Changes between Version 2 and Version 3 of Rules


Timestamp:
09/01/07 13:54:00 (16 years ago)
Author:
Victor Julien
Comment:

--

  • Rules

    v2 v3  
    4848||logprefix||this text will be added to the trafficlog for this rule.||
    4949||loglimit||a limitation per second of the number of logmessages for this rule.||
    50 ||limit||a limitation per second of the number of new connections on this rule. This is to prevent DoS attacks.||
     50||limit||a limitation per time unit of the number of new connections on this rule. This is to prevent DoS attacks. Time unit can be sec, min, hour or day.||
    5151||burst||a burst value for the 'Rule Limit'.||
    5252||nfmark||a mark is set on the packets that match this rule. The mark never leaves the firewall, but can be used for traffic shaping or routing. Because of the way Vuurmuur handles ESTABLISHED packets for ACCEPT and for QUEUE, all packets rules with action ACCEPT need to have a mark between 0 and 9.999.999. QUEUE rules need to have a mark between 20.000.000 and 29.999.999. If no mark is set, ACCEPT rules will have no mark (which equals mark 0) and QUEUE rules will have 20.000.000.||
    5353||rejecttype||when the action is REJECT the user can select a type of reject: tcp-reset (resets a tcp-connection), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-port-unreachable, icmp-net-prohibited, icmp-host-prohibited.||
    54 ||listenport||when using PORTFW the firewall can be told to listen on another port than issued by the service. For example, you can let the firewall listen on port 1022 and portfw this to a remote machine on port 22.||
    55 ||remoteport||when using PORTFW the firewall can be told to forward the connection to another port than issued by the service. For example, if the firewall listens on port 22 the connection can be forwarded to a remote machine on port 1022.||
    56 ||markiptstate||this option is for use with QUEUE and is especially designed for use with Snort_inline 2.2.0. It is a way to help the tcp-state-engine of Snort (Note: Snort_inline 2.3.x won't use this).||
     54||listenport||when using PORTFW/DNAT the firewall can be told to listen on another port than issued by the service. For example, you can let the firewall listen on port 1022 and portfw this to a remote machine on port 22.||
     55||remoteport||when using PORTFW/DNAT the firewall can be told to forward the connection to another port than issued by the service. For example, if the firewall listens on port 22 the connection can be forwarded to a remote machine on port 1022.||
     56||markiptstate||this option is for use with QUEUE and is especially designed for use with Snort_inline 2.2.0. It is a way to help the tcp-state-engine of Snort (Note: this option has been removed in 0.5.73 alpha 3).||
    5757||queue||by default PORTFW and REDIRECT create ACCEPT rules in addition to the DNAT/REDIRECT rules. This option forces Vuurmuur to use 'QUEUE' instead of ACCEPT.||
    58 ||in_int||if your firewall has more than one interface in the same network, you might want to use only one of them. Press SPACE to select the one you want.||
    59 ||out_int||if your firewall has more than one interface in the same network, you might want to use only one of them. Press SPACE to select the one you want.||
    60 ||via_int||Mandatory option for use with the BOUNCE action. Press SPACE to select the interface containing the public ipaddress on which you try to reach the server in your local network.||
     58||in_int||if your firewall has more than one interface in the same network, you might want to use only one of them.||
     59||out_int||if your firewall has more than one interface in the same network, you might want to use only one of them.||
     60||via_int||Mandatory option for use with the BOUNCE action. Select the interface containing the public ipaddress on which you try to reach the server in your local network.||
    6161||chain||Name of the chain for use with the CHAIN action.||
    6262||redirectport||Port to redirect to using the REDIRECT action.||
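Review bot: the new `limit` row (v3 line 50) says the limit is "per time unit" and that the unit can be sec, min, hour or day, but it does not say which unit applies when none is given; state the default so an admin reading the help knows what a bare number means, since a limit meant as per-second but applied per-minute (or the other way round) changes the DoS protection the row explains. The neighbouring `loglimit` row (line 49) still reads "per second" and the `burst` row (line 51) only says "a burst value for the 'Rule Limit'"; if those follow the same unit as `limit`, say so, and if not, say that too, otherwise the three rows read as inconsistent. Small text points in the same hunk: the `nfmark` row (line 52) has "all packets rules with action ACCEPT", which should be "all rules with action ACCEPT"; the revised `markiptstate` row (line 56) still describes how to use the option after saying it "has been removed in 0.5.73 alpha 3", so it would help to say what happens to existing rules that still set it.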