diff --git a/docs/6to4.xml b/docs/6to4.xml
index 94a692e58..2089b6f0e 100644
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -493,7 +493,6 @@ all all REJECT info ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW
-# PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the network #
diff --git a/docs/FTP.xml b/docs/FTP.xml
index 8cd8ae9b9..d32f91922 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -535,10 +535,10 @@ DNAT ACTION = specific IP address to be forwarded to your server. Note that you do NOT need a rule
- with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
- the mailing list and they show 20 in the DEST PORT(S) column, we will know
- that you haven't read this article and will either ignore your post or
- tell you to RTFM.
+ with 20 (ftp-data) in the DPORT column. If you post your rules on the
+ mailing list and they show 20 in the DPORT column, we will know that you
+ haven't read this article and will either ignore your post or tell you to
+ RTFM. Shorewall includes an FTP macro that simplifies creation of FTP rules. The macro source is in
diff --git a/docs/ManualChains.xml b/docs/ManualChains.xml
index 087322e5f..d914d52d3 100644
--- a/docs/ManualChains.xml
+++ b/docs/ManualChains.xml
@@ -195,16 +195,14 @@ sub Knock { The rule from the Port Knocking article:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SSHKnock net $FW tcp 22,1599,1600,1601
- becomes:PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};Similarly#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT(S) DEST
+ becomes:PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};Similarly#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 SSHKnock net $FW tcp 1599,1600,1601
-SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178becomes:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT(S) DEST
+SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178becomes:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 PERL Knock 'net', '$FW', {name => 'SSH', knocker => 1600, trap => [1599, 1601]};
diff --git a/docs/MyNetwork.xml b/docs/MyNetwork.xml
index be2007a39..596a5518c 100644
--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
@@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
/etc/shorewall/action.Mirrors
- #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
+ #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE ?COMMENT Accept traffic from Mirrors ?FORMAT 2 DEFAULTS -
@@ -508,8 +507,7 @@ $1 $MIRRORS
/etc/shorewall/action.tarpit
- #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
-# PORT PORT(S) DEST LIMIT GROUP
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER $LOG { rate=s:1/min } TARPIT
@@ -520,7 +518,8 @@ TARPIT
/etc/shorewall/zones
- fw firewall
+ #ZONE TYPE
+fw firewall loc ip #Local Zone net ipv4 #Internet dmz ipv4 #LXC Containers
@@ -816,8 +815,7 @@ br0 - ComcastB 11000
/etc/shorewall/stoppedrules
- #TARGET HOST(S) DEST PROTO DEST SOURCE
-# PORT(S) PORT(S)
+ #TARGET HOST(S) DEST PROTO DPORT SPORT ACCEPT INT_IF:172.20.1.0/24 $FW NOTRACK COMB_IF - 41 NOTRACK $FW COMB_IF 41
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index ead31475b..95d987833 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= Rules are conditionally executed based on whether the current
- packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
- CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.
+ packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
+ USER, TEST, LENGTH and TOS columns.
diff --git a/docs/Shorewall-5.xml b/docs/Shorewall-5.xml
index 5b27dc171..0af75100c 100644
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -240,15 +240,15 @@
- DEST PORT(S)
+ DPORT
- SOURCE PORT(S)
+ SPORT
- ORIGINAL DEST
+ ORIGDEST
@@ -284,8 +284,9 @@
- Notice that the first five columns of both sets are the
- same.
+ Notice that the first five columns of both sets are the same
+ (although the port-valued column names have changed, the contents are
+ the same). In Shorewall 5, support for format-1 macros and actions has been dropped and all macros and actions will be processed as if ?FORMAT 2
diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml
index 301e75aa6..7de871243 100644
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -314,8 +314,7 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80 Corresponding /etc/shorewall/tcrules entries are:
- #MARK SOURCE DEST PROTO DEST
-# PORT(S)
+ #MARK SOURCE DEST PROTO DPORT 202:P eth1 0.0.0.0/0 tcp 80
diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml
index 92acab9bb..5d063596b 100644
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -166,7 +166,7 @@ iface eth0 inet static allow SSH from net to eth0:0 above
- /etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S)
+ /etc/shorewall/rules#ACTION SOURCE DEST PROTO DPORT ACCEPT net $FW:206.124.146.178 tcp 22
diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml
index 9dd672580..44ce5330e 100644
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@@ -637,8 +637,7 @@ Mirrors # Accept traffic from Shorewall Mirrors
/etc/shorewall/action.Mirrors:
- #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
+ #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE ACCEPT $MIRRORS /etc/shorewall/rules:
diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml
index f704f00dd..428b240d0 100644
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@@ -631,10 +631,9 @@ ACCEPT $MIRRORS /etc/shorewall/rules:
- SECTION NEW
+ ?SECTION NEW ###############################################################################################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ############################################################################################################################################################################### REJECT:$LOG loc net tcp 25 REJECT:$LOG loc net udp 1025:1031
diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml
index fc2440045..903ea0174 100644
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -941,15 +941,13 @@ ACCEPT col zone2 tcp 22 - - - or more compactly:
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT ACCEPT col zone2 tcp 22 ; mark=net Similarly, rules allowing traffic from the firewall to zone3:
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT ACCEPT col zone3 tcp 22 ; mark=fw
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index d58f93895..e130233a9 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -2313,8 +2313,7 @@ gmail-pop.l.google.com. 300 IN A 209.85.2 So this rule may work for five minutes then suddently stop working:
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT POP(ACCEPT) loc net:pop.gmail.com If your firewall rules include DNS names then:
diff --git a/docs/netmap.xml b/docs/netmap.xml
index 3b1dea834..b5efdd8e6 100644
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@@ -54,7 +54,7 @@ Shorewall NETMAP support is designed to supply a solution. The basic situation is as shown in the following diagram.
+ fileref="images/netmap.png"/>
While the link between the two firewalls is shown here as a VPN, it could be any type of interconnection that allows routing of
- DEST PORT(S) (Optional - Added in
- Shorewall 4.4.23.2) -
+ DPORT (Optional - Added in Shorewall
+ 4.4.23.2) - port-number-or-name-list
@@ -190,8 +190,8 @@
- DEST PORT(S) (Optional - Added in
- Shorewall 4.4.23.2) -
+ SPORT (Optional - Added in Shorewall
+ 4.4.23.2) - port-number-or-name-list
@@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B192.168.1.27 - +
@@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B192.168.1.4 - +
@@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24
IPv6 Netmap has been verified at shorewall.net using the configuration shown below.
- + IPv6 support is supplied from Hurricane Electric; the IPv6 address block is 2001:470:b:227::/64.
diff --git a/docs/ping.xml b/docs/ping.xml
index a5c381987..9ab8d5cfb 100644
--- a/docs/ping.xml
+++ b/docs/ping.xml
@@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW With that rule in place, if you want to ignore ping from z1 to z2 then you need a rule of the form:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT Ping(DROP) z1 z2
@@ -88,7 +88,7 @@ Ping(DROP) z1 z2 To drop ping from the Internet, you would need this rule in /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT Ping(DROP) net $FW
diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml
index 9b9e4c1af..ebc68cac0 100644
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -1712,8 +1712,8 @@ ACCEPT net loc:192.168.201.4 tcp www rules.
- Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
- this section, they won't be shown
+ Since the SPORT and ORIGDEST. Columns aren't used in this
+ section, they won't be shown You probably want to allow ping between your zones:
diff --git a/docs/simple_traffic_shaping.xml b/docs/simple_traffic_shaping.xml
index f99814983..81e187999 100644
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -194,7 +194,7 @@ eth0 External band 2.
- When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
+ When an INTERFACE is specified, the PROTO, DPORT and ADDRESS column must contain '-'.
@@ -203,14 +203,14 @@ eth0 External Assign traffic from a particular IP address to a specific priority band:
- #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
+ #BAND PROTO DPORT ADDRESS INTERFACE HELPER 1 - - 192.168.1.44 In this example, traffic from 192.168.1.44 will be assigned to priority band 1.
- When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
+ When an ADDRESS is specified, the PROTO, DPORT and INTERFACE columns must be empty.
@@ -219,7 +219,7 @@ eth0 External Assign traffic to/from a particular application to a specific priority band:
- #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
+ #BAND PROTO DPORT ADDRESS INTERFACE HELPER 1 udp 1194 In that example, OpenVPN traffic is assigned to priority band
@@ -230,7 +230,7 @@ eth0 External Assign traffic that uses a particular Netfilter helper to a particular priority band:
- #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
+ #BAND PROTO DPORT ADDRESS INTERFACE HELPER 1 - - - - sip In this example, SIP and associated RTP traffic will be assigned
@@ -322,7 +322,7 @@ tun0 Internal eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516 etc/shorewall/tcpri:
- #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
+ #BAND PROTO DPORT ADDRESS INTERFACE HELPER COMMENT All DMZ traffic in band 3 by default 3 - - 70.90.191.124/31 COMMENT Bit Torrent is in band 3
@@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports etc/shorewall6/tcpri:
- #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
+ #BAND PROTO DPORT ADDRESS INTERFACE HELPER COMMENT All DMZ traffic in band 3 by default 3 - - 2001:470:b:227::40/124 COMMENT But give a boost to DNS queries