"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "configuration_file_basics.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

configuration_file_basics.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):configuration_file_basics.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 21 skipping to change at line 21
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
</authorgroup> </authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2019</year> <year>2001-2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
<legalnotice> <legalnotice>
<para>Permission is granted to copy, distribute and/or modify this <para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
skipping to change at line 59 skipping to change at line 59
</caution> </caution>
<section> <section>
<title id="Intro">Introduction</title> <title id="Intro">Introduction</title>
<para>This article offers hints about how to accomplish common tasks with <para>This article offers hints about how to accomplish common tasks with
Shorewall. The <ulink url="Introduction.html">Introduction to Shorewall. The <ulink url="Introduction.html">Introduction to
Shorewall</ulink> is required reading for being able to use this article Shorewall</ulink> is required reading for being able to use this article
effectively. For information about setting up your first Shorewall-based effectively. For information about setting up your first Shorewall-based
firewall, see the <ulink url="GettingStarted.html">Quickstart firewall, see the <ulink url="GettingStarted.html">Quickstart
Guides</ulink>.in</para> Guides</ulink>.</para>
</section> </section>
<section id="Files"> <section id="Files">
<title>Files</title> <title>Files</title>
<para><itemizedlist> <para><itemizedlist>
<listitem> <listitem>
<para><filename>/etc/shorewall/shorewall.conf</filename> - used to <para><filename>/etc/shorewall/shorewall.conf</filename> - used to
set global firewall parameters.</para> set global firewall parameters.</para>
</listitem> </listitem>
skipping to change at line 330 skipping to change at line 330
<para>Example — To view the manual page for <para>Example — To view the manual page for
<filename>/etc/shorewall/interfaces</filename>:</para> <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>man shorewall-interfaces</programlisting> <programlisting>man shorewall-interfaces</programlisting>
<para>The /etc/shorewall/shorewall.conf file is an exception -- the man <para>The /etc/shorewall/shorewall.conf file is an exception -- the man
page for that file is 'shorewall.conf':</para> page for that file is 'shorewall.conf':</para>
<programlisting>man shorewall.conf</programlisting> <programlisting>man shorewall.conf</programlisting>
<para>Parts of this and other articles are also available as
manpages:</para>
<itemizedlist>
<listitem>
<para>shorewall-addresses(5)</para>
</listitem>
<listitem>
<para>shorewall-exclusion(5)</para>
</listitem>
<listitem>
<para>shorewall-files(5)</para>
</listitem>
<listitem>
<para>shorewall-ipsets(5)</para>
</listitem>
<listitem>
<para>shorewall-logging(5)</para>
</listitem>
<listitem>
<para>shorewall-names(5)</para>
</listitem>
<listitem>
<para>shorewall-nesting(5)</para>
</listitem>
</itemizedlist>
</section> </section>
<section id="Comments"> <section id="Comments">
<title>Comments</title> <title>Comments</title>
<para>You may place comments in configuration files by making the first <para>You may place comments in configuration files by making the first
non-whitespace character a pound sign (<quote>#</quote>). You may also non-whitespace character a pound sign (<quote>#</quote>). You may also
place comments at the end of any line, again by delimiting the comment place comments at the end of any line, again by delimiting the comment
from the rest of the line with a pound sign.</para> from the rest of the line with a pound sign.</para>
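Review bot: the seven new manpage entries (shorewall-addresses(5) through shorewall-nesting(5)) are plain text inside <para>, while every other manpage reference in this document is a <ulink>, for example <ulink url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>; wrap each entry the same way so the rendered HTML actually links to the page it names.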
skipping to change at line 537 skipping to change at line 570
<para>The pairs must be followed by a right curly bracket <para>The pairs must be followed by a right curly bracket
("}").</para> ("}").</para>
<para>The value may optionally be enclosed in double quotes.</para> <para>The value may optionally be enclosed in double quotes.</para>
<para>The pairs must be separated by white space, but you can add a <para>The pairs must be separated by white space, but you can add a
comma adjacent to the <replaceable>values</replaceable> for comma adjacent to the <replaceable>values</replaceable> for
readability as in:</para> readability as in:</para>
<simplelist> <simplelist>
<member><emphasis role="bold">{ proto=&gt;udp, port=1024 <member><emphasis role="bold">{ proto=&gt;udp, dport=1024
}</emphasis></member> }</emphasis></member>
</simplelist> </simplelist>
</listitem> </listitem>
<listitem> <listitem>
<para>You can also separate the pairs from columns by using a <para>You can also separate the pairs from columns by using a
semicolon:</para> semicolon:</para>
<simplelist> <simplelist>
<member><emphasis role="bold">; proto:udp, <member><emphasis role="bold">; proto:udp,
port:1024</emphasis></member> dport:1024</emphasis></member>
</simplelist> </simplelist>
<important> <important>
<para>This form is incompatible with INLINE_MATCHES=Yes. See the <para>This form is incompatible with INLINE_MATCHES=Yes. See the
INLINE_MATCHES option in <ulink INLINE_MATCHES option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para> url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, if you
are running a version of Shorewall earlier than 5.0..</para>
</important> </important>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>In Shorewall 5.0.3, the sample configuration files and the man pages <para>In Shorewall 5.0.3, the sample configuration files and the man pages
were updated to use the same column names in both the column headings and were updated to use the same column names in both the column headings and
in the alternate specification format. The following table shows the in the alternate specification format. The following table shows the
column names for each of the table-oriented configuration files.</para> column names for each of the table-oriented configuration files.</para>
<note> <note>
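Review bot: the sentence added to the <important> block ends with a double period ("earlier than 5.0..") and should end with one. The two examples now say dport where they said port, which matches the dport column name used in the table that follows; the same check is worth applying to any other inline example on the page that still uses port.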
skipping to change at line 632 skipping to change at line 666
<row> <row>
<entry>maclist</entry> <entry>maclist</entry>
<entry>disposition,interface,mac,addresses</entry> <entry>disposition,interface,mac,addresses</entry>
</row> </row>
<row> <row>
<entry>mangle</entry> <entry>mangle</entry>
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,con nbytes,helper,headers</entry> <entry>action,source,dest,proto,dport,sport,user,test,length,tos,con nbytes,helper,headers,probability,dscp,switch</entry>
</row> </row>
<row> <row>
<entry>masq</entry> <entry>masq</entry>
<entry>interface,source,address,proto,port,ipsec,mark,user,switch</e ntry> <entry>interface,source,address,proto,port,ipsec,mark,user,switch</e ntry>
</row> </row>
<row> <row>
<entry>nat</entry> <entry>nat</entry>
skipping to change at line 708 skipping to change at line 742
<entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark, connlimit,time,headers,switch,helper</entry> <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark, connlimit,time,headers,switch,helper</entry>
</row> </row>
<row> <row>
<entry>secmarks</entry> <entry>secmarks</entry>
<entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry> <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
</row> </row>
<row> <row>
<entry>snat</entry>
<entry>action,source,dest,proto,port,sport,ipsec,mark,user,switch,or
igdest,probability
(Note: 'port' may be specified as 'dport', beginning with
Shorewall 5.2.6).</entry>
</row>
<row>
<entry>tcclasses</entry> <entry>tcclasses</entry>
<entry>interface,mark,rate,ceil,prio,options</entry> <entry>interface,mark,rate,ceil,prio,options</entry>
</row> </row>
<row> <row>
<entry>tcdevices</entry> <entry>tcdevices</entry>
<entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry> <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
</row> </row>
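Review bot: the version remark embedded in the new snat cell ("'port' may be specified as 'dport', beginning with Shorewall 5.2.6") makes it the only row of the table that carries prose, which is hard to scan and inconsistent with every other row; move that remark to the <note> that follows the table's introductory paragraph, or to the shorewall-snat(5) manpage, and keep the cell to the bare column list. The row's placement between secmarks and tcclasses does keep the table in alphabetical order.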
skipping to change at line 1512 skipping to change at line 1554
<member>VERSION</member> <member>VERSION</member>
</simplelist> </simplelist>
<para>Example:</para> <para>Example:</para>
<blockquote> <blockquote>
<programlisting>    /etc/shorewall/params <programlisting>    /etc/shorewall/params
NET_IF=eth0 NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,routefilter NET_OPTIONS=routefilter,routefilter
    /etc/shorewall/interfaces record:     /etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS net $NET_IF $NET_OPTIONS
    The result will be the same as if the record had been written     The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,routefilter net eth0 routefilter,routefilter
</programlisting> </programlisting>
</blockquote> </blockquote>
<para>Variables may be used anywhere in the other configuration <para>Variables may be used anywhere in the other configuration
files.<note> files.<note>
<para>If you use "$FW" on the right side of assignments in the <para>If you use "$FW" on the right side of assignments in the
<filename>/etc/shorewall/params</filename> file, you must also set the <filename>/etc/shorewall/params</filename> file, you must also set the
FW variable in that file.</para> FW variable in that file.</para>
<para>Example:<programlisting>/etc/shorewall/zones: <para>Example:<programlisting>/etc/shorewall/zones:
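Review bot: both sides of the params example set NET_OPTIONS=routefilter,routefilter, repeating the same option twice; since this hunk already rewrites the example (dropping NET_BCAST and the broadcast column from the interfaces record), it should also replace the duplicate with either a single option or a second, distinct one, so that the "result will be the same as if" line shows a record a reader would actually write. The four leading spaces on the "/etc/shorewall/params" and "The result will be" caption lines render as literal whitespace inside <programlisting>; those captions would be clearer as <para> text between two listings.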
skipping to change at line 1837 skipping to change at line 1878
<listitem> <listitem>
<para><ulink url="Actions.html">Action</ulink> files</para> <para><ulink url="Actions.html">Action</ulink> files</para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink <para><ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para> url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>They may also be used as the parameter to SNAT() in <ulink
url="manpages/shorewall-snat.html">shorewall-snat</ulink>(5).</para>
<para>For optional interfaces, if the interface is not usable at the time <para>For optional interfaces, if the interface is not usable at the time
that the firewall starts, one of two approaches are taken, depending on that the firewall starts, one of two approaches are taken, depending on
the context:</para> the context:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>the all-zero address will be used (0.0.0.0 in IPv4 and :: in <para>the all-zero address will be used (0.0.0.0 in IPv4 and :: in
IPv6), resulting in no packets matching the rule (or all packets if IPv6), resulting in no packets matching the rule (or all packets if
used with exclusion).</para> used with exclusion).</para>
</listitem> </listitem>
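Review bot: the new paragraph writes "shorewall-snat</ulink>(5)" with no space before "(5)", whereas the list item just above writes "shorewall-rules</ulink> (5)"; pick one spacing convention for the page. While this region is being edited, the unchanged sentence "one of two approaches are taken" should read "one of two approaches is taken".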
skipping to change at line 2196 skipping to change at line 2240
</listitem> </listitem>
<listitem> <listitem>
<para>options set in the <filename>shorewallrc</filename> file when <para>options set in the <filename>shorewallrc</filename> file when
Shorewall Core was installed.</para> Shorewall Core was installed.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<important> <important>
<para>Beginning with Shorewall 4.5.11, the compiler's environmental <para>Beginning with Shorewall 4.5.11, the compiler's environmental
variables are search last rather than first.</para> variables are searched last rather than first.</para>
</important> </important>
<para>If the <replaceable>variable</replaceable> is still not <para>If the <replaceable>variable</replaceable> is still not
found:</para> found:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>if it begins with '__', then those leading characters are <para>if it begins with '__', then those leading characters are
stripped off.</para> stripped off.</para>
</listitem> </listitem>
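Review bot: the sentence in the <important> block still says "the compiler's environmental variables"; "environment variables" is the standard term for a process's environment and should be used here now that the verb has been corrected to "searched".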
skipping to change at line 2707 skipping to change at line 2751
<programlisting>192.168.1.0/24!192.168.1.3,192.168.1.12,192.168.1.32/27</pro gramlisting> <programlisting>192.168.1.0/24!192.168.1.3,192.168.1.12,192.168.1.32/27</pro gramlisting>
<para>The above list refers to "All addresses in 192.168.1.0-192.168.1.255 <para>The above list refers to "All addresses in 192.168.1.0-192.168.1.255
except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63.</para> except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63.</para>
</section> </section>
<section id="IPRanges"> <section id="IPRanges">
<title>IP Address Ranges</title> <title>IP Address Ranges</title>
<para>If you kernel and iptables have iprange match support, you may use <para>If you kernel and iptables have <emphasis>iprange</emphasis>
IP address ranges in Shorewall configuration file entries; IP address <emphasis>match</emphasis> <emphasis>support</emphasis>, you may use IP
ranges have the syntax &lt;<emphasis>low IP address ranges in Shorewall configuration file entries; IP address ranges
have the syntax &lt;<emphasis>low IP
address</emphasis>&gt;-&lt;<emphasis>high IP address</emphasis>&gt;. address</emphasis>&gt;-&lt;<emphasis>high IP address</emphasis>&gt;.
Example: 192.168.1.5-192.168.1.12.</para> Example: 192.168.1.5-192.168.1.12.</para>
<para>To see if your kernel and iptables have the required support, use <para>To see if your kernel and iptables have the required support, use
the <command>shorewall show capabilities</command> command:</para> the <command>shorewall show capabilities</command> command:</para>
<programlisting>&gt;~ <command>shorewall show capabilities</command> <programlisting>&gt;~ <command>shorewall show capabilities</command>
...
Shorewall has detected the following iptables/netfilter capabilities: Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available ACCOUNT Target (ACCOUNT_TARGET): Not available
Packet Mangling: Available Address Type Match (ADDRTYPE): Available
Multi-port Match: Available Amanda Helper: Available
Connection Tracking Match: Available ...
Packet Type Match: Not available IPMARK Target (IPMARK_TARGET): Not available
Policy Match: Available IPP2P Match (IPP2P_MATCH): Not available
Physdev Match: Available <emphasis role="bold">IP range Match(IPRANGE_MATCH): Available</emphasis> <em
<emphasis role="bold">IP range Match: Available &lt;--------------</emphasis> phasis
</programlisting> role="bold">&lt;================</emphasis></programlisting>
</section> </section>
<section id="Ports"> <section id="Ports">
<title>Protocol Number/Names and Port Numbers/Service Names</title> <title>Protocol Number/Names and Port Numbers/Service Names</title>
<para>Unless otherwise specified, when giving a protocol number you can <para>Unless otherwise specified, when giving a protocol number you can
use either an integer or a protocol name from use either an integer or a protocol name from
<filename>/etc/protocols</filename>. Similarly, when giving a port number <filename>/etc/protocols</filename>. Similarly, when giving a port number
you can use either an integer or a service name from you can use either an integer or a service name from
<filename>/etc/services</filename>.<note> <filename>/etc/services</filename>.<note>
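Review bot: the rewritten opening sentence keeps the typo "If you kernel" (should be "If your kernel") and wraps "iprange", "match" and "support" in three separate <emphasis> elements where a single element would do; better still, mark it up as <firstterm>iprange match support</firstterm>, which is how the Switches section later treats Condition Match Support. In the refreshed capabilities listing, the highlighted line reads "IP range Match(IPRANGE_MATCH)" with no space before the parenthesis, unlike the neighbouring "Address Type Match (ADDRTYPE)" and "IPMARK Target (IPMARK_TARGET)" lines; check it against actual shorewall show capabilities output before publishing.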
skipping to change at line 2863 skipping to change at line 2907
unknown-header-type =&gt; 4/1 unknown-header-type =&gt; 4/1
unknown-option =&gt; 4/2 unknown-option =&gt; 4/2
echo-request =&gt; 128 echo-request =&gt; 128
echo-reply =&gt; 129 echo-reply =&gt; 129
router-solicitation =&gt; 133 router-solicitation =&gt; 133
router-advertisement =&gt; 134 router-advertisement =&gt; 134
neighbour-solicitation =&gt; 135 neighbour-solicitation =&gt; 135
neighbour-advertisement =&gt; 136 neighbour-advertisement =&gt; 136
redirect =&gt; 137</programlisting> redirect =&gt; 137</programlisting>
<para>Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to <para>Shorewall 4.4 does not accept lists of ICMP (ICMP6) types prior to
Shorewall 4.4.19.</para> Shorewall 4.4.19.</para>
</section> </section>
<section id="MAC"> <section id="MAC">
<title>Using MAC Addresses</title> <title>Using MAC Addresses</title>
<para>Media Access Control (MAC) addresses can be used to specify packet <para>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. In order to control traffic source in several of the configuration files. In order to control traffic
to/from a host by its MAC address, the host must be on the same network as to/from a host by its MAC address, the host must be on the same network as
the firewall.</para> the firewall.</para>
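Review bot: the sentence "Shorewall 4.4 does not accept lists of ICMP (ICMP6) types prior to Shorewall 4.4.19" remains awkward even after the "if" to "of" fix, because it names the 4.4 release twice; suggest "Lists of ICMP (ICMP6) types are not accepted prior to Shorewall 4.4.19."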
skipping to change at line 3135 skipping to change at line 3179
</section> </section>
<section id="Switches"> <section id="Switches">
<title>Switches</title> <title>Switches</title>
<para>There are times when you would like to enable or disable one or more <para>There are times when you would like to enable or disable one or more
rules in the configuration without having to do a <command>shorewall rules in the configuration without having to do a <command>shorewall
reload</command> or <command>shorewall restart</command>. This may be reload</command> or <command>shorewall restart</command>. This may be
accomplished using the SWITCH column in <ulink accomplished using the SWITCH column in <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5). Using
this column requires that your kernel and iptables include this column requires that your kernel and iptables include
<firstterm>Condition Match Support</firstterm> and you must be running <firstterm>Condition Match Support</firstterm> and you must be running
Shorewall 4.4.24 or later. See the output of <command>shorewall show Shorewall 4.4.24 or later. See the output of <command>shorewall show
capabilities</command> and <command>shorewall version</command> to capabilities</command> and <command>shorewall version</command> to
determine if you can use this feature.</para> determine if you can use this feature.</para>
<para>The SWITCH column contains the name of a <para>The SWITCH column contains the name of a
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
role="bold">off</emphasis> position. You can turn on the switch named role="bold">off</emphasis> position. You can turn on the switch named
<emphasis>switch1</emphasis> by:</para> <emphasis>switch1</emphasis> by:</para>
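Review bot: the corrected link sends shorewall6-rules(5) to manpages/shorewall6-rules.html instead of the manpages6/ directory the old link used; confirm that the documentation build really places shorewall6-rules.html under manpages/, because every other ulink on this page points there and a wrong directory would turn a working link into a dead one. In the unchanged paragraph that follows, "<firstterm>switch.</firstterm>" puts the sentence's period inside the element; move it after the closing tag.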
 End of changes. 18 change blocks. 
25 lines changed or deleted 70 lines changed or added
