From 8303e10ece79829a2abbb61f4e353ae17d995797 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 27 Mar 2020 14:25:47 -0400
Subject: [PATCH] doc: clarify --set-target values "default" vs "reject"
Fixes: #590
(cherry picked from commit 1249b741781d424e03844b35a4545db69a282dfb)
(cherry picked from commit 48a80a871b3e6be9abcc195c12b2860b4958c32b)
---
doc/xml/firewall-cmd.xml.in | 36 ++++++++++++++++++++++++++++++++++++
doc/xml/firewall-offline-cmd.xml | 38 +++++++++++++++++++++++++++++++++++++-
2 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index cd4aa47addb2..661bbdfe0c47 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -482,6 +482,42 @@
<para>
Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
</para>
+ <para>
+ <literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
+ <orderedlist>
+ <listitem><para>ICMP explicitly allowed</para>
+ <para>
+ At the end of the zone's ruleset ICMP packets are explicitly allowed.
+ </para>
+ </listitem>
+
+ <listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
+ <para>
+ In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
+ </para>
+ <para>
+ For a forwarded packet that ingresses zoneA and egresses zoneB:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
+ </listitem>
+ <listitem>
+ <para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem><para>Zone drifting from source-based zone to interface-based zone</para>
+ <para>
+ This only applies if <option>AllowZoneDrifting</option> is enabled. See <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ <para>
+ If a packet ingresses a source-based zone with a <replaceable>target</replaceable> of <literal>default</literal>, it may still enter an interface-based zone (including the default zone).
+ </para>
+ </listitem>
+ </orderedlist>
+ </para>
</listitem>
</varlistentry>
</variablelist>
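Review bot: the three item titles in the new `<orderedlist>` are inconsistently capitalized (`ICMP explicitly allowed`, `forwarded packets follow the ... target of the egress zone`, `Zone drifting from source-based zone to interface-based zone`); pick one style for all three. The lead-in `<literal>default</literal> is similar to <literal>REJECT</literal>` also leaves the similarity unstated, while the forwarding bullet already spells it out (`the packet will be rejected by firewalld's catchall reject`); consider saying up front that a packet matching no rule in a `default` zone ends in that catchall reject, so items 1 to 3 read as the exceptions they are, and a reader weighing item 3 sees that a source-based zone with target `default` does not stop traffic from those sources the way `REJECT` would, since the packet `may still enter an interface-based zone (including the default zone)`.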
diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
index aeaf3dc0ebd5..9406833ed74d 100644
--- a/doc/xml/firewall-offline-cmd.xml
+++ b/doc/xml/firewall-offline-cmd.xml
@@ -572,7 +572,43 @@
<term><option>--zone</option>=<replaceable>zone</replaceable> <option>--set-target</option>=<replaceable>zone</replaceable></term>
<listitem>
<para>
- Set the target of a permanent zone.
+ Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
+ </para>
+ <para>
+ <literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
+ <orderedlist>
+ <listitem><para>ICMP explicitly allowed</para>
+ <para>
+ At the end of the zone's ruleset ICMP packets are explicitly allowed.
+ </para>
+ </listitem>
+
+ <listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
+ <para>
+ In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
+ </para>
+ <para>
+ For a forwarded packet that ingresses zoneA and egresses zoneB:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
+ </listitem>
+ <listitem>
+ <para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem><para>Zone drifting from source-based zone to interface-based zone</para>
+ <para>
+ This only applies if <option>AllowZoneDrifting</option> is enabled. See <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ <para>
+ If a packet ingresses a source-based zone with a <replaceable>target</replaceable> of <literal>default</literal>, it may still enter an interface-based zone (including the default zone).
+ </para>
+ </listitem>
+ </orderedlist>
</para>
</listitem>
</varlistentry>
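Review bot: the unchanged `<term>` line at the top of this hunk still reads `<option>--set-target</option>=<replaceable>zone</replaceable>`, but the description added below it refers to the argument as `<replaceable>target</replaceable>`; rename the placeholder in the term to `target` in this patch so the synopsis matches the text (and the firewall-cmd.xml.in wording). Note also that the explanatory block is now duplicated word for word between the two files, so any later correction to the forwarding or zone-drifting wording has to be made twice.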
--
1.8.3.1