| ipsets.xml (shorewall-docs-xml-5.2.3.6.tar.bz2) | : | ipsets.xml (shorewall-docs-xml-5.2.6.tar.bz2) |
|---|
| | |
| skipping to change at line 33 | | skipping to change at line 33 |
|---|
| <year>2008</year> | | <year>2008</year> |
| | |
| <year>2010</year> | | <year>2010</year> |
| | |
| <year>2015</year> | | <year>2015</year> |
| | |
| <year>2017</year> | | <year>2017</year> |
| | |
| <year>2019</year> | | <year>2019</year> |
| | |
|
| | <year>2020</year> |
| | |
| <holder>Thomas M. Eastep</holder> | | <holder>Thomas M. Eastep</holder> |
| </copyright> | | </copyright> |
| | |
| <legalnotice> | | <legalnotice> |
| <para>Permission is granted to copy, distribute and/or modify this | | <para>Permission is granted to copy, distribute and/or modify this |
| document under the terms of the GNU Free Documentation License, Version | | document under the terms of the GNU Free Documentation License, Version |
| 1.2 or any later version published by the Free Software Foundation; with | | 1.2 or any later version published by the Free Software Foundation; with |
| no Invariant Sections, with no Front-Cover, and with no Back-Cover | | no Invariant Sections, with no Front-Cover, and with no Back-Cover |
| Texts. A copy of the license is included in the section entitled | | Texts. A copy of the license is included in the section entitled |
| <quote><ulink url="GnuCopyright.htm">GNU Free Documentation | | <quote><ulink url="GnuCopyright.htm">GNU Free Documentation |
| | |
| skipping to change at line 163 | | skipping to change at line 165 |
|---|
| <para>You must set SAVE_IPSETS=Yes in <ulink | | <para>You must set SAVE_IPSETS=Yes in <ulink |
| url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para> | | url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>You must have at least one entry in the other configuration | | <para>You must have at least one entry in the other configuration |
| files that uses an ipset.</para> | | files that uses an ipset.</para> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
|
| <para>You cannot use an ipset in <ulink | | <para>You can use an ipset in <ulink |
| url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink
> | | url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink
> |
|
| (5) (<ulink | | (5), but SAVE_IPSET={Yes|ipv4} will not save such a set during 'stop' |
| url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink | | processing. Use Shorewall-init to save/restore your ipsets in this |
| > | | case (see below).</para> |
| (5)).</para> | | |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>The <command>restore</command> command cannot restore ipset | | <para>The <command>restore</command> command cannot restore ipset |
| contents saved by the <command>save</command> command unless the | | contents saved by the <command>save</command> command unless the |
| firewall is first stopped.</para> | | firewall is first stopped.</para> |
| </listitem> | | </listitem> |
| </orderedlist> | | </orderedlist> |
| | |
| <para>Beginning with Shorewall 4.6.4, you can save selective ipsets by | | <para>Beginning with Shorewall 4.6.4, you can save selective ipsets by |
| | |
| skipping to change at line 193 | | skipping to change at line 195 |
|---|
| ipsets to be saved. When such a list is specified, only those ipsets | | ipsets to be saved. When such a list is specified, only those ipsets |
| together with the ipsets supporting dynamic zones are saved. Shorewall6 | | together with the ipsets supporting dynamic zones are saved. Shorewall6 |
| support for the SAVE_IPSETS option was also added in 4.6.4. When | | support for the SAVE_IPSETS option was also added in 4.6.4. When |
| SAVE_IPSETS=Yes in <ulink | | SAVE_IPSETS=Yes in <ulink |
| url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, only ipv6 | | url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, only ipv6 |
| ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink | | ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink |
| url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only | | url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only |
| ipv4 ipsets are saved. Both features require ipset version 5 or | | ipv4 ipsets are saved. Both features require ipset version 5 or |
| later.</para> | | later.</para> |
| | |
|
| | <caution> |
| | <para>After setting SAVE_IPSETS, it is important to recompile the |
| | firewall script (e.g., 'shorewall compile', 'shorewall reload' or |
| | 'shorewall restart') before rebooting</para> |
| | </caution> |
| | |
| <para>Although Shorewall can save the definition of your ipsets and | | <para>Although Shorewall can save the definition of your ipsets and |
| restore them when Shorewall starts, in most cases you must use the ipset | | restore them when Shorewall starts, in most cases you must use the ipset |
| utility to initially create and load your ipsets. The exception is that | | utility to initially create and load your ipsets. The exception is that |
| Shorewall will automatically create an empty iphash ipset to back each | | Shorewall will automatically create an empty iphash ipset to back each |
|
| dynamic zone.</para> | | dynamic zone. It will also create the ipset required by the |
| | DYNAMIC_BLACKLIST=ipset:.. setting in <ulink |
| | url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para> |
| </section> | | </section> |
| | |
| <section> | | <section> |
| <title>Shorewall6 and Shorewall-init Support for Ipsets</title> | | <title>Shorewall6 and Shorewall-init Support for Ipsets</title> |
| | |
| <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para> | | <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para> |
| | |
| <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink | | <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink |
| url="manpages/shorewall.conf.html">shorewall6-conf(5)</ulink>. When set to | | url="manpages/shorewall.conf.html">shorewall6-conf(5)</ulink>. When set to |
| Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by | | Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by |
| | |
| skipping to change at line 221 | | skipping to change at line 231 |
|---|
| url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work | | url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work |
| correctly because it saves both IPv4 and IPv6 ipsets. To work around this | | correctly because it saves both IPv4 and IPv6 ipsets. To work around this |
| issue, Shorewall-init is capable restoring ipset contents during 'start' | | issue, Shorewall-init is capable restoring ipset contents during 'start' |
| and saving them during 'stop'. To direct Shorewall-init to save/restore | | and saving them during 'stop'. To direct Shorewall-init to save/restore |
| ipset contents, set the SAVE_IPSETS option in | | ipset contents, set the SAVE_IPSETS option in |
| /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and | | /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and |
| derivatives). The value of the option is a file name where the contents of | | derivatives). The value of the option is a file name where the contents of |
| the ipsets will be save to and restored from. Shorewall-init will create | | the ipsets will be save to and restored from. Shorewall-init will create |
| any necessary directories during the first 'save' operation.</para> | | any necessary directories during the first 'save' operation.</para> |
| | |
|
| | <caution> |
| | <para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init |
| | (/etc/default/shorewall-init on Debian and derivatives) when |
| | shorewall-init has not been started by systemd, then when the system is |
| | going down during reboot, the ipset contents will not be saved. You can |
| | work around that as follows:</para> |
| | |
| | <itemizedlist> |
| | <listitem> |
| | <para>Suppose that you have set |
| | SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para> |
| | </listitem> |
| | |
| | <listitem> |
| | <para>Before rebooting, execute this command:</para> |
| | |
| | <programlisting>ipset save > /var/lib/shorewall/init-save-ipsets</p |
| | rogramlisting> |
| | </listitem> |
| | |
| | <listitem> |
| | <para>Be sure to enable shoewall-init (e.g., <emphasis |
| | role="bold">systemctl enable shorewall-init</emphasis>).</para> |
| | </listitem> |
| | </itemizedlist> |
| | </caution> |
| | |
| <para>If you configure Shorewall-init to save/restore ipsets, be sure to | | <para>If you configure Shorewall-init to save/restore ipsets, be sure to |
| set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para> | | set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para> |
| | |
| <para>If you configure SAVE_IPSETS in <ulink | | <para>If you configure SAVE_IPSETS in <ulink |
| url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink | | url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink |
| url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then do not | | url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then do not |
| set SAVE_IPSETS in shorewall-init.</para> | | set SAVE_IPSETS in shorewall-init.</para> |
| </section> | | </section> |
| </article> | | </article> |
| | | |
| End of changes. 6 change blocks. |
|---|
| 6 lines changed or deleted | | 42 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 