Document FORMAT 2 and the ORIGINAL DEST column

This commit is contained in:
Tom Eastep 2009-04-16 13:19:16 -07:00
parent f09b15b2bd
commit 1ea375c4e3

@ -426,6 +426,45 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
port.</para>
</listitem>
<listitem>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
<para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para>
<para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
included and is different from the IP address given in the SERVER
column, then connections destined for that address will be forwarded
to the IP and port specified in the DEST column.</para>
<para>A comma-separated list of addresses may also be used. This is
most useful with the REDIRECT target where you want to redirect
traffic destined for particular set of hosts. Finally, if the list of
addresses begins with "!" (exclusion) then the rule will be followed
only if the original destination address in the connection request
does not match any of the addresses listed.</para>
<para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you want
to generate a filter rule that corresponds to a DNAT- or REDIRECT-
rule. In this usage, the list of addresses should not begin with
"!".</para>
<para>It is also possible to specify a set of addresses then exclude
part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
specifies the addresses 192.168.1.0-182.168.1.15 and
192.168.1.32-192.168.1.255. See <ulink
url="manpages/shorewall_exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>See <ulink
url="http://shorewall.net/PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
for an example of using an entry in this column with a user-defined
action rule.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
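Review bot: The exclusion example in the paragraph beginning "It is also possible to specify a set of addresses" has an address typo: "192.168.1.0-182.168.1.15" should read "192.168.1.0-192.168.1.15", otherwise the stated range is not part of 192.168.1.0/24!192.168.1.16/28 and a reader copying it into a filter rule gets the wrong picture of what is matched. In the DNAT[-]/REDIRECT[-] paragraph the text refers to both a "SERVER column" and a "DEST column"; if these name the same column, use one name consistently so it is clear which address the ORIGINAL DEST value is compared against. Minor: "traffic destined for particular set of hosts" is missing an article ("a particular set of hosts").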