(The Shoreline Firewall) is an iptables based firewall Requires the Shorewall package and adds the capability to create an IPv6 firewall.
| rules.annotated (shorewall6-5.2.3.6.tar.bz2) | : | rules.annotated (shorewall6-5.2.6.tar.bz2) |
|---|
| | |
| skipping to change at line 369 | | skipping to change at line 369 |
|---|
| # | | # |
| # The mark value may be optionally followed by "/" and a mask value (use
d | | # The mark value may be optionally followed by "/" and a mask value (use
d |
| # to determine those bits of the connection mark to actually be set). | | # to determine those bits of the connection mark to actually be set). |
| # When a mask is specified, the result of logically ANDing the mark valu
e | | # When a mask is specified, the result of logically ANDing the mark valu
e |
| # with the mask must be the same as the mark value. | | # with the mask must be the same as the mark value. |
| # | | # |
| # NFLOG[(nflog-parameters)] | | # NFLOG[(nflog-parameters)] |
| # | | # |
| # Added in Shorewall 4.5.9.3. Queues matching packets to a back end | | # Added in Shorewall 4.5.9.3. Queues matching packets to a back end |
| # logging daemon via a netlink socket then continues to the next rule. | | # logging daemon via a netlink socket then continues to the next rule. |
|
| # See http://www.shorewall.net/shorewall_logging.html. | | # See https://shorewall.org/shorewall_logging.html. |
| # | | # |
| # The nflog-parameters are a comma-separated list of up to 3 numbers: | | # The nflog-parameters are a comma-separated list of up to 3 numbers: |
| # | | # |
| # ☆ The first number specifies the netlink group (0-65535). If omitted | | # ☆ The first number specifies the netlink group (0-65535). If omitted |
| # (e.g., NFLOG(,0,10)) then a value of 0 is assumed. | | # (e.g., NFLOG(,0,10)) then a value of 0 is assumed. |
| # | | # |
| # ☆ The second number specifies the maximum number of bytes to copy. I
f | | # ☆ The second number specifies the maximum number of bytes to copy. I
f |
| # omitted, 0 (no limit) is assumed. | | # omitted, 0 (no limit) is assumed. |
| # | | # |
| # ☆ The third number specifies the number of log messages that should | | # ☆ The third number specifies the number of log messages that should |
| | |
| skipping to change at line 966 | | skipping to change at line 966 |
|---|
| # | | # |
| # Beginning with Shorewall 4.4.19, this column can contain a comma-separated | | # Beginning with Shorewall 4.4.19, this column can contain a comma-separated |
| # list of protocol-numbers and/or protocol names. | | # list of protocol-numbers and/or protocol names. |
| # | | # |
| # DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} | | # DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} |
| # | | # |
| # Optional destination Ports. A comma-separated list of Port names (from | | # Optional destination Ports. A comma-separated list of Port names (from |
| # services(5)), port numbers or port ranges; if the protocol is icmp, this | | # services(5)), port numbers or port ranges; if the protocol is icmp, this |
| # column is interpreted as the destination icmp-type(s). ICMP types may be | | # column is interpreted as the destination icmp-type(s). ICMP types may be |
| # specified as a numeric type, a numeric type and code separated by a slash | | # specified as a numeric type, a numeric type and code separated by a slash |
|
| # (e.g., 3/4), or a typename. See http://www.shorewall.net/ | | # (e.g., 3/4), or a typename. See https://shorewall.org/ |
| # configuration_file_basics.htm#ICMP. Note that prior to Shorewall 4.4.19, | | # configuration_file_basics.htm#ICMP. Note that prior to Shorewall 4.4.19, |
| # only a single ICMP type may be listed. | | # only a single ICMP type may be listed. |
| # | | # |
| # If the protocol is ipp2p, this column is interpreted as an ipp2p option | | # If the protocol is ipp2p, this column is interpreted as an ipp2p option |
| # without the leading "--" (example bit for bit-torrent). If no port is | | # without the leading "--" (example bit for bit-torrent). If no port is |
| # given, ipp2p is assumed. | | # given, ipp2p is assumed. |
| # | | # |
| # A port range is expressed as lowport:highport. | | # A port range is expressed as lowport:highport. |
| # | | # |
| # This column is ignored if PROTO = all but must be entered if any of the | | # This column is ignored if PROTO = all but must be entered if any of the |
| | |
| skipping to change at line 1059 | | skipping to change at line 1059 |
|---|
| # that the original destination address matches one of the listed addresses. | | # that the original destination address matches one of the listed addresses. |
| # This feature is most useful when you want to generate a filter rule that | | # This feature is most useful when you want to generate a filter rule that |
| # corresponds to a DNAT- or REDIRECT- rule. In this usage, the list of | | # corresponds to a DNAT- or REDIRECT- rule. In this usage, the list of |
| # addresses should not begin with "!". | | # addresses should not begin with "!". |
| # | | # |
| # It is also possible to specify a set of addresses then exclude part of | | # It is also possible to specify a set of addresses then exclude part of |
| # those addresses. For example, 192.168.1.0/24!192.168.1.16/28 specifies the | | # those addresses. For example, 192.168.1.0/24!192.168.1.16/28 specifies the |
| # addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255. See | | # addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255. See |
| # shorewall-exclusion(5). | | # shorewall-exclusion(5). |
| # | | # |
|
| # See http://www.shorewall.net/PortKnocking.html for an example of using an | | # See https://shorewall.org/PortKnocking.html for an example of using an |
| # entry in this column with a user-defined action rule. | | # entry in this column with a user-defined action rule. |
| # | | # |
| # This column was formerly labelled ORIGINAL DEST. | | # This column was formerly labelled ORIGINAL DEST. |
| # | | # |
| # RATE - limit | | # RATE - limit |
| # | | # |
| # where limit is one of: | | # where limit is one of: |
| # | | # |
| # [-|[{s|d}[/vlsm]:[name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burs
t | | # [-|[{s|d}[/vlsm]:[name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burs
t |
| # ] | | # ] |
| | |
| skipping to change at line 1289 | | skipping to change at line 1289 |
|---|
| # If any: is specified, the rule will match if any of the listed headers are | | # If any: is specified, the rule will match if any of the listed headers are |
| # present. If exactly: is specified, the will match packets that exactly | | # present. If exactly: is specified, the will match packets that exactly |
| # include all specified headers. If neither is given, any: is assumed. | | # include all specified headers. If neither is given, any: is assumed. |
| # | | # |
| # If ! is entered, the rule will match those packets which would not be | | # If ! is entered, the rule will match those packets which would not be |
| # matched when ! is omitted. | | # matched when ! is omitted. |
| # | | # |
| # SWITCH - [!]switch-name[={0|1}] | | # SWITCH - [!]switch-name[={0|1}] |
| # | | # |
| # Added in Shorewall 4.4.24 and allows enabling and disabling the rule | | # Added in Shorewall 4.4.24 and allows enabling and disabling the rule |
|
| # without requiring shorewall restart. | | # without requiring shorewall reload. |
| # | | # |
| # The rule is enabled if the value stored in /proc/net/nf_condition/ | | # The rule is enabled if the value stored in /proc/net/nf_condition/ |
| # switch-name is 1. The rule is disabled if that file contains 0 (the | | # switch-name is 1. The rule is disabled if that file contains 0 (the |
| # default). If '!' is supplied, the test is inverted such that the rule is | | # default). If '!' is supplied, the test is inverted such that the rule is |
| # enabled if the file contains 0. | | # enabled if the file contains 0. |
| # | | # |
| # Within the switch-name, '@0' and '@{0}' are replaced by the name of the | | # Within the switch-name, '@0' and '@{0}' are replaced by the name of the |
| # chain to which the rule is a added. The switch-name (after '@...' | | # chain to which the rule is a added. The switch-name (after '@...' |
| # expansion) must begin with a letter and be composed of letters, decimal | | # expansion) must begin with a letter and be composed of letters, decimal |
| # digits, underscores or hyphens. Switch names must be 30 characters or less | | # digits, underscores or hyphens. Switch names must be 30 characters or less |
| # in length. | | # in length. |
| # | | # |
| # Switches are normally off. To turn a switch on: | | # Switches are normally off. To turn a switch on: |
| # | | # |
| # echo 1 > /proc/net/nf_condition/switch-name | | # echo 1 > /proc/net/nf_condition/switch-name |
| # | | # |
| # To turn it off again: | | # To turn it off again: |
| # | | # |
| # echo 0 > /proc/net/nf_condition/switch-name | | # echo 0 > /proc/net/nf_condition/switch-name |
| # | | # |
|
| # Switch settings are retained over shorewall restart. | | # Switch settings are retained over shorewall reload. |
| # | | # |
| # Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or | | # Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or |
| # =1, then the switch is initialized to off or on respectively by the start | | # =1, then the switch is initialized to off or on respectively by the start |
| # command. Other commands do not affect the switch setting. | | # command. Other commands do not affect the switch setting. |
| # | | # |
| # HELPER - [helper] | | # HELPER - [helper] |
| # | | # |
| # Added in Shorewall 4.5.7. | | # Added in Shorewall 4.5.7. |
| # | | # |
| # In the NEW section, causes the named conntrack helper to be associated wit
h | | # In the NEW section, causes the named conntrack helper to be associated wit
h |
| | | |
| End of changes. 5 change blocks. |
|---|
| 5 lines changed or deleted | | 5 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 