"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "manpages/shorewall-policy.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

shorewall-policy.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):shorewall-policy.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 30 skipping to change at line 30
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall[6]/policy</command> <command>/etc/shorewall[6]/policy</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file defines the high-level policy for connections between <para>This file defines the high-level policy for connections between
zones defined in <ulink zones defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).</para> url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
<important> <important>
<para>The order of entries in this file is important</para> <para>The order of entries in this file is important</para>
<para>This file determines what to do with a new connection request if <para>This file determines what to do with a new connection request if
we don't get a match from the <ulink we don't get a match from the <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5) or url="shorewall-blrules.html">shorewall-blrules</ulink>(5) or
<ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) <ulink url="shorewall-rules.html">shorewall-rules</ulink>(5)
files. For each source/destination pair, the file is processed in order files. For each source/destination pair, the file is processed in order
until a match is found ("all" will match any source or until a match is found ("all" will match any source or
destination).</para> destination).</para>
</important> </important>
<important> <important>
<para>Intra-zone policies are pre-defined</para> <para>Intra-zone policies are pre-defined</para>
<para>For $FW and for all of the zones defined in <ulink <para>For $FW and for all of the zones defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), the url="shorewall-zones.html">shorewall-zones</ulink>(5), the
POLICY for connections from the zone to itself is ACCEPT (with no POLICY for connections from the zone to itself is ACCEPT (with no
logging or TCP connection rate limiting) but may be overridden by an logging or TCP connection rate limiting) but may be overridden by an
entry in this file. The overriding entry must be explicit (specifying entry in this file. The overriding entry must be explicit (specifying
the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
4.5.17 or later).</para> 4.5.17 or later).</para>
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then the url="shorewall.conf.html">shorewall.conf</ulink>(5), then the
implicit policy to/from any sub-zone is CONTINUE. These implicit implicit policy to/from any sub-zone is CONTINUE. These implicit
CONTINUE policies may also be overridden by an explicit entry in this CONTINUE policies may also be overridden by an explicit entry in this
file.</para> file.</para>
</important> </important>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para> the alternate specification syntax).</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>[,...[+]]|<emphasis <emphasis>zone</emphasis>[,...[+]]|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">$FW</emphasis>|<emphasis
role="bold">all[+][!<replaceable>ezone</replaceable>[,...]]</emphasis></ term> role="bold">all[+][!<replaceable>ezone</replaceable>[,...]]</emphasis></ term>
<listitem> <listitem>
<para>Source zone. Must be the name of a zone defined in <ulink <para>Source zone. Must be the name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), url="shorewall-zones.html">shorewall-zones</ulink>(5),
$FW, "all" or "all+".</para> $FW, "all" or "all+".</para>
<para>Support for <emphasis role="bold">all+</emphasis> was added in <para>Support for <emphasis role="bold">all+</emphasis> was added in
Shorewall 4.5.17. <emphasis role="bold">all</emphasis> does not Shorewall 4.5.17. <emphasis role="bold">all</emphasis> does not
override the implicit intra-zone ACCEPT policy while <emphasis override the implicit intra-zone ACCEPT policy while <emphasis
role="bold">all+</emphasis> does.</para> role="bold">all+</emphasis> does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas. As above, if '+' is specified after two or more separated by commas. As above, if '+' is specified after two or more
zone names, then the policy overrides the implicit intra-zone ACCEPT zone names, then the policy overrides the implicit intra-zone ACCEPT
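Review bot: every `<ulink>` in this hunk moves from a root-relative `/manpages/....html` target to a bare relative `shorewall-zones.html`, `shorewall-blrules.html`, `shorewall-rules.html` and `shorewall.conf.html`, which only resolves when the rendered page and the pages it links to are emitted into the same directory; please confirm the doc build writes all manpage HTML to one directory, since a root-relative form kept the links working from any path on the site. The rest of the hunk, including the `</ term>` at the end of the SOURCE `<term>` and the intra-zone "all" versus "all+" wording, is unchanged context.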
skipping to change at line 103 skipping to change at line 103
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>[,...[+]]|<emphasis <emphasis>zone</emphasis>[,...[+]]|<emphasis
role="bold">$FW</emphasis>|all[+][!<replaceable>ezone</replaceable>[,... ]]</term> role="bold">$FW</emphasis>|all[+][!<replaceable>ezone</replaceable>[,... ]]</term>
<listitem> <listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink <para>Destination zone. Must be the name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), url="shorewall-zones.html">shorewall-zones</ulink>(5),
$FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
must be "all", "all+", another bport zone associated with the same must be "all", "all+", another bport zone associated with the same
bridge, or it must be an ipv4 zone that is associated with only the bridge, or it must be an ipv4 zone that is associated with only the
same bridge.</para> same bridge.</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+" not override the implicit intra-zone ACCEPT policy while "all+"
does.</para> does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
skipping to change at line 149 skipping to change at line 149
<listitem> <listitem>
<para>Policy if no match from the rules file is found.</para> <para>Policy if no match from the rules file is found.</para>
<para>If the policy is neither CONTINUE nor NONE then the policy may <para>If the policy is neither CONTINUE nor NONE then the policy may
be followed by ":" and one of the following:</para> be followed by ":" and one of the following:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>The word "None" or "none". This causes any default action <para>The word "None" or "none". This causes any default action
defined in <ulink defined in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to url="shorewall.conf.html">shorewall.conf</ulink>(5) to
be omitted for this policy.</para> be omitted for this policy.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The name of an action with optional parameters enclosed in <para>The name of an action with optional parameters enclosed in
parentheses. The action will be invoked before the policy is parentheses. The action will be invoked before the policy is
enforced.</para> enforced.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
skipping to change at line 174 skipping to change at line 174
applied to each rule in the action or body that does not already applied to each rule in the action or body that does not already
have a log level.</para> have a log level.</para>
<para>Beginning with Shorewall 5.1.2, multiple <para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>] <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
specification may be listeded, separated by commas. The actions are specification may be listeded, separated by commas. The actions are
invoked in the order listed. Also beginning with Shorewall 5.1.2, invoked in the order listed. Also beginning with Shorewall 5.1.2,
the policy-action list can be prefixed with a plus sign ("+") the policy-action list can be prefixed with a plus sign ("+")
indicating that the listed actions are in addition to those listed indicating that the listed actions are in addition to those listed
in the related _DEFAULT setting in <ulink in the related _DEFAULT setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Possible policies are:</para> <para>Possible policies are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ACCEPT</emphasis></term> <term><emphasis role="bold">ACCEPT</emphasis></term>
<listitem> <listitem>
<para>Accept the connection.</para> <para>Accept the connection.</para>
</listitem> </listitem>
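Review bot: the typo "listeded" in the "multiple action[:level] specification may be listeded, separated by commas" paragraph survives on both sides of this hunk; since the hunk already touches that paragraph's `<ulink>`, it is the natural place to change it to "multiple action[:level] specifications may be listed, separated by commas".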
skipping to change at line 210 skipping to change at line 210
ICMP.</para> ICMP.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term> <term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 5.1.1 and requires that the <para>Added in Shorewall 5.1.1 and requires that the
DYNAMIC_BLACKLIST setting in <ulink DYNAMIC_BLACKLIST setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall.conf.html">shorewall.conf</ulink>(5)
specifies ipset-based dynamic blacklisting. The SOURCE IP specifies ipset-based dynamic blacklisting. The SOURCE IP
address is added to the blacklist ipset and the connection address is added to the blacklist ipset and the connection
request is ignored.</para> request is ignored.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term> <term><emphasis role="bold">QUEUE</emphasis></term>
<listitem> <listitem>
skipping to change at line 262 skipping to change at line 262
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
<listitem> <listitem>
<para>Pass the connection request past any other rules that it <para>Pass the connection request past any other rules that it
might also match (where the source or destination zone in might also match (where the source or destination zone in
those rules is a superset of the SOURCE or DEST in this those rules is a superset of the SOURCE or DEST in this
policy). See <ulink policy). See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink> (5) url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
for additional information.</para> for additional information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">NONE</emphasis></term> <term><emphasis role="bold">NONE</emphasis></term>
<listitem> <listitem>
<para>Assume that there will never be any packets from this <para>Assume that there will never be any packets from this
SOURCE to this DEST. Shorewall will not create any SOURCE to this DEST. Shorewall will not create any
skipping to change at line 302 skipping to change at line 302
default POLICY is logged at that level. If not supplied, no log default POLICY is logged at that level. If not supplied, no log
message is generated. See syslog.conf(5) for a description of log message is generated. See syslog.conf(5) for a description of log
levels.</para> levels.</para>
<para>You may also specify ULOG or NFLOG (must be in upper case). <para>You may also specify ULOG or NFLOG (must be in upper case).
This will log to the ULOG or NFLOG target and will send to a This will log to the ULOG or NFLOG target and will send to a
separate log through use of ulogd (<ulink separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.ne tfilter.org/projects/ulogd/index.html</ulink>).</para> url="http://www.netfilter.org/projects/ulogd/index.html">http://www.ne tfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>For a description of logging, see <ulink <para>For a description of logging, see <ulink
url="/shorewall_logging.html">shorewall-logging(5)</ulink>.</para> url="../shorewall_logging.html">shorewall-logging(5)</ulink>.</para>
<para>If you don't want to log but need to specify the following <para>If you don't want to log but need to specify the following
column, place "-" here.</para> column, place "-" here.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">RATE</emphasis> (rate) - <term><emphasis role="bold">RATE</emphasis> (rate) -
[-|<replaceable>limit</replaceable>]</term> [-|<replaceable>limit</replaceable>]</term>
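Review bot: the logging link's target becomes `../shorewall_logging.html`, a documentation article one directory up, yet the link text still reads "shorewall-logging(5)", which names a man page that this hunk does not otherwise reference; consider changing the text to match the target, e.g. "Shorewall logging", so readers are not sent looking for a section-5 page. Also, the ulogd `<ulink>` a few lines above stays `http://` while the See ALSO entry in the last hunk is moved to `https://`; worth checking whether the same scheme change applies here.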
skipping to change at line 449 skipping to change at line 449
<para>/etc/shorewall/policy</para> <para>/etc/shorewall/policy</para>
<para>/etc/shorewall6/policy</para> <para>/etc/shorewall6/policy</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configur ation_file_basics.htm#Pairs</ulink></para> url="../configuration_file_basics.htm#Pairs">https://shorewall.org/configura tion_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8)</para> <para>shorewall(8)</para>
</refsect1> </refsect1>
</refentry> </refentry>
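Review bot: in the See ALSO `<ulink>`, the `url` attribute now points to the relative `../configuration_file_basics.htm#Pairs` while the visible text is the absolute `https://shorewall.org/configuration_file_basics.htm#Pairs`, so the hyperlink and the text a reader copies resolve to different places once the HTML is hosted anywhere but the site root; either keep both absolute or replace the text with a page title and leave the relative target.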
 End of changes. 12 change blocks. 
13 lines changed or deleted 13 lines changed or added
