author | Bob Gilligan <gilligan@vyatta.com> | 2008-12-09 15:57:41 -0800 |
---|---|---|
committer | Bob Gilligan <gilligan@vyatta.com> | 2008-12-09 15:57:41 -0800 |
commit | a1079991df0425d8338686053602c0c5fe1e62fb (patch) | |
tree | 755aa679099075d3ae0d8584da1aed49c7f9f5ba /templates/firewall | |
parent | a8cd93d29719ad2aab005ebbf401df23ba5754c7 (diff) | |
download | vyatta-cfg-firewall-a1079991df0425d8338686053602c0c5fe1e62fb.tar.gz vyatta-cfg-firewall-a1079991df0425d8338686053602c0c5fe1e62fb.zip |
Cleanup firewall templates for readability. Update help strings to reflect IPv4.
Diffstat (limited to 'templates/firewall')
19 files changed, 190 insertions, 51 deletions
diff --git a/templates/firewall/broadcast-ping/node.def b/templates/firewall/broadcast-ping/node.def
index e92d08a..594786c 100644
--- a/templates/firewall/broadcast-ping/node.def
+++ b/templates/firewall/broadcast-ping/node.def
@@ -1,11 +1,34 @@
 type: txt
-help: Set ignorance of all ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast (default: disable)
+
+help: Set handling of broadcast IPv4 ICMP echo and timestamp requests
+
+comp_help:Possible completions:
+ disable\tDisable processing of broadcast IPv4 ICMP echo/timestamp requests
+ enable\tEnable processing of broadcast IPv4 ICMP echo/timestamp requests
+
 default: "disable"
+
 syntax:expression: $VAR(@) in "enable", "disable"; "broadcast-ping must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
+
diff --git a/templates/firewall/ip-src-route/node.def b/templates/firewall/ip-src-route/node.def
index 1f813dc..c9e777c 100644
--- a/templates/firewall/ip-src-route/node.def
+++ b/templates/firewall/ip-src-route/node.def
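Review bot: The new comp_help text for broadcast-ping inverts the meaning of the sysctl it drives: `enable` writes 1 to /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, and the knob's own name says that value ignores broadcast echo/timestamp requests, yet the completion reads `enable\tEnable processing of broadcast IPv4 ICMP echo/timestamp requests`. The removed help ("Set ignorance of ...") had the polarity right; an operator who reads the new text and leaves the `disable` default gets a host that answers broadcast echo requests, the opposite of what the wording implies. Either fix the wording, e.g. `enable\tIgnore broadcast IPv4 ICMP echo/timestamp requests` and `disable\tAnswer broadcast IPv4 ICMP echo/timestamp requests`, or keep the wording and swap the values written in create/update/delete (in which case `default:` should become `enable`). Whichever is chosen, the help: line should state the direction explicitly, since the node name alone does not.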
@@ -1,11 +1,32 @@
 type: txt
-help: Set acceptance for packets with SRR option (default: disable)
+
+help: Set policy for handling IPv4 packets with source route option
+
+comp_help:Possible completions:
+ enable\tEnable processing of IPv4 packets with source route option
+ disable\tDisable processing of IPv4 packets with source route option
+
 default: "disable"
+
 syntax:expression: $VAR(@) in "enable", "disable"; "ip-src-route must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/accept_source_route"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
diff --git a/templates/firewall/log-martians/node.def b/templates/firewall/log-martians/node.def
index 4a31e68..cee3e6a 100644
--- a/templates/firewall/log-martians/node.def
+++ b/templates/firewall/log-martians/node.def
@@ -1,11 +1,28 @@
 type: txt
-help: Set syslog logging of packets with impossible addresses (default: enable)
+
+help: Set policy for logging IPv4 packets with invalid addresses
+
+comp_help:Possible completions:
+ enable\tEnable logging of IPv4 packets with invalid addresses
+ disable\tDisable logging of Ipv4 packets with invalid addresses
+
 default: "enable"
+
 syntax:expression: $VAR(@) in "enable", "disable"; "log-martians must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\"; fi"
-delete:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+ fi
+
+delete:
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index 6fb513f..7e9046f 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -1,4 +1,7 @@
 tag:
+
 type: txt
+
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Modify rule set name cannot start with \"-\""
+
 help: Set modify rule set name
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
index d5d4dba..fbf2144 100644
--- a/templates/firewall/modify/node.tag/description/node.def
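Review bot: The disable completion added to log-martians has a capitalisation slip, `disable\tDisable logging of Ipv4 packets with invalid addresses`, while every other string in this commit spells it `IPv4`; suggest `disable\tDisable logging of IPv4 packets with invalid addresses`. The rest of the hunk is a faithful re-layout: the create/update/delete actions write the same values as the removed expression: forms, and delete restoring 1 is consistent with `default: "enable"`.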
+++ b/templates/firewall/modify/node.tag/description/node.def
@@ -1,2 +1,3 @@
 type: txt
+
 help: Set modify rule set description
diff --git a/templates/firewall/modify/node.tag/rule/node.def b/templates/firewall/modify/node.tag/rule/node.def
index f2e7c6f..19c467b 100644
--- a/templates/firewall/modify/node.tag/rule/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.def
@@ -1,4 +1,7 @@
 tag:
+
 type: u32
+
 help: Set modify rule number (1-1024)
+
 syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "modify rule number must be between 1 and 1024"
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index 491fe71..b82683d 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -1,4 +1,7 @@
 tag:
+
 type: txt
+
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+
 help: Set firewall rule set name
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
index 678e325..d181e33 100644
--- a/templates/firewall/name/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -1,2 +1,3 @@
 type: txt
+
 help: Set firewall description
diff --git a/templates/firewall/name/node.tag/rule/node.def b/templates/firewall/name/node.tag/rule/node.def
index 010f808..c3c7b43 100644
--- a/templates/firewall/name/node.tag/rule/node.def
+++ b/templates/firewall/name/node.tag/rule/node.def
@@ -1,4 +1,7 @@
 tag:
+
 type: u32
+
 help: Set firewall rule number (1-1024)
+
 syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/action/node.def b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
index 7bb7278..9391bda 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/action/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
@@ -1,4 +1,6 @@
 type: txt
+
 help: Set firewall rule action
+
 syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect"; "action must be one of drop, reject, accept, or inspect"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/description/node.def b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
index 9c0c2bb..b49b91e 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
@@ -1,2 +1,3 @@
 type: txt
+
 help: Set rule description
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
index e25da77..e78fd70 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
@@ -1,9 +1,11 @@
 type: txt
+
 help: Set destination IP address, subnet, or range
+
 comp_help: Possible completions:
- <x.x.x.x> IP address to match
- <x.x.x.x/x> Subnet to match
- <x.x.x.x>-<x.x.x.x> IP range to match
+ <x.x.x.x> IPv4 address to match
+ <x.x.x.x/x> IPv4 Subnet to match
+ <x.x.x.x>-<x.x.x.x> IPv4 range to match
 !<x.x.x.x> Match everything except the specified address
 !<x.x.x.x/x> Match everything except the specified subnet
 !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def
index 65170b2..b292864 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def
@@ -1,5 +1,7 @@
 type: txt
+
 help: Set destination port
+
 comp_help: Destination port(s) can be specified as a comma-separated list of:
 <port name> Named port (any name in /etc/services, e.g., http)
 <1-65535> Numbered port
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
index 71bacfc..8ff1c09 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
@@ -1,3 +1,5 @@
 type: u32; "ICMP code must be between 0 and 255"
+
 help: Set ICMP code (0-255)
+
 syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
index 6275a64..9cd72b3 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
@@ -1,3 +1,5 @@
 type: u32; "ICMP type must be between 0 and 255"
+
 help: Set ICMP type (0-255)
+
 syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
index ead7027..a849d50 100644
--- a/templates/firewall/node.def
+++ b/templates/firewall/node.def
@@ -1,4 +1,10 @@
 help: Configure firewall
-end:expression: "sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules"
-create:expression: "sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup"
-delete:expression: "sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown"
+
+end:
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules
+
+create:
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup
+
+delete:
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown
diff --git a/templates/firewall/receive-redirects/node.def b/templates/firewall/receive-redirects/node.def
index 59996ec..94410c7 100644
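Review bot: The unchanged first line of icmp/code/node.def, `type: u32; "ICMP code must be between 0 and 255"`, carries an error-message literal on the type: field, which looks like a leftover from an earlier syntax: line; the same message is now attached to the new `syntax:expression:` line below it, where it belongs. Unless the template parser is known to accept and use a message on type:, this line should read plainly `type: u32`, and a readability cleanup is the natural place to drop it. icmp/type/node.def in this commit has the identical pattern and the same fix applies there.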
--- a/templates/firewall/receive-redirects/node.def
+++ b/templates/firewall/receive-redirects/node.def
@@ -1,11 +1,28 @@
 type: txt
-help: Set receive ICMP redirects (default: disable)
+
+help: Set policy for handling received IPv4 ICMP redirect messages
+
+comp_help:Possible completions:
+ enable\tEnable processing of received IPv4 ICMP redirect messages
+ disable\tDisable processing of received IPv4 ICMP redirect messages
+
 default: "disable"
+
 syntax:expression: $VAR(@) in "enable", "disable"; "receive-redirects must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
diff --git a/templates/firewall/send-redirects/node.def b/templates/firewall/send-redirects/node.def
index a83fa45..9a36554 100644
--- a/templates/firewall/send-redirects/node.def
+++ b/templates/firewall/send-redirects/node.def
@@ -1,11 +1,28 @@
 type: txt
-help: Set send ICMP redirects (default: disable)
+
+help: Set policy for sending IPv4 ICMP redirect messages
+
+comp_help:Possible completions:
+ enable\tEnable sending IPv4 ICMP redirect messages
+ disable\tDisable sending IPv4 ICMP redirect messages
+
 default: "disable"
+
 syntax:expression: $VAR(@) in "enable", "disable"; "send-redirects must be enable or disable"
-create:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\"; fi"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\"; fi"
-delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\""
+
+create:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ fi
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
diff --git a/templates/firewall/syn-cookies/node.def b/templates/firewall/syn-cookies/node.def
index 9521f12..d85c84d 100644
--- a/templates/firewall/syn-cookies/node.def
+++ b/templates/firewall/syn-cookies/node.def
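Review bot: Writing 0 to /proc/sys/net/ipv4/conf/all/send_redirects in the `disable` branch (and in the delete: action, which restores that default) may not stop the box from sending redirects: as I recall the kernel's ip-sysctl documentation, send_redirects is in effect on an interface when either conf/all or that interface's own value is true, and per-interface values default to 1, so clearing the all entry alone leaves already-configured interfaces sending. If that reading holds for the kernel this product ships, the disable branch should also clear the template for new interfaces and each existing one, e.g. `sudo sh -c "for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > \$f; done"` in place of the single write (conf/* includes all and default). receive-redirects and log-martians use the same all-only pattern with different combining rules, so they are worth checking against the same documentation at the same time.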
@@ -1,8 +1,21 @@
 type: txt
-help: Set use TCP syn cookies (default: enable)
+
+help: Set policy for using TCP SYN cookies with IPv4
+
+comp_help:Possible completions:
+ enable\tEnable use of TCP SYN cookies with IPv4
+ disable\tDisable use of TCP SYN cookies with IPv4
+
 default: "enable"
+
 syntax:expression: $VAR(@) in "enable", "disable"; "syn-cookies must be enable or disable"
-update:expression: "if [ x$VAR(@) == xenable ]; \
- then sudo sh -c \"echo 1 > /proc/sys/net/ipv4/tcp_syncookies\"; \
- else sudo sh -c \"echo 0 > /proc/sys/net/ipv4/tcp_syncookies\"; fi"
-delete:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/tcp_syncookies\""
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
+ else
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/tcp_syncookies"
+ fi
+
+delete:
+ sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" |
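Review bot: The new help and completion strings tie SYN cookies to IPv4 (`help: Set policy for using TCP SYN cookies with IPv4`), but /proc/sys/net/ipv4/tcp_syncookies is a TCP-wide knob that, to my knowledge, also governs IPv6 TCP listeners, so the "with IPv4" qualifier misdescribes the one setting in this commit that is not address-family specific. Suggest `help: Set policy for using TCP SYN cookies` and dropping "with IPv4" from both completions, keeping the "Update help strings to reflect IPv4" intent for the conf/all and icmp knobs only. The actions are unchanged in effect, and delete: writing 1 is consistent with `default: "enable"`.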