From 025e97c8bbc453e6680a7a5bc07980e402c2f56f Mon Sep 17 00:00:00 2001 
From: el_cubano
Date: Fri, 15 Aug 2008 05:03:24 +0000
Subject: [PATCH] Finish passing through all the documentation with a spell checker.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-common/lib.cli | 2 +-
docs/FAQ.xml | 12 ++---
docs/Install.xml | 6 +--
docs/Introduction.xml | 4 +-
docs/NAT.xml | 2 +-
docs/OPENVPN.xml | 4 +-
docs/PPTP.xml | 12 ++---
docs/PacketHandling.xml | 2 +-
docs/PacketMarking.xml | 2 +-
docs/ProxyARP.xml | 4 +-
docs/ReleaseModel.xml | 8 +--
docs/ScalabilityAndPerformance.xml | 2 +-
docs/Shorewall-perl.xml | 12 ++---
docs/Shorewall_Doesnt.xml | 2 +-
docs/Shorewall_Squid_Usage.xml | 4 +-
docs/Shorewall_and_Aliased_Interfaces.xml | 2 +-
docs/Shorewall_and_Kazaa.xml | 2 +-
docs/Shorewall_and_Routing.xml | 2 +-
docs/SimpleBridge.xml | 8 +--
docs/SplitDNS.xml | 2 +-
docs/VPN.xml | 2 +-
docs/XenMyWay-Routed.xml | 6 +--
docs/XenMyWay.xml | 20 ++++----
docs/bridge-Shorewall-perl.xml | 10 ++--
docs/configuration_file_basics.xml | 4 +-
docs/fallback.xml | 4 +-
docs/ipsets.xml | 6 +--
docs/kernel.xml | 4 +-
docs/netmap.xml | 4 +-
docs/ping.xml | 4 +-
docs/ports.xml | 6 +--
docs/quotes.xml | 8 +--
docs/shorewall_extension_scripts.xml | 4 +-
docs/shorewall_logging.xml | 14 ++---
docs/shorewall_prerequisites.xml | 2 +-
docs/shorewall_setup_guide.xml | 62 +++++++++++------------
docs/standalone.xml | 34 ++++++-------
docs/standalone_ru.xml | 8 +--
docs/starting_and_stopping_shorewall.xml | 6 +--
docs/support.xml | 8 +--
docs/three-interface.xml | 36 ++++++-------
docs/three-interface_ru.xml | 8 +--
docs/traffic_shaping.xml | 58 ++++++++++-----------
docs/troubleshoot.xml | 2 +-
docs/two-interface.xml | 52 +++++++++----------
docs/two-interface_ru.xml | 10 ++--
docs/upgrade_issues.xml | 4 +-
docs/useful_links.xml | 4 +-
docs/whitelisting_under_shorewall.xml | 4 +-
49 files changed, 244 insertions(+), 244 deletions(-)
diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli index d7cbc4efd..d26b3cc38 100644 --- a/Shorewall-common/lib.cli +++ b/Shorewall-common/lib.cli @@ -494,7 +494,7 @@ show_command() { ;; classifiers|filters) [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Clasifiers at $HOSTNAME - $(date)" + echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)" echo show_classifiers ;; diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 1f68b2a83..876609286 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -66,8 +66,8 @@ the Shorewall Debian Maintainer: For more information about Shorewall usage on Debian - system please look at /usr/share/doc/shorewall/README.Debian provided - by [the] shorewall Debian package. + system please look at /usr/share/doc/shorewall-common/README.Debian + provided by [the] shorewall-common Debian package. If you install using the .deb, you will find that your /usr/share/doc/shorewall/examples/. Beginning with Shorewall 4.0, the samples are in the shorewall-common package and are installed in /usr/share/doc/shorewall-common/examples/. + class="directory">/usr/share/doc/shorewall-common/examples/. @@ -1255,7 +1255,7 @@ teastep@ursa:~$ The first number determines the maximum log standardized and will vary by distribution and distribution version. But anytime you see no logging, it's time to look outside the Shorewall configuration for the cause. As an example, recent - SuSE releases use syslog-ng by default and + SUSE releases use syslog-ng by default and write Shorewall messages to /var/log/firewall. @@ -1861,7 +1861,7 @@ iptables: Invalid argument if you don't need policy match support (you are not using the - IPSEC implementation built into the 2.6 kernel) then you can rename + IPSEC implementation builtinto the 2.6 kernel) then you can rename /lib/iptables/libipt_policy.so. @@ -2004,7 +2004,7 @@ iptables: Invalid argument Traffic Shaping
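Review bot: The FAQ.xml hunk at @@ -1861 replaces the correct phrase `built into` with `builtinto`, which is not a word, so this spell-check pass introduces a typo here rather than removing one; the added line should read `IPSEC implementation built into the 2.6 kernel) then you can rename`. The same substitution recurs in the FAQ 67 title hunk at @@ -2004 (where the original `built in` should become `built-in`, not `builtinto`), in both Introduction.xml hunks (`packet filter facility built into the 2.4 and later Linux` / `built into the 2.2 Linux`), and in the PPTP.xml ADSL-modem hunk at @@ -600 (`a PPTP server built into an ADSL`). It looks like the spell checker's suggestion was accepted without review on those lines; the other replacements in these files are correct.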
- (FAQ 67) I just configured Shorewall's built in traffic shaping + <title>(FAQ 67) I just configured Shorewall's builtin traffic shaping and now Shorewall fails to Start. The error I receive is as follows:RTNETLINK answers: No such file or directory diff --git a/docs/Install.xml b/docs/Install.xml index 1f984a7ba..87076428e 100644 --- a/docs/Install.xml +++ b/docs/Install.xml @@ -268,9 +268,9 @@ to configure Shorewall, please heed the advice of Lorenzo Martignoni, the Shorewall Debian Maintainer: - For more information about Shorewall usage on Debian system - please look at /usr/share/doc/shorewall/README.Debian provided by [the] - shorewall Debian package. + For more information about Shorewall usage on Debian + system please look at /usr/share/doc/shorewall-common/README.Debian + provided by [the] shorewall-common Debian package. The easiest way to install Shorewall on Debian, is to use diff --git a/docs/Introduction.xml b/docs/Introduction.xml index 2e20aa1d0..0bfa60adc 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -44,12 +44,12 @@ Netfilter - the - packet filter facility built into the 2.4 and later Linux + packet filter facility builtinto the 2.4 and later Linux kernels. - ipchains - the packet filter facility built into the 2.2 Linux + ipchains - the packet filter facility builtinto the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode. diff --git a/docs/NAT.xml b/docs/NAT.xml index 3ef384a85..b21596bf8 100644 --- a/docs/NAT.xml +++ b/docs/NAT.xml 
@@ -137,7 +137,7 @@ ACCEPT net loc:10.1.1.2 tcp 80 - 13 routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with one-to-one NAT, it will probably be HOURS before that system can communicate with the - internet. + Internet. If you sniff traffic on the firewall's external interface, you can see incoming traffic for the internal system(s) but the traffic is never diff --git a/docs/OPENVPN.xml b/docs/OPENVPN.xml index f5855e5e5..6217e5db2 100644 --- a/docs/OPENVPN.xml +++ b/docs/OPENVPN.xml @@ -57,7 +57,7 @@ OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private - networks using an encrypted tunnel over the internet. OpenVPN is an Open + networks using an encrypted tunnel over the Internet. OpenVPN is an Open Source project and is licensed under the GPL. OpenVPN can be downloaded from OpenVPN GUI must be run as the Administrator. In the Explorer, right click on the OpenVPN GUI binary and select - Properties->Compatibilty and select "Run this program as an + Properties->Compatibility and select "Run this program as an administrator". diff --git a/docs/PPTP.xml b/docs/PPTP.xml index 02d4785de..881b1805a 100644 --- a/docs/PPTP.xml +++ b/docs/PPTP.xml @@ -255,7 +255,7 @@ esac Here' a basic setup that treats your remote users as if they were part of your loc zone. Note that - if your primary internet connection uses ppp0, then be sure that + if your primary Internet connection uses ppp0, then be sure that loc follows net in /etc/shorewall/zones. @@ -275,7 +275,7 @@ loc ppp+ If you want to place your remote users in their own zone so that you can control connections between these users and the local network, - follow this example. Note that if your primary internet connection + follow this example. Note that if your primary Internet connection uses ppp0 then be sure that vpn follows net in /etc/shorewall/zones as shown below. 
@@ -312,7 +312,7 @@ vpn ppp+ fileref="images/MultiPPTP.png" /> Here's how you configure this in Shorewall. Note that if your - primary internet connection uses ppp0 then be sure that the vpn{1-3} zones follows net in /etc/shorewall/zones as shown below. @@ -600,10 +600,10 @@ restart_pptp > /dev/null 2>&1 & Modem Some ADSL systems in Europe (most notably in Austria and the - Netherlands) feature a PPTP server built into an ADSL - Modem. In this setup, an ethernet interface is dedicated to + Netherlands) feature a PPTP server builtinto an ADSL + Modem. In this setup, an Ethernet interface is dedicated to supporting the PPTP tunnel between the firewall and the - Modem while the actual internet access is through PPTP + Modem while the actual Internet access is through PPTP (interface ppp0). If you have this type of setup, you need to modify the sample configuration that you downloaded as described in this section. These changes are in addition to those described in diff --git a/docs/PacketHandling.xml b/docs/PacketHandling.xml index a528aa6ab..d6fc4e550 100644 --- a/docs/PacketHandling.xml +++ b/docs/PacketHandling.xml @@ -88,7 +88,7 @@ where zone is the zone where the request originated. For packets that are part of an already established connection, the destination rewriting takes place without any - involvement of a netfilter rule. + involvement of a Netfilter rule. diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index e01fca89f..4fa9a358d 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -399,7 +399,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) -1:110 192.168.0.0/22 eth3 #Our internel nets get priority +1:110 192.168.0.0/22 eth3 #Our internal nets get priority #over the server 1:130 206.124.146.177 eth3 tcp - 873 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index 1ca3fe341..c84e1b88c 100644 
--- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml @@ -133,7 +133,7 @@ network associated with this address. This is the approach that I take with my DMZ. - To permit internet hosts to connect to the local systems, you use + To permit Internet hosts to connect to the local systems, you use ACCEPT rules. For example, if you run a web server on 130.252.100.19 which you have configured to be in the loc zone then you would need this entry in /etc/shorewall/rules: @@ -192,7 +192,7 @@ iface eth1 inet static routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can - communicate with the internet. + communicate with the Internet. If you sniff traffic on the firewall's external interface, you can see incoming traffic for the internal system(s) but the traffic is never diff --git a/docs/ReleaseModel.xml b/docs/ReleaseModel.xml index 971c2c148..15c6a1243 100644 --- a/docs/ReleaseModel.xml +++ b/docs/ReleaseModel.xml @@ -93,11 +93,11 @@ When the level of functionality of the current development - release is judged adaquate, the Beta period for + release is judged adequate, the Beta period for a new Stable release will begin. Beta releases have identifications of the form x.y.0-BetaN where x.y is the number of the next Stable Release and - N=1,2,3... . Betas are expected to occur rougly + N=1,2,3... . Betas are expected to occur roughly once per year. Beta releases may contain new functionality not present in the previous beta release (e.g., 2.2.0-Beta4 may contain functionality not present in 2.2.0-Beta3). When I'm confident that the 
@@ -106,7 +106,7 @@ identifications of the form x.y.0-RCn where x.y is the number of the next Stable Release and n=1,2,3... . Release candidates contain no new - functionailty -- they only contain bug fixes. When the stability of + functionality -- they only contain bug fixes. When the stability of the current release candidate is judged to be sufficient then that release candidate will be released as the new stable release (e.g., 2.2.0). At that time, the new stable release and the prior stable @@ -165,7 +165,7 @@ X=1,b,c,... . Consequently, if a user required a bug fix but was not running the last minor release of the associated major release then it might be necessary to accept major new - functionailty along with the bug fix. + functionality along with the bug fix.
diff --git a/docs/ScalabilityAndPerformance.xml b/docs/ScalabilityAndPerformance.xml index ed3511d9e..9e3554c71 100644 --- a/docs/ScalabilityAndPerformance.xml +++ b/docs/ScalabilityAndPerformance.xml @@ -157,7 +157,7 @@ - Use NONE policies whereever appropriate. This helps especially + Use NONE policies wherever appropriate. This helps especially in the rules activation phase of both script compilation and execution. diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index 35c2efc13..4ea320e73 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -157,7 +157,7 @@ With the shell-based compiler, extension scripts were copied into the compiled script and executed at run-time. In many cases, this approach doesn't work with Shorewall Perl because (almost) the - entire ruleset is built by the compiler. As a result, Shorewall-perl + entire rule set is built by the compiler. As a result, Shorewall-perl runs some extension scripts at compile-time rather than at run-time. Because the compiler is written in Perl, your extension scripts from earlier versions will no longer work. @@ -370,7 +370,7 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT"; a plus sign (+) as with the shell-based compiler. Shorewall is now out of the ipset load/reload business. With - scripts generated by the Perl-based Compiler, the Netfilter ruleset + scripts generated by the Perl-based Compiler, the Netfilter rule set is never cleared. That means that there is no opportunity for Shorewall to load/reload your ipsets since that cannot be done while there are any current rules using ipsets. @@ -381,7 +381,7 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT"; Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in - /etc/shorewall/start (it works for me; your milage may + /etc/shorewall/start (it works for me; your mileage may vary): if [ "$COMMAND" = start ]; then 
@@ -437,7 +437,7 @@ fi - DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is + DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is atomically loaded with one execution of iptables-restore. @@ -677,7 +677,7 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22 and by the compiled program will be timestamped. --debug If given, when a warning or error message is issued, it - is supplimented with a stack trace. Requires the Carp Perl + is supplemented with a stack trace. Requires the Carp Perl module. --refresh=<chainlist> @@ -1055,7 +1055,7 @@ my $chainref7 = $filter_table{$name};Shorewall::Chains is A companion function, ensure_manual_chain(), can be called when a - manual chain of the desired name may have alread been created. If a + manual chain of the desired name may have already been created. If a manual chain table entry with the passed name already exists, a reference to the chain table entry is returned. Otherwise, the function calls new_manual_chain() and returns diff --git a/docs/Shorewall_Doesnt.xml b/docs/Shorewall_Doesnt.xml index 1a13f4ee3..a8c4e59c6 100644 --- a/docs/Shorewall_Doesnt.xml +++ b/docs/Shorewall_Doesnt.xml @@ -45,7 +45,7 @@ - Act as a Personal Firewall that allows internet + Act as a Personal Firewall that allows Internet access control by application. If that's what you are looking for, try TuxGuardian. diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index 04420f129..0a8f4339a 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -104,7 +104,7 @@ httpd_accel_uses_host_header on - See your distribution's Squid documenation and See your distribution's Squid documentation and http://www.squid-cache.org/ for details. 
@@ -188,7 +188,7 @@ REDIRECT loc 3128 tcp www - !206.124.146. transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is - already enabled from the local zone to the internet. + already enabled from the local zone to the Internet. diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml index fc26c138c..afd067a71 100644 --- a/docs/Shorewall_and_Aliased_Interfaces.xml +++ b/docs/Shorewall_and_Aliased_Interfaces.xml @@ -170,7 +170,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22 Suppose that I had set up eth0:0 as above and I wanted to port forward from that virtual interface to a web server running in my local - zone at 192.168.1.3. That is accomplised by a single rule in the + zone at 192.168.1.3. That is accomplished by a single rule in the /etc/shorewall/rules file: #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL diff --git a/docs/Shorewall_and_Kazaa.xml b/docs/Shorewall_and_Kazaa.xml index ae5c9310a..4aa94cdb7 100644 --- a/docs/Shorewall_and_Kazaa.xml +++ b/docs/Shorewall_and_Kazaa.xml @@ -68,7 +68,7 @@ url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall. - Shorewall verions 2.2.0 and later also include support for the ipp2p + Shorewall versions 2.2.0 and later also include support for the ipp2p match facility which can be use to control P2P traffic. See the Shorewall IPP2P documentation for details. diff --git a/docs/Shorewall_and_Routing.xml b/docs/Shorewall_and_Routing.xml index bfd48ea02..408a7d3fa 100644 --- a/docs/Shorewall_and_Routing.xml +++ b/docs/Shorewall_and_Routing.xml 
@@ -216,7 +216,7 @@ Later Beginning with Shorewall 2.3.2, support is included for multiple - internet connections. If you wish to use this feature, we recommend + Internet connections. If you wish to use this feature, we recommend strongly that you upgrade to version 2.4.2 or later. Shorewall multi-ISP support is now covered in a bridge. Bridges are layer-2 devices in the OSI - model (think of a bridge as an ethernet switch). + model (think of a bridge as an Ethernet switch). Some differences between routers and bridges are: @@ -54,7 +54,7 @@ Routers determine packet destination based on the destination IP address while bridges route traffic based on the destination MAC - address in the ethernet frame. + address in the Ethernet frame. @@ -93,9 +93,9 @@ bridge-specific changes are restricted to the /etc/shorewall/interfaces file. - This example illustrates the bridging of two ethernet devices but + This example illustrates the bridging of two Ethernet devices but the types of the devices really isn't important. What is shown here would - apply equally to bridging an ethernet device to an OpenVPN tap device (e.g., tap0) or to a wireless device (ath0 or wlan0). diff --git a/docs/SplitDNS.xml b/docs/SplitDNS.xml index bb425cdf9..91228aa4e 100644 --- a/docs/SplitDNS.xml +++ b/docs/SplitDNS.xml @@ -89,7 +89,7 @@ # special IPv6 addresses ::1 localhost ipv6-localhost ipv6-loopback -fe00::0 ipv6-localneta +fe00::0 ipv6-localnet ff00::0 ipv6-mcastprefix ff02::1 ipv6-allnodes diff --git a/docs/VPN.xml b/docs/VPN.xml index 4a3ea70bf..e441bed86 100644 --- a/docs/VPN.xml +++ b/docs/VPN.xml @@ -135,7 +135,7 @@ - The above may or may not work — your milage may vary. NAT Traversal + The above may or may not work — your mileage may vary. NAT Traversal is definitely a better solution. To use NAT traversal:/etc/shorewall/rules with NAT Traversal diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml index e04779e3a..e10c581bd 100644 --- a/docs/XenMyWay-Routed.xml 
+++ b/docs/XenMyWay-Routed.xml @@ -436,7 +436,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen' url="shorewall_setup_guide.htm">Shorewall Setup Guide with the exception that I've added a fourth interface for our wireless network. The firewall runs a routed OpenVPN - server to provide roadwarrior access for our three laptops and a + server to provide road warrior access for our three laptops and a bridged OpenVPN server for the wireless network in our home. Here is the firewall's view of the network: @@ -912,7 +912,7 @@ $EXT_IF 30 2*full/10 6*full/10 3 /etc/shorewall/tcrules#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) -1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority +1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority #over the server 1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the #Shorewall Mirrors. @@ -921,7 +921,7 @@ $EXT_IF 30 2*full/10 6*full/10 3 The tap0 device used by the bridged OpenVPN server is created and bridged to eth1 using a SuSE-specific SysV init + class="devicefile">eth1 using a SUSE-specific SysV init script:
diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 7e9890d22..6a38ade8f 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml @@ -66,7 +66,7 @@ class="devicefile">eth0 This assumes the default Xen configuration created by xend and assumes that the host system has a single - ethernet interface named eth0. in each domain. In Dom0, Xen also creates a bridge (xenbr0) and a number of virtual interfaces @@ -156,7 +156,7 @@ - Most of the Linux systems run SuSE 10.1; my + Most of the Linux systems run SUSE 10.1; my personal Linux desktop system and our Linux Laptop run Ubuntu "Dapper Drake". @@ -259,7 +259,7 @@ eth2 (PCI 00:0a.0) are delegated to the firewall DomU where they become eth3 and eth4 respectively. The SuSE 10.1 Xen + class="devicefile">eth4 respectively. The SUSE 10.1 Xen kernel compiles pciback as a module so the instructions for PCI delegation in the Xen Users Manual can't be followed directly (see ethtool -K eth0 tx off - Under SuSE 10.1, I placed the following in + Under SUSE 10.1, I placed the following in /etc/sysconfig/network/if-up.d/resettx (that file is executable): @@ -380,13 +380,13 @@ fi - Update. Under SuSE 10.2, communication from a domU works okay + Update. Under SUSE 10.2, communication from a domU works okay without running ethtool but traffic shaping in dom0 doesn't work! So it's a good idea to run it just to be safe. - SuSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The + SUSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The network interfaces that connect to the net and wifi zones are delegated to the firewall DomU. 
@@ -474,7 +474,7 @@ SECTION NEW described in the Shorewall Setup Guide with the exception that I've added a fourth interface for our wireless network. The firewall runs a routed OpenVPN server to provide roadwarrior access + url="OPENVPN.html">OpenVPN server to provide road warrior access for our two laptops and a bridged OpenVPN server for the wireless network in our home. Here is the firewall's view of the network: @@ -834,7 +834,7 @@ $EXT_IF 30 2*full/10 6*full/10 3 /etc/shorewall/tcrules#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) -1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority +1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority #over the server 1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the #Shorewall Mirrors. @@ -842,7 +842,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
The tap0 device used by the bridged OpenVPN server is bridged to
- eth0 using a SuSE-specific SysV init script:
+ eth0 using a SUSE-specific SysV init script:
#!/bin/sh diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml index f29e1c255..16b6a0e55 100644 --- a/docs/bridge-Shorewall-perl.xml +++ b/docs/bridge-Shorewall-perl.xml @@ -49,7 +49,7 @@ Interconnect (OSI) reference model, a router operates at layer 3, Shorewall may also be deployed on a GNU Linux System that acts as a bridge. Bridges are layer 2 devices in the OSI - model (think of a bridge as an ethernet switch). + model (think of a bridge as an Ethernet switch). Some differences between routers and bridges are: @@ -57,7 +57,7 @@ Routers determine packet destination based on the destination IP address, while bridges route traffic based on the destination MAC - address in the ethernet frame. + address in the Ethernet frame. @@ -142,7 +142,7 @@ The Shorewall system (the Bridge/Firewall) has only a single IP - address even though it has two ethernet interfaces! The IP address is + address even though it has two Ethernet interfaces! The IP address is configured on the bridge itself, rather than on either of the network cards. @@ -454,7 +454,7 @@ ifconfig most 192.168.1.31 netmask 255.255.255.0 up #you don't use rc.inet1 ######################### -3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local +3) I made rc.bridge executable and added the following line to /etc/rc.d/rc.local /etc/rc.d/rc.bridge
@@ -563,7 +563,7 @@ rc-update add bridge boot shorewall.conf.In the scenario pictured above, there would probably be two BP zones - defined -- one for the internet and one for the local LAN so in + defined -- one for the Internet and one for the local LAN so in /etc/shorewall/zones:#ZONE TYPE OPTIONS diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 5db742eba..d07f2cd61 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -203,7 +203,7 @@ /etc/shorewall/vardir - (Added in - Shoreall 4.0.0-RC2) - Determines the directory where Shorewall + Shorewall 4.0.0-RC2) - Determines the directory where Shorewall maintains its state. @@ -590,7 +590,7 @@ use Shorewall::Config qw/shorewall/; the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's - ruleset. + rule set.If your firewall rules include DNS names then: diff --git a/docs/fallback.xml b/docs/fallback.xml index 6099f6603..b2bdd8769 100644 --- a/docs/fallback.xml +++ b/docs/fallback.xml @@ -95,12 +95,12 @@
Shorewall-shell and Shorewall-perl - Shorewall-shell and Shoreall-perl have no configuration files and + Shorewall-shell and Shorewall-perl have no configuration files and all of their released files are installed in a single directory. To fallback to a prior release of one of these products using the tarballs, simple re-install the older version. - To uninstal these products when they have been installed using the + To uninstall these products when they have been installed using the tarballs: diff --git a/docs/ipsets.xml b/docs/ipsets.xml index 287eff257..d1cd4db60 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -37,7 +37,7 @@
What are Ipsets? - Ipsets are an extention to Netfilter/iptables that are currently + Ipsets are an extension to Netfilter/iptables that are currently available in Patch-O-Matic-ng (http://www.netfilter.org). Using ipsets requires that you patch your kernel and iptables and that you build @@ -50,7 +50,7 @@ - Blacklists. Ipsets provide an effecient way to represent large + Blacklists. Ipsets provide an efficient way to represent large sets of addresses and you can maintain the lists without the need to restart or even refresh your Shorewall configuration. @@ -90,7 +90,7 @@ a series of "src" and "dst" options separated by commas and - inclosed in square brackets ([]). These will be passed directly to + enclosed in square brackets ([]). These will be passed directly to iptables in the generated --set clause. See the ipset documentation for details. diff --git a/docs/kernel.xml b/docs/kernel.xml index e2c849ee5..6a08bc07a 100644 --- a/docs/kernel.xml +++ b/docs/kernel.xml @@ -363,9 +363,9 @@ CONFIG_IP_NF_ARP_MANGLE=m (Ubuntu inexplicably includes connmark match support but not CONNTRACK target support).The next graphic shows the IP - Netfilter Configuration -- these are the standard Ubuntu settions.Here is the - corresponding CONFIG file exerpt.CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m + corresponding CONFIG file excerpt.CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m CONFIG_NETFILTER_XT_TARGET_CONNMARK=m CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m diff --git a/docs/netmap.xml b/docs/netmap.xml index 43adddabd..0eee72f03 100644 --- a/docs/netmap.xml +++ b/docs/netmap.xml @@ -26,7 +26,7 @@ - Permission is granted to copy, distribute and/or mify this + Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover 
@@ -232,7 +232,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B - Filrewall 2 + Firewall 2 192.168.1.27 in lower cloud diff --git a/docs/ping.xml b/docs/ping.xml index 983470e38..7dcbe305b 100644 --- a/docs/ping.xml +++ b/docs/ping.xml @@ -48,7 +48,7 @@
'Ping' Management - In Shorewall , ICMP echo-request's are treated just like any other + In Shorewall , ICMP echo-requests are treated just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the @@ -85,7 +85,7 @@ Ping/DROP z1 z2 Silently drop pings from the Internet - To drop ping from the internet, you would need this rule in + To drop ping from the Internet, you would need this rule in /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) diff --git a/docs/ports.xml b/docs/ports.xml index 30aa829d2..bf00d6944 100644 --- a/docs/ports.xml +++ b/docs/ports.xml @@ -227,7 +227,7 @@ ICQ/ACCEPT <source> net IMAP - When accessing your mail from the internet,use When accessing your mail from the Internet, use only IMAP over SSL. @@ -281,7 +281,7 @@ LDAPS/ACCEPT <source> & role="bold">severe security risk. DO NOT USE THIS if you don't know - how to deal with the consecuences, you have been warned. + how to deal with the consequences, you have been warned. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -542,7 +542,7 @@ Whois/ACCEPT <source> <destination&
X/XDMCP - Assume that the Choser and/or X Server are running at + Assume that the Chooser and/or X Server are running at <chooser> and the Display Manager/X applications are running at <apps>. diff --git a/docs/quotes.xml b/docs/quotes.xml index 45c40e3c4..e8313986e 100644 --- a/docs/quotes.xml +++ b/docs/quotes.xml @@ -163,7 +163,7 @@ classified by the national government as secret, our security doesn't stop by putting a fence around our company. Information security is a hot issue. We also make use of checkpoint firewalls, but not all of the - internet servers are guarded by checkpoint, some of them are + Internet servers are guarded by checkpoint, some of them are running....Shorewall. @@ -172,7 +172,7 @@ thanx for all your efforts you put into shorewall - this product stands out against a lot of commercial stuff i´ve been working - with in terms of flexibillity, quality & support + with in terms of flexibility, quality & support
@@ -184,7 +184,7 @@
- RP, Guatamala + RP, Guatemala My respects... I've just found and installed Shorewall 1.3.3-1 and it is a wonderful piece of software. I've just sent out an @@ -193,7 +193,7 @@ While I had previously taken the time (maybe 40 hours) to really understand ipchains, then spent at least an hour per server customizing and carefully scrutinizing firewall rules, I've got - shorewall running on my home firewall, with rulesets and policies that I + shorewall running on my home firewall, with rule sets and policies that I know make sense, in under 20 minutes.
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 94f54d253..04fb6e31b 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -169,7 +169,7 @@ esac
ADMINISABSENTMINDED=Yes.
The firewall state when this script is invoked is - indeterminent. So if you have ADMINISABSENTMINDED=No in shorewall.conf(8) and output on an interface is not allowed by routestopped(8) then @@ -495,7 +495,7 @@ esac The 'continue' script has been eliminated because it no longer make any sense under Shorewall-perl. That script was designed to allow you to add special temporary rules during [re]start. Shorewall-perl - doesn't need such rules since the ruleset is instantianted atomically by + doesn't need such rules since the rule set is instantiated atomically by table.
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml index 14acacb3a..56be5808e 100644 --- a/docs/shorewall_logging.xml +++ b/docs/shorewall_logging.xml @@ -50,7 +50,7 @@ - The packet is part of an established connecection. While the + The packet is part of an established connection. While the packet can be logged using LOG rules in the ESTABLISHED section of /etc/shorewall/rules, that @@ -100,7 +100,7 @@ Where the Traffic is Logged and How to Change the Destination - By default, Shorewall directs NetFilter to log using syslog (8). + By default, Shorewall directs Netfilter to log using syslog (8). Syslog classifies log messages by a facility and a priority (using the notation facility.priority). @@ -111,7 +111,7 @@ Throughout the Shorewall documentation, I will use the term level rather than priority since - level is the term used by NetFilter. The syslog + level is the term used by Netfilter. The syslog documentation uses the term priority.
@@ -150,7 +150,7 @@ For most Shorewall logging, a level of 6 (info) is appropriate. - Shorewall log messages are generated by NetFilter and are logged using + Shorewall log messages are generated by Netfilter and are logged using the kern facility and the level that you specify. If you are unsure of the level to choose, 6 (info) is a safe bet. You may specify levels by name or by number. @@ -180,14 +180,14 @@ All kernel.info messages will go to that destination and not - just those from NetFilter. + just those from Netfilter. Beginning with Shorewall version 1.3.12, if your kernel has ULOG target support (and most vendor-supplied kernels do), you may also specify a log level of ULOG (must be all caps). When ULOG is used, - Shorewall will direct netfilter to log the related messages via the ULOG + Shorewall will direct Netfilter to log the related messages via the ULOG target which will send them to a process called ulogd. The ulogd program is included in most distributions and is also available from Here is a post describing configuring syslog-ng to work with Shorewall. Recent - SuSE releases come preconfigured with syslog-ng + SUSE releases come preconfigured with syslog-ng with Netfilter messages (including Shorewall's) are written to /var/log/firewall.
diff --git a/docs/shorewall_prerequisites.xml b/docs/shorewall_prerequisites.xml index ad0323ce5..6e9e55722 100644 --- a/docs/shorewall_prerequisites.xml +++ b/docs/shorewall_prerequisites.xml @@ -45,7 +45,7 @@ A Linux kernel that supports - netfilter (No, it won't work on BSD or Solaris). I've tested with + Netfilter (No, it won't work on BSD or Solaris). I've tested with 2.4.2 - 2.6.16. Check here for kernel configuration information. diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml index e17fb7a48..bb2141da2 100644 --- a/docs/shorewall_setup_guide.xml +++ b/docs/shorewall_setup_guide.xml @@ -109,14 +109,14 @@ class="directory">/etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. + class="directory">/usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.
Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf - and /usr/share/doc/shorewall/default-config/modules to /usr/share/doc/shorewall-common/default-config/shorewall.conf + and /usr/share/doc/shorewall-common/default-config/modules to /etc/shorewall even if you do not modify those files.
@@ -192,7 +192,7 @@ dmz ipv4 assigned to the firewall zone, Shorewall attaches absolutely no meaning to zone names. Zones are entirely what YOU make of them. That means that you should not expect Shorewall to do something special because this is - the internet zone or because that is the + the Internet zone or because that is the DMZ.
@@ -286,11 +286,11 @@ all all REJECT info allow all connection requests from your local network to the - internet + Internet
- drop (ignore) all connection requests from the internet to your + drop (ignore) all connection requests from the Internet to your firewall or local network and log a message at the info level (here is a description of log levels). @@ -322,7 +322,7 @@ all all REJECT info The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used - to isolate your internet-accessible servers from your local systems so + to isolate your Internet-accessible servers from your local systems so that if one of those servers is compromised, you still have the firewall between the compromised system and your local systems. @@ -508,7 +508,7 @@ loc eth2 detect Class C address 192.0.2.14, the network number is hex C00002 and the host number is hex 0E. - As the internet grew, it became clear that such a gross + As the Internet grew, it became clear that such a gross partitioning of the 32-bit address space was going to be very limiting (early on, large corporations and universities were assigned their own class A network!). After some false starts, the current technique of @@ -1067,7 +1067,7 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface One more thing needs to be emphasized -- all outgoing packet are sent using the routing table and reply packets are not a special case. - There seems to be a common mis-conception whereby people think that + There seems to be a common misconception whereby people think that request packets are like salmon and contain a genetic code that is magically transferred to reply packets so that the replies follow the reverse route taken by the request. That isn't the case; the replies may 
@@ -1132,7 +1132,7 @@ tcpdump: listening on eth2 The leading question marks are a result of my having specified the n option (Windows arp doesn't allow that - option) which causes the arp program to forego IP->DNS + option) which causes the arp program to forgo IP->DNS name translation. Had I not given that option, the question marks would have been replaced with the FQDN corresponding to each IP address. Notice that the last entry in the table records the information we saw @@ -1167,7 +1167,7 @@ tcpdump: listening on eth2 somewhat unfortunate because it leads people to the erroneous conclusion that traffic destined for one of these addresses can't be sent through a router. This is definitely not true; private routers (including your - Shorewall-based firewall) can forward RFC 1918 addresed traffic just + Shorewall-based firewall) can forward RFC 1918 addressed traffic just fine. When selecting addresses from these ranges, there's a couple of @@ -1349,7 +1349,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface With SNAT, an internal LAN segment is configured using RFC 1918 addresses. When a host A on this internal segment initiates a connection to host B on the internet, the firewall/router rewrites + role="bold">B on the Internet, the firewall/router rewrites the IP header in the request to use one of your public IP addresses as the source address. When B responds and the response is received by the firewall, the firewall changes the @@ -1359,7 +1359,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface Let's suppose that you decide to use SNAT on your local zone and use public address 192.0.2.176 as both your firewall's external IP - address and the source IP address of internet requests sent from that + address and the source IP address of Internet requests sent from that zone. @@ -1396,16 +1396,16 @@ eth0 192.168.201.0/29 192.0.2.176
DNAT - When SNAT is used, it is impossible for hosts on the internet to + When SNAT is used, it is impossible for hosts on the Internet to initiate a connection to one of the internal systems since those systems do not have a public IP address. DNAT provides a way to allow - selected connections from the internet. + selected connections from the Internet. Suppose that your daughter wants to run a web server on her system Local 3. You could allow connections to the - internet to her server by adding the following entry in + Internet to her server by adding the following entry in /etc/shorewall/rules: @@ -1489,12 +1489,12 @@ DNAT net loc:192.168.201.4 tcp www url="ProxyARP.htm">/etc/shorewall/proxyarp file. - #ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTANT + #ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT 192.0.2.177 eth2 eth0 No 192.0.2.178 eth2 eth0 No Because the HAVE ROUTE column contains No, Shorewall will add - host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The ethernet + host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet interfaces on DMZ 1 and DMZ 2 should be configured to have the IP addresses shown but should have the same default gateway as the firewall itself -- namely 192.0.2.254. In other words, they should be @@ -1511,7 +1511,7 @@ DNAT net loc:192.168.201.4 tcp www their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can communicate with the - internet. There are a couple of things that you can try: + Internet. There are a couple of things that you can try: 
@@ -1630,7 +1630,7 @@ ACCEPT net loc:192.168.201.4 tcp www their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with one-to-one NAT, it will probably be HOURS before that system can communicate with the - internet. There are a couple of things that you can try: + Internet. There are a couple of things that you can try: @@ -1711,7 +1711,7 @@ ACCEPT net loc:192.168.201.4 tcp www With the default policies described earlier in this document, your - local systems (Local 1-3) can access any server on the internet and the + local systems (Local 1-3) can access any server on the Internet and the DMZ can't access any other host (including the firewall). With the exception of DNAT rules which cause address translation and allow the translated connection request to pass through the firewall, the way to @@ -1929,7 +1929,7 @@ options { max-transfer-time-in 60; allow-transfer { - // Servers allowed to request zone tranfers + // Servers allowed to request zone transfers <secondary NS IP>; }; }; @@ -2078,7 +2078,7 @@ view "external" { Here are the files in /var/named (those not shown are usually - included in your bind disbribution). + included in your bind distribution). db.192.0.2.176 - This is the reverse zone for the firewall's external interface @@ -2101,7 +2101,7 @@ view "external" { @ 604800 IN NS <name of secondary ns>. ; ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net. 
@@ -2125,7 +2125,7 @@ view "external" { @ 604800 IN NS <name of secondary ns>. ; ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net. @@ -2150,7 +2150,7 @@ view "external" { @ 604800 IN NS <name of secondary ns>. ; ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net. @@ -2175,7 +2175,7 @@ view "external" { @ 604800 IN NS <name of secondary ns>. ; ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net. @@ -2198,7 +2198,7 @@ view "external" { @ 604800 IN NS ns1.foobar.net. ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 1 86400 IN PTR localhost.foobar.net. @@ -2221,7 +2221,7 @@ view "external" { ; ############################################################ @ 604800 IN NS ns1.foobar.net. ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 1 86400 IN PTR gateway.foobar.net. 2 86400 IN PTR winken.foobar.net. 
@@ -2248,7 +2248,7 @@ view "external" { @ 604800 IN NS ns1.foobar.net. ; ############################################################ -; Iverse Address Arpa Records (PTR's) +; Inverse Address Arpa Records (PTR's) ; ############################################################ 1 86400 IN PTR dmz.foobar.net. @@ -2416,7 +2416,7 @@ foobar.net. 86400 IN A 192.0.2.177 firewall when it is stopped. - If you are connected to your firewall from the internet, do not + If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. diff --git a/docs/standalone.xml b/docs/standalone.xml index 4a9d71760..49c9b88a2 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -201,7 +201,7 @@ class="directory">/etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. + class="directory">/usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. @@ -262,11 +262,11 @@ net ipv4 /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is - applied. If there is a comon + applied. If there is a common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is - peformed before the policy is applied. The purpose of the common action is + performed before the policy is applied. The purpose of the common action is two-fold: @@ -295,11 +295,11 @@ all all REJECT info allow all connection requests from the firewall to the - internet + Internet - drop (ignore) all connection requests from the internet to your + drop (ignore) all connection requests from the Internet to your firewall 
@@ -310,9 +310,9 @@ all all REJECT info The word info in the LOG LEVEL column for the - last two policies indicates that packets droped or rejected under those + last two policies indicates that packets dropped or rejected under those policies should be logged at that - level. + level. At this point, edit your /etc/shorewall/policy and make any changes that you wish. @@ -324,7 +324,7 @@ all all REJECT info The firewall has a single network interface. Where Internet connectivity is through a cable or DSL Modem, the External Interface will be - the ethernet adapter (eth0) that + the Ethernet adapter (eth0) that is connected to that Modem unless you connect via Point-to-Point Protocol over Ethernet @@ -412,7 +412,7 @@ root@lists:~# ISPs are assigning these addresses then using Network Address Translation - NAT) to rewrite packet headers when - forwarding to/from the internet. + forwarding to/from the Internet. @@ -453,7 +453,7 @@ root@lists:~# shorewall show log (Displays the last 20 - netfilter log messages) + Netfilter log messages) @@ -476,12 +476,12 @@ root@lists:~# Most commonly, Netfilter messages are logged to /var/log/messages. Recent SuSE/OpenSuSE releases come preconfigured with - syslog-ng and log netfilter messages to + syslog-ng and log Netfilter messages to /var/log/firewall. - If you are running a distribution that logs netfilter messages to a + If you are running a distribution that logs Netfilter messages to a log other than /var/log/messages, then modify the LOGFILE setting in /etc/shorewall/shorewall.conf to specify the name of your log. @@ -501,7 +501,7 @@ root@lists:~# in your version of Shorewall using the command ls /usr/share/shorewall/macro.*. - If you wish to enable connections from the internet to your firewall + If you wish to enable connections from the Internet to your firewall and you find an appropriate macro in /etc/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is: 
@@ -544,9 +544,9 @@ ACCEPT net $FW tcp 143 uses, see here. - I don't recommend enabling telnet to/from the internet because it + I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login!). If you want shell access to your - firewall from the internet, use SSH: + firewall from the Internet, use SSH: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) SSH/ACCEPT net $FW @@ -594,7 +594,7 @@ SSH/ACCEPT net $FW shorewall clear. - If you are connected to your firewall from the internet, do not + If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to page -- it contains helpful tips about Shorewall features than make administering your firewall easier.
-
\ No newline at end of file
+
diff --git a/docs/standalone_ru.xml b/docs/standalone_ru.xml
index 226edc845..ca87ed255 100644
--- a/docs/standalone_ru.xml
+++ b/docs/standalone_ru.xml
@@ -169,15 +169,15 @@ директория /etc/shorewall пуста. Это сделано специально. Поставляемые шаблоны файлов конфигурации Вы найдете на вашей системе в директории /usr/share/doc/shorewall/default-config.
+ class="directory">/usr/share/doc/shorewall-common/default-config.
 Просто скопируйте нужные Вам файлы из этой директории в /etc/shorewall и отредактируйте копии.
Заметьте, что Вы должны скопировать /usr/share/doc/shorewall/default-config/shorewall.conf + class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf и /usr/share/doc/shorewall/default-config/modules + class="directory">/usr/share/doc/shorewall-common/default-config/modules в /etc/shorewall даже если Вы не будете изменять эти файлы. Если же Вы пользовались пакетом .deb, примеры находятся в директории /usr/share/doc/shorewall/examples/one-interface. + class="directory">/usr/share/doc/shorewall-common/examples/one-interface.
diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 46980a7f7..efbe15a72 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -148,7 +148,7 @@ The shorewall stop command does not remove - all netfilter rules and open your firewall for all traffic to pass. + all Netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/routestopped @@ -179,7 +179,7 @@ Because of the different requirements of distribution packaging systems, the behavior of /etc/init.d/shorewall and /etc/init.d/shorewall-lite is not consistent between - distributions. As an example, when using the distributon Shorewall + distributions. As an example, when using the distribution Shorewall packages on Debian and Ubuntu systems, running /etc/init.d/shorewall stop will actually execute the @@ -617,7 +617,7 @@
Shorewall State Diagram - The Shorewall State Diargram is depicted below. + The Shorewall State Diagram is depicted below. diff --git a/docs/support.xml b/docs/support.xml index d3a94280b..3bdd01fbe 100644 --- a/docs/support.xml +++ b/docs/support.xml @@ -274,9 +274,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006) If Shorewall is starting successfully and your problem is that some set of connections to/from or through your firewall isn't working - (examples: local systems can't access the internet, you can't send + (examples: local systems can't access the Internet, you can't send email through the firewall, you can't surf the web from the firewall, - connections that you are certain should be rejected are mysterously + connections that you are certain should be rejected are mysteriously accepted, etc.) or you are having problems with traffic shaping then please perform the following six steps: @@ -313,7 +313,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006) Otherwise: - Shorewall is starting successfuly and you have Shorewall is starting successfully and you have no connection problems and you have no traffic shaping problems. Your problem is with performance, logging, etc. Please include the following: @@ -409,7 +409,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006) - The author gratefully acknowleges that the above list was + The author gratefully acknowledges that the above list was heavily plagiarized from the excellent LEAF document by Ray Olszewski found here. diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 9d0aa947a..31097c3af 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml 
@@ -76,7 +76,7 @@ - DMZ connected to a separate ethernet interface. The purpose of a + DMZ connected to a separate Ethernet interface. The purpose of a DMZ is to isolate those servers that are exposed to the Internet from your local systems so that if one of those servers is compromised there is still a firewall between the hacked server and your local @@ -185,7 +185,7 @@ class="directory">/etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. + class="directory">/usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. @@ -286,10 +286,10 @@ dmz ipv4Zone names are defined in If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a comon action defined for the + url="shorewall_extension_scripts.htm">common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is - peformed before the action is applied. The purpose of the common action is + performed before the action is applied. The purpose of the common action is two-fold: @@ -316,7 +316,7 @@ all all REJECT info In the three-interface sample, the line below is included but commented out. If you want your firewall system to have full access to - servers on the internet, uncomment that line. + servers on the Internet, uncomment that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST $FW net ACCEPT 
@@ -327,17 +327,17 @@ $FW net ACCEPT allow all connection requests from your local network to the - internet + Internet - drop (ignore) all connection requests from the internet to your + drop (ignore) all connection requests from the Internet to your firewall or local network optionally accept all connection requests from the firewall to - the internet (if you uncomment the additional policy) + the Internet (if you uncomment the additional policy) @@ -346,9 +346,9 @@ $FW net ACCEPT The word info in the LOG LEVEL column for the - DROP and REJECT policies indicates that packets droped or rejected under + DROP and REJECT policies indicates that packets dropped or rejected under those policies should be logged at - that level. + that level. It is important to note that Shorewall policies (and rules) refer to connections and not packet flow. With the @@ -379,7 +379,7 @@ $FW net ACCEPT The firewall has three network interfaces. Where Internet connectivity is through a cable or DSL Modem, the External - Interface will be the ethernet adapter that is connected to that + Interface will be the Ethernet adapter that is connected to that Modem (e.g., eth0) unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol @@ -424,7 +424,7 @@ root@lists:~# CLAMPMSS=yes in /etc/shorewall/shorewall.conf. - Your Local Interface will be an ethernet adapter (Your Local Interface will be an Ethernet adapter (eth0, eth1 or eth2) and will be connected to a hub or @@ -432,7 +432,7 @@ root@lists:~# If you have only a single local system, you can connect the firewall directly to the computer using a cross-over cable). - Your DMZ Interface will also be an ethernet adapter (Your DMZ Interface will also be an Ethernet adapter (eth0, eth1 or eth2) and will be connected to a hub or 
@@ -604,7 +604,7 @@ root@lists:~# Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0. - The remainder of this quide will assume that you have configured + The remainder of this guide will assume that you have configured your network as shown here:
@@ -641,14 +641,14 @@ root@lists:~# The addresses reserved by RFC 1918 are sometimes referred to as non-routable because the Internet backbone routers don't forward packets which have an RFC-1918 destination address. When one of your local systems - (let's assume local computer 1) sends a connection request to an internet + (let's assume local computer 1) sends a connection request to an Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet to be the address of the firewall's external interface; in other words, the firewall makes it look as if the firewall itself is initiating the connection. This is necessary so that the destination host will be able to route return packets back to the firewall (remember that packets whose destination - address is reserved by RFC 1918 can't be routed accross the internet). + address is reserved by RFC 1918 can't be routed across the Internet). When the firewall receives a return packet, it rewrites the destination address back to 10.10.10.1 and forwards the packet on to local computer 1. @@ -736,7 +736,7 @@ DNAT net dmz:<server local IP address>[: Be sure to add your rules after the line that reads SECTON NEW. + role="bold">SECTION NEW. @@ -975,7 +975,7 @@ ACCEPT net $FW tcp 80 shorewall show log (Displays the last 20 - netfilter log messages) + Netfilter log messages) diff --git a/docs/three-interface_ru.xml b/docs/three-interface_ru.xml index 07ebda46f..2d8bde0e1 100644 --- a/docs/three-interface_ru.xml +++ b/docs/three-interface_ru.xml 
@@ -185,15 +185,15 @@ директория /etc/shorewall пуста. Это сделано специально. Поставляемые шаблоны файлов конфигурации Вы найдете на вашей системе в директории /usr/share/doc/shorewall/default-config. + class="directory">/usr/share/doc/shorewall-common/default-config. Просто скопируйте нужные Вам файлы из этой директории в /etc/shorewall и отредактируйте копии. Заметьте, что Вы должны скопировать /usr/share/doc/shorewall/default-config/shorewall.conf + class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf и /usr/share/doc/shorewall/default-config/modules + class="directory">/usr/share/doc/shorewall-common/default-config/modules в /etc/shorewall даже если Вы не будете изменять эти файлы. Если же Вы пользовались пакетом .deb, примеры находятся в директории/usr/share/doc/shorewall/examples/three-interface. + class="directory">/usr/share/doc/shorewall-common/examples/three-interface. diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index 798db5bc9..ce6e3f27f 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -48,7 +48,7 @@ Traffic shaping is complex and the Shorewall community is not well - equiped to answer traffic shaping questions. So if you are the type of + equipped to answer traffic shaping questions. So if you are the type of person who needs "insert tab A into slot B" instructions for everything that you do, then please don't try to implement traffic shaping using Shorewall. You will just frustrate yourself and we won't be able to help 
@@ -92,7 +92,7 @@ traffic shaping and control. Before this version, the support was quite limited. You were able to use your own tcstart script (and you still are), but besides the tcrules file it was not possible to define classes or - queueing discplines inside the Shorewall config files. + queuing disciplines inside the Shorewall config files. The support for traffic shaping and control still does not cover all options available (and especially all algorithms that can be used to queue @@ -108,7 +108,7 @@ Linux traffic shaping and control This section gives a brief introduction of how controlling traffic - with the linux kernel works. Although this might be enough for configuring + with the Linux kernel works. Although this might be enough for configuring it in the Shorewall configuration files, we strongly recommend that you take a deeper look into the Linux Advanced Routing and Shaping HOWTO. At the time of writing this, @@ -119,7 +119,7 @@ traffic before it leaves an interface. The standard one is called pfifo and is (as the name suggests) of the type First In First out. This means, that it does not shape anything, if you have a connection that eats up all - your bandwidth, this qeueing algorithm will not stop it from doing + your bandwidth, this queuing algorithm will not stop it from doing so. For Shorewall traffic shaping we use two algorithms, one is called 
@@ -127,9 +127,9 @@ is easy to explain: it just tries to track your connections (tcp or udp streams) and balances the traffic between them. This normally works well. HTB allows you to define a set of classes, and you can put the traffic you - want into these classes. You can define minimum and maximum bandwitdh - settings for those classes and order them hierachically (the less - priorized classes only get bandwitdth if the more important have what they + want into these classes. You can define minimum and maximum bandwidth + settings for those classes and order them hierarchically (the less + prioritized classes only get bandwidth if the more important have what they need). Shorewall builtin traffic shaping allows you to define these classes (and their bandwidth limits), and it uses SFQ inside these classes to make sure, that different data streams are handled equally. @@ -148,7 +148,7 @@ outgoing interface as fast as possible. There is one exception, though. Limiting incoming traffic to a - value a bit slower than your actual line speed will avoid queueing on + value a bit slower than your actual line speed will avoid queuing on the other end of that connection. This is mostly useful if you don't have access to traffic control on the other side and if this other side has a faster network connection than you do (the line speed 
@@ -160,16 +160,16 @@ has not (but the protocol over UDP might recognize it , if there is any). - The reason why queing is bad in these cases is, that you might - have packets which need to be priorized over others, e.g. VoIP or ssh. + The reason why queuing is bad in these cases is, that you might + have packets which need to be prioritized over others, e.g. VoIP or ssh. For this type of connections it is important that packets arrive in a - certain amount of time. For others like http downloads, it does not + certain amount of time. For others like HTTP downloads, it does not really matter if it takes a few seconds more. If you have a large queue on the other side and the router there does not care about QoS or the QoS bits are not set properly, your important packets will go into the same queue as your less - timecritical download packets which will result in a large + time critical download packets which will result in a large delay. @@ -211,7 +211,7 @@ RATE - The minimum bandwidth this class should get, when the traffic load rises. Classes with a higher priority (lower PRIORITY value) are served even if there are others that have a guaranteed - bandwith but have a lower priority (higher PRIORITY value). + bandwidth but have a lower priority (higher PRIORITY value). @@ -338,7 +338,7 @@ the facility. Again, please see the links at top of this article. For defining bandwidths (for either devices or classes) please use - kbit or kbps(for Kilobytes per second) and make sure there is NO space between the number and the unit (it is 100kbit not 100 kbit). Using mbit, mbps or a raw number (which means bytes) could be used, but note that only @@ -414,7 +414,7 @@ - OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that + OUT-BANDWIDTH - Specify the outgoing bandwidth of that interface. This is the maximum speed your connection can handle. It is also the speed you can refer as "full" if you define the tc classes. Outgoing traffic above this rate will be dropped. 
@@ -488,7 +488,7 @@ ppp0 6000kbit 500kbit MARK - The mark value which is an integer in the range 1-255. You define these marks in the tcrules file, marking the traffic you - want to go into the queueing classes defined in here. You can use + want to go into the queuing classes defined in here. You can use the same marks for different Interfaces. You must specify "-' in this column if the device specified in the INTERFACE column has the classify option in @@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit RATE - The minimum bandwidth this class should get, when the traffic load rises. Please note that first the classes which equal or a lesser priority value are served even if there are others that - have a guaranteed bandwith but a lower priority. If the sum of the RATEs for all classes assigned to an INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit will not be honored. @@ -517,7 +517,7 @@ ppp0 6000kbit 500kbit PRIORITY - you have to define a priority for the class. packets in a class with a higher priority (=lesser value) are - handled before less priorized onces. You can just define the mark + handled before less prioritized ones. You can just define the mark value here also, if you are increasing the mark values with lesser priority. @@ -749,7 +749,7 @@ ppp0 6000kbit 500kbit iprange match support, IP address ranges are also allowed. List elements may also consist of an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). If the MARK column - specificies a classification of the form <major>:<minor> + specifies a classification of the form <major>:<minor> then this column may also contain an interface name. @@ -791,7 +791,7 @@ ppp0 6000kbit 500kbit [!][<user name or number>]:[<group name or number>][+<program name>] - The colon is optionnal when specifying only a user. + The colon is optional when specifying only a user. Examples: 
@@ -833,7 +833,7 @@ ppp0 6000kbit 500kbit match. You must have iptables length support for this to work. If you - let it empy or place an "-" here, no length match will be + let it empty or place an "-" here, no length match will be done. Examples: 1024, 64:1500, :100 @@ -861,7 +861,7 @@ ppp0 6000kbit 500kbit HELPER (Optional, added in Shorewall version 4.2.0 Beta 2). - Names one of the Netfiler protocol helper modules such as + Names one of the Netfilter protocol helper modules such as ftp, sip, amanda, etc. @@ -939,7 +939,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - The last four rules can be translated as:
- "If a packet hasn't been classifed (packet mark is 0), copy + "If a packet hasn't been classified (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, we're done. If the packet is P2P, set the packet mark to 4. If the packet mark has been set, save it to the connection mark." @@ -966,10 +966,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
ppp devices - If you use ppp/pppoe/pppoa) to connect to your internet provider + If you use ppp/pppoe/pppoa) to connect to your Internet provider and you use traffic shaping you need to restart shorewall traffic shaping. The reason for this is, that if the ppp connection gets - restarted (and it usally does this at least daily), all + restarted (and it usually does this at least daily), all tc filters/qdiscs related to that interface are deleted. @@ -994,7 +994,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/. Please note that they are just examples and need to be adjusted to work for you. In this example it is assumed that your interface for - you internet connection is ppp0 (for DSL), if you use another + your Internet connection is ppp0 (for DSL), if you use another connection type, you have to change it. You also need to change the settings in the tcdevices.wondershaper file to reflect your line speed. The relevant lines of the config files follow here. Please note @@ -1071,7 +1071,7 @@ NOPRIOPORTDST="6662 6663"
A simple setup - This is a simple setup for people sharing an internet connection + This is a simple setup for people sharing an Internet connection and using different computers for this. It just basically shapes between 2 hosts which have the ip addresses 192.168.2.23 and 192.168.2.42 @@ -1167,7 +1167,7 @@ ppp0 4 90kbit 200kbit 3 default - Traffic being forwarded from the internet + Traffic being forwarded from the Internet @@ -1687,4 +1687,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300 At least one Shorewall user has found this tool helpful: http://e2epi.internet2.edu/network-performance-toolkit.html
- \ No newline at end of file + diff --git a/docs/troubleshoot.xml b/docs/troubleshoot.xml index 7af391d3e..e2642c3cf 100644 --- a/docs/troubleshoot.xml +++ b/docs/troubleshoot.xml @@ -140,7 +140,7 @@ gateway:~/test # This information is useful to Shorewall The end of the compile phase is signaled by a message such as the following:Shorewall configuration compiled to /var/lib/shorewall/.restartErrors - occuring past that point are said to occur at + occurring past that point are said to occur at run-time because they occur during the running of the compiled firewall script (/var/lib/shorewall/.restart in the case of the above message). diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 0e8399425..47a03c490 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -164,7 +164,7 @@ class="directory">/etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. + class="directory">/usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.
@@ -269,10 +269,10 @@ loc ipv4Zones are defined in the /etc/shorewall/policy that matches the request is applied. If there is a comon action defined for the + url="shorewall_extension_scripts.htm">common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is - peformed before the action is applied. The purpose of the common action is + performed before the action is applied. The purpose of the common action is two-fold: @@ -296,32 +296,32 @@ loc net ACCEPT net all DROP info all all REJECT infoIn the two-interface sample, the line below is included but commented out. If you want your - firewall system to have full access to servers on the internet, uncomment + firewall system to have full access to servers on the Internet, uncomment that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST $FW net ACCEPT The above policy will: Allow all connection requests from your local network to the - internet + Internet - Drop (ignore) all connection requests from the internet to + Drop (ignore) all connection requests from the Internet to your firewall or local network Optionally accept all connection requests from the firewall to - the internet (if you uncomment the additional policy) + the Internet (if you uncomment the additional policy) reject all other connection requests. The word info in the LOG LEVEL - column for the DROP and REJECT policies indicates that packets droped or + column for the DROP and REJECT policies indicates that packets dropped or rejected under those policies should be logged at that level. + url="shorewall_logging.html">logged at that level. 
@@ -349,7 +349,7 @@ $FW net ACCEPT The above policy will: The firewall has two network interfaces. Where Internet connectivity is through a cable or DSL Modem, the - External Interface will be the ethernet adapter that + External Interface will be the Ethernet adapter that is connected to that Modem (e.g., eth0) unless you connect via Point-to-Point Protocol over Ethernet @@ -395,7 +395,7 @@ root@lists:~# CLAMPMSS=yes in /etc/shorewall/shorewall.conf. - Your Internal Interface will be an ethernet + Your Internal Interface will be an Ethernet adapter (eth1 or eth0) and will be connected to a hub or switch. Your other computers will be connected to the same hub/switch @@ -565,7 +565,7 @@ root@lists:~# (link). - The remainder of this quide will assume that you have + The remainder of this guide will assume that you have configured your network as shown here: 
@@ -588,14 +588,14 @@ root@lists:~# don't forward packets which have an RFC-1918 destination address. When one of your local systems (let's assume computer 1 in the above diagram) sends a connection request to an - internet host, the firewall must perform Network Address + Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet to be the address of the firewall's external interface; in other words, the firewall makes it appear to the destination - internet host as if the firewall itself is initiating the connection. This + Internet host as if the firewall itself is initiating the connection. This is necessary so that the destination host will be able to route return packets back to the firewall (remember that packets whose destination - address is reserved by RFC 1918 can't be routed across the internet so the + address is reserved by RFC 1918 can't be routed across the Internet so the remote host can't address its response to computer 1). When the firewall receives a return packet, it rewrites the destination address back to 10.10.10.1 and forwards the @@ -662,7 +662,7 @@ root@lists:~# One of your goals may be to run one or more servers on your local computers. Because these computers have RFC-1918 addresses, it is not - possible for clients on the internet to connect directly to them. It is + possible for clients on the Internet to connect directly to them. It is rather necessary for those clients to address their connection requests to the firewall who rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, 
@@ -682,7 +682,7 @@ root@lists:~# #ACTION SOURCE DEST PROTO DEST PORT(S) DNAT net loc:<server local ip address>[:<server port>] <protocol> <port> Be sure to add your rules after the line that reads SECTON NEW. + role="bold">SECTION NEW. The server must have a static IP address. If you assign IP addresses to your local system using DHCP, you need to configure your @@ -822,7 +822,7 @@ DNS/ACCEPT $FW netThis rule allows DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy - allowing all connections from the firewall to the internet. + allowing all connections from the firewall to the Internet. In the rule shown above, DNS/ACCEPT is an example of a macro invocation. Shorewall includes a number of @@ -863,8 +863,8 @@ Web/ACCEPT loc $FW Those two rules would of If you don't know what port and protocol a particular application uses, look here. I don't recommend enabling telnet to/from the - internet because it uses clear text (even for login!). If you want - shell access to your firewall from the internet, use + Internet because it uses clear text (even for login!). If you want + shell access to your firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DEST PORT(S) 
@@ -1022,7 +1022,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work/etc/shorewall/routestopped accordingly. - If you are connected to your firewall from the internet, do not + If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to Once you have the two-interface setup working, the next logical step is to add a Wireless Network. The first step involves adding an additional - network card to your firewall, either a Wireless card or an ethernet card + network card to your firewall, either a Wireless card or an Ethernet card that is connected to a Wireless Access Point. When you add a network card, it won't necessarily be detected as - the next highest ethernet interface. For example, if you have two - ethernet cards in your system (eth0 and eth1) and you add a third card that uses the same driver as one of the other two, that third card won't @@ -1130,7 +1130,7 @@ loc wlan0 detect maclist url="MAC_Validation.html">maclist option for the wireless segment. By adding entries for computers 3 and 4 in /etc/shorewall/maclist, you help ensure that your - neighbors aren't getting a free ride on your internet connection. + neighbors aren't getting a free ride on your Internet connection. Start by omitting that option; when you have everything working, then add the option and configure your /etc/shorewall/maclist file. @@ -1139,7 +1139,7 @@ loc wlan0 detect maclist You need to add an entry to the /etc/shorewall/masq file to masquerade traffic - from the wireless network to the internet. If your internet interface + from the wireless network to the Internet. If your Internet interface is eth0 and your wireless interface is wlan0, the entry would be: diff --git a/docs/two-interface_ru.xml b/docs/two-interface_ru.xml index e8b710ce4..41d0ed0a4 100644 --- a/docs/two-interface_ru.xml +++ b/docs/two-interface_ru.xml 
@@ -173,15 +173,15 @@ директория /etc/shorewall пуста. Это сделано специально. Поставляемые шаблоны файлов конфигурации Вы найдете на вашей системе в директории /usr/share/doc/shorewall/default-config. + class="directory">/usr/share/doc/shorewall-common/default-config. Просто скопируйте нужные Вам файлы из этой директории в /etc/shorewall и отредактируйте копии. Заметьте, что Вы должны скопировать /usr/share/doc/shorewall/default-config/shorewall.conf + class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf и /usr/share/doc/shorewall/default-config/modules + class="directory">/usr/share/doc/shorewall=common/default-config/modules в /etc/shorewall даже если Вы не будете изменять эти файлы. Если же Вы пользовались пакетом .deb, примеры находятся в директории/usr/share/doc/shorewall/examples/two-interface. + class="directory">/usr/share/doc/shorewall-common/examples/two-interface. @@ -1068,4 +1068,4 @@ eth0 wlan0 Вашем файерволе потребует правил, перечисленных в документации Shorewall/Samba.
- \ No newline at end of file + diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 34ea71f36..f282fd136 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -167,7 +167,7 @@ shorewall restart The RPMs are set up so that if Insure correct operation. Default actions can also avoid common pitfalls like dropping connection requests on TCP port 113. If these connections are dropped (rather than rejected) then you - may encounter problems connecting to internet services that + may encounter problems connecting to Internet services that utilize the AUTH protocol of client authentication. @@ -485,7 +485,7 @@ all all REJECT:MyReject info Beginning with this release, the way in which packet marking in - the PREROUTING chain interracts with the 'track' option in + the PREROUTING chain interacts with the 'track' option in /etc/shorewall/providers has changed in two ways: diff --git a/docs/useful_links.xml b/docs/useful_links.xml index 7d2d3aa1f..442f8b9b6 100644 --- a/docs/useful_links.xml +++ b/docs/useful_links.xml @@ -42,7 +42,7 @@ - NetFilter Site: Netfilter Site: http://www.netfilter.org/ @@ -79,7 +79,7 @@ Debian apt-get sources for Shorewall: http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian + url="http://people.connexer.com/~roberto/debian/">http://people.connexer.com/~roberto/debian/ diff --git a/docs/whitelisting_under_shorewall.xml b/docs/whitelisting_under_shorewall.xml index a6e26da31..f1f5445cb 100644 --- a/docs/whitelisting_under_shorewall.xml +++ b/docs/whitelisting_under_shorewall.xml @@ -42,7 +42,7 @@ - The local network uses SNAT to the internet and + The local network uses SNAT to the Internet and is comprised of the Class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on SNAT. 
@@ -90,7 +90,7 @@ dmz ipv4 Interfaces File - #ZONE INTERFACE BROACAST OPTIONS + #ZONE INTERFACE BROADCAST OPTIONS net eth0 <whatever> ... dmz eth1 <whatever> ... - eth2 10.10.255.255