authorBob Gilligan <gilligan@vyatta.com>2008-12-09 15:57:41 -0800
committerBob Gilligan <gilligan@vyatta.com>2008-12-09 15:57:41 -0800
commita1079991df0425d8338686053602c0c5fe1e62fb (patch)
tree755aa679099075d3ae0d8584da1aed49c7f9f5ba /templates/firewall
parenta8cd93d29719ad2aab005ebbf401df23ba5754c7 (diff)
Cleanup firewall templates for readability. Update help strings to reflect IPv4.
Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/broadcast-ping/node.def39
-rw-r--r--templates/firewall/ip-src-route/node.def37
-rw-r--r--templates/firewall/log-martians/node.def33
-rw-r--r--templates/firewall/modify/node.def3
-rw-r--r--templates/firewall/modify/node.tag/description/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.def3
-rw-r--r--templates/firewall/name/node.def3
-rw-r--r--templates/firewall/name/node.tag/description/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/action/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/description/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def8
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def2
-rw-r--r--templates/firewall/node.def12
-rw-r--r--templates/firewall/receive-redirects/node.def33
-rw-r--r--templates/firewall/send-redirects/node.def33
-rw-r--r--templates/firewall/syn-cookies/node.def23
19 files changed, 190 insertions, 51 deletions
diff --git a/templates/firewall/broadcast-ping/node.def b/templates/firewall/broadcast-ping/node.def
index e92d08a..594786c 100644
--- a/templates/firewall/broadcast-ping/node.def
+++ b/templates/firewall/broadcast-ping/node.def
@@ -1,11 +1,34 @@
type: txt
-help: Set ignorance of all ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast (default: disable)
+
+help: Set handling of broadcast IPv4 ICMP echo and timestamp requests
+
+comp_help:Possible completions:
+ disable\tDisable processing of broadcast IPv4 ICMP echo/timestamp requests
+ enable\tEnable processing of broadcast IPv4 ICMP echo/timestamp requests
+
default: "disable"
+
syntax:expression: $VAR(@) in "enable", "disable"; "broadcast-ping must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+
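Review bot: The rewritten completion strings now say the opposite of what the node does: `enable` still writes 1 to `/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`, which tells the kernel to ignore broadcast echo/timestamp requests, yet the new comp_help promises that `enable` will "Enable processing" of them (the removed help string correctly described the knob as "ignorance"). Since existing configurations depend on the current writes, fix the text rather than the sysctl values: `enable\tIgnore broadcast IPv4 ICMP echo/timestamp requests` and `disable\tAnswer broadcast IPv4 ICMP echo/timestamp requests`, with the `help:` line reworded to match. It is also worth stating in the help that the `disable` default leaves the router answering broadcast echo requests, so an operator choosing the hardened setting picks `enable`. Separately, `create:` and `update:` are byte-identical; if the config backend falls back to `update:` when `create:` is absent (the syn-cookies template appears to rely on that), one copy could go — confirm before removing.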
diff --git a/templates/firewall/ip-src-route/node.def b/templates/firewall/ip-src-route/node.def
index 1f813dc..c9e777c 100644
--- a/templates/firewall/ip-src-route/node.def
+++ b/templates/firewall/ip-src-route/node.def
@@ -1,11 +1,32 @@
type: txt
-help: Set acceptance for packets with SRR option (default: disable)
+
+help: Set policy for handling IPv4 packets with source route option
+
+comp_help:Possible completions:
+ enable\tEnable processing of IPv4 packets with source route option
+ disable\tDisable processing of IPv4 packets with source route option
+
default: "disable"
+
syntax:expression: $VAR(@) in "enable", "disable"; "ip-src-route must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
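Review bot: Only `conf/all/accept_source_route` is written, and the kernel's ip-sysctl documentation says conf/all must be TRUE in addition to the per-interface flag for SRR packets to be accepted on an interface, so `disable` is effective but `enable` silently does nothing on any interface whose own `accept_source_route` is 0 — a comment above `create:` such as `# kernel ANDs conf/all with conf/<if>; enable only takes effect where the interface flag is also 1` would save the next reader a kernel-source trip. The `[ x$VAR(@) == xenable ]` test in both hooks relies on bash's `==`; if these snippets are ever run by a POSIX sh that is a syntax error, and `=` behaves identically in both, so `[ x$VAR(@) = xenable ]` is the safer spelling. The `create:` and `update:` bodies are identical and could be collapsed if the backend falls back to `update:` on creation — confirm.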
diff --git a/templates/firewall/log-martians/node.def b/templates/firewall/log-martians/node.def
index 4a31e68..cee3e6a 100644
--- a/templates/firewall/log-martians/node.def
+++ b/templates/firewall/log-martians/node.def
@@ -1,11 +1,28 @@
type: txt
-help: Set syslog logging of packets with impossible addresses (default: enable)
+
+help: Set policy for logging IPv4 packets with invalid addresses
+
+comp_help:Possible completions:
+ enable\tEnable logging of IPv4 packets with invalid addresses
+ disable\tDisable logging of Ipv4 packets with invalid addresses
+
default: "enable"
+
syntax:expression: $VAR(@) in "enable", "disable"; "log-martians must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\"; fi"
-delete:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+ fi
+
+delete:
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
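Review bot: The `disable` completion has a capitalisation slip, `Ipv4`, where every other string in this commit writes `IPv4`; `disable\tDisable logging of IPv4 packets with invalid addresses` keeps the help consistent. Beyond the typo, the hooks only touch `conf/all/log_martians`; as documented in ip-sysctl the kernel enables martian logging if either conf/all or the per-interface flag is set, so `disable` here turns logging off only where no interface has its own flag set — worth a one-line comment above `create:` if that is the intended scope. `create:` and `update:` are again identical and could share one body if the backend falls back to `update:` on creation.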
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index 6fb513f..7e9046f 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -1,4 +1,7 @@
tag:
+
type: txt
+
syntax:expression: pattern $VAR(@) "^[^-]" ; "Modify rule set name cannot start with \"-\""
+
help: Set modify rule set name
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
index d5d4dba..fbf2144 100644
--- a/templates/firewall/modify/node.tag/description/node.def
+++ b/templates/firewall/modify/node.tag/description/node.def
@@ -1,2 +1,3 @@
type: txt
+
help: Set modify rule set description
diff --git a/templates/firewall/modify/node.tag/rule/node.def b/templates/firewall/modify/node.tag/rule/node.def
index f2e7c6f..19c467b 100644
--- a/templates/firewall/modify/node.tag/rule/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.def
@@ -1,4 +1,7 @@
tag:
+
type: u32
+
help: Set modify rule number (1-1024)
+
syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "modify rule number must be between 1 and 1024"
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index 491fe71..b82683d 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -1,4 +1,7 @@
tag:
+
type: txt
+
syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+
help: Set firewall rule set name
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
index 678e325..d181e33 100644
--- a/templates/firewall/name/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -1,2 +1,3 @@
type: txt
+
help: Set firewall description
diff --git a/templates/firewall/name/node.tag/rule/node.def b/templates/firewall/name/node.tag/rule/node.def
index 010f808..c3c7b43 100644
--- a/templates/firewall/name/node.tag/rule/node.def
+++ b/templates/firewall/name/node.tag/rule/node.def
@@ -1,4 +1,7 @@
tag:
+
type: u32
+
help: Set firewall rule number (1-1024)
+
syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/action/node.def b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
index 7bb7278..9391bda 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/action/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
@@ -1,4 +1,6 @@
type: txt
+
help: Set firewall rule action
+
syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect";
"action must be one of drop, reject, accept, or inspect"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/description/node.def b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
index 9c0c2bb..b49b91e 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
@@ -1,2 +1,3 @@
type: txt
+
help: Set rule description
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
index e25da77..e78fd70 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
@@ -1,9 +1,11 @@
type: txt
+
help: Set destination IP address, subnet, or range
+
comp_help: Possible completions:
- <x.x.x.x> IP address to match
- <x.x.x.x/x> Subnet to match
- <x.x.x.x>-<x.x.x.x> IP range to match
+ <x.x.x.x> IPv4 address to match
+ <x.x.x.x/x> IPv4 Subnet to match
+ <x.x.x.x>-<x.x.x.x> IPv4 range to match
!<x.x.x.x> Match everything except the specified address
!<x.x.x.x/x> Match everything except the specified subnet
!<x.x.x.x>-<x.x.x.x> Match everything except the specified range
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def
index 65170b2..b292864 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def
@@ -1,5 +1,7 @@
type: txt
+
help: Set destination port
+
comp_help: Destination port(s) can be specified as a comma-separated list of:
<port name> Named port (any name in /etc/services, e.g., http)
<1-65535> Numbered port
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
index 71bacfc..8ff1c09 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
@@ -1,3 +1,5 @@
type: u32; "ICMP code must be between 0 and 255"
+
help: Set ICMP code (0-255)
+
syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
index 6275a64..9cd72b3 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
@@ -1,3 +1,5 @@
type: u32; "ICMP type must be between 0 and 255"
+
help: Set ICMP type (0-255)
+
syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
index ead7027..a849d50 100644
--- a/templates/firewall/node.def
+++ b/templates/firewall/node.def
@@ -1,4 +1,10 @@
help: Configure firewall
-end:expression: "sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules"
-create:expression: "sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup"
-delete:expression: "sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown"
+
+end:
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules
+
+create:
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup
+
+delete:
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown
diff --git a/templates/firewall/receive-redirects/node.def b/templates/firewall/receive-redirects/node.def
index 59996ec..94410c7 100644
--- a/templates/firewall/receive-redirects/node.def
+++ b/templates/firewall/receive-redirects/node.def
@@ -1,11 +1,28 @@
type: txt
-help: Set receive ICMP redirects (default: disable)
+
+help: Set policy for handling received IPv4 ICMP redirect messages
+
+comp_help:Possible completions:
+ enable\tEnable processing of received IPv4 ICMP redirect messages
+ disable\tDisable processing of received IPv4 ICMP redirect messages
+
default: "disable"
+
syntax:expression: $VAR(@) in "enable", "disable"; "receive-redirects must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
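Review bot: Writing only `conf/all/accept_redirects` gives a different result depending on forwarding state: as far as the ip-sysctl documentation goes, a forwarding interface ANDs conf/all with its own flag, while a non-forwarding one ORs them, so the `disable` default reliably drops ICMP redirects only while `ip_forward` is on, and a host-mode box with the per-interface default of 1 would keep accepting them. A comment above `create:` such as `# kernel ANDs conf/all with conf/<if> only when forwarding; write conf/default too if host mode must be covered` documents the limitation, or the hooks can write `conf/default/accept_redirects` alongside `conf/all`. The `secure_redirects` knob is left untouched, which is fine but worth noting in the help so operators do not assume `disable` covers it. `create:` and `update:` are identical and could be folded if the backend falls back to `update:` on creation.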
diff --git a/templates/firewall/send-redirects/node.def b/templates/firewall/send-redirects/node.def
index a83fa45..9a36554 100644
--- a/templates/firewall/send-redirects/node.def
+++ b/templates/firewall/send-redirects/node.def
@@ -1,11 +1,28 @@
type: txt
-help: Set send ICMP redirects (default: disable)
+
+help: Set policy for sending IPv4 ICMP redirect messages
+
+comp_help:Possible completions:
+ enable\tEnable sending IPv4 ICMP redirect messages
+ disable\tDisable sending IPv4 ICMP redirect messages
+
default: "disable"
+
syntax:expression: $VAR(@) in "enable", "disable"; "send-redirects must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
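Review bot: The `disable` default does not actually stop the router from sending redirects: the hooks clear only `conf/all/send_redirects`, and ip-sysctl documents that sending is enabled on an interface if at least one of conf/all or conf/<if>/send_redirects is TRUE, with the per-interface default being TRUE. Every existing interface therefore keeps emitting ICMP redirects after `set firewall send-redirects disable`, which undermines the hardening this node is meant to provide. Disabling needs every `conf/*/send_redirects` entry (including `default`, so later interfaces inherit it) cleared, as sketched below; the same body would serve `create:` and `update:`, and `delete:` should run the same loop with 0. Whether the template processor passes a plain `$val` through untouched needs confirming before this lands.
```shell
update:
    if [ x$VAR(@) == xenable ]; then
        val=1
    else
        val=0
    fi
    # kernel ORs conf/all with the per-interface flag (which defaults to 1),
    # so disabling must clear conf/default and every conf/<if>, not just conf/all
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        sudo sh -c "echo $val > $f"
    done
```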
diff --git a/templates/firewall/syn-cookies/node.def b/templates/firewall/syn-cookies/node.def
index 9521f12..d85c84d 100644
--- a/templates/firewall/syn-cookies/node.def
+++ b/templates/firewall/syn-cookies/node.def
@@ -1,8 +1,21 @@
type: txt
-help: Set use TCP syn cookies (default: enable)
+
+help: Set policy for using TCP SYN cookies with IPv4
+
+comp_help:Possible completions:
+ enable\tEnable use of TCP SYN cookies with IPv4
+ disable\tDisable use of TCP SYN cookies with IPv4
+
default: "enable"
+
syntax:expression: $VAR(@) in "enable", "disable"; "syn-cookies must be enable or disable"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/tcp_syncookies\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/tcp_syncookies\"; fi"
-delete:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/tcp_syncookies\""
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/tcp_syncookies"
+ fi
+
+delete:
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
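Review bot: Unlike the other sysctl nodes in this commit, this template has no `create:` hook, only `update:` and `delete:`; if the config backend does not run `update:` on node creation, `set firewall syn-cookies disable` would be accepted at commit time but the sysctl left unchanged until the next modification — confirm the backend's fallback, or add a `create:` that mirrors `update:`. `/proc/sys/net/ipv4/tcp_syncookies` exists only on kernels built with SYN-cookie support, and on a kernel without it the `echo` inside `sudo sh -c` fails; whether that surfaces as a commit error depends on how the backend treats the exit status, so a comment above `update:` such as `# requires CONFIG_SYN_COOKIES; the write fails on kernels built without it` is warranted. The help text could also say that cookies only engage once the SYN backlog overflows, so operators do not read `enable` as a general SYN-flood filter.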