"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "manpages/shorewall-rules.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

shorewall-rules.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):shorewall-rules.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 30 skipping to change at line 30
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall[6]/rules</command> <command>/etc/shorewall[6]/rules</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>Entries in this file govern connection establishment by defining <para>Entries in this file govern connection establishment by defining
exceptions to the policies laid out in <ulink exceptions to the policies laid out in <ulink
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By url="shorewall-policy.html">shorewall-policy</ulink>(5). By
default, subsequent requests and responses are automatically allowed using default, subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the connection tracking. For any particular (source,dest) pair of zones, the
rules are evaluated in the order in which they appear in this file and the rules are evaluated in the order in which they appear in this file and the
first terminating match is the one that determines the disposition of the first terminating match is the one that determines the disposition of the
request. All rules are terminating except LOG and COUNT rules.</para> request. All rules are terminating except LOG and COUNT rules.</para>
<warning> <warning>
<para>If you masquerade or use SNAT from a local system to the internet, <para>If you masquerade or use SNAT from a local system to the internet,
you cannot use an ACCEPT rule to allow traffic from the internet to that you cannot use an ACCEPT rule to allow traffic from the internet to that
system. You <emphasis role="bold">must</emphasis> use a DNAT rule system. You <emphasis role="bold">must</emphasis> use a DNAT rule
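Review bot: dropping the leading `/manpages/` from the `ulink` href makes the link relative to the directory this manpage is rendered into, so `shorewall-policy.html` only resolves when the other manpages are rendered alongside it; that holds for the manpages directory, and the same absolute-to-relative rewrite is applied consistently to every manpage link in this diff, so no behaviour beyond link resolution changes.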
skipping to change at line 89 skipping to change at line 89
<listitem> <listitem>
<para>Packets in the RELATED state are processed by rules in this <para>Packets in the RELATED state are processed by rules in this
section.</para> section.</para>
<para>The only ACTIONs allowed in this section are ACCEPT, DROP, <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
REJECT, LOG, NFLOG, NFQUEUE and QUEUE</para> REJECT, LOG, NFLOG, NFQUEUE and QUEUE</para>
<para>There is an implicit rule added at the end of this section <para>There is an implicit rule added at the end of this section
that invokes the RELATED_DISPOSITION (<ulink that invokes the RELATED_DISPOSITION (<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">INVALID</emphasis></term> <term><emphasis role="bold">INVALID</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
processed by rules in this section.</para> processed by rules in this section.</para>
<para>The only Actions allowed in this section are ACCEPT, DROP, <para>The only Actions allowed in this section are ACCEPT, DROP,
REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para> REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para>
<para>There is an implicit rule added at the end of this section <para>There is an implicit rule added at the end of this section
that invokes the INVALID_DISPOSITION (<ulink that invokes the INVALID_DISPOSITION (<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">UNTRACKED</emphasis></term> <term><emphasis role="bold">UNTRACKED</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
processed by rules in this section.</para> processed by rules in this section.</para>
<para>The only Actions allowed in this section are ACCEPT, DROP, <para>The only Actions allowed in this section are ACCEPT, DROP,
REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para> REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para>
<para>There is an implicit rule added at the end of this section <para>There is an implicit rule added at the end of this section
that invokes the UNTRACKED_DISPOSITION (<ulink that invokes the UNTRACKED_DISPOSITION (<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">NEW</emphasis></term> <term><emphasis role="bold">NEW</emphasis></term>
<listitem> <listitem>
<para>Packets in the NEW state are processed by rules in this <para>Packets in the NEW state are processed by rules in this
section. If the INVALID and/or UNTRACKED sections are empty or not section. If the INVALID and/or UNTRACKED sections are empty or not
included, then the packets in the corresponding state(s) are also included, then the packets in the corresponding state(s) are also
skipping to change at line 146 skipping to change at line 146
<note> <note>
<para>If you are not familiar with Netfilter to the point where you are <para>If you are not familiar with Netfilter to the point where you are
comfortable with the differences between the various connection tracking comfortable with the differences between the various connection tracking
states, then it is suggested that you place all of your rules in the NEW states, then it is suggested that you place all of your rules in the NEW
section (That's after the line that reads ?SECTION NEW').</para> section (That's after the line that reads ?SECTION NEW').</para>
</note> </note>
<warning> <warning>
<para>If you specify FASTACCEPT=Yes in <ulink <para>If you specify FASTACCEPT=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the url="shorewall.conf.html">shorewall.conf</ulink>(5) then the
<emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis <emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para> role="bold">RELATED</emphasis> sections must be empty.</para>
<para>An exception is made if you are running Shorewall 4.4.27 or later <para>An exception is made if you are running Shorewall 4.4.27 or later
and you have specified a non-default value for RELATED_DISPOSITION or and you have specified a non-default value for RELATED_DISPOSITION or
RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
section of this file.</para> section of this file.</para>
</warning> </warning>
<para>You may omit any section that you don't need. If no Section Headers <para>You may omit any section that you don't need. If no Section Headers
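Review bot: the context line `(That's after the line that reads ?SECTION NEW')` closes a quote it never opens; the directive should be quoted as `'?SECTION NEW'` (the leading `?` is part of the section-header syntax, not stray punctuation), so add the opening `'` while this paragraph is inside a touched hunk.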
skipping to change at line 226 skipping to change at line 226
Shorewall 4.5.14 or later.</para> Shorewall 4.5.14 or later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ACCEPT!</emphasis></term> <term><emphasis role="bold">ACCEPT!</emphasis></term>
<listitem> <listitem>
<para>like ACCEPT but exempts the rule from being suppressed <para>like ACCEPT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</ para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis>action</emphasis></term> <term><emphasis>action</emphasis></term>
<listitem> <listitem>
<para>The name of an <emphasis>action</emphasis> declared in <para>The name of an <emphasis>action</emphasis> declared in
<ulink <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink> (5) url="shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall[6]/actions.std.</para> or in /usr/share/shorewall[6]/actions.std.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flag s</replaceable>[:<replaceable>timeout</replaceable>])</emphasis></term> role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flag s</replaceable>[:<replaceable>timeout</replaceable>])</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.12. Causes addresses and/or port <para>Added in Shorewall 4.4.12. Causes addresses and/or port
skipping to change at line 353 skipping to change at line 353
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
<listitem> <listitem>
<para>For experts only.</para> <para>For experts only.</para>
<para>Do not process any of the following rules for this <para>Do not process any of the following rules for this
(source zone,destination zone). If the source and/or (source zone,destination zone). If the source and/or
destination IP address falls into a zone defined later in destination IP address falls into a zone defined later in
<ulink <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) url="shorewall-zones.html">shorewall-zones</ulink>(5)
or in a parent zone of the source or destination zones, then or in a parent zone of the source or destination zones, then
this connection request will be passed to the rules defined this connection request will be passed to the rules defined
for that (those) zone(s). See <ulink for that (those) zone(s). See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink> (5) url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
for additional information.</para> for additional information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE!</emphasis></term> <term><emphasis role="bold">CONTINUE!</emphasis></term>
<listitem> <listitem>
<para>like CONTINUE but exempts the rule from being suppressed <para>like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</ para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">COUNT</emphasis></term> <term><emphasis role="bold">COUNT</emphasis></term>
<listitem> <listitem>
<para>Simply increment the rule's packet and byte count and <para>Simply increment the rule's packet and byte count and
pass the packet to the next rule.</para> pass the packet to the next rule.</para>
</listitem> </listitem>
skipping to change at line 440 skipping to change at line 440
<para>Ignore the request.</para> <para>Ignore the request.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DROP!</emphasis></term> <term><emphasis role="bold">DROP!</emphasis></term>
<listitem> <listitem>
<para>like DROP but exempts the rule from being suppressed by <para>like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink OPTIMIZE=1 in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</ para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HELPER</emphasis></term> <term><emphasis role="bold">HELPER</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. This action requires that the <para>Added in Shorewall 4.5.7. This action requires that the
HELPER column contains the name of the Netfilter helper to be HELPER column contains the name of the Netfilter helper to be
associated with connections matching this connection. May only associated with connections matching this connection. May only
skipping to change at line 471 skipping to change at line 471
<listitem> <listitem>
<para>Added in Shorewall 4.5.16. This action allows you to <para>Added in Shorewall 4.5.16. This action allows you to
construct most of the rule yourself using iptables syntax. The construct most of the rule yourself using iptables syntax. The
part that you specify must follow two semicolons (';;') and is part that you specify must follow two semicolons (';;') and is
completely free-form. If the target of the rule (the part completely free-form. If the target of the rule (the part
following 'j') is something that Shorewall supports in the following 'j') is something that Shorewall supports in the
ACTION column, then you may enclose it in parentheses (e.g., ACTION column, then you may enclose it in parentheses (e.g.,
INLINE(ACCEPT)). Otherwise, you can include it after the INLINE(ACCEPT)). Otherwise, you can include it after the
semicolon(s). In this case, you must declare the target as a semicolon(s). In this case, you must declare the target as a
builtin action in <ulink builtin action in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink> (5).</para> url="shorewall-actions.html">shorewall-actions</ulink>(5).</para >
<para>Some considerations when using INLINE:</para> <para>Some considerations when using INLINE:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The <option>p</option>, <option>s</option>, <para>The <option>p</option>, <option>s</option>,
<option>d</option>, <option>i</option>, <option>d</option>, <option>i</option>,
<option>o</option>, <option>policy</option>, and state <option>o</option>, <option>policy</option>, and state
match (<option>state</option> or <option>conntrack match (<option>state</option> or <option>conntrack
--ctstate</option>) matches will always appear in the --ctstate</option>) matches will always appear in the
skipping to change at line 515 skipping to change at line 515
target with options (e.g., 'IPTABLES(MARK --set-xmark target with options (e.g., 'IPTABLES(MARK --set-xmark
0x01/0xff)'. If the <replaceable>iptables-target</replaceable> 0x01/0xff)'. If the <replaceable>iptables-target</replaceable>
is not one recognized by Shorewall, the following error is not one recognized by Shorewall, the following error
message will be issued:</para> message will be issued:</para>
<programlisting> ERROR: Unknown target (<replaceable>iptables -target</replaceable>)</programlisting> <programlisting> ERROR: Unknown target (<replaceable>iptables -target</replaceable>)</programlisting>
<para>This error message may be eliminated by adding the <para>This error message may be eliminated by adding the
<replaceable>iptables-</replaceable><replaceable>target</replace able> <replaceable>iptables-</replaceable><replaceable>target</replace able>
as a builtin action in <ulink as a builtin action in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink> (5).</para> url="shorewall-actions.html">shorewall-actions</ulink>(5).</para >
<important> <important>
<para>If you specify REJECT as the <para>If you specify REJECT as the
<replaceable>iptables-target</replaceable>, the target of <replaceable>iptables-target</replaceable>, the target of
the rule will be the iptables REJECT target and not the rule will be the iptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when REJECT Shorewall's builtin 'reject' chain which is used when REJECT
(see below) is specified as the (see below) is specified as the
<replaceable>target</replaceable> in the ACTION <replaceable>target</replaceable> in the ACTION
column.</para> column.</para>
</important> </important>
skipping to change at line 548 skipping to change at line 548
<replaceable>ip6tables-target</replaceable> is not one <replaceable>ip6tables-target</replaceable> is not one
recognized by Shorewall, the following error message will be recognized by Shorewall, the following error message will be
issued:</para> issued:</para>
<programlisting> ERROR: Unknown target (<replaceable>ip6table s-target</replaceable>)</programlisting> <programlisting> ERROR: Unknown target (<replaceable>ip6table s-target</replaceable>)</programlisting>
<para>This error message may be eliminated by adding <para>This error message may be eliminated by adding
the<replaceable> the<replaceable>
ip6tables-</replaceable><replaceable>target</replaceable> as a ip6tables-</replaceable><replaceable>target</replaceable> as a
builtin action in <ulink builtin action in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink> (5).</para> url="shorewall-actions.html">shorewall-actions</ulink>(5).</para >
<important> <important>
<para>If you specify REJECT as the <para>If you specify REJECT as the
<replaceable>ip6tables-target</replaceable>, the target of <replaceable>ip6tables-target</replaceable>, the target of
the rule will be the i6ptables REJECT target and not the rule will be the i6ptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when REJECT Shorewall's builtin 'reject' chain which is used when REJECT
(see below) is specified as the (see below) is specified as the
<replaceable>target</replaceable> in the ACTION <replaceable>target</replaceable> in the ACTION
column.</para> column.</para>
</important> </important>
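Review bot: the context line `the rule will be the i6ptables REJECT target` misspells `ip6tables`; the IPv4 counterpart of this paragraph in the IPTABLES hunk spells `iptables` correctly, so fix the typo while this block is being touched.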
skipping to change at line 633 skipping to change at line 633
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</repla ceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</repla ceable>)]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
back end logging daemon via a netlink socket then continues to back end logging daemon via a netlink socket then continues to
the next rule. See <ulink the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall _logging.html</ulink>.</para> url="../shorewall_logging.html">https://shorewall.org/shorewall_ logging.html</ulink>.</para>
<para>The <replaceable>nflog-parameters</replaceable> are a <para>The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para> comma-separated list of up to 3 numbers:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The first number specifies the netlink group <para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para> 0 is assumed.</para>
</listitem> </listitem>
skipping to change at line 703 skipping to change at line 703
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold"><emphasis <term><emphasis role="bold"><emphasis
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</repla ceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasi s></term> role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</repla ceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasi s></term>
<listitem> <listitem>
<para>like NFQUEUE but exempts the rule from being suppressed <para>like NFQUEUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</ para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">NONAT</emphasis></term> <term><emphasis role="bold">NONAT</emphasis></term>
<listitem> <listitem>
<para>Excludes the connection from any subsequent <emphasis <para>Excludes the connection from any subsequent <emphasis
role="bold">DNAT</emphasis>[-] or <emphasis role="bold">DNAT</emphasis>[-] or <emphasis
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
skipping to change at line 735 skipping to change at line 735
the packet for further processing.</para> the packet for further processing.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">QUEUE!</emphasis></term> <term><emphasis role="bold">QUEUE!</emphasis></term>
<listitem> <listitem>
<para>like QUEUE but exempts the rule from being suppressed by <para>like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink OPTIMIZE=1 in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</ para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis> </term> role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis> </term>
<listitem> <listitem>
<para>disallow the request and return an icmp-unreachable or <para>disallow the request and return an icmp-unreachable or
an RST packet. If no option is passed, Shorewall selects the an RST packet. If no option is passed, Shorewall selects the
skipping to change at line 804 skipping to change at line 804
</simplelist> </simplelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">REJECT!</emphasis></term> <term><emphasis role="bold">REJECT!</emphasis></term>
<listitem> <listitem>
<para>like REJECT but exempts the rule from being suppressed <para>like REJECT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</ para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">REDIRECT</emphasis></term> <term><emphasis role="bold">REDIRECT</emphasis></term>
<listitem> <listitem>
<para>Redirect the request to a server running on the <para>Redirect the request to a server running on the
firewall. Use with IPv6 requires Shorewall 4.5.14 or firewall. Use with IPv6 requires Shorewall 4.5.14 or
later.</para> later.</para>
skipping to change at line 933 skipping to change at line 933
followed by ":" and a syslog log level (e.g, REJECT:info or followed by ":" and a syslog log level (e.g, REJECT:info or
Web(ACCEPT):debug). This causes the packet to be logged at the Web(ACCEPT):debug). This causes the packet to be logged at the
specified level. Note that if the <emphasis specified level. Note that if the <emphasis
role="bold">ACTION</emphasis> involves destination network address role="bold">ACTION</emphasis> involves destination network address
translation (DNAT, REDIRECT, etc.) then the packet is logged translation (DNAT, REDIRECT, etc.) then the packet is logged
<emphasis role="bold">before</emphasis> the destination address is <emphasis role="bold">before</emphasis> the destination address is
rewritten.</para> rewritten.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an <para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink <emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) url="shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std then:</para> or in /usr/share/shorewall/actions.std then:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>If the log level is followed by "!' then all rules in the <para>If the log level is followed by "!' then all rules in the
action are logged at the log level.</para> action are logged at the log level.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>If the log level is not followed by "!" then only those <para>If the log level is not followed by "!" then only those
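Review bot: the list item `If the log level is followed by "!' then all rules` opens with a double quote and closes with a single one, whereas the next item uses `"!"`; make the first item use matching double quotes.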
skipping to change at line 964 skipping to change at line 964
<para>You may also specify <emphasis role="bold">ULOG</emphasis> <para>You may also specify <emphasis role="bold">ULOG</emphasis>
(IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
upper case) as a log level.This will log to the ULOG or NFLOG target upper case) as a log level.This will log to the ULOG or NFLOG target
for routing to a separate log through use of ulogd (<ulink for routing to a separate log through use of ulogd (<ulink
url="shorewall-logging.html">shorewall-logging(5)</ulink>).</para> url="shorewall-logging.html">shorewall-logging(5)</ulink>).</para>
<para>Actions specifying logging may be followed by a log tag (a <para>Actions specifying logging may be followed by a log tag (a
string of alphanumeric characters) which is appended to the string string of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in <ulink generated by the LOGPREFIX (in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of <para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
the log prefix generated by the LOGPREFIX setting.</para> the log prefix generated by the LOGPREFIX setting.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE - <term><emphasis role="bold">SOURCE -
<replaceable>source-spec</replaceable>[,...]</emphasis></term> <replaceable>source-spec</replaceable>[,...]</emphasis></term>
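Review bot: the context line `as a log level.This will log to the ULOG or NFLOG target` is missing the space after the full stop and should read `log level. This will log`; it sits two lines above the href being changed in this hunk, so it is cheap to fix here.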
skipping to change at line 988 skipping to change at line 988
<para><replaceable>source-spec</replaceable> is one of the <para><replaceable>source-spec</replaceable> is one of the
following:</para> following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></t erm> role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></t erm>
<listitem> <listitem>
<para>The name of a zone defined in <ulink <para>The name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). url="shorewall-zones.html">shorewall-zones</ulink>(5).
When only the zone name is specified, the packet source may be When only the zone name is specified, the packet source may be
any host in that zone.</para> any host in that zone.</para>
<para>zone may also be one of the following:</para> <para>zone may also be one of the following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>all[+]</term> <term>all[+]</term>
<listitem> <listitem>
skipping to change at line 1054 skipping to change at line 1054
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable></term> <term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable></term>
<listitem> <listitem>
<para>When this form is used, <para>When this form is used,
<replaceable>interface</replaceable> must be the name of an <replaceable>interface</replaceable> must be the name of an
interface associated with the named interface associated with the named
<replaceable>zone</replaceable> in either <ulink <replaceable>zone</replaceable> in either <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ ulink>(5) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink or <ulink
url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5). url="shorewall.hosts.html">shorewall-hosts</ulink>(5).
Only packets from hosts in the <replaceable>zone</replaceable> Only packets from hosts in the <replaceable>zone</replaceable>
that arrive through the named interface will match the that arrive through the named interface will match the
rule.</para> rule.</para>
<para>Beginning with Shorweall 5.2.1, the <para>Beginning with Shorweall 5.2.1, the
<replaceable>interface</replaceable> may be preceded with '!' <replaceable>interface</replaceable> may be preceded with '!'
which matches all interfaces associated with the zone except which matches all interfaces associated with the zone except
the one specified.</para> the one specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
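Review bot: the href `shorewall.hosts.html` uses a dot where the link text `shorewall-hosts` and every other manpage link in this diff (`shorewall-interfaces.html`, `shorewall-zones.html`) use a hyphen; the relative-path rewrite carried this over unchanged and it looks like a broken link, so it should become `shorewall-hosts.html`. The same hunk's context line also misspells the product name in `Beginning with Shorweall 5.2.1`.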
skipping to change at line 1078 skipping to change at line 1078
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>address</replac eable>[,...]</term> <term><replaceable>zone</replaceable>:<replaceable>address</replac eable>[,...]</term>
<listitem> <listitem>
<para>where address can be:</para> <para>where address can be:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>A host or network IP address. A network address may <para>A host or network IP address. A network address may
be followed by exclusion (see <ulink be followed by exclusion (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion </ulink>(5)).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5 )).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>An address range, specified using the syntax <para>An address range, specified using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</empha sis>.</para> <emphasis>lowaddress</emphasis>-<emphasis>highaddress</empha sis>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>+<replaceable>ipset</replaceable> where <para>+<replaceable>ipset</replaceable> where
<replaceable>ipset</replaceable> is the name of an ipset <replaceable>ipset</replaceable> is the name of an ipset
skipping to change at line 1116 skipping to change at line 1116
<replaceable>country-code-list</replaceable> is a <replaceable>country-code-list</replaceable> is a
comma-separated list of up to 15 ISO-3661 country codes comma-separated list of up to 15 ISO-3661 country codes
enclosed in square brackets ("[...]").</para> enclosed in square brackets ("[...]").</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The primary IP address of a firewall interface can <para>The primary IP address of a firewall interface can
be specified by an ampersand ('&amp;') followed by the be specified by an ampersand ('&amp;') followed by the
logical name of the interface as found in the INTERFACE logical name of the interface as found in the INTERFACE
column of <ulink column of <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfac es</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para> (5).</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>interface</repl aceable>:<replaceable>address</replaceable>[,...]</term> <term><replaceable>zone</replaceable>:<replaceable>interface</repl aceable>:<replaceable>address</replaceable>[,...]</term>
<listitem> <listitem>
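Review bot: the context line `comma-separated list of up to 15 ISO-3661 country codes` cites the wrong standard number; two-letter country codes are defined by ISO 3166, so this should read `ISO 3166`.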
skipping to change at line 1138 skipping to change at line 1138
both the incoming interface and source address match.</para> both the incoming interface and source address match.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>exclusion</repl aceable></term> <term><replaceable>zone</replaceable>:<replaceable>exclusion</repl aceable></term>
<listitem> <listitem>
<para>This form matches if the host IP address does not match <para>This form matches if the host IP address does not match
any of the entries in the exclusion (see <ulink any of the entries in the exclusion (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ul ink>(5)).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).< /para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>interface</repl aceable>:<replaceable>exclusion</replaceable></term> <term><replaceable>zone</replaceable>:<replaceable>interface</repl aceable>:<replaceable>exclusion</replaceable></term>
<listitem> <listitem>
<para>This form matches packets from the named <para>This form matches packets from the named
<replaceable>zone</replaceable> entering through the specified <replaceable>zone</replaceable> entering through the specified
<replaceable>interface</replaceable> where the source address <replaceable>interface</replaceable> where the source address
skipping to change at line 1352 skipping to change at line 1352
<para><replaceable>dest-spec</replaceable> is one of the <para><replaceable>dest-spec</replaceable> is one of the
following:</para> following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></t erm> role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></t erm>
<listitem> <listitem>
<para>The name of a zone defined in <ulink <para>The name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). url="shorewall-zones.html">shorewall-zones</ulink>(5).
When only the zone name is specified, the packet destination When only the zone name is specified, the packet destination
may be any host in that zone.</para> may be any host in that zone.</para>
<para>zone may also be one of the following:</para> <para>zone may also be one of the following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>all[+]</term> <term>all[+]</term>
<listitem> <listitem>
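Review bot: in the unchanged context right after the modified shorewall-zones link, "zone may also be one of the following" leaves zone as plain text, whereas every other mention in this entry is wrapped in <replaceable>zone</replaceable>; marking it up the same way keeps the rendered manpage consistent.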
skipping to change at line 1418 skipping to change at line 1418
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable></term> <term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable></term>
<listitem> <listitem>
<para>When this form is used, <para>When this form is used,
<replaceable>interface</replaceable> must be the name of an <replaceable>interface</replaceable> must be the name of an
interface associated with the named interface associated with the named
<replaceable>zone</replaceable> in either <ulink <replaceable>zone</replaceable> in either <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ ulink>(5) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink or <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). url="shorewall-hosts.html">shorewall-hosts</ulink>(5).
Only packets to hosts in the <replaceable>zone</replaceable> Only packets to hosts in the <replaceable>zone</replaceable>
that are sent through the named interface will match the that are sent through the named interface will match the
rule.</para> rule.</para>
<para>Beginning with Shorweall 5.2.1, the <para>Beginning with Shorweall 5.2.1, the
<replaceable>interface</replaceable> may be preceded with '!' <replaceable>interface</replaceable> may be preceded with '!'
which matches all interfaces associated with the zone except which matches all interfaces associated with the zone except
the one specified.</para> the one specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
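Review bot: the context just below the two modified links reads "Beginning with Shorweall 5.2.1"; the product name is misspelled on both sides of the diff, so "Shorewall" should be corrected in the same pass.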
skipping to change at line 1442 skipping to change at line 1442
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>address</replac eable>[,...]</term> <term><replaceable>zone</replaceable>:<replaceable>address</replac eable>[,...]</term>
<listitem> <listitem>
<para>where address can be:</para> <para>where address can be:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>A host or network IP address. A network address may <para>A host or network IP address. A network address may
be followed by exclusion (see <ulink be followed by exclusion (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion </ulink>(5)).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5 )).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>An address range, specified using the syntax <para>An address range, specified using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</empha sis>.</para> <emphasis>lowaddress</emphasis>-<emphasis>highaddress</empha sis>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>+<replaceable>ipset</replaceable> where <para>+<replaceable>ipset</replaceable> where
<replaceable>ipset</replaceable> is the name of an ipset <replaceable>ipset</replaceable> is the name of an ipset
skipping to change at line 1474 skipping to change at line 1474
<replaceable>country-code-list</replaceable> is a <replaceable>country-code-list</replaceable> is a
comma-separated list of up to 15 ISO-3661 country codes comma-separated list of up to 15 ISO-3661 country codes
enclosed in square brackets ("[...]").</para> enclosed in square brackets ("[...]").</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The primary IP address of a firewall interface can <para>The primary IP address of a firewall interface can
be specified by an ampersand ('&amp;') followed by the be specified by an ampersand ('&amp;') followed by the
logical name of the interface as found in the INTERFACE logical name of the interface as found in the INTERFACE
column of <ulink column of <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfac es</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para> (5).</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable>:<replaceable>address</replaceable>[,...]</term> <term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable>:<replaceable>address</replaceable>[,...]</term>
<listitem> <listitem>
skipping to change at line 1502 skipping to change at line 1502
the one specified.</para> the one specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>exclusion</repl aceable></term> <term><replaceable>zone</replaceable>:<replaceable>exclusion</repl aceable></term>
<listitem> <listitem>
<para>This form matches if the host IP address does not match <para>This form matches if the host IP address does not match
any of the entries in the exclusion (see <ulink any of the entries in the exclusion (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ul ink>(5)).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).< /para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable>:<replaceable>exclusion</replaceable></term> <term><replaceable>zone</replaceable>:[!]<replaceable>interface</r eplaceable>:<replaceable>exclusion</replaceable></term>
<listitem> <listitem>
<para>This form matches packets to the named <para>This form matches packets to the named
<replaceable>zone</replaceable> leaving through the specified <replaceable>zone</replaceable> leaving through the specified
<replaceable>interface</replaceable> where the destination <replaceable>interface</replaceable> where the destination
skipping to change at line 1763 skipping to change at line 1763
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[ <emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[ <emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]. ..|+<replaceable>ipset</replaceable>}</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]. ..|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional destination Ports. A comma-separated list of Port <para>Optional destination Ports. A comma-separated list of Port
names (from services(5)), port numbers or port ranges; if the names (from services(5)), port numbers or port ranges; if the
protocol is <emphasis role="bold">icmp</emphasis>, this column is protocol is <emphasis role="bold">icmp</emphasis>, this column is
interpreted as the destination icmp-type(s). ICMP types may be interpreted as the destination icmp-type(s). ICMP types may be
specified as a numeric type, a numeric type and code separated by a specified as a numeric type, a numeric type and code separated by a
slash (e.g., 3/4), or a typename. See <ulink slash (e.g., 3/4), or a typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/con figuration_file_basics.htm#ICMP</ulink>. url="../configuration_file_basics.htm#ICMP">https://shorewall.org/conf iguration_file_basics.htm#ICMP</ulink>.
Note that prior to Shorewall 4.4.19, only a single ICMP type may be Note that prior to Shorewall 4.4.19, only a single ICMP type may be
listed.</para> listed.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>, <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent). "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no port is given, <emphasis role="bold">ipp2p</emphasis> is If no port is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para> assumed.</para>
<para>A port range is expressed as <para>A port range is expressed as
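Review bot: the modified ulink now pairs a relative href (../configuration_file_basics.htm#ICMP) with link text that shows the absolute URL https://shorewall.org/configuration_file_basics.htm#ICMP; readers of the rendered page (and of any plain-text conversion) will see an address that differs from where the link actually resolves, so either keep text and href identical or use a descriptive title as the link text, as the shorewall-interfaces links elsewhere in this file already do.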
skipping to change at line 1871 skipping to change at line 1871
target where you want to redirect traffic destined for particular target where you want to redirect traffic destined for particular
set of hosts. Finally, if the list of addresses begins with "!" set of hosts. Finally, if the list of addresses begins with "!"
(<emphasis>exclusion</emphasis>) then the rule will be followed only (<emphasis>exclusion</emphasis>) then the rule will be followed only
if the original destination address in the connection request does if the original destination address in the connection request does
not match any of the addresses listed.</para> not match any of the addresses listed.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a <para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an ampersand ('&amp;') firewall interface can be specified by an ampersand ('&amp;')
followed by the logical name of the interface as found in the followed by the logical name of the interface as found in the
INTERFACE column of <ulink INTERFACE column of <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para> (5).</para>
<para>For other actions, this column may be included and may contain <para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you one of the listed addresses. This feature is most useful when you
want to generate a filter rule that corresponds to a <emphasis want to generate a filter rule that corresponds to a <emphasis
role="bold">DNAT-</emphasis> or <emphasis role="bold">DNAT-</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis> rule. In this usage, the list of role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
addresses should not begin with "!".</para> addresses should not begin with "!".</para>
<para>It is also possible to specify a set of addresses then exclude <para>It is also possible to specify a set of addresses then exclude
part of those addresses. For example, <emphasis part of those addresses. For example, <emphasis
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255. addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
See <ulink See <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5 ).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>See <ulink <para>See <ulink
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</u link> url="../PortKnocking.html">https://shorewall.org/PortKnocking.html</ul ink>
for an example of using an entry in this column with a user-defined for an example of using an entry in this column with a user-defined
action rule.</para> action rule.</para>
<para>This column was formerly labelled ORIGINAL DEST.</para> <para>This column was formerly labelled ORIGINAL DEST.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">RATE</emphasis> - <term><emphasis role="bold">RATE</emphasis> -
<replaceable>limit</replaceable></term> <replaceable>limit</replaceable></term>
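Review bot: the unchanged context between the shorewall-interfaces and shorewall-exclusion link changes states the worked exclusion example as "the addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255"; the upper bound of the first range should read 192.168.1.15 (excluding 192.168.1.16/28 removes .16 through .31), so the "182" is a typo worth fixing here. The PortKnocking ulink in this hunk has the same text/href mismatch as the ICMP link above (absolute https text, relative "../" target).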
skipping to change at line 2345 skipping to change at line 2345
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SWITCH - <term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term> [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.24 and allows enabling and disabling <para>Added in Shorewall 4.4.24 and allows enabling and disabling
the rule without requiring <command>shorewall the rule without requiring <command>shorewall
restart</command>.</para> reload</command>.</para>
<para>The rule is enabled if the value stored in <para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable ></filename> <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable ></filename>
is 1. The rule is disabled if that file contains 0 (the default). If is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled '!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para> if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and <para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a '@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...' added. The <replaceable>switch-name</replaceable> (after '@...'
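Review bot: the context at the end of this hunk, "the name of the chain to which the rule is a added", carries a stray "a"; drop it so the sentence reads "to which the rule is added".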
skipping to change at line 2376 skipping to change at line 2376
</simplelist> </simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para> <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist> <simplelist>
<member><command>echo 0 &gt; <member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></comma nd></member> /proc/net/nf_condition/<replaceable>switch-name</replaceable></comma nd></member>
</simplelist> </simplelist>
<para>Switch settings are retained over <command>shorewall <para>Switch settings are retained over <command>shorewall
restart</command>.</para> reload</command>.</para>
<para>Beginning with Shorewall 4.5.10, when the <para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is <option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the <command>start</command> command. Other commands do not affect the
switch setting.</para> switch setting.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
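Review bot: with "Switch settings are retained over shorewall reload" the sentence now documents only reload, while the final paragraph says only the start command initialises a switch given =0 or =1; stating explicitly whether a switch value also survives "shorewall restart" would avoid leaving readers of the previous wording unsure which command clears it.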
skipping to change at line 2429 skipping to change at line 2429
<member><option>sane</option></member> <member><option>sane</option></member>
<member><option>sip</option></member> <member><option>sip</option></member>
<member><option>snmp</option></member> <member><option>snmp</option></member>
<member><option>tftp</option></member> <member><option>tftp</option></member>
</simplelist> </simplelist>
<para>If the HELPERS option is specified in <ulink <para>If the HELPERS option is specified in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then url="shorewall.conf.html">shorewall.conf</ulink>(5), then
any module specified in this column must be listed in the HELPERS any module specified in this column must be listed in the HELPERS
setting.</para> setting.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Examples</title> <title>Examples</title>
skipping to change at line 2550 skipping to change at line 2550
<listitem> <listitem>
<para>Shorewall does not impose as much structure on the Netfilter <para>Shorewall does not impose as much structure on the Netfilter
rules in the 'nat' table as it does on those in the filter table. As rules in the 'nat' table as it does on those in the filter table. As
a consequence, when using Shorewall versions before 4.1.4, care must a consequence, when using Shorewall versions before 4.1.4, care must
be exercised when using DNAT and REDIRECT rules with zones defined be exercised when using DNAT and REDIRECT rules with zones defined
with wildcard interfaces (those ending with '+'. Here is an with wildcard interfaces (those ending with '+'. Here is an
example:</para> example:</para>
<para><ulink <para><ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5):<progr amlisting> #ZONE TYPE OPTIONS url="shorewall-zones.html">shorewall-zones</ulink>(5):<programlisting> #ZONE TYPE OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
dmz ipv4 dmz ipv4
loc ipv4</programlisting></para> loc ipv4</programlisting></para>
<para><ulink <para><ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5):<progr amlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0 net ppp0
loc eth1 detect loc eth1 detect
dmz eth2 detect dmz eth2 detect
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para> - ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
<para><ulink <para><ulink
url="/manpages/shorewall-hosts.html">shorewall-host</ulink>(5):<progra mlisting> #ZONE HOST(S) OPTIONS url="shorewall-hosts.html">shorewall-host</ulink>(5):<programlisting> #ZONE HOST(S) OPTIONS
loc ppp+:192.168.3.0/24</programlisting></para> loc ppp+:192.168.3.0/24</programlisting></para>
<para>rules:</para> <para>rules:</para>
<programlisting> #ACTION SOURCE DEST PROTO DPORT <programlisting> #ACTION SOURCE DEST PROTO DPORT
REDIRECT loc 3128 tcp 80 </programlisting> REDIRECT loc 3128 tcp 80 </programlisting>
<simpara>Note that it would have been tempting to simply define the <simpara>Note that it would have been tempting to simply define the
loc zone entirely in shorewall-interfaces(8):</simpara> loc zone entirely in shorewall-interfaces(8):</simpara>
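Review bot: three small defects in the unchanged context around the three link changes in this hunk: the parenthesis in "wildcard interfaces (those ending with '+'." is never closed, the shorewall-hosts link text reads "shorewall-host", and the closing sentence cites shorewall-interfaces(8) although every other reference in this file uses section 5.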
skipping to change at line 2654 skipping to change at line 2654
<programlisting> #ACTION SOURCE DEST PROTO DPORT <programlisting> #ACTION SOURCE DEST PROTO DPORT
INLINE $FW net ; -p 6 -m mickey-mous e --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting> INLINE $FW net ; -p 6 -m mickey-mous e --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
<para>The above will generate the following iptables-restore <para>The above will generate the following iptables-restore
input:</para> input:</para>
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</pr ogramlisting> <programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</pr ogramlisting>
<para>Note that SECCTX must be defined as a builtin action in <ulink <para>Note that SECCTX must be defined as a builtin action in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5):</ para> url="shorewall-actions.html">shorewall-actions</ulink>(5):</para>
<programlisting> #ACTION OPTIONS <programlisting> #ACTION OPTIONS
SECCTX builtin</programlisting> SECCTX builtin</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 15:</term> <term>Example 15:</term>
<listitem> <listitem>
skipping to change at line 2692 skipping to change at line 2692
<para>/etc/shorewall6/rules</para> <para>/etc/shorewall6/rules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="shorewall-logging.html">shorewall-logging(5)</ulink></para> url="shorewall-logging.html">shorewall-logging(5)</ulink></para>
<para><ulink <para><ulink
url="/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para> url="../ipsets.html">https://shorewall.org/ipsets.html</ulink></para>
<para><ulink <para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configur ation_file_basics.htm#Pairs</ulink></para> url="../configuration_file_basics.htm#Pairs">https://shorewall.org/configura tion_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8)</para> <para>shorewall(8)</para>
</refsect1> </refsect1>
</refentry> </refentry>
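Review bot: the section title is "See ALSO" (mixed case); the other titles in this file ("Description", "Examples") and manpage convention suggest "See Also". The two updated ulinks here also display absolute https://shorewall.org URLs while pointing at relative "../" targets, the same text/href mismatch as the ICMP link in the DPORT entry.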
 End of changes. 45 change blocks. 
45 lines changed or deleted 45 lines changed or added
