| shorewall-zones.xml (shorewall-docs-xml-5.2.3.6.tar.bz2) | : | shorewall-zones.xml (shorewall-docs-xml-5.2.6.tar.bz2) |
|---|
| | |
| skipping to change at line 50 | | skipping to change at line 50 |
|---|
| <emphasis>zone</emphasis>[<emphasis | | <emphasis>zone</emphasis>[<emphasis |
| role="bold">:</emphasis><emphasis>parent-zone</emphasis>[<emphasis | | role="bold">:</emphasis><emphasis>parent-zone</emphasis>[<emphasis |
| role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term> | | role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term> |
| | |
| <listitem> | | <listitem> |
| <para>Name of the <emphasis>zone</emphasis>. Must start with a | | <para>Name of the <emphasis>zone</emphasis>. Must start with a |
| letter and consist of letters, digits or '_'. The names "all", | | letter and consist of letters, digits or '_'. The names "all", |
| "none", "any", "SOURCE" and "DEST" are reserved and may not be used | | "none", "any", "SOURCE" and "DEST" are reserved and may not be used |
| as zone names. The maximum length of a zone name is determined by | | as zone names. The maximum length of a zone name is determined by |
| the setting of the LOGFORMAT option in <ulink | | the setting of the LOGFORMAT option in <ulink |
|
| url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With | | url="shorewall.conf.html">shorewall.conf</ulink>(5). With |
| the default LOGFORMAT, zone names can be at most 5 characters | | the default LOGFORMAT, zone names can be at most 5 characters |
| long.</para> | | long.</para> |
| | |
| <blockquote> | | <blockquote> |
| <para>The maximum length of an iptables log prefix is 29 bytes. As | | <para>The maximum length of an iptables log prefix is 29 bytes. As |
| explained in <ulink | | explained in <ulink |
|
| url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5), | | url="shorewall.conf.html">shorewall.conf</ulink> (5), |
| the legacy default LOGPREFIX formatting string is | | the legacy default LOGPREFIX formatting string is |
| “Shorewall:%s:%s:” where the first %s is replaced by the chain | | “Shorewall:%s:%s:” where the first %s is replaced by the chain |
| name and the second is replaced by the disposition.</para> | | name and the second is replaced by the disposition.</para> |
| | |
| <itemizedlist> | | <itemizedlist> |
| <listitem> | | <listitem> |
| <para>The "Shorewall:%s:%s:" formatting string has 12 fixed | | <para>The "Shorewall:%s:%s:" formatting string has 12 fixed |
| characters ("Shorewall" and three colons).</para> | | characters ("Shorewall" and three colons).</para> |
| </listitem> | | </listitem> |
| | |
| | |
| skipping to change at line 125 | | skipping to change at line 125 |
|---|
| </itemizedlist> | | </itemizedlist> |
| </blockquote> | | </blockquote> |
| | |
| <para>The order in which Shorewall matches addresses from packets to | | <para>The order in which Shorewall matches addresses from packets to |
| zones is determined by the order of zone declarations. Where a zone | | zones is determined by the order of zone declarations. Where a zone |
| is nested in one or more other zones, you may either ensure that the | | is nested in one or more other zones, you may either ensure that the |
| nested zone precedes its parents in this file, or you may follow the | | nested zone precedes its parents in this file, or you may follow the |
| (sub)zone name by ":" and a comma-separated list of the parent | | (sub)zone name by ":" and a comma-separated list of the parent |
| zones. The parent zones must have been declared in earlier records | | zones. The parent zones must have been declared in earlier records |
| in this file. See <ulink | | in this file. See <ulink |
|
| url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) | | url="shorewall-nesting.html">shorewall-nesting</ulink>(5) |
| for additional information.</para> | | for additional information.</para> |
| | |
| <para>Example:</para> | | <para>Example:</para> |
| | |
| <programlisting>#ZONE TYPE OPTIONS IN OPTIONS O
UT OPTIONS | | <programlisting>#ZONE TYPE OPTIONS IN OPTIONS O
UT OPTIONS |
| a ip | | a ip |
| b ip | | b ip |
| c:a,b ip</programlisting> | | c:a,b ip</programlisting> |
| | |
| <para>Currently, Shorewall uses this information to reorder the zone | | <para>Currently, Shorewall uses this information to reorder the zone |
| list so that parent zones appear after their subzones in the list. | | list so that parent zones appear after their subzones in the list. |
| The IMPLICIT_CONTINUE option in <ulink | | The IMPLICIT_CONTINUE option in <ulink |
|
| url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can | | url="shorewall.conf.html">shorewall.conf</ulink>(5) can |
| also create implicit CONTINUE policies to/from the subzone.</para> | | also create implicit CONTINUE policies to/from the subzone.</para> |
| | |
| <para>Where an <emphasis role="bold">ipsec</emphasis> zone is | | <para>Where an <emphasis role="bold">ipsec</emphasis> zone is |
| explicitly included as a child of an <emphasis | | explicitly included as a child of an <emphasis |
| role="bold">ip</emphasis> zone, the ruleset allows CONTINUE policies | | role="bold">ip</emphasis> zone, the ruleset allows CONTINUE policies |
| (explicit or implicit) to work as expected.</para> | | (explicit or implicit) to work as expected.</para> |
| | |
| <para>In the future, Shorewall may make additional use of nesting | | <para>In the future, Shorewall may make additional use of nesting |
| information.</para> | | information.</para> |
| </listitem> | | </listitem> |
| | |
| skipping to change at line 165 | | skipping to change at line 165 |
|---|
| <variablelist> | | <variablelist> |
| <varlistentry> | | <varlistentry> |
| <term><emphasis role="bold">ip</emphasis></term> | | <term><emphasis role="bold">ip</emphasis></term> |
| | |
| <listitem> | | <listitem> |
| <para>This is the standard Shorewall zone type and is the | | <para>This is the standard Shorewall zone type and is the |
| default if you leave this column empty or if you enter "-" in | | default if you leave this column empty or if you enter "-" in |
| the column. Communication with some zone hosts may be | | the column. Communication with some zone hosts may be |
| encrypted. Encrypted hosts are designated using the 'ipsec' | | encrypted. Encrypted hosts are designated using the 'ipsec' |
| option in <ulink | | option in <ulink |
|
| url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). | | url="shorewall-hosts.html">shorewall-hosts</ulink>(5). |
| For clarity, this zone type may be specified as | | For clarity, this zone type may be specified as |
| <option>ipv4</option> in IPv4 configurations and | | <option>ipv4</option> in IPv4 configurations and |
| <option>ipv6</option> in IPv6 configurations.</para> | | <option>ipv6</option> in IPv6 configurations.</para> |
| </listitem> | | </listitem> |
| </varlistentry> | | </varlistentry> |
| | |
| <varlistentry> | | <varlistentry> |
| <term><emphasis role="bold">ipsec</emphasis></term> | | <term><emphasis role="bold">ipsec</emphasis></term> |
| | |
| <listitem> | | <listitem> |
| | |
| skipping to change at line 215 | | skipping to change at line 215 |
|---|
| </listitem> | | </listitem> |
| </varlistentry> | | </varlistentry> |
| | |
| <varlistentry> | | <varlistentry> |
| <term><emphasis role="bold">vserver</emphasis></term> | | <term><emphasis role="bold">vserver</emphasis></term> |
| | |
| <listitem> | | <listitem> |
| <para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of | | <para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of |
| Linux-vserver guests. The zone contents must be defined in | | Linux-vserver guests. The zone contents must be defined in |
| <ulink | | <ulink |
|
| url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> | | url="shorewall-hosts.html">shorewall-hosts</ulink> |
| (5).</para> | | (5).</para> |
| | |
| <para>Vserver zones are implicitly handled as subzones of the | | <para>Vserver zones are implicitly handled as subzones of the |
| firewall zone.</para> | | firewall zone.</para> |
| </listitem> | | </listitem> |
| </varlistentry> | | </varlistentry> |
| | |
| <varlistentry> | | <varlistentry> |
| <term><emphasis role="bold">loopback</emphasis></term> | | <term><emphasis role="bold">loopback</emphasis></term> |
| | |
| | |
| skipping to change at line 243 | | skipping to change at line 243 |
|---|
| <listitem> | | <listitem> |
| <para>By default, all traffic through the interface is | | <para>By default, all traffic through the interface is |
| ACCEPTed.</para> | | ACCEPTed.</para> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>If a $FW -> $FW policy is defined or $FW -> | | <para>If a $FW -> $FW policy is defined or $FW -> |
| $FW rules are defined, they are placed in a chain named | | $FW rules are defined, they are placed in a chain named |
| ${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' ) | | ${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' ) |
| depending on the ZONE2ZONE setting in <ulink | | depending on the ZONE2ZONE setting in <ulink |
|
| url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5
).</para> | | url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>$FW -> $FW traffic is only filtered in the OUTPUT | | <para>$FW -> $FW traffic is only filtered in the OUTPUT |
| chain.</para> | | chain.</para> |
| </listitem> | | </listitem> |
| </itemizedlist> | | </itemizedlist> |
| | |
| <para>By defining a <emphasis role="bold">loopback</emphasis> | | <para>By defining a <emphasis role="bold">loopback</emphasis> |
| zone and associating it with the loopback interface in | | zone and associating it with the loopback interface in |
| | |
| skipping to change at line 322 | | skipping to change at line 322 |
|---|
| | |
| <variablelist> | | <variablelist> |
| <varlistentry> | | <varlistentry> |
| <term><emphasis role="bold">dynamic_shared</emphasis></term> | | <term><emphasis role="bold">dynamic_shared</emphasis></term> |
| | |
| <listitem> | | <listitem> |
| <para>Added in Shorewall 4.5.9. May only be specified in the | | <para>Added in Shorewall 4.5.9. May only be specified in the |
| OPTIONS column and indicates that only a single ipset should | | OPTIONS column and indicates that only a single ipset should |
| be created for this zone if it has multiple dynamic entries in | | be created for this zone if it has multiple dynamic entries in |
| <ulink | | <ulink |
|
| url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). | | url="shorewall-hosts.html">shorewall-hosts</ulink>(5). |
| Without this option, a separate ipset is created for each | | Without this option, a separate ipset is created for each |
| interface.</para> | | interface.</para> |
| </listitem> | | </listitem> |
| </varlistentry> | | </varlistentry> |
| | |
| <varlistentry> | | <varlistentry> |
| <term><emphasis | | <term><emphasis |
| role="bold">reqid=</emphasis><emphasis>number</emphasis></term> | | role="bold">reqid=</emphasis><emphasis>number</emphasis></term> |
| | |
| <listitem> | | <listitem> |
| | |
| skipping to change at line 366 | | skipping to change at line 366 |
|---|
| </listitem> | | </listitem> |
| </varlistentry> | | </varlistentry> |
| | |
| <varlistentry> | | <varlistentry> |
| <term><emphasis | | <term><emphasis |
| role="bold">mss=</emphasis><emphasis>number</emphasis></term> | | role="bold">mss=</emphasis><emphasis>number</emphasis></term> |
| | |
| <listitem> | | <listitem> |
| <para>sets the MSS field in TCP packets. If you supply this | | <para>sets the MSS field in TCP packets. If you supply this |
| option, you should also set FASTACCEPT=No in <ulink | | option, you should also set FASTACCEPT=No in <ulink |
|
| url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) | | url="shorewall.conf.html">shorewall.conf</ulink>(5) |
| to insure that both the SYN and SYN,ACK packets have their MSS | | to insure that both the SYN and SYN,ACK packets have their MSS |
| field adjusted.</para> | | field adjusted.</para> |
| </listitem> | | </listitem> |
| </varlistentry> | | </varlistentry> |
| | |
| <varlistentry> | | <varlistentry> |
| <term><emphasis role="bold">mode=</emphasis><emphasis | | <term><emphasis role="bold">mode=</emphasis><emphasis |
| role="bold">transport</emphasis>|<emphasis | | role="bold">transport</emphasis>|<emphasis |
| role="bold">tunnel</emphasis></term> | | role="bold">tunnel</emphasis></term> |
| | |
| | |
| skipping to change at line 441 | | skipping to change at line 441 |
|---|
| | |
| <para>/etc/shorewall/zones</para> | | <para>/etc/shorewall/zones</para> |
| | |
| <para>/etc/shorewall6/zones</para> | | <para>/etc/shorewall6/zones</para> |
| </refsect1> | | </refsect1> |
| | |
| <refsect1> | | <refsect1> |
| <title>See ALSO</title> | | <title>See ALSO</title> |
| | |
| <para><ulink | | <para><ulink |
|
| url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</uli
nk>.</para> | | url="../Multiple_Zones.html">https://shorewall.org/Multiple_Zones.html</ulin
k>.</para> |
| | |
| <para><ulink | | <para><ulink |
|
| url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configur
ation_file_basics.htm#Pairs</ulink></para> | | url="../configuration_file_basics.htm#Pairs">https://shorewall.org/configura
tion_file_basics.htm#Pairs</ulink></para> |
| | |
| <para>shorewall(8)</para> | | <para>shorewall(8)</para> |
| </refsect1> | | </refsect1> |
| </refentry> | | </refentry> |
| | | |
| End of changes. 11 change blocks. |
|---|
| 11 lines changed or deleted | | 11 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 