Update for Shorewall 2.2.0 -- take 2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1746 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-02 02:49:54 +01:00 · 2004-11-10 21:10:06 +00:00 · 2004-11-10 21:10:06 +00:00 · 2322635ac4
commit 2322635ac4
parent 5a1b6dfeb3
1 changed files with 40 additions and 0 deletions
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@ -26,6 +26,15 @@
 #
 #				ACCEPT
 #						Allow the connection request
+#				ACCEPT+
+#						Like ACCEPT but also excludes the
+#						connection from any subsequent
+#						DNAT[-] or REDIRECT[-] rules
+#				NONAT
+#						Excludes the connection from any
+#						subsequent DNAT[-] or REDIRECT[-]
+#						rules but doesn't generate a rule
+#						to accept the traffic.
 #				DROP
 #						Ignore the request
 #				REJECT
@ -73,11 +82,34 @@
 #			log level (e.g, REJECT:info or DNAT:debug). This causes the 
 #			packet to be logged at the specified level.
 #		
+#			If the ACTION names an action defined in
+#			/etc/shorewall/actions or in
+#			/usr/share/shorewall/actions.std then:
+#
+#			- If the log level is followed by "!' then all rules
+#			  in the action are logged at the log level.
+#
+#			- If the log level is not followed by "!" then only
+#			  those rules in the action that do not specify
+#			  logging are logged at the specified level.
+#
+#			- The special log level 'none!' suppresses logging
+#			  by the action.
+#
 #			You may also specify ULOG (Must be in upper case) as a log
 #			level. This will log to the ULOG target for routing to a
 #			seperate log through the use of ulogd.
 #			(http://www.gnumonks.org/projects/ulogd).						
 #
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+##
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, or "all" If the ACTION is DNAT or
@ -85,6 +117,10 @@
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. You must add
+#			separate rules to handle that traffic.
+#
 #			Except when "all" is specified, clients may be further
 #			restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
@ -109,6 +145,10 @@
 #						Host on the Internet with
 #						MAC address 00:A0:C9:15:39:78.
 #
+#			net:192.0.2.11-192.0.2.17
+#						Hosts 192.0.2.11-192.0.2.17 in
+#						the net zone.
+#
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
 #			interface name. For example, net:eth0 specifies a