Finish passing through all the documentation with a spell checker.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
el_cubano 2008-08-15 05:03:24 +00:00
parent aac55dbac4
commit 025e97c8bb
49 changed files with 244 additions and 244 deletions

View File

@ -494,7 +494,7 @@ show_command() {
;;
classifiers|filters)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Clasifiers at $HOSTNAME - $(date)"
echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;

View File

@ -66,8 +66,8 @@
the Shorewall Debian Maintainer:</para>
<para><quote>For more information about Shorewall usage on Debian
system please look at /usr/share/doc/shorewall/README.Debian provided
by [the] shorewall Debian package.</quote></para>
system please look at /usr/share/doc/shorewall-common/README.Debian
provided by [the] shorewall-common Debian package.</quote></para>
</important>
<para>If you install using the .deb, you will find that your <filename
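Review bot: the wording inside the <quote> attributed to the Shorewall Debian Maintainer is changed here (the README path and package name both become shorewall-common), so the passage no longer quotes what the maintainer actually wrote. Either move the updated path out of the <quote> element as the document's own advice, or confirm the maintainer's current wording and quote that. A content change like this is also easy to miss inside a spelling pass, so it deserves a mention in the commit message.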
@ -89,7 +89,7 @@
class="directory">/usr/share/doc/shorewall/examples/</filename>.
Beginning with Shorewall 4.0, the samples are in the shorewall-common
package and are installed in <filename
class="directory">/usr/share/doc/shorewall-common/examples</filename>/.</para>
class="directory">/usr/share/doc/shorewall-common/examples/</filename>.</para>
</section>
</section>
@ -1255,7 +1255,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
standardized and will vary by distribution and distribution version.
But anytime you see no logging, it's time to look outside the
Shorewall configuration for the cause. As an example, recent
<trademark>SuSE</trademark> releases use syslog-ng by default and
<trademark>SUSE</trademark> releases use syslog-ng by default and
write Shorewall messages to
<filename>/var/log/firewall</filename>.</para>
@ -1861,7 +1861,7 @@ iptables: Invalid argument
<listitem>
<para>if you don't need policy match support (you are not using the
IPSEC implementation built into the 2.6 kernel) then you can rename
IPSEC implementation builtinto the 2.6 kernel) then you can rename
<filename>/lib/iptables/libipt_policy.so</filename>.</para>
</listitem>
</itemizedlist>
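Review bot: the replacement line turns the correct "built into the 2.6 kernel" into "builtinto", which is not a word; this looks like a spell-checker join suggestion accepted by mistake. Restore the space: "IPSEC implementation built into the 2.6 kernel".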
@ -2004,7 +2004,7 @@ iptables: Invalid argument
<title>Traffic Shaping</title>
<section id="faq67">
<title>(FAQ 67) I just configured Shorewall's built in traffic shaping
<title>(FAQ 67) I just configured Shorewall's builtin traffic shaping
and now Shorewall fails to Start.</title>
<para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory
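Review bot: "builtin" in the FAQ 67 title reads like the shell keyword; used as an adjective before "traffic shaping" it should be hyphenated, "Shorewall's built-in traffic shaping".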

View File

@ -268,9 +268,9 @@
to configure Shorewall, please heed the advice of Lorenzo Martignoni,
the Shorewall Debian Maintainer:</para>
<para><quote>For more information about Shorewall usage on Debian system
please look at /usr/share/doc/shorewall/README.Debian provided by [the]
shorewall Debian package.</quote></para>
<para><quote>For more information about Shorewall usage on Debian
system please look at /usr/share/doc/shorewall-common/README.Debian
provided by [the] shorewall-common Debian package.</quote></para>
</important>
<para>The easiest way to install Shorewall on Debian, is to use

View File

@ -44,12 +44,12 @@
<itemizedlist>
<listitem>
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
packet filter facility built into the 2.4 and later Linux
packet filter facility builtinto the 2.4 and later Linux
kernels.</para>
</listitem>
<listitem>
<para>ipchains - the packet filter facility built into the 2.2 Linux
<para>ipchains - the packet filter facility builtinto the 2.2 Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.</para>
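Review bot: both replacement lines in this hunk introduce "builtinto" in place of the correct "built into" (in the Netfilter and ipchains glossary entries); the text before the change was right. Restore "built into the 2.4 and later Linux kernels" and "built into the 2.2 Linux kernels".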

View File

@ -137,7 +137,7 @@ ACCEPT net loc:10.1.1.2 tcp 80 - 13
routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with one-to-one NAT, it will
probably be HOURS before that system can communicate with the
internet.</para>
Internet.</para>
<para>If you sniff traffic on the firewall's external interface, you can
see incoming traffic for the internal system(s) but the traffic is never

View File

@ -57,7 +57,7 @@
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
networks using an encrypted tunnel over the Internet. OpenVPN is an Open
Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</ulink>. OpenVPN can be downloaded from <ulink
@ -642,7 +642,7 @@ verb 3</programlisting>
<listitem>
<para>OpenVPN GUI must be run as the Administrator. In the
Explorer, right click on the OpenVPN GUI binary and select
Properties-&gt;Compatibilty and select "Run this program as an
Properties-&gt;Compatibility and select "Run this program as an
administrator".</para>
</listitem>

View File

@ -255,7 +255,7 @@ esac</programlisting>
<para>Here' a basic setup that treats your remote users as if they
were part of your <emphasis role="bold">loc</emphasis> zone. Note that
if your primary internet connection uses ppp0, then be sure that
if your primary Internet connection uses ppp0, then be sure that
<emphasis role="bold">loc</emphasis> follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones.</para>
@ -275,7 +275,7 @@ loc ppp+</programlisting>
<para>If you want to place your remote users in their own zone so that
you can control connections between these users and the local network,
follow this example. Note that if your primary internet connection
follow this example. Note that if your primary Internet connection
uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis>
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
as shown below.</para>
@ -312,7 +312,7 @@ vpn ppp+</programlisting>
fileref="images/MultiPPTP.png" /></para>
<para>Here's how you configure this in Shorewall. Note that if your
primary internet connection uses ppp0 then be sure that the <emphasis
primary Internet connection uses ppp0 then be sure that the <emphasis
role="bold">vpn{1-3}</emphasis> zones follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones as shown
below.</para>
@ -600,10 +600,10 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
Modem</title>
<para>Some ADSL systems in Europe (most notably in Austria and the
Netherlands) feature a PPTP server built into an ADSL
<quote>Modem</quote>. In this setup, an ethernet interface is dedicated to
Netherlands) feature a PPTP server builtinto an ADSL
<quote>Modem</quote>. In this setup, an Ethernet interface is dedicated to
supporting the PPTP tunnel between the firewall and the
<quote>Modem</quote> while the actual internet access is through PPTP
<quote>Modem</quote> while the actual Internet access is through PPTP
(interface ppp0). If you have this type of setup, you need to modify the
sample configuration that you downloaded as described in this section.
<emphasis role="bold">These changes are in addition to those described in
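Review bot: the Ethernet and Internet capitalisation changes are fine, but the first replacement line also turns "a PPTP server built into an ADSL Modem" into "builtinto"; restore the space so that only the capitalisation changes land.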

View File

@ -88,7 +88,7 @@
where <emphasis>zone</emphasis> is the zone where the request
originated. For packets that are part of an already established
connection, the destination rewriting takes place without any
involvement of a netfilter rule.</para>
involvement of a Netfilter rule.</para>
</listitem>
<listitem>

View File

@ -399,7 +399,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 eth3 #Our internel nets get priority
1:110 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server
1:130 206.124.146.177 eth3 tcp - 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -133,7 +133,7 @@
network associated with this address. This is the approach <ulink
url="XenMyWay.html">that I take with my DMZ</ulink>.</para>
<para>To permit internet hosts to connect to the local systems, you use
<para>To permit Internet hosts to connect to the local systems, you use
ACCEPT rules. For example, if you run a web server on 130.252.100.19 which
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
then you would need this entry in /etc/shorewall/rules:</para>
@ -192,7 +192,7 @@ iface eth1 inet static
routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with Proxy ARP, it will probably
be <emphasis role="bold">HOURS</emphasis> before that system can
communicate with the internet.</para>
communicate with the Internet.</para>
<para>If you sniff traffic on the firewall's external interface, you can
see incoming traffic for the internal system(s) but the traffic is never

View File

@ -93,11 +93,11 @@
<listitem>
<para>When the level of functionality of the current development
release is judged adaquate, the <firstterm>Beta period</firstterm> for
release is judged adequate, the <firstterm>Beta period</firstterm> for
a new Stable release will begin. Beta releases have identifications of
the form <emphasis>x.y.0-BetaN</emphasis> where
<emphasis>x.y</emphasis> is the number of the next Stable Release and
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur rougly
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
once per year. Beta releases may contain new functionality not present
in the previous beta release (e.g., 2.2.0-Beta4 may contain
functionality not present in 2.2.0-Beta3). When I'm confident that the
@ -106,7 +106,7 @@
identifications of the form <emphasis>x.y.0-RCn</emphasis> where
<emphasis>x.y</emphasis> is the number of the next Stable Release and
<emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
functionailty -- they only contain bug fixes. When the stability of
functionality -- they only contain bug fixes. When the stability of
the current release candidate is judged to be sufficient then that
release candidate will be released as the new stable release (e.g.,
2.2.0). At that time, the new stable release and the prior stable
@ -165,7 +165,7 @@
<emphasis>X</emphasis>=1,b,c,... . Consequently, if a user required a
bug fix but was not running the last minor release of the associated
major release then it might be necessary to accept major new
functionailty along with the bug fix.</para>
functionality along with the bug fix.</para>
</listitem>
</orderedlist>
</section>

View File

@ -157,7 +157,7 @@
</listitem>
<listitem>
<para>Use NONE policies whereever appropriate. This helps especially
<para>Use NONE policies wherever appropriate. This helps especially
in the rules activation phase of both script compilation and
execution.</para>
</listitem>

View File

@ -157,7 +157,7 @@
<para>With the shell-based compiler, extension scripts were copied
into the compiled script and executed at run-time. In many cases,
this approach doesn't work with Shorewall Perl because (almost) the
entire ruleset is built by the compiler. As a result, Shorewall-perl
entire rule set is built by the compiler. As a result, Shorewall-perl
runs some extension scripts at compile-time rather than at run-time.
Because the compiler is written in Perl, your extension scripts from
earlier versions will no longer work.</para>
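Review bot: "ruleset" to "rule set" is a terminology change rather than a spelling correction; "ruleset" is the usual single-word term for a collection of iptables/Netfilter rules, and a spell checker flagging it is not by itself a reason to split it. If the split is intended it needs to be applied consistently across the whole doc set and man pages rather than only in the paragraphs this commit happens to touch; otherwise keep "ruleset".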
@ -370,7 +370,7 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
a plus sign (+) as with the shell-based compiler.</para>
<para>Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter ruleset
scripts generated by the Perl-based Compiler, the Netfilter rule set
is never cleared. That means that there is no opportunity for
Shorewall to load/reload your ipsets since that cannot be done while
there are any current rules using ipsets.</para>
@ -381,7 +381,7 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
<listitem>
<para>Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
<filename>/etc/shorewall/start (it works for me; your milage may
<filename>/etc/shorewall/start (it works for me; your mileage may
vary)</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then
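Review bot: the spelling fix is fine, but the <filename> element on these lines wraps the parenthetical "(it works for me; your mileage may vary)" together with the path, so the aside renders as part of the file name. Suggest closing the element after the path: <filename>/etc/shorewall/start</filename> (it works for me; your mileage may vary):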
@ -437,7 +437,7 @@ fi</programlisting>
</listitem>
<listitem>
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is
atomically loaded with one execution of
<command>iptables-restore</command>.</para>
</listitem>
@ -677,7 +677,7 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22</programlisting>
and by the compiled program will be timestamped.<simplelist>
<member><emphasis role="bold">--debug</emphasis></member>
</simplelist>If given, when a warning or error message is issued, it
is supplimented with a stack trace. Requires the Carp Perl
is supplemented with a stack trace. Requires the Carp Perl
module.<simplelist>
<member><emphasis
role="bold">--refresh=</emphasis>&lt;<emphasis>chainlist</emphasis>&gt;</member>
@ -1055,7 +1055,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
<para>A companion function, <emphasis
role="bold">ensure_manual_chain()</emphasis>, can be called when a
manual chain of the desired name may have alread been created. If a
manual chain of the desired name may have already been created. If a
manual chain table entry with the passed name already exists, a
reference to the chain table entry is returned. Otherwise, the function
calls <emphasis role="bold">new_manual_chain()</emphasis> and returns

View File

@ -45,7 +45,7 @@
<itemizedlist>
<listitem>
<para>Act as a <quote>Personal Firewall</quote> that allows internet
<para>Act as a <quote>Personal Firewall</quote> that allows Internet
access control by application. If that's what you are looking for, try
<ulink
url="http://tuxguardian.sourceforge.net/">TuxGuardian</ulink>.</para>

View File

@ -104,7 +104,7 @@ httpd_accel_uses_host_header on</programlisting>
</listitem>
</orderedlist>
<para>See your distribution's Squid documenation and <ulink
<para>See your distribution's Squid documentation and <ulink
url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
for details.</para>
@ -188,7 +188,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the internet.</para>
already enabled from the local zone to the Internet.</para>
<orderedlist>
<listitem>

View File

@ -170,7 +170,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
<para>Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the
zone at 192.168.1.3. That is accomplished by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL

View File

@ -68,7 +68,7 @@
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip>
<para>Shorewall verions 2.2.0 and later also include support for the ipp2p
<para>Shorewall versions 2.2.0 and later also include support for the ipp2p
match facility which can be use to control P2P traffic. See the <ulink
url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
</article>
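Review bot: "verions" is fixed, but the same sentence still reads "which can be use to control P2P traffic"; it should be "can be used to control". Worth picking up in the same pass since the hunk already touches the line.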

View File

@ -216,7 +216,7 @@
Later</title>
<para>Beginning with Shorewall 2.3.2, support is included for multiple
internet connections. If you wish to use this feature, we recommend
Internet connections. If you wish to use this feature, we recommend
strongly that you upgrade to version 2.4.2 or later.</para>
<para>Shorewall multi-ISP support is now covered in a <ulink

View File

@ -46,7 +46,7 @@
Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
model (think of a bridge as an ethernet switch).</para>
model (think of a bridge as an Ethernet switch).</para>
<para>Some differences between routers and bridges are:</para>
@ -54,7 +54,7 @@
<listitem>
<para>Routers determine packet destination based on the destination IP
address while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
address in the Ethernet frame.</para>
</listitem>
<listitem>
@ -93,9 +93,9 @@
bridge-specific changes are restricted to the
<filename>/etc/shorewall/interfaces</filename> file.</para>
<para>This example illustrates the bridging of two ethernet devices but
<para>This example illustrates the bridging of two Ethernet devices but
the types of the devices really isn't important. What is shown here would
apply equally to bridging an ethernet device to an <ulink
apply equally to bridging an Ethernet device to an <ulink
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
<filename>tap0</filename>) or to a wireless device
(<filename>ath0</filename> or <filename>wlan0</filename>).</para>
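Review bot: the unchanged context line "the types of the devices really isn't important" has a number agreement problem; either "the type of the devices really isn't important" or "the types of the devices really aren't important". Since the hunk touches this sentence it could be fixed here.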

View File

@ -89,7 +89,7 @@
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localneta
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes

View File

@ -135,7 +135,7 @@
</tgroup>
</table>
<para>The above may or may not work — your milage may vary. NAT Traversal
<para>The above may or may not work — your mileage may vary. NAT Traversal
is definitely a better solution. To use NAT traversal:<table id="Table2">
<title>/etc/shorewall/rules with NAT Traversal</title>

View File

@ -436,7 +436,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
exception that I've added a fourth interface for our wireless network.
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
server</ulink> to provide roadwarrior access for our three laptops and a
server</ulink> to provide road warrior access for our three laptops and a
bridged OpenVPN server for the wireless network in our home. Here is the
firewall's view of the network:</para>
@ -912,7 +912,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
@ -921,7 +921,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
<para>The <filename class="devicefile">tap0</filename> device used by
the bridged OpenVPN server is created and bridged to <filename
class="devicefile">eth1</filename> using a SuSE-specific SysV init
class="devicefile">eth1</filename> using a SUSE-specific SysV init
script:</para>
<blockquote>

View File

@ -66,7 +66,7 @@
class="devicefile">eth0</filename><footnote>
<para>This assumes the default Xen configuration created by
<command>xend </command>and assumes that the host system has a single
ethernet interface named <filename
Ethernet interface named <filename
class="devicefile">eth0</filename>.</para>
</footnote>in each domain. In Dom0, Xen also creates a bridge (<filename
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
@ -156,7 +156,7 @@
</listitem>
</orderedlist>
<para>Most of the Linux systems run <trademark>SuSE </trademark>10.1; my
<para>Most of the Linux systems run <trademark>SUSE </trademark>10.1; my
personal Linux desktop system and our Linux Laptop run
<trademark>Ubuntu</trademark> "Dapper Drake".</para>
@ -259,7 +259,7 @@
<filename class="devicefile">eth2</filename> (PCI 00:0a.0) are
delegated to the firewall DomU where they become <filename
class="devicefile">eth3</filename> and <filename
class="devicefile">eth4</filename> respectively. The SuSE 10.1 Xen
class="devicefile">eth4</filename> respectively. The SUSE 10.1 Xen
kernel compiles pciback as a module so the instructions for PCI
delegation in the Xen Users Manual can't be followed directly (see
<ulink
@ -292,7 +292,7 @@ extra = "3"
# network interface:
vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:03, bridge=xenbr1' ]
# Interfaces deletgated from Dom0
# Interfaces delegated from Dom0
pci=[ '00:09.0' , '00:0a.0' ]
# storage devices:
@ -357,7 +357,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para><command>ethtool -K eth0 tx off</command></para>
<para>Under SuSE 10.1, I placed the following in
<para>Under SUSE 10.1, I placed the following in
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
is executable):</para>
@ -380,13 +380,13 @@ fi</programlisting>
</caution>
<caution>
<para>Update. Under SuSE 10.2, communication from a domU works okay
<para>Update. Under SUSE 10.2, communication from a domU works okay
without running ethtool <emphasis role="bold">but traffic shaping in
dom0 doesn't work!</emphasis> So it's a good idea to run it just to be
safe.</para>
</caution>
<para>SuSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
<para>SUSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
network interfaces that connect to the net and wifi zones are delegated
to the firewall DomU.</para>
@ -474,7 +474,7 @@ SECTION NEW
described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> with the exception that I've added a fourth interface for
our wireless network. The firewall runs a routed <ulink
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
url="OPENVPN.html">OpenVPN server</ulink> to provide road warrior access
for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para>
@ -834,7 +834,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
@ -842,7 +842,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
</blockquote>
<para>The tap0 device used by the bridged OpenVPN server is bridged to
eth0 using a SuSE-specific SysV init script:</para>
eth0 using a SUSE-specific SysV init script:</para>
<blockquote>
<programlisting>#!/bin/sh

View File

@ -49,7 +49,7 @@
Interconnect (OSI) reference model, a router operates at layer 3,
Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer 2 devices in the OSI
model (think of a bridge as an ethernet switch).</para>
model (think of a bridge as an Ethernet switch).</para>
<para>Some differences between routers and bridges are:</para>
@ -57,7 +57,7 @@
<listitem>
<para>Routers determine packet destination based on the destination IP
address, while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
address in the Ethernet frame.</para>
</listitem>
<listitem>
@ -142,7 +142,7 @@
<itemizedlist>
<listitem>
<para>The Shorewall system (the Bridge/Firewall) has only a single IP
address even though it has two ethernet interfaces! The IP address is
address even though it has two Ethernet interfaces! The IP address is
configured on the bridge itself, rather than on either of the network
cards.</para>
</listitem>
@ -454,7 +454,7 @@ ifconfig most 192.168.1.31 netmask 255.255.255.0 up
#you don't use rc.inet1
#########################
3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
3) I made rc.bridge executable and added the following line to /etc/rc.d/rc.local
/etc/rc.d/rc.bridge </programlisting>
</blockquote>
@ -563,7 +563,7 @@ rc-update add bridge boot
<filename>shorewall.conf</filename>.</para>
<para>In the scenario pictured above, there would probably be two BP zones
defined -- one for the internet and one for the local LAN so in
defined -- one for the Internet and one for the local LAN so in
<filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS

View File

@ -203,7 +203,7 @@
<listitem>
<para><filename>/etc/shorewall/vardir</filename> - (Added in
Shoreall 4.0.0-RC2) - Determines the directory where Shorewall
Shorewall 4.0.0-RC2) - Determines the directory where Shorewall
maintains its state.</para>
</listitem>
@ -590,7 +590,7 @@ use Shorewall::Config qw/shorewall/;</programlisting>
the name to one or more IP addresses and inserts those addresses into the
rule. So changes in the DNS-&gt;IP address relationship that occur after
the firewall has started have absolutely no effect on the firewall's
ruleset.</para>
rule set.</para>
<para>If your firewall rules include DNS names then:</para>

View File

@ -95,12 +95,12 @@
<section id="Shell-Perl">
<title>Shorewall-shell and Shorewall-perl</title>
<para>Shorewall-shell and Shoreall-perl have no configuration files and
<para>Shorewall-shell and Shorewall-perl have no configuration files and
all of their released files are installed in a single directory. To
fallback to a prior release of one of these products using the tarballs,
simple re-install the older version.</para>
<para>To uninstal these products when they have been installed using the
<para>To uninstall these products when they have been installed using the
tarballs:</para>
<itemizedlist>
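Review bot: two further errors remain on the unchanged context lines of this hunk: "To fallback to a prior release" should be "To fall back to", and "simple re-install the older version" should be "simply re-install". The hunk already edits this paragraph, so both could be fixed in the same change.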

View File

@ -37,7 +37,7 @@
<section id="Ipsets">
<title>What are Ipsets?</title>
<para>Ipsets are an extention to Netfilter/iptables that are currently
<para>Ipsets are an extension to Netfilter/iptables that are currently
available in Patch-O-Matic-ng (<ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using
ipsets requires that you patch your kernel and iptables and that you build
@ -50,7 +50,7 @@
<orderedlist>
<listitem>
<para>Blacklists. Ipsets provide an effecient way to represent large
<para>Blacklists. Ipsets provide an efficient way to represent large
sets of addresses and you can maintain the lists without the need to
restart or even refresh your Shorewall configuration.</para>
</listitem>
@ -90,7 +90,7 @@
<listitem>
<para>a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly to
enclosed in square brackets ([]). These will be passed directly to
iptables in the generated --set clause. See the ipset documentation
for details.</para>

View File

@ -363,9 +363,9 @@ CONFIG_IP_NF_ARP_MANGLE=m
(Ubuntu inexplicably includes connmark match support but not CONNTRACK
target support).<graphic align="center"
fileref="images/kernel-2.6.20-2.png" />The next graphic shows the IP
Netfilter Configuration -- these are the standard Ubuntu settions.<graphic
Netfilter Configuration -- these are the standard Ubuntu settings.<graphic
align="center" fileref="images/kernel-2.6.20-3.png" />Here is the
corresponding CONFIG file exerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
corresponding CONFIG file excerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m

View File

@ -26,7 +26,7 @@
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or mify this
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
@ -232,7 +232,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
</row>
<row>
<entry>Filrewall 2</entry>
<entry>Firewall 2</entry>
<entry>192.168.1.27 in lower cloud</entry>

View File

@ -48,7 +48,7 @@
<section id="Ping">
<title>'Ping' Management</title>
<para>In Shorewall , ICMP echo-request's are treated just like any other
<para>In Shorewall , ICMP echo-requests are treated just like any other
connection request.</para>
<para>In order to accept ping requests from zone z1 to zone z2 where the
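Review bot: "echo-request's" is fixed, but the replacement line keeps the stray space before the comma in "In Shorewall , ICMP"; it should read "In Shorewall, ICMP".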
@ -85,7 +85,7 @@ Ping/DROP z1 z2</programlisting>
<example id="Example2">
<title>Silently drop pings from the Internet</title>
<para>To drop ping from the internet, you would need this rule in
<para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)

View File

@ -227,7 +227,7 @@ ICQ/ACCEPT <emphasis>&lt;source&gt;</emphasis> net</programlisting>
<title>IMAP</title>
<caution>
<para>When accessing your mail from the internet,use <emphasis
<para>When accessing your mail from the Internet, use <emphasis
role="bold">only</emphasis> <emphasis role="bold">IMAP over
SSL.</emphasis></para>
</caution>
@ -281,7 +281,7 @@ LDAPS/ACCEPT <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &
role="bold">severe security risk</emphasis>.</para>
<para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
how to deal with the consecuences, you have been warned.</para>
how to deal with the consequences, you have been warned.</para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
@ -542,7 +542,7 @@ Whois/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
<section id="X">
<title>X/XDMCP</title>
<para>Assume that the Choser and/or X Server are running at
<para>Assume that the Chooser and/or X Server are running at
&lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>

View File

@ -163,7 +163,7 @@
classified by the national government as secret, our security doesn't
stop by putting a fence around our company. Information security is a
hot issue. We also make use of checkpoint firewalls, but not all of the
internet servers are guarded by checkpoint, some of them are
Internet servers are guarded by checkpoint, some of them are
running....Shorewall.</emphasis></para>
</blockquote>
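Review bot: this hunk changes the wording of a quoted testimonial (the <emphasis> text inside the <blockquote>): capitalising "internet" alters the contributor's own text rather than fixing a misspelling. Quoted material is normally left as written, so suggest reverting the change inside quotations and limiting the spell check pass to the document's own prose.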
@ -172,7 +172,7 @@
<para><emphasis>thanx for all your efforts you put into shorewall - this
product stands out against a lot of commercial stuff i´ve been working
with in terms of flexibillity, quality &amp; support</emphasis></para>
with in terms of flexibility, quality &amp; support</emphasis></para>
</blockquote>
<blockquote>
@ -184,7 +184,7 @@
</blockquote>
<blockquote>
<attribution>RP, Guatamala</attribution>
<attribution>RP, Guatemala</attribution>
<para><emphasis>My respects... I've just found and installed Shorewall
1.3.3-1 and it is a wonderful piece of software. I've just sent out an
@ -193,7 +193,7 @@
<para><emphasis>While I had previously taken the time (maybe 40 hours)
to really understand ipchains, then spent at least an hour per server
customizing and carefully scrutinizing firewall rules, I've got
shorewall running on my home firewall, with rulesets and policies that I
shorewall running on my home firewall, with rule sets and policies that I
know make sense, in under 20 minutes.</emphasis></para>
</blockquote>
</section>
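Review bot: "rulesets" to "rule sets" rewrites a contributor's quoted words, while the lower-case "shorewall" in the same sentence is left alone; for a testimonial the quote is better kept verbatim, and if the quotation is to be normalised at all it should be done consistently.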

View File

@ -169,7 +169,7 @@ esac</programlisting><caution>
ADMINISABSENTMINDED=Yes.</para>
<para>The firewall state when this script is invoked is
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
@ -495,7 +495,7 @@ esac</programlisting><caution>
<para>The 'continue' script has been eliminated because it no longer
make any sense under Shorewall-perl. That script was designed to allow
you to add special temporary rules during [re]start. Shorewall-perl
doesn't need such rules since the ruleset is instantianted atomically by
doesn't need such rules since the rule set is instantiated atomically by
table.</para>
</section>
</section>
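Review bot: while this sentence is being touched, "it no longer make any sense" in the first line of the hunk should read "makes any sense".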

View File

@ -50,7 +50,7 @@
<orderedlist>
<listitem>
<para>The packet is part of an established connecection. While the
<para>The packet is part of an established connection. While the
packet can be logged using LOG rules in the ESTABLISHED section of
<ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
@ -100,7 +100,7 @@
<title>Where the Traffic is Logged and How to Change the
Destination</title>
<para>By default, Shorewall directs NetFilter to log using syslog (8).
<para>By default, Shorewall directs Netfilter to log using syslog (8).
Syslog classifies log messages by a <emphasis>facility</emphasis> and a
<emphasis>priority</emphasis> (using the notation
<emphasis>facility.priority</emphasis>).</para>
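Review bot: "syslog (8)" in the changed line has a stray space before the section number; write it as "syslog(8)", matching the "shorewall.conf(8)" form used elsewhere in this commit.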
@ -111,7 +111,7 @@
<para>Throughout the Shorewall documentation, I will use the term
<emphasis>level</emphasis> rather than <emphasis>priority </emphasis>since
<emphasis>level</emphasis> is the term used by NetFilter. The syslog
<emphasis>level</emphasis> is the term used by Netfilter. The syslog
documentation uses the term <emphasis>priority</emphasis>.</para>
<section id="Levels">
@ -150,7 +150,7 @@
</simplelist>
<para>For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
Shorewall log messages are generated by Netfilter and are logged using
the <emphasis>kern</emphasis> facility and the level that you specify.
If you are unsure of the level to choose, 6 (info) is a safe bet. You
may specify levels by name or by number.</para>
@ -180,14 +180,14 @@
<listitem>
<para>All kernel.info messages will go to that destination and not
just those from NetFilter.</para>
just those from Netfilter.</para>
</listitem>
</orderedlist>
<para>Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also
specify a log level of ULOG (must be all caps). When ULOG is used,
Shorewall will direct netfilter to log the related messages via the ULOG
Shorewall will direct Netfilter to log the related messages via the ULOG
target which will send them to a process called <quote>ulogd</quote>.
The ulogd program is included in most distributions and is also
available from <ulink
@ -276,7 +276,7 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
<para><ulink
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink>
is a post describing configuring syslog-ng to work with Shorewall. Recent
<trademark>SuSE</trademark> releases come preconfigured with syslog-ng
<trademark>SUSE</trademark> releases come preconfigured with syslog-ng
with Netfilter messages (including Shorewall's) are written to
<filename>/var/log/firewall</filename>.</para>
</section>
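Review bot: the ulink URL in this hunk's context is double-escaped ("&amp;amp;m=", "&amp;amp;w="), which puts the literal text "&amp;" into the rendered link and breaks it; a single "&amp;" is correct, as in the leaf-project.org link later in this commit. The sentence "come preconfigured with syslog-ng with Netfilter messages (including Shorewall's) are written to" is also ungrammatical; "and Netfilter messages (including Shorewall's) are written to" reads correctly.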

View File

@ -45,7 +45,7 @@
<itemizedlist>
<listitem>
<para>A <emphasis role="bold">Linux</emphasis> kernel that supports
netfilter (No, it won't work on BSD or Solaris). I've tested with
Netfilter (No, it won't work on BSD or Solaris). I've tested with
2.4.2 - 2.6.16. Check <ulink url="kernel.htm">here</ulink> for kernel
configuration information.</para>
</listitem>

View File

@ -109,14 +109,14 @@
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall/default-config/modules to <filename
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall-common/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
</warning></para>
@ -192,7 +192,7 @@ dmz ipv4</programlisting>
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special <quote>because this is
the internet zone</quote> or <quote>because that is the
the Internet zone</quote> or <quote>because that is the
DMZ</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@ -286,11 +286,11 @@ all all REJECT info</programlisting>
<orderedlist>
<listitem>
<para>allow all connection requests from your local network to the
internet</para>
Internet</para>
</listitem>
<listitem>
<para>drop (ignore) all connection requests from the internet to your
<para>drop (ignore) all connection requests from the Internet to your
firewall or local network and log a message at the info level (<ulink
url="shorewall_logging.html">here is a description of log
levels</ulink>).</para>
@ -322,7 +322,7 @@ all all REJECT info</programlisting>
<itemizedlist>
<listitem>
<para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
to isolate your internet-accessible servers from your local systems so
to isolate your Internet-accessible servers from your local systems so
that if one of those servers is compromised, you still have the
firewall between the compromised system and your local systems.</para>
</listitem>
@ -508,7 +508,7 @@ loc eth2 detect</programlisting>
Class C address 192.0.2.14, the network number is hex C00002 and the
host number is hex 0E.</para>
<para>As the internet grew, it became clear that such a gross
<para>As the Internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting
(early on, large corporations and universities were assigned their own
class A network!). After some false starts, the current technique of
@ -1067,7 +1067,7 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
<para>One more thing needs to be emphasized -- all outgoing packet are
sent using the routing table and reply packets are not a special case.
There seems to be a common mis-conception whereby people think that
There seems to be a common misconception whereby people think that
request packets are like salmon and contain a genetic code that is
magically transferred to reply packets so that the replies follow the
reverse route taken by the request. That isn't the case; the replies may
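Review bot: "all outgoing packet are sent" in the first line of this hunk needs the plural "packets"; since only "mis-conception" is fixed here, this one is easy to miss.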
@ -1132,7 +1132,7 @@ tcpdump: listening on eth2
<para>The leading question marks are a result of my having specified the
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
option) which causes the <quote>arp</quote> program to forego IP-&gt;DNS
option) which causes the <quote>arp</quote> program to forgo IP-&gt;DNS
name translation. Had I not given that option, the question marks would
have been replaced with the FQDN corresponding to each IP address.
Notice that the last entry in the table records the information we saw
@ -1167,7 +1167,7 @@ tcpdump: listening on eth2
somewhat unfortunate because it leads people to the erroneous conclusion
that traffic destined for one of these addresses can't be sent through a
router. This is definitely not true; private routers (including your
Shorewall-based firewall) can forward RFC 1918 addresed traffic just
Shorewall-based firewall) can forward RFC 1918 addressed traffic just
fine.</para>
<para>When selecting addresses from these ranges, there's a couple of
@ -1349,7 +1349,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
<para>With SNAT, an internal LAN segment is configured using RFC 1918
addresses. When a host <emphasis role="bold">A</emphasis> on this
internal segment initiates a connection to host <emphasis
role="bold">B</emphasis> on the internet, the firewall/router rewrites
role="bold">B</emphasis> on the Internet, the firewall/router rewrites
the IP header in the request to use one of your public IP addresses as
the source address. When <emphasis role="bold">B</emphasis> responds
and the response is received by the firewall, the firewall changes the
@ -1359,7 +1359,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
<para>Let's suppose that you decide to use SNAT on your local zone and
use public address 192.0.2.176 as both your firewall's external IP
address and the source IP address of internet requests sent from that
address and the source IP address of Internet requests sent from that
zone.</para>
<graphic align="center" fileref="images/dmz5.png" />
@ -1396,16 +1396,16 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
<section id="dnat">
<title>DNAT</title>
<para>When SNAT is used, it is impossible for hosts on the internet to
<para>When SNAT is used, it is impossible for hosts on the Internet to
initiate a connection to one of the internal systems since those
systems do not have a public IP address. DNAT provides a way to allow
selected connections from the internet.</para>
selected connections from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Suppose that your daughter wants to run a web server on her
system <quote>Local 3</quote>. You could allow connections to the
internet to her server by adding the following entry in
Internet to her server by adding the following entry in
<filename><ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
@ -1489,12 +1489,12 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
file.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTANT
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No</programlisting>
<para>Because the HAVE ROUTE column contains No, Shorewall will add
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The ethernet
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet
interfaces on DMZ 1 and DMZ 2 should be configured to have the IP
addresses shown but should have the same default gateway as the
firewall itself -- namely 192.0.2.254. In other words, they should be
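Review bot: PERSISTANT → PERSISTENT changes a column header in a sample /etc/shorewall/proxyarp listing, and that header must match what the shipped skeleton file and the proxyarp manpage actually use; please confirm both spell it PERSISTENT (or change them in the same commit), otherwise users who copy the sample get a header that differs from their own file. On the following line, "thru" would normally be "through" in documentation.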
@ -1511,7 +1511,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:</para>
Internet. There are a couple of things that you can try:</para>
<orderedlist>
<listitem>
@ -1630,7 +1630,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with one-to-one NAT,
it will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:</para>
Internet. There are a couple of things that you can try:</para>
<orderedlist>
<listitem>
@ -1711,7 +1711,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the internet and the
local systems (Local 1-3) can access any server on the Internet and the
DMZ can't access any other host (including the firewall). With the
exception of DNAT rules which cause address translation and allow the
translated connection request to pass through the firewall, the way to
@ -1929,7 +1929,7 @@ options {
max-transfer-time-in 60;
allow-transfer {
// Servers allowed to request zone tranfers
// Servers allowed to request zone transfers
&lt;secondary NS IP&gt;; };
};
@ -2078,7 +2078,7 @@ view "external" {
<para>Here are the files in <filename
class="directory">/var/named</filename> (those not shown are usually
included in your bind disbribution).</para>
included in your bind distribution).</para>
<para><filename>db.192.0.2.176</filename> - This is the reverse zone for
the firewall's external interface</para>
@ -2101,7 +2101,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting>
@ -2125,7 +2125,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting>
@ -2150,7 +2150,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
@ -2175,7 +2175,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting>
@ -2198,7 +2198,7 @@ view "external" {
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR localhost.foobar.net.</programlisting>
@ -2221,7 +2221,7 @@ view "external" {
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR gateway.foobar.net.
2 86400 IN PTR winken.foobar.net.
@ -2248,7 +2248,7 @@ view "external" {
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; Inverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR dmz.foobar.net.</programlisting>
@ -2416,7 +2416,7 @@ foobar.net. 86400 IN A 192.0.2.177
firewall when it is stopped.</para>
<caution>
<para>If you are connected to your firewall from the internet, do not
<para>If you are connected to your firewall from the Internet, do not
issue a <quote>shorewall stop</quote> command unless you have added an
entry for the IP address that you are connected from to <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.

View File

@ -201,7 +201,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
@ -262,11 +262,11 @@ net ipv4</programlisting>
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
rule in that file matches the connection request then the first policy in
<filename>/etc/shorewall/policy</filename> that matches the request is
applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon
applied. If there is a <ulink url="shorewall_extension_scripts.htm">common
action</ulink> defined for the policy in
<filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the policy is applied. The purpose of the common action is
performed before the policy is applied. The purpose of the common action is
two-fold:</para>
<itemizedlist>
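Review bot: the first context line of this hunk has a doubly nested element, "<filename><filename>/etc/shorewall/rules</filename></filename>"; one <filename> wrapper is enough and the inner one should be dropped.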
@ -295,11 +295,11 @@ all all REJECT info</programlisting>
<orderedlist>
<listitem>
<para>allow all connection requests from the firewall to the
internet</para>
Internet</para>
</listitem>
<listitem>
<para>drop (ignore) all connection requests from the internet to your
<para>drop (ignore) all connection requests from the Internet to your
firewall</para>
</listitem>
@ -310,9 +310,9 @@ all all REJECT info</programlisting>
</orderedlist>
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
last two policies indicates that packets droped or rejected under those
last two policies indicates that packets dropped or rejected under those
policies should be <ulink url="shorewall_logging.html">logged at that
leve</ulink>l.</para>
level</ulink>.</para>
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
and make any changes that you wish.</para>
@ -324,7 +324,7 @@ all all REJECT info</programlisting>
<para>The firewall has a single network interface. Where Internet
connectivity is through a cable or <acronym>DSL</acronym>
<quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
the ethernet adapter (<filename class="devicefile">eth0</filename>) that
the Ethernet adapter (<filename class="devicefile">eth0</filename>) that
is connected to that <quote>Modem</quote> <emphasis
role="underline">unless</emphasis> you connect via
<emphasis>Point-to-Point Protocol over Ethernet</emphasis>
@ -412,7 +412,7 @@ root@lists:~# </programlisting>
<acronym>ISP</acronym>s are assigning these addresses then using
<emphasis>Network Address Translation</emphasis> <emphasis>-
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when
forwarding to/from the internet.</para>
forwarding to/from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -453,7 +453,7 @@ root@lists:~# </programlisting>
<itemizedlist>
<listitem>
<para><command>shorewall show log</command> (Displays the last 20
netfilter log messages)</para>
Netfilter log messages)</para>
</listitem>
<listitem>
@ -476,12 +476,12 @@ root@lists:~# </programlisting>
<para>Most commonly, Netfilter messages are logged to
<filename>/var/log/messages</filename>. Recent
<trademark>SuSE/OpenSuSE</trademark> releases come preconfigured with
syslog-ng and log netfilter messages to
syslog-ng and log Netfilter messages to
<filename>/var/log/firewall</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If you are running a distribution that logs netfilter messages to a
<para>If you are running a distribution that logs Netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to
specify the name of your log.</para>
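Review bot: "SuSE/OpenSuSE" in this hunk's context is left as is while other hunks in this commit change "SuSE" to "SUSE"; for consistency this should become "SUSE/openSUSE".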
@ -501,7 +501,7 @@ root@lists:~# </programlisting>
in your version of Shorewall using the command <command>ls
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
<para>If you wish to enable connections from the internet to your firewall
<para>If you wish to enable connections from the Internet to your firewall
and you find an appropriate macro in
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule
in <filename>/etc/shorewall/rules</filename> is:</para>
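Review bot: the context line above says macros are listed with "ls /usr/share/shorewall/macro.*", but the rewritten sentence says "an appropriate macro in /etc/shorewall/macro.*"; the two paths disagree, and /usr/share/shorewall is the one the ls command actually uses, so the /etc path looks like the error.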
@ -544,9 +544,9 @@ ACCEPT net $FW tcp 143</programlisting></para>
uses, see <ulink url="ports.htm">here</ulink>.</para>
<important>
<para>I don't recommend enabling telnet to/from the internet because it
<para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your
firewall from the internet, use <acronym>SSH</acronym>:</para>
firewall from the Internet, use <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net $FW </programlisting>
@ -594,7 +594,7 @@ SSH/ACCEPT net $FW </programlisting>
<quote><command>shorewall clear</command></quote>.</para>
<warning>
<para>If you are connected to your firewall from the internet, do not
<para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command unless
you have added an entry for the IP address that you are connected from
to <ulink
@ -641,4 +641,4 @@ SSH/ACCEPT net $FW </programlisting>
page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para>
</section>
</article>
</article>
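Review bot: "helpful tips about Shorewall features than make administering your firewall easier" in this hunk's context should read "that make"; it is a spelling-level slip of the kind this commit is fixing.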

View File

@ -169,15 +169,15 @@
директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para>
<para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif"
@ -215,7 +215,7 @@
<listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории <filename
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>.</para>
class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>.</para>
</listitem>
</orderedlist>

View File

@ -148,7 +148,7 @@
<important>
<para>The <command>shorewall stop</command> command does not remove
all netfilter rules and open your firewall for all traffic to pass.
all Netfilter rules and open your firewall for all traffic to pass.
It rather places your firewall in a safe state defined by the
contents of your <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
@ -179,7 +179,7 @@
<para>Because of the different requirements of distribution packaging
systems, the behavior of <filename>/etc/init.d/shorewall</filename> and
<filename>/etc/init.d/shorewall-lite</filename> is not consistent between
distributions. As an example, when using the distributon Shorewall
distributions. As an example, when using the distribution Shorewall
packages on <trademark>Debian</trademark> and
<trademark>Ubuntu</trademark> systems, running
<command>/etc/init.d/shorewall stop</command> will actually execute the
@ -617,7 +617,7 @@
<section id="State">
<title>Shorewall State Diagram</title>
<para>The Shorewall State Diargram is depicted below.</para>
<para>The Shorewall State Diagram is depicted below.</para>
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>

View File

@ -274,9 +274,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
<para>If Shorewall is starting successfully and your problem is that
some set of <emphasis role="bold">connections</emphasis> to/from or
through your firewall <emphasis role="bold">isn't working</emphasis>
(examples: local systems can't access the internet, you can't send
(examples: local systems can't access the Internet, you can't send
email through the firewall, you can't surf the web from the firewall,
connections that you are certain should be rejected are mysterously
connections that you are certain should be rejected are mysteriously
accepted, etc.) or <emphasis role="bold">you are having problems with
traffic shaping</emphasis> then please perform the following six
steps:</para>
@ -313,7 +313,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
<listitem>
<para>Otherwise:</para>
<para>Shorewall is starting successfuly and you have <emphasis
<para>Shorewall is starting successfully and you have <emphasis
role="bold">no connection problems</emphasis> and you have <emphasis
role="bold">no traffic shaping problems</emphasis>. Your problem is
with performance, logging, etc. Please include the following:</para>
@ -409,7 +409,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</listitem>
<listitem>
<para>The author gratefully acknowleges that the above list was
<para>The author gratefully acknowledges that the above list was
heavily plagiarized from the excellent LEAF document by <emphasis>Ray
Olszewski</emphasis> found <ulink
url="http://leaf-project.org/index.php?module=pagemaster&amp;PAGE_user_op=view_page&amp;PAGE_id=6&amp;MMN_position=21:21">here</ulink>.</para>

View File

@ -76,7 +76,7 @@
</listitem>
<listitem>
<para>DMZ connected to a separate ethernet interface. The purpose of a
<para>DMZ connected to a separate Ethernet interface. The purpose of a
DMZ is to isolate those servers that are exposed to the Internet from
your local systems so that if one of those servers is compromised
there is still a firewall between the hacked server and your local
@ -185,7 +185,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
@ -286,10 +286,10 @@ dmz ipv4</programlisting>Zone names are defined in
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied. The purpose of the common action is
performed before the action is applied. The purpose of the common action is
two-fold:</para>
<itemizedlist>
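Review bot: "performed before the action is applied" reads wrong, since the thing being applied is the policy; the parallel sentence in the other guide edited in this commit says "performed before the policy is applied", so this one should say "policy" as well.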
@ -316,7 +316,7 @@ all all REJECT info</programlisting>
<important>
<para>In the three-interface sample, the line below is included but
commented out. If you want your firewall system to have full access to
servers on the internet, uncomment that line.</para>
servers on the Internet, uncomment that line.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting>
@ -327,17 +327,17 @@ $FW net ACCEPT</programlisting>
<orderedlist>
<listitem>
<para>allow all connection requests from your local network to the
internet</para>
Internet</para>
</listitem>
<listitem>
<para>drop (ignore) all connection requests from the internet to your
<para>drop (ignore) all connection requests from the Internet to your
firewall or local network</para>
</listitem>
<listitem>
<para>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</para>
the Internet (if you uncomment the additional policy)</para>
</listitem>
<listitem>
@ -346,9 +346,9 @@ $FW net ACCEPT</programlisting>
</orderedlist>
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
DROP and REJECT policies indicates that packets droped or rejected under
DROP and REJECT policies indicates that packets dropped or rejected under
those policies should be <ulink url="shorewall_logging.html">logged at
that leve</ulink>l.</para>
that level</ulink>.</para>
<para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the
@ -379,7 +379,7 @@ $FW net ACCEPT</programlisting>
<para>The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL <quote>Modem</quote>, the External
Interface will be the ethernet adapter that is connected to that
Interface will be the Ethernet adapter that is connected to that
<quote>Modem</quote> (e.g., <filename class="devicefile">eth0</filename>)
unless you connect via <emphasis>Point-to-Point Protocol</emphasis> over
Ethernet (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis>
@ -424,7 +424,7 @@ root@lists:~# </programlisting>
<varname>CLAMPMSS=yes</varname> in
<filename>/etc/shorewall/shorewall.conf</filename>.</emphasis></para>
<para>Your Local Interface will be an ethernet adapter (<filename
<para>Your Local Interface will be an Ethernet adapter (<filename
class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or
@ -432,7 +432,7 @@ root@lists:~# </programlisting>
If you have only a single local system, you can connect the firewall
directly to the computer using a cross-over cable).</para>
<para>Your DMZ Interface will also be an ethernet adapter (<filename
<para>Your DMZ Interface will also be an Ethernet adapter (<filename
class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or
@ -604,7 +604,7 @@ root@lists:~# </programlisting>
Routing</quote>, Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.</para>
<para>The remainder of this quide will assume that you have configured
<para>The remainder of this guide will assume that you have configured
your network as shown here:</para>
<figure id="Figure3">
@ -641,14 +641,14 @@ root@lists:~# </programlisting>
<para>The addresses reserved by RFC 1918 are sometimes referred to as
non-routable because the Internet backbone routers don't forward packets
which have an RFC-1918 destination address. When one of your local systems
(let's assume local computer 1) sends a connection request to an internet
(let's assume local computer 1) sends a connection request to an Internet
host, the firewall must perform Network Address Translation (NAT). The
firewall rewrites the source address in the packet to be the address of
the firewall's external interface; in other words, the firewall makes it
look as if the firewall itself is initiating the connection. This is
necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed accross the internet).
address is reserved by RFC 1918 can't be routed across the Internet).
When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer
1.</para>
@ -736,7 +736,7 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
<important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTON NEW.</emphasis></para>
role="bold">SECTION NEW.</emphasis></para>
</important>
<example id="Example1">
@ -975,7 +975,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<itemizedlist>
<listitem>
<para><command>shorewall show log</command> (Displays the last 20
netfilter log messages)</para>
Netfilter log messages)</para>
</listitem>
<listitem>

View File

@ -185,15 +185,15 @@
директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para>
<para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif"
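Review bot: the rewritten `<filename>` elements for `.../default-config/shorewall.conf` and `.../default-config/modules` keep `class="directory"` although both paths name files, not directories; as these lines are being edited anyway, use a plain `<filename>` for the two file paths so the DocBook markup matches what the path denotes. The surrounding Russian text is unchanged here apart from the package path, which is correct.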
@ -233,7 +233,7 @@
<listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории<filename
class="directory">/usr/share/doc/shorewall/examples/three-interface</filename>.</para>
class="directory">/usr/share/doc/shorewall-common/examples/three-interface</filename>.</para>
</listitem>
</orderedlist>
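Review bot: the context line "директории<filename" lacks the space between the word and the `<filename>` element, so the rendered text runs "директории/usr/share/doc/..." together; insert the space while the path on the following line is being corrected.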

View File

@ -48,7 +48,7 @@
<important>
<para>Traffic shaping is complex and the Shorewall community is not well
equiped to answer traffic shaping questions. So if you are the type of
equipped to answer traffic shaping questions. So if you are the type of
person who needs "insert tab A into slot B" instructions for everything
that you do, then please don't try to implement traffic shaping using
Shorewall. You will just frustrate yourself and we won't be able to help
@ -92,7 +92,7 @@
traffic shaping and control. Before this version, the support was quite
limited. You were able to use your own tcstart script (and you still are),
but besides the tcrules file it was not possible to define classes or
queueing discplines inside the Shorewall config files.</para>
queuing disciplines inside the Shorewall config files.</para>
<para>The support for traffic shaping and control still does not cover all
options available (and especially all algorithms that can be used to queue
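Review bot: "queueing" is not a misspelling; both "queueing" and "queuing" are standard, and the kernel and iproute2 documentation write "queueing discipline" for qdisc. Normalizing to "queuing" throughout this file is a legitimate style choice, but it should be stated in the commit message as a deliberate spelling policy rather than folded in with genuine typo fixes, and the rest of the tree should follow the same choice.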
@ -108,7 +108,7 @@
<title>Linux traffic shaping and control</title>
<para>This section gives a brief introduction of how controlling traffic
with the linux kernel works. Although this might be enough for configuring
with the Linux kernel works. Although this might be enough for configuring
it in the Shorewall configuration files, we strongly recommend that you
take a deeper look into the <ulink url="http://lartc.org/howto/">Linux
Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this,
@ -119,7 +119,7 @@
traffic before it leaves an interface. The standard one is called pfifo
and is (as the name suggests) of the type First In First out. This means,
that it does not shape anything, if you have a connection that eats up all
your bandwidth, this qeueing algorithm will not stop it from doing
your bandwidth, this queuing algorithm will not stop it from doing
so.</para>
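Review bot: besides the "qeueing" fix, the context line "of the type First In First out" mixes capitalization within one term; write "First In First Out" (or "first in, first out") and drop the comma in "This means, that it does not shape anything" so the sentence reads as English rather than a calque.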
<para>For Shorewall traffic shaping we use two algorithms, one is called
@ -127,9 +127,9 @@
is easy to explain: it just tries to track your connections (tcp or udp
streams) and balances the traffic between them. This normally works well.
HTB allows you to define a set of classes, and you can put the traffic you
want into these classes. You can define minimum and maximum bandwitdh
settings for those classes and order them hierachically (the less
priorized classes only get bandwitdth if the more important have what they
want into these classes. You can define minimum and maximum bandwidth
settings for those classes and order them hierarchically (the less
prioritized classes only get bandwidth if the more important have what they
need). Shorewall builtin traffic shaping allows you to define these
classes (and their bandwidth limits), and it uses SFQ inside these classes
to make sure, that different data streams are handled equally.</para>
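Review bot: the same spell-check pass should also normalize the context lines here: "tcp or udp streams" should read "TCP or UDP streams" for consistency with the HTTP and VoIP capitalizations applied elsewhere in this commit, and "Shorewall builtin traffic shaping" should be "Shorewall's built-in traffic shaping".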
@ -148,7 +148,7 @@
outgoing interface as fast as possible.</para>
<para>There is one exception, though. Limiting incoming traffic to a
value a bit slower than your actual line speed will avoid queueing on
value a bit slower than your actual line speed will avoid queuing on
the other end of that connection. This is mostly useful if you don't
have access to traffic control on the other side and if this other
side has a faster network connection than you do (the line speed
@ -160,16 +160,16 @@
has not (but the protocol over UDP might recognize it , if there is
any).</para>
<para>The reason why queing is bad in these cases is, that you might
have packets which need to be priorized over others, e.g. VoIP or ssh.
<para>The reason why queuing is bad in these cases is, that you might
have packets which need to be prioritized over others, e.g. VoIP or ssh.
For this type of connections it is important that packets arrive in a
certain amount of time. For others like http downloads, it does not
certain amount of time. For others like HTTP downloads, it does not
really matter if it takes a few seconds more.</para>
<para>If you have a large queue on the other side and the router there
does not care about QoS or the QoS bits are not set properly, your
important packets will go into the same queue as your less
timecritical download packets which will result in a large
time critical download packets which will result in a large
delay.</para>
</blockquote></para>
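Review bot: the replacement "time critical download packets" needs a hyphen, since "time-critical" is a compound adjective in front of a noun; "timecritical" was the wrong fix target. Also the context line "the protocol over UDP might recognize it , if there is" has a stray space before the comma.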
@ -211,7 +211,7 @@
<para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Classes with a higher priority (lower PRIORITY
value) are served even if there are others that have a guaranteed
bandwith but have a lower priority (higher PRIORITY value).</para>
bandwidth but have a lower priority (higher PRIORITY value).</para>
</listitem>
<listitem>
@ -338,7 +338,7 @@
the facility. Again, please see the links at top of this article.</para>
<para>For defining bandwidths (for either devices or classes) please use
kbit or kbps(for Kilobytes per second) and make sure there is <emphasis
kbit or kbps (for Kilobytes per second) and make sure there is <emphasis
role="bold">NO</emphasis> space between the number and the unit (it is
100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps
or a raw number (which means bytes) could be used, but note that only
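Review bot: the corrected unit sentence expands only kbps. Because tc reads kbit as kilobits per second and kbps as kilobytes per second, spell out both, e.g. "kbit (for kilobits per second) or kbps (for kilobytes per second)", so a reader does not confuse the two and configure a rate that is off by a factor of eight.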
@ -414,7 +414,7 @@
</listitem>
<listitem>
<para>OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that
<para>OUT-BANDWIDTH - Specify the outgoing bandwidth of that
interface. This is the maximum speed your connection can handle. It
is also the speed you can refer as "full" if you define the tc
classes. Outgoing traffic above this rate will be dropped.</para>
@ -488,7 +488,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem>
<para>MARK - The mark value which is an integer in the range 1-255.
You define these marks in the tcrules file, marking the traffic you
want to go into the queueing classes defined in here. You can use
want to go into the queuing classes defined in here. You can use
the same marks for different Interfaces. You must specify "-' in
this column if the device specified in the INTERFACE column has the
<emphasis role="bold">classify</emphasis> option in
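Review bot: the context line `You must specify "-' in` mixes a double and a single quotation mark around the dash; it should be `"-"` (matching the `"-"` used for the LENGTH column later in this file).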
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Please note that first the classes which equal
or a lesser priority value are served even if there are others that
have a guaranteed bandwith but a lower priority. <emphasis
have a guaranteed bandwidth but a lower priority. <emphasis
role="bold">If the sum of the RATEs for all classes assigned to an
INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the
OUT-BANDWIDTH limit will not be honored.</emphasis></para>
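Review bot: "interfaces's" in the bold sentence should be "interface's", and the preceding context sentence "first the classes which equal or a lesser priority value are served" is missing a verb; "classes with an equal or lesser PRIORITY value are served first" says what is meant. Both sit next to the "bandwidth" fix and are worth taking in the same pass.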
@ -517,7 +517,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem>
<para>PRIORITY - you have to define a priority for the class.
packets in a class with a higher priority (=lesser value) are
handled before less priorized onces. You can just define the mark
handled before less prioritized ones. You can just define the mark
value here also, if you are increasing the mark values with lesser
priority.</para>
</listitem>
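Review bot: the context line "you have to define a priority for the class. packets in a class" starts a sentence in lower case; capitalize "Packets". The "onces" to "ones" correction itself is right.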
@ -749,7 +749,7 @@ ppp0 6000kbit 500kbit</programlisting>
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the MARK column
specificies a classification of the form &lt;major&gt;:&lt;minor&gt;
specifies a classification of the form &lt;major&gt;:&lt;minor&gt;
then this column may also contain an interface name.</para>
</listitem>
@ -791,7 +791,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>[!][&lt;user name or number&gt;]:[&lt;group name or
number&gt;][+&lt;program name&gt;]</para>
<para>The colon is optionnal when specifying only a user.</para>
<para>The colon is optional when specifying only a user.</para>
<para>Examples:</para>
@ -833,7 +833,7 @@ ppp0 6000kbit 500kbit</programlisting>
match.</para>
<para>You must have iptables length support for this to work. If you
let it empy or place an "-" here, no length match will be
let it empty or place an "-" here, no length match will be
done.</para>
<para>Examples: 1024, 64:1500, :100</para>
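Review bot: the corrected line still reads 'place an "-" here'; since the dash is read as a single character, "a" is the right article ('place a "-" here'), matching the article used for the same placeholder elsewhere in the file.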
@ -861,7 +861,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem>
<para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
Names one of the Netfiler protocol helper modules such as
Names one of the Netfilter protocol helper modules such as
<emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para>
</listitem>
@ -939,7 +939,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<para>The last four rules can be translated as:</para>
<blockquote>
<para>"If a packet hasn't been classifed (packet mark is 0), copy
<para>"If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark."</para>
@ -966,10 +966,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<section id="ppp">
<title>ppp devices</title>
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider
<para>If you use ppp/pppoe/pppoa) to connect to your Internet provider
and you use traffic shaping you need to restart shorewall traffic
shaping. The reason for this is, that if the ppp connection gets
restarted (and it usally does this at least daily), all
restarted (and it usually does this at least daily), all
<quote>tc</quote> filters/qdiscs related to that interface are
deleted.</para>
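Review bot: the rewritten line "If you use ppp/pppoe/pppoa) to connect to your Internet provider" still carries the unbalanced ")" after "pppoa"; remove it (or write "(ppp, pppoe or pppoa)") in the same edit. Also "restart shorewall traffic shaping" would be clearer as "restart Shorewall traffic shaping", given that the product name is capitalized elsewhere.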
@ -994,7 +994,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
Please note that they are just examples and need to be adjusted to
work for you. In this example it is assumed that your interface for
you internet connection is ppp0 (for DSL), if you use another
your Internet connection is ppp0 (for DSL), if you use another
connection type, you have to change it. You also need to change the
settings in the tcdevices.wondershaper file to reflect your line
speed. The relevant lines of the config files follow here. Please note
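Review bot: the context line with the `<ulink>` has a stray double quote at the start of the link text (`>"http://www1.shorewall.net/...`), so the rendered anchor text begins with a quotation mark; strip it while the "your Internet connection" fix is being applied two lines below.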
@ -1071,7 +1071,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<section id="simiple">
<title>A simple setup</title>
<para>This is a simple setup for people sharing an internet connection
<para>This is a simple setup for people sharing an Internet connection
and using different computers for this. It just basically shapes
between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para>
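Review bot: the section id `simiple` is itself a misspelling that the spell checker could not see inside an attribute; if it is renamed to `simple`, every xref or external link that targets `#simiple` must be updated at the same time, otherwise leave it and note it. Separately, the context "which have the ip addresses 192.168.2.23 and 192.168.2.42" should read "IP addresses" and the paragraph is missing its final period.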
@ -1167,7 +1167,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<itemizedlist>
<listitem>
<para>Traffic being forwarded from the internet</para>
<para>Traffic being forwarded from the Internet</para>
</listitem>
<listitem>
@ -1687,4 +1687,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
<para>At least one Shorewall user has found this tool helpful: <ulink
url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
</section>
</article>
</article>
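Review bot: this hunk removes and re-adds a textually identical `</article>` line, so the only change is end-of-file whitespace (most likely the missing trailing newline). That is fine, but it is not a spelling fix; either mention it in the commit message or drop it so the diff contains only the documented changes.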

View File

@ -140,7 +140,7 @@ gateway:~/test # </programlisting>This information is useful to Shorewall
<para>The end of the compile phase is signaled by a message such as the
following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors
occuring past that point are said to occur at
occurring past that point are said to occur at
<firstterm>run-time</firstterm> because they occur during the running of
the compiled firewall script (/var/lib/shorewall/.restart in the case of
the above message).</para>

View File

@ -164,7 +164,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
@ -269,10 +269,10 @@ loc ipv4</programlisting>Zones are defined in the <ulink
first policy in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied. The purpose of the common action is
performed before the action is applied. The purpose of the common action is
two-fold:</para>
<itemizedlist>
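Review bot: the corrected sentence "then that action is performed before the action is applied" still reads ambiguously because "the action" refers to two different things; the second occurrence means the policy, so "that action is performed before the policy is applied" is what the following "The purpose of the common action" paragraph assumes.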
@ -296,32 +296,32 @@ loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting> The above policy will:
<itemizedlist>
<listitem>
<para>Allow all connection requests from your local network to the
internet</para>
Internet</para>
</listitem>
<listitem>
<para>Drop (ignore) all connection requests from the internet to
<para>Drop (ignore) all connection requests from the Internet to
your firewall or local network</para>
</listitem>
<listitem>
<para>Optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</para>
the Internet (if you uncomment the additional policy)</para>
</listitem>
<listitem>
<para>reject all other connection requests.</para>
</listitem>
</itemizedlist> The word <firstterm>info</firstterm> in the LOG LEVEL
column for the DROP and REJECT policies indicates that packets droped or
column for the DROP and REJECT policies indicates that packets dropped or
rejected under those policies should be <ulink
url="shorewall_logging.html">logged at that leve</ulink>l.</para>
url="shorewall_logging.html">logged at that level</ulink>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
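Review bot: two small inconsistencies remain in this hunk's context: the list item "reject all other connection requests." starts in lower case while its siblings start with "Allow", "Drop" and "Optionally", and the programlisting shows `$FW net ACCEPT` without a leading "#" although the sentence just above says the line "is included but commented out". Show the line as `#$FW net ACCEPT` so the listing matches the prose and the sample file.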
@ -349,7 +349,7 @@ $FW net ACCEPT</programlisting> The above policy will:
<para>The firewall has two network interfaces. Where Internet connectivity
is through a cable or <acronym>DSL</acronym> <quote>Modem</quote>, the
<emphasis>External Interface</emphasis> will be the ethernet adapter that
<emphasis>External Interface</emphasis> will be the Ethernet adapter that
is connected to that <quote>Modem</quote> (e.g., <filename
class="devicefile">eth0</filename>) unless you connect via
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
@ -395,7 +395,7 @@ root@lists:~# </programlisting>
<varname>CLAMPMSS=yes</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename></emphasis>.</para>
<para>Your <emphasis>Internal Interface</emphasis> will be an ethernet
<para>Your <emphasis>Internal Interface</emphasis> will be an Ethernet
adapter (<filename class="devicefile">eth1</filename> or <filename
class="devicefile">eth0</filename>) and will be connected to a hub or
switch. Your other computers will be connected to the same hub/switch
@ -565,7 +565,7 @@ root@lists:~# </programlisting>
(<ulink
url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
<para id="Diagram">The remainder of this quide will assume that you have
<para id="Diagram">The remainder of this guide will assume that you have
configured your network as shown here: <mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
@ -588,14 +588,14 @@ root@lists:~# </programlisting>
don't forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1 in the <link
linkend="Diagram">above diagram</link>) sends a connection request to an
internet host, the firewall must perform <emphasis>Network Address
Internet host, the firewall must perform <emphasis>Network Address
Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it appear to the destination
internet host as if the firewall itself is initiating the connection. This
Internet host as if the firewall itself is initiating the connection. This
is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so the
address is reserved by RFC 1918 can't be routed across the Internet so the
remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to
<systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
@ -662,7 +662,7 @@ root@lists:~# </programlisting>
<para>One of your goals may be to run one or more servers on your local
computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is
possible for clients on the Internet to connect directly to them. It is
rather necessary for those clients to address their connection requests to
the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
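Review bot: the context line "to the firewall who rewrites the destination address" should read "which rewrites", since the subject is a machine, not a person; worth fixing alongside the "Internet" capitalization on the line above.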
@ -682,7 +682,7 @@ root@lists:~# </programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTON NEW.</emphasis></para>
role="bold">SECTION NEW.</emphasis></para>
</important><important>
<para>The server must have a static IP address. If you assign IP
addresses to your local system using DHCP, you need to configure your
@ -822,7 +822,7 @@ DNS/ACCEPT $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
allowing all connections from the firewall to the internet.</para>
allowing all connections from the firewall to the Internet.</para>
<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
@ -863,8 +863,8 @@ Web/ACCEPT loc $FW </programlisting>Those two rules would of
</example> If you don't know what port and protocol a particular
application uses, look <ulink url="ports.htm">here</ulink>. <important>
<para>I don't recommend enabling <command>telnet</command> to/from the
internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use
Internet because it uses clear text (even for login!). If you want
shell access to your firewall from the Internet, use
<acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
@ -1022,7 +1022,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
access to/from other hosts, change <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
accordingly. <warning>
<para>If you are connected to your firewall from the internet, do not
<para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command
unless you have added an entry for the <acronym>IP</acronym> address
that you are connected from to <filename
@ -1073,11 +1073,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<para>Once you have the two-interface setup working, the next logical step
is to add a Wireless Network. The first step involves adding an additional
network card to your firewall, either a Wireless card or an ethernet card
network card to your firewall, either a Wireless card or an Ethernet card
that is connected to a Wireless Access Point.<caution>
<para>When you add a network card, it won't necessarily be detected as
the next highest ethernet interface. For example, if you have two
ethernet cards in your system (<filename
the next highest Ethernet interface. For example, if you have two
Ethernet cards in your system (<filename
class="devicefile">eth0</filename> and <filename
class="devicefile">eth1</filename>) and you add a third card that uses
the same driver as one of the other two, that third card won't
@ -1130,7 +1130,7 @@ loc wlan0 detect maclist</programlisting>
url="MAC_Validation.html">maclist option</ulink> for the wireless
segment. By adding entries for computers 3 and 4 in
<filename>/etc/shorewall/maclist</filename>, you help ensure that your
neighbors aren't getting a free ride on your internet connection.
neighbors aren't getting a free ride on your Internet connection.
Start by omitting that option; when you have everything working, then
add the option and configure your
<filename>/etc/shorewall/maclist</filename> file.</para>
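Review bot: the maclist sentence in this hunk should say what the control actually buys. A client's MAC address is set by the client and is easy to copy from an allowed host, so maclist keeps casual users off the wireless segment but does not stop anyone who spoofs a permitted address; "help ensure that your neighbors aren't getting a free ride" reads stronger than that, and a short caveat pointing readers to link-layer encryption on the wireless segment would prevent the option being mistaken for access control.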
@ -1139,7 +1139,7 @@ loc wlan0 detect maclist</programlisting>
<listitem>
<para>You need to add an entry to the
<filename>/etc/shorewall/masq</filename> file to masquerade traffic
from the wireless network to the internet. If your internet interface
from the wireless network to the Internet. If your Internet interface
is <filename class="devicefile">eth0</filename> and your wireless
interface is <filename class="devicefile">wlan0</filename>, the entry
would be:</para>

View File

@ -173,15 +173,15 @@
директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para>
<para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
class="directory">/usr/share/doc/shorewall=common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif"
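Review bot: the replacement line introduces a new typo in the path: `/usr/share/doc/shorewall=common/default-config/modules` has "=" where the package name needs a hyphen; it must read `/usr/share/doc/shorewall-common/default-config/modules`, matching the two corrected paths just above it. As in the other Russian file, the `<filename class="directory">` elements on these two file paths should lose the `class="directory"` attribute.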
@ -221,7 +221,7 @@
<listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории<filename
class="directory">/usr/share/doc/shorewall/examples/two-interface</filename>.</para>
class="directory">/usr/share/doc/shorewall-common/examples/two-interface</filename>.</para>
</listitem>
</orderedlist>
@ -1068,4 +1068,4 @@ eth0 wlan0</programlisting>
Вашем файерволе потребует правил, перечисленных в <ulink
url="samba.htm">документации Shorewall/Samba</ulink>.</para>
</section>
</article>
</article>
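Review bot: identical `</article>` line removed and re-added, i.e. a trailing-newline-only change that is unrelated to spelling; keep it only if the commit message says the files were also normalized to end with a newline.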

View File

@ -167,7 +167,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
<para>Insure correct operation. Default actions can also avoid
common pitfalls like dropping connection requests on TCP port 113.
If these connections are dropped (rather than rejected) then you
may encounter problems connecting to internet services that
may encounter problems connecting to Internet services that
utilize the AUTH protocol of client authentication.</para>
</listitem>
</orderedlist>
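Review bot: the context line "Insure correct operation." should read "Ensure correct operation."; "insure" is a real word so the spell checker passed it, but it is the wrong one here. The rest of the item, including the point that dropping rather than rejecting TCP port 113 causes delays against services that use AUTH/ident, is correct and worth keeping as written.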
@ -485,7 +485,7 @@ all all REJECT:MyReject info</programlisting>
<listitem>
<para>Beginning with this release, the way in which packet marking in
the PREROUTING chain interracts with the 'track' option in
the PREROUTING chain interacts with the 'track' option in
/etc/shorewall/providers has changed in two ways:</para>
<orderedlist numeration="loweralpha">

View File

@ -42,7 +42,7 @@
</row>
<row rowsep="0" valign="middle">
<entry align="left">NetFilter Site: <ulink
<entry align="left">Netfilter Site: <ulink
url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></entry>
</row>
@ -79,7 +79,7 @@
<row rowsep="0" valign="middle">
<entry>Debian apt-get sources for Shorewall: <ulink
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
</row>
<row rowsep="0" valign="middle">
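Review bot: the replacement `<ulink url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/` leaves the `<ulink>` element empty and places the URL text after `</ulink>`, so the rendered entry shows the address as plain text with no clickable link; the text belongs inside the element, as on the removed line. Also, swapping the Debian apt source from idea.sec.dico.unimi.it to people.connexer.com is a content change, not a spelling fix, and should be called out in the commit message.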

View File

@ -42,7 +42,7 @@
</listitem>
<listitem>
<para>The local network uses <acronym>SNAT</acronym> to the internet and
<para>The local network uses <acronym>SNAT</acronym> to the Internet and
is comprised of the Class B network <literal>10.10.0.0/16</literal>
(Note: While this example uses an RFC 1918 local network, the technique
described here in no way depends on that or on <acronym>SNAT</acronym>.
@ -90,7 +90,7 @@ dmz ipv4</programlisting>
<bridgehead renderas="sect4">Interfaces File</bridgehead>
<programlisting>#ZONE INTERFACE BROACAST OPTIONS
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 &lt;whatever&gt; ...
dmz eth1 &lt;whatever&gt; ...
- eth2 10.10.255.255</programlisting>