Provided by: sanewall-doc_1.0.2+ds-2_all
NAME
sanewall-router - create a router definition
SYNOPSIS
router name [rule-params]
DESCRIPTION
A router definition consists of a set of rules for traffic passing through the host running the firewall. The default policy for router definitions is RETURN, meaning packets are not dropped by any particular router. Packets not matched by any router are dropped at the end of the firewall. The behaviour of the defined router is controlled by adding subcommands (listed in the section called “SEE ALSO”).
PARAMETERS
name This is a name for this router. You should use short names (10 characters maximum) without spaces or other symbols. A name should be unique for all Sanewall interface and router definitions. rule-params The set of rule parameters to further restrict the traffic that is matched to this router. See optional rule parameters: sanewall-rule-params(5) for information on the parameters that can be used. Some examples: router mylan inface ppp+ outface eth0 src not ${UNROUTABLE_IPS} router myrouter See Sanewall configuration: sanewall.conf(5) for an explanation of ${UNROUTABLE_IPS}.
WORKING WITH ROUTERS
Routers create stateful iptables rules which match traffic in both directions. To match some client or server traffic, the input/output interface or source/destination of the request must be specified. All inface/outface and src/dstoptional rule parameters: sanewall-rule-params(5) can be given on the router statement (in which case they will be applied to all subcommands for the router) or just within the subcommands of the router. For example, to define a router which matches requests from any PPP interface and destined for eth0, and on this allowing HTTP servers (on eth0) to be accessed by clients (from PPP) and SMTP clients (from eth0) to access any servers (on PPP): router mylan inface ppp+ outface eth0 server http accept client smtp accept Note The client subcommand reverses any optional rule parameters passed to the router, in this case the inface and outface. Equivalently, to define a router which matches all forwarded traffic and within the the router allow HTTP servers on eth0 to be accessible to PPP and any SMTP servers on PPP to be accessible from eth0: router mylan server http accept inface ppp+ outface eth0 server smtp accept inface eth0 outface ppp Note In this instance two server subcommands are used since there are no parameters on the router to reverse. Avoid the use of the client subcommand in routers unless the inputs and outputs are defined as part of the router. Any number of routers can be defined and the traffic they match can overlap. Since the default policy is RETURN, any traffic that is not matched by any rules in one will proceed to the next, in order, until none are left.
SEE ALSO
Sanewall program: sanewall(1) Sanewall configuration: sanewall.conf(5) interface definition: sanewall-interface(5) policy command: sanewall-policy(5) protection command: sanewall-protection(5) client command: sanewall-client(5) server, route commands: sanewall-server(5) group command: sanewall-group(5) iptables helper: sanewall-iptables(5) masquerade helper: sanewall-masquerade(5) tcpmss helper: sanewall-tcpmss(5)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>