(The Shoreline Firewall) is an iptables based firewall Requires the Shorewall package and adds the capability to create an IPv6 firewall.
| policy.annotated (shorewall6-5.2.3.4.tgz) | : | policy.annotated (shorewall6-5.2.3.5.tar.bz2) |
|---|
| | |
| skipping to change at line 75 | | skipping to change at line 75 |
|---|
| # the implicit intra-zone ACCEPT policy while "all+" does. | | # the implicit intra-zone ACCEPT policy while "all+" does. |
| # | | # |
| # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by | | # Beginning with Shorewall 5.0.12, multiple zones may be listed separated by |
| # commas. As above, if '+' is specified after two or more zone names, then | | # commas. As above, if '+' is specified after two or more zone names, then |
| # the policy overrides the implicit intra-zone ACCEPT policy if the same zon
e | | # the policy overrides the implicit intra-zone ACCEPT policy if the same zon
e |
| # appears in both the SOURCE and DEST columns. | | # appears in both the SOURCE and DEST columns. |
| # | | # |
| # Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones | | # Beginning with Shorewall 5.2.3, a comma-separated list of excluded zones |
| # preceded by "!" may follow all or all+. | | # preceded by "!" may follow all or all+. |
| # | | # |
|
| # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[: | | # POLICY - {ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[([queuenumber1[: |
| # queuenumber2])]|NONE}[:{[+]policy-action[:level][,...]|None}] | | # queuenumber2[c]][,bypass]]|bypass)]|NONE}[:{[+]policy-action[:level][,...] |
| | | |
| | # None}] |
| # | | # |
| # Policy if no match from the rules file is found. | | # Policy if no match from the rules file is found. |
| # | | # |
| # If the policy is neither CONTINUE nor NONE then the policy may be followed | | # If the policy is neither CONTINUE nor NONE then the policy may be followed |
| # by ":" and one of the following: | | # by ":" and one of the following: |
| # | | # |
| # a. The word "None" or "none". This causes any default action defined in | | # a. The word "None" or "none". This causes any default action defined in |
| # shorewall.conf(5) to be omitted for this policy. | | # shorewall.conf(5) to be omitted for this policy. |
| # | | # |
| # b. The name of an action with optional parameters enclosed in parentheses
. | | # b. The name of an action with optional parameters enclosed in parentheses
. |
| | |
| skipping to change at line 136 | | skipping to change at line 137 |
|---|
| # | | # |
| # NFQUEUE | | # NFQUEUE |
| # | | # |
| # Queue the request for a user-space application using the | | # Queue the request for a user-space application using the |
| # nfnetlink_queue mechanism. If a queuenumber1 is not given, queue zero | | # nfnetlink_queue mechanism. If a queuenumber1 is not given, queue zero |
| # (0) is assumed. Beginning with Shorewall 4.6.10, a second queue number | | # (0) is assumed. Beginning with Shorewall 4.6.10, a second queue number |
| # (queuenumber2) may be given. This specifies a range of queues to use. | | # (queuenumber2) may be given. This specifies a range of queues to use. |
| # Packets are then balanced across the given queues. This is useful for | | # Packets are then balanced across the given queues. This is useful for |
| # multicore systems: start multiple instances of the userspace program o
n | | # multicore systems: start multiple instances of the userspace program o
n |
| # queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same | | # queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same |
|
| # connection are put into the same nfqueue. | | # connection are put into the same nfqueue. Beginning with Shorewall |
| | # 5.1.0, queuenumber2 may be followed by the letter 'c' to indicate that |
| | # the CPU ID will be used as an index to map packets to the queues. The |
| | # idea is that you can improve performance if there's a queue per CPU. |
| | # Requires the NFQUEUE CPU Fanout capability in your kernel and iptables |
| | . |
| | # |
| | # Beginning with Shorewall 4.6.10, the keyword bypass can be given. By |
| | # default, if no userspace program is listening on an NFQUEUE, then all |
| | # packets that are to be queued are dropped. When this option is used, |
| | # the NFQUEUE rule behaves like ACCEPT instead. |
| # | | # |
| # CONTINUE | | # CONTINUE |
| # | | # |
| # Pass the connection request past any other rules that it might also | | # Pass the connection request past any other rules that it might also |
| # match (where the source or destination zone in those rules is a | | # match (where the source or destination zone in those rules is a |
| # superset of the SOURCE or DEST in this policy). See shorewall-nesting | | # superset of the SOURCE or DEST in this policy). See shorewall-nesting |
| # (5) for additional information. | | # (5) for additional information. |
| # | | # |
| # NONE | | # NONE |
| # | | # |
| | | |
| End of changes. 2 change blocks. |
|---|
| 3 lines changed or deleted | | 15 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 