21
#
# /etc/shorewall/rules:
#
#   #ACTION   SOURCE   DEST              PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/
#   #                                            PORT   PORT(S)   DEST       LIMIT   GROUP
#   FwdFTP    net      loc:192.168.1.5
#
# The result is equivalent to:
#
#   #ACTION   SOURCE   DEST              PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/
#   #                                            PORT   PORT(S)   DEST       LIMIT   GROUP
#   DNAT      net      loc:192.168.1.5   tcp     21
#
# The substitution rules are as follows:
#
#   ACTION column     If in the invocation of the macro, the macro name is followed by a
#                     slash ("/") and a second name, the second name is substituted for
#                     each entry in the macro whose ACTION is PARAM.
#
#                     For example, if macro FOO is invoked as FOO/ACCEPT then when
#                     expanding macro.FOO, Shorewall will substitute ACCEPT in each
#                     entry in macro.FOO whose ACTION column contains PARAM. PARAM may
#                     optionally be followed by a colon and a log level.
#
#                     Any logging specified when the macro is invoked is applied to each
#                     entry in the macro.
#
#   SOURCE and DEST   If the column in the macro is empty then the value in the rules
#   columns           file is used. If the column in the macro is non-empty then any
#                     value in the rules file is appended with a ":" separator.
#
#                     Example: Macro File   DNAT     net   loc               tcp   21
#                              rules File   FwdFTP   -     192.168.1.5
#                              Result       DNAT     net   loc:192.168.1.5   tcp   21
#
#   Remaining         Any value in the rules file REPLACES the value given in the macro
#   columns           file.
#
#
#
####################################################################################################
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    RATE    USER/
#                                 PORT      PORT(S)   LIMIT   GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
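The substitution rules above, as an added Python model (not Shorewall's own code, which is shell) that expands a macro invocation from the rules file into the equivalent rules-file entries. The column layout and the FwdFTP sample are taken from the template; the function names and the `FOO:level` form for invocation-time logging are my own assumptions.

```python
# Added example: a model of Shorewall 2.6 macro expansion as described in
# macro.template. Function and column names are assumptions, not Shorewall's.
MACRO_COLS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "RATE", "USER"]
RULE_COLS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT",
             "ORIGDEST", "RATE", "USER"]


def parse_row(line, cols):
    """Split a whitespace-separated entry into named columns; '-' means empty."""
    row = dict.fromkeys(cols, "")
    for name, value in zip(cols, line.split()):
        row[name] = "" if value == "-" else value
    return row


def expand_macro(invocation, macro_text):
    """Expand one rules-file invocation (e.g. 'FwdFTP net loc:192.168.1.5')
    of the macro whose body is macro_text into rules-file entries (column lists)."""
    rule = parse_row(invocation, RULE_COLS)
    name, _, param = rule["ACTION"].partition("/")   # FOO/ACCEPT -> param ACCEPT
    name, _, log_level = name.partition(":")         # FOO:info -> log level (assumed syntax)
    expanded = []
    for line in macro_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                 # skip comments and blank lines
        entry = parse_row(line, MACRO_COLS)
        action = entry["ACTION"]
        if action.split(":")[0] == "PARAM":
            if not param:
                raise ValueError(f"macro {name} needs a parameter, e.g. {name}/ACCEPT")
            action = param + action[len("PARAM"):]   # keeps an optional ':loglevel' suffix
        if log_level and ":" not in action:
            action += ":" + log_level                # invocation logging applies to every entry
        out = {"ACTION": action}
        for col in ("SOURCE", "DEST"):               # macro value first, rules value appended
            out[col] = ":".join(v for v in (entry[col], rule[col]) if v)
        for col in RULE_COLS[3:]:                    # rules-file value REPLACES macro value
            out[col] = rule[col] or entry.get(col, "")
        expanded.append([out[c] or "-" for c in RULE_COLS])
    return expanded


# Constructed sample: the macro.FwdFTP body shown in the template.
FWD_FTP_MACRO = "#ACTION SOURCE DEST PROTO DPORT\nDNAT - - tcp 21\n"

if __name__ == "__main__":
    for row in expand_macro("FwdFTP net loc:192.168.1.5", FWD_FTP_MACRO):
        print(" ".join(row))   # DNAT net loc:192.168.1.5 tcp 21 - - - -
```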