More Shorewall 2.2 updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1713 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-02 19:49:08 +01:00 · 2004-10-24 21:10:47 +00:00 · 2004-10-24 21:10:47 +00:00 · 30bf899901
commit 30bf899901
parent 706242aa2c
7 changed files with 471 additions and 120 deletions
--- a/Shorewall-docs2/Accounting.xml
+++ b/Shorewall-docs2/Accounting.xml
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -41,11 +42,11 @@
  chain called <quote>accounting</quote> and can thus be displayed using
  <quote>shorewall show accounting</quote>. All traffic passing into, out of
  or through the firewall traverses the accounting chain including traffic
-  that will later be rejected by interface options such as <quote>tcpflags</quote>
+  that will later be rejected by interface options such as
-  and <quote>maclist</quote>. If your kernel doesn&#39;t support the
+  <quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
-  connection tracking match extension (Kernel 2.4.21) then some traffic
+  support the connection tracking match extension (Kernel 2.4.21) then some
-  rejected under <quote>norfc1918</quote> will not traverse the accounting
+  traffic rejected under <quote>norfc1918</quote> will not traverse the
-  chain.</para>
+  accounting chain.</para>
  <para>The columns in the accounting file are as follows:</para>
@ -61,15 +62,15 @@
        </listitem>
        <listitem>
-          <para>DONE- Count the match and don&#39;t attempt to match any
+          <para>DONE- Count the match and don't attempt to match any following
-          following accounting rules.</para>
+          accounting rules.</para>
        </listitem>
        <listitem>
-          <para><emphasis>&#60;chain&#62;</emphasis> - The name of a chain to
+          <para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain to
          jump to. Shorewall will create the chain automatically. If the name
          of the chain is followed by <quote>:COUNT</quote> then a COUNT rule
-          matching this rule will automatically be added to &#60;chain&#62;.
+          matching this rule will automatically be added to &lt;chain&gt;.
          Chain names must start with a letter, must be composed of letters
          and digits, and may contain underscores (<quote>_</quote>) and
          periods (<quote>.</quote>). Beginning with Shorewall version 1.4.8,
@ -98,13 +99,20 @@
    <listitem>
      <para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
-      <filename>/etc/protocols</filename>) or a protocol number.</para>
+      <filename>/etc/protocols</filename>), a protocol number or "ipp2p". For
      "ipp2p", your kernel and iptables must have ipp2p match support from
      <ulink url="http://www.netfilter.org">Netfilter
      Patch_o_matic_ng</ulink>.</para>
    </listitem>
    <listitem>
      <para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
      number. Service name from <filename>/etc/services</filename> or port
-      number. May only be specified if the protocol is TCP or UDP (6 or 17).</para>
+      number. May only be specified if the protocol is TCP or UDP (6 or 17).
      If the PROTOCOL is "ipp2p", then this column is interpreted as an ipp2p
      option without the leading "--" (default "ipp2p"). For a list of value
      ipp2p options, as root type <command>iptables -m ipp2p
      --help</command>.</para>
    </listitem>
    <listitem>
@ -112,15 +120,42 @@
      Service name from /etc/services or port number. May only be specified if
      the protocol is TCP or UDP (6 or 17).</para>
    </listitem>
    <listitem>
      <para><emphasis role="bold">USER/GROUP</emphasis> (Added in Shorewall
      2.2.0) - This column may only be non-empty if the CHAIN is OUTPUT. The
      column may contain:</para>
      <programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
      <para>When this column is non-empty, the rule applies only if the
      program generating the output is running under the effective
      &lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
      that id if "!" is given).</para>
      <para>Examples:</para>
      <simplelist>
        <member>joe #program must be run by joe</member>
        <member>:kids #program must be run by a member of the 'kids'
        group.</member>
        <member>!:kids #program must not be run by a member of the 'kids'
        group</member>
      </simplelist>
    </listitem>
  </itemizedlist>
-  <para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,<quote>any</quote>
+  <para>In all columns except ACTION and CHAIN, the values
-  and <quote>all</quote> are treated as wild-cards.</para>
+  <quote>-</quote>,<quote>any</quote> and <quote>all</quote> are treated as
  wild-cards.</para>
-  <para>The accounting rules are evaluated in the Netfilter <quote>filter</quote>
+  <para>The accounting rules are evaluated in the Netfilter
-  table. This is the same environment where the <quote>rules</quote> file
+  <quote>filter</quote> table. This is the same environment where the
-  rules are evaluated and in this environment, DNAT has already occurred in
+  <quote>rules</quote> file rules are evaluated and in this environment, DNAT
-  inbound packets and SNAT has not yet occurred on outbound ones.</para>
+  has already occurred in inbound packets and SNAT has not yet occurred on
  outbound ones.</para>
  <para>Accounting rules are not stateful -- each rule only handles traffic in
  one direction. For example, if eth0 is your internet interface and you have
@ -192,13 +227,13 @@
        11506   13M            all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
     [root@gateway shorewall]#</programlisting>
-  <para>Here&#39;s how the same example would be constructed on an HTTP server
+  <para>Here's how the same example would be constructed on an HTTP server
  with only one interface (eth0).</para>
  <caution>
-    <para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis role="bold">SERVER</emphasis>.
+    <para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis
-    If you want to account for web browsing, you have to reverse the rules
+    role="bold">SERVER</emphasis>. If you want to account for web browsing,
-    below.</para>
+    you have to reverse the rules below.</para>
  </caution>
  <programlisting>        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
@ -213,7 +248,7 @@
  <para>Note that with only one interface, only the SOURCE (for input rules)
  or the DESTINATION (for output rules) is specified in each rule.</para>
-  <para>Here&#39;s the output:</para>
+  <para>Here's the output:</para>
  <programlisting>     [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
     Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
@ -234,5 +269,6 @@
     [root@mail shorewall]#</programlisting>
  <para>For an example of integrating Shorewall Accounting with MRTG, see
-  <ulink url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
+  <ulink
  url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
 </article>
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-10</pubdate>
+    <pubdate>2004-10-25</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -703,6 +703,31 @@ dmz        DMZ            Demilitarized zone</programlisting>
                linkend="Conf">/etc/shorewall/shorewall.conf</link>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>logmartians</term>
              <listitem>
                <para>(Added in version 2.2.0) - If this option is specified,
                the kernel's martian logging facility will be enabled on this
                interface
                (/proc/sys/net/ipv4/conf/&lt;<emphasis>interface</emphasis>&gt;/log_martians
                will be set to 1). See also the LOG_MARTIANS option in <link
                linkend="Conf">shorewall.conf</link>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>sourceroute</term>
              <listitem>
                <para>(Added in version 2.2.0) - If this option is not
                specified for an interface, then source-routed packets will
                not be accepted from that interface (sets
                <filename>/proc/sys/net/ipv4/conf/&lt;interface&gt;</filename>
                to 1).</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>My recommendations concerning options:</para>
@ -710,7 +735,7 @@ dmz        DMZ            Demilitarized zone</programlisting>
          <itemizedlist>
            <listitem>
              <para>External Interface -- <emphasis
-              role="bold">tcpflags,blacklist,norfc1918,routefilter,nosmurfs</emphasis></para>
+              role="bold">tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians</emphasis></para>
            </listitem>
            <listitem>
@ -1666,8 +1691,11 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
        <listitem>
          <para>Protocol. Must be a protocol name from /etc/protocols, a
-          number or <quote>all</quote>. Specifies the protocol of the
+          number, "ipp2p" or <quote>all</quote>. Specifies the protocol of the
-          connection request.</para>
+          connection request. If "ipp2p" then your kernel and iptables must
          have ipp2p match support from <ulink
          url="http://www.netfilter.org">Netfilter
          Patch-o-matic-ng</ulink>.</para>
        </listitem>
      </varlistentry>
@ -1678,11 +1706,14 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
          <para>Port or port range (&lt;low port&gt;:&lt;high port&gt;) being
          connected to. May only be specified if the protocol is tcp, udp or
          icmp. For icmp, this column's contents are interpreted as an icmp
-          type. If you don't want to specify DEST PORT(S) but need to include
+          type. For ipp2p, this column must contain an ipp2p option without
-          information in one of the columns to the right, enter
+          the leading "--" (default "ipp2p" -- for a list of valid options, as
-          <quote>-</quote> in this column. You may give a list of ports and/or
+          root type <command>iptables -m ipp2p --help</command>). If you don't
-          port ranges separated by commas. Port numbers may be either integers
+          want to specify DEST PORT(S) but need to include information in one
-          or service names from /etc/services.</para>
+          of the columns to the right, enter <quote>-</quote> in this column.
          You may give a list of ports and/or port ranges separated by commas.
          Port numbers may be either integers or service names from
          /etc/services.</para>
        </listitem>
      </varlistentry>
@ -2097,6 +2128,20 @@ eth1::192.0.2.32/27
          fashion. Beginning with Shorewall version 1.4.7, you may include a
          list of ranges and/or addresses in this column; again, Netfilter
          will use all listed ranges/addresses in rounde-robin fashion.</para>
          <para>Beginning with Shorewall 2.2.0, you may also specify the
          source port range to be used (the PROTO column must specify tcp or
          udp) by following the address or address range if any with ":" and
          the port range (in the format &lt;<emphasis>low
          port</emphasis>&gt;-&lt;<emphasis>high port</emphasis>&gt;).</para>
          <para>Examples:</para>
          <programlisting>#INTERFACE SUBNET          ADDRESS                PROTO
 eth0       10.0.0.0/8      192.0.2.44:7000-8000   udp</programlisting>
          <programlisting>#INTERFACE SUBNET          ADDRESS                PROTO
 eth0       192.168.1.0/24  :4000-5000             tcp</programlisting>
        </listitem>
      </varlistentry>
@ -2501,10 +2546,42 @@ eth0                  eth1            206.124.146.176</programlisting>
      </varlistentry>
      <varlistentry>
-        <term></term>
+        <term>LOGALLNEW</term>
        <listitem>
-          <para></para>
+          <para>(Aded at version 2.2.0)- When set to a log level, this option
          causes Shorewall to generaate a logging rule as the first rule in
          each builtin chain.</para>
          <itemizedlist>
            <listitem>
              <para>The table name is used as the chain name in the log
              prefix.</para>
            </listitem>
            <listitem>
              <para>The chain name is used as the target in the log
              pref</para>
            </listitem>
          </itemizedlist>
          <para>Example: Using the default LOGFORMAT, the log prefix for
          logging from the nat table's PREROUTING chain is: </para>
          <programlisting>Shorewall:nat:PREROUTING</programlisting>
          <important>
            <para>There is no rate limiting on these logging rules so use
            LOGALLNEW at your own risk; it may cause high CPU and disk
            utilization and you may not be able to control your firewall after
            you enable this option.</para>
          </important>
          <caution>
            <para><emphasis role="bold">DO NOT USE THIS OPTION IF THE
            RESULTING LOG MESSAGES WILL BE SENT TO ANOTHER
            SYSTEM.</emphasis></para>
          </caution>
        </listitem>
      </varlistentry>
@ -2846,6 +2923,21 @@ eth0                  eth1            206.124.146.176</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>LOG_MARTIANS</term>
        <listitem>
          <para>(Added in Version 2.2.0) - If set to Yes or yes, sets
          <filename>/proc/sys/net/ipv4/conf/all/log_martians</filename> and
          <filename>/proc/sys/net/ipv4/conf/default/log_martians</filename> to
          1. Default is which sets both of the above to zero. If you do not
          enable martian logging for all interfaces, you may still enable it
          for individual interfaces using the <emphasis
          role="bold">logmartians</emphasis> interface option in <link
          linkend="Interfaces">/etc/shorewall/interfaces</link>. </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DETECT_DNAT_ADDRS</term>
@ -3099,6 +3191,21 @@ LOGBURST=5</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DELAYBLACKLISTLOAD</term>
        <listitem>
          <para>(Added in Shorewall 2.2.0) - Users with a large static black
          list (<filename>/etc/shorewall/blacklist</filename>) may want to set
          the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes,
          Shorewall will enable new connections before loading the blacklist
          rules. While this may allow connections from blacklisted hosts to
          slip by during construction of the blacklist, it can substantially
          reduce the time that all new connections are disabled during
          <command>shorewall [re]start</command>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>CLAMPMSS</term>
@ -3114,6 +3221,11 @@ LOGBURST=5</programlisting>
            <para>This option requires CONFIG_IP_NF_TARGET_TCPMSS <ulink
            url="kernel.htm">in your kernel</ulink>.</para>
          </note>
          <para>Beginning with Shorewall version 2.2.0, you may also set
          CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This will set the
          MSS field in TCP SYN packets going through the firewall to the value
          that you specify.</para>
        </listitem>
      </varlistentry>
@ -3713,7 +3825,7 @@ eth1                -</programlisting>
        <revision>
          <revnumber>1.20</revnumber>
-          <date>2004-10-22</date>
+          <date>2004-10-25</date>
          <authorinitials>TE</authorinitials>
--- a/Shorewall-docs2/FTP.xml
+++ b/Shorewall-docs2/FTP.xml
@ -31,7 +31,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -55,7 +56,8 @@
      </listitem>
      <listitem>
-        <para>Install the Mandrake <quote>cooker</quote> version of Shorewall.</para>
+        <para>Install the Mandrake <quote>cooker</quote> version of
        Shorewall.</para>
      </listitem>
      <listitem>
@ -67,16 +69,17 @@
  <important>
    <para><trademark>Mandrake</trademark> have done it again with their 10.0
    release. This time, they have decided that kernel modules should have
-    &#34;ko.gz&#34; for their suffix. If you are having problems with Mandrake
+    "ko.gz" for their suffix. If you are having problems with Mandrake 10.0
-    10.0 and FTP, change your <filename>/etc/shorewall/conf</filename> file
+    and FTP, change your <filename>/etc/shorewall/conf</filename> file
    definition of MODULE_SUFFIX as follows:</para>
-    <programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
+    <programlisting>MODULE_SUFFIX="o gz ko o.gz ko.gz"</programlisting>
    <para>The version of <command>insmod</command> shipped with 10.0 also does
    not comprehend these module files so you will also need Shorewall 2.0.2 or
-    later OR you need to change <filename>/usr/share/shorewall/firewall</filename>
+    later OR you need to change
-    -- replace the line that reads:</para>
+    <filename>/usr/share/shorewall/firewall</filename> -- replace the line
    that reads:</para>
    <programlisting>     insmod $modulefile $*</programlisting>
@ -133,14 +136,14 @@
    <programlisting>[teastep@wookie Shorewall]$ <emphasis role="bold">ftp ftp1.shorewall.net</emphasis>
 Connected to lists.shorewall.net.
-220-=(&#60;*&#62;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&#60;*&#62;)=-
+220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-
 220-You are user number 1 of 50 allowed.
 220-Local time is now 10:21 and the load is 0.14. Server port: 21.
 220 You will be disconnected after 15 minutes of inactivity.
 500 Security extensions not implemented
 500 Security extensions not implemented
 KERBEROS_V4 rejected as an authentication type
-Name (ftp1.shorewall.net:teastep): ftp
+Name (ftp1.shorewall.net:teastep): <command>ftp</command>
 331-Welcome to ftp.shorewall.net
 331-
 331 Any password will work
@ -148,31 +151,31 @@ Password:
 230 Any password will work
 Remote system type is UNIX.
 Using binary mode to transfer files.
-ftp&#62; <emphasis role="bold">debug</emphasis>
+ftp&gt; <emphasis role="bold">debug</emphasis>
 Debugging on (debug=1).
-ftp&#62; <emphasis role="bold">ls</emphasis>
+ftp&gt; <emphasis role="bold">ls</emphasis>
---&#62; <emphasis>PASV</emphasis>
+---&gt; <emphasis>PASV</emphasis>
 <emphasis>227 Entering Passive Mode (192,168,1,193,195,210)</emphasis>
---&#62; LIST
+---&gt; LIST
 150 Accepted data connection
 drwxr-xr-x    5 0        0            4096 Nov  9  2002 archives
 drwxr-xr-x    2 0        0            4096 Feb 12  2002 etc
 drwxr-sr-x    6 0        50           4096 Feb 19 15:24 pub
 226-Options: -l
 226 3 matches total
-ftp&#62; <emphasis role="bold">passive</emphasis>
+ftp&gt; <emphasis role="bold">passive</emphasis>
 Passive mode off.
-ftp&#62; <emphasis role="bold">ls</emphasis>
+ftp&gt; <emphasis role="bold">ls</emphasis>
-<emphasis>---&#62; PORT 192,168,1,3,142,58</emphasis>
+<emphasis>---&gt; PORT 192,168,1,3,142,58</emphasis>
 200 PORT command successful
---&#62; LIST
+---&gt; LIST
 150 Connecting to port 36410
 drwxr-xr-x    5 0        0            4096 Nov  9  2002 archives
 drwxr-xr-x    2 0        0            4096 Feb 12  2002 etc
 drwxr-sr-x    6 0        50           4096 Feb 19 15:24 pub
 226-Options: -l
 226 3 matches total
-ftp&#62;</programlisting>
+ftp&gt;</programlisting>
    <para>Things to notice:</para>
@ -184,7 +187,7 @@ ftp&#62;</programlisting>
      <listitem>
        <para>Commands sent by the client to the server are preceded by
-        ---&#62;</para>
+        ---&gt;</para>
      </listitem>
      <listitem>
@ -208,14 +211,14 @@ ftp&#62;</programlisting>
  <section>
    <title>Linux FTP connection-tracking</title>
-    <para>Given the normal loc-&#62;net policy of ACCEPT, passive mode access
+    <para>Given the normal loc-&gt;net policy of ACCEPT, passive mode access
    from local clients to remote servers will always work but active mode
    requires the firewall to dynamically open a <quote>hole</quote> for the
-    server&#39;s connection back to the client. Similarly, if you are running
+    server's connection back to the client. Similarly, if you are running an
-    an FTP server in your local zone then active mode should always work but
+    FTP server in your local zone then active mode should always work but
-    passive mode requires the firewall to dynamically open a <quote>hole</quote>
+    passive mode requires the firewall to dynamically open a
-    for the client&#39;s second connection to the server. This is the role of
+    <quote>hole</quote> for the client's second connection to the server. This
-    FTP connection-tracking support in the Linux kernel.</para>
+    is the role of FTP connection-tracking support in the Linux kernel.</para>
    <para>Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
    involved, the PORT commands and PASV responses may also need to be
@ -223,11 +226,12 @@ ftp&#62;</programlisting>
    function.</para>
    <para>Including FTP connection-tracking and NAT support normally means
-    that the modules <quote>ip_conntrack_ftp</quote> and <quote>ip_nat_ftp</quote>
+    that the modules <quote>ip_conntrack_ftp</quote> and
-    need to be loaded. Shorewall automatically loads these <quote>helper</quote>
+    <quote>ip_nat_ftp</quote> need to be loaded. Shorewall automatically loads
-    modules from /lib/modules/&#60;<emphasis>kernel-version</emphasis>&#62;/kernel/net/ipv4/netfilter/
+    these <quote>helper</quote> modules from
    /lib/modules/&lt;<emphasis>kernel-version</emphasis>&gt;/kernel/net/ipv4/netfilter/
    and you can determine if they are loaded using the <quote>lsmod</quote>
-    command. The &#60;<emphasis>kernel-version</emphasis>&#62; may be obtained
+    command. The &lt;<emphasis>kernel-version</emphasis>&gt; may be obtained
    by typing</para>
    <programlisting><command>uname -r</command></programlisting>
@ -292,8 +296,10 @@ jbd                    47860   2  [ext3]
    responses. If you run an FTP server on a nonstandard port or you need to
    access such a server, you must therefore let the helpers know by
    specifying the port in /etc/shorewall/modules entries for the helpers.
-    <caution><para>You must have modularized FTP connection tracking support
+    <caution>
-    in order to use FTP on a non-standard port.</para></caution></para>
+        <para>You must have modularized FTP connection tracking support in
        order to use FTP on a non-standard port.</para>
      </caution></para>
    <example>
      <title>if you run an FTP server that listens on port 49 or you need to
@ -303,8 +309,10 @@ jbd                    47860   2  [ext3]
      <programlisting>loadmodule ip_conntrack_ftp ports=21,49
 loadmodule ip_nat_ftp ports=21,49</programlisting>
-      <para><note><para>you MUST include port 21 in the ports list or you may
+      <para><note>
-      have problems accessing regular FTP servers.</para></note></para>
+          <para>you MUST include port 21 in the ports list or you may have
          problems accessing regular FTP servers.</para>
        </note></para>
      <para>If there is a possibility that these modules might be loaded
      before Shorewall starts, then you should include the port list in
@ -313,9 +321,22 @@ loadmodule ip_nat_ftp ports=21,49</programlisting>
      <programlisting>options ip_conntrack_ftp ports=21,49
 options ip_nat_ftp ports=21,49</programlisting>
-      <para><important><para>Once you have made these changes to
+      <para><important>
-      /etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
+          <para>Once you have made these changes to /etc/shorewall/modules
-      the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
+          and/or /etc/modules.conf, you must either:</para>
          <orderedlist>
            <listitem>
              <para>Unload the modules and restart shorewall:</para>
              <programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting>
            </listitem>
            <listitem>
              <para>Reboot</para>
            </listitem>
          </orderedlist>
        </important></para>
    </example>
  </section>
@ -323,15 +344,15 @@ options ip_nat_ftp ports=21,49</programlisting>
    <title>Rules</title>
    <para>If the policy from the source zone to the destination zone is ACCEPT
-    and you don&#39;t need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
+    and you don't need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
    then <emphasis role="bold">you need no rule</emphasis>.</para>
-    <para>Otherwise, for FTP you need exactly <emphasis role="bold">one</emphasis>
+    <para>Otherwise, for FTP you need exactly <emphasis
-    rule:</para>
+    role="bold">one</emphasis> rule:</para>
    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     PORT(S)    SOURCE      ORIGINAL
 #                                                           PORT(S)     DESTINATION
-ACCEPT or    &#60;<emphasis>source</emphasis>&#62;   &#60;<emphasis>destination</emphasis>&#62;  tcp       21                     &#60;external IP addr&#62; if
+ACCEPT or    &lt;<emphasis>source</emphasis>&gt;   &lt;<emphasis>destination</emphasis>&gt;  tcp       21                     &lt;external IP addr&gt; if
 DNAT                                                                    ACTION = DNAT</programlisting>
    <para>You need an entry in the ORIGINAL DESTINATION column only if the
@ -341,23 +362,32 @@ DNAT                                                                    ACTION =
    <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
    with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
    mailing list and they show 20 in the PORT(S) column, I will know that you
-    haven&#39;t read this article and I will either ignore your post or tell
+    haven't read this article and I will either ignore your post or tell you
-    you to RTFM.<example><title>Server running behind a Masquerading Gateway</title><para>Suppose
+    to RTFM.<example>
-    that you run an FTP server on 192.168.1.5 in your local zone using the
+        <title>Server running behind a Masquerading Gateway</title>
-    standard port (21). You need this rule: </para><programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
+
        <para>Suppose that you run an FTP server on 192.168.1.5 in your local
        zone using the standard port (21). You need this rule:</para>
        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
 #                                                            PORT(S)     DESTINATION
-DNAT         net        loc:192.168.1.5 tcp       21</programlisting></example><example><title>Allow
+DNAT         net        loc:192.168.1.5 tcp       21</programlisting>
-    your DMZ FTP access to the Internet</title><programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
+      </example><example>
        <title>Allow your DMZ FTP access to the Internet</title>
        <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
 #                                                            PORT(S)     DESTINATION
-ACCEPT       dmz        net             tcp       21</programlisting></example></para>
+ACCEPT       dmz        net             tcp       21</programlisting>
      </example></para>
    <para>Note that the FTP connection tracking in the kernel cannot handle
    cases where a PORT command (or PASV reply) is broken across two packets.
-    When such cases occur, you will see a console message similar to this one:</para>
+    When such cases occur, you will see a console message similar to this
    one:</para>
    <programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
-    <para> I see this problem occasionally with the FTP server in my DMZ. My
+    <para>I see this problem occasionally with the FTP server in my DMZ. My
    solution is to add the following rule:</para>
    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
--- a/Shorewall-docs2/blacklisting_support.xml
+++ b/Shorewall-docs2/blacklisting_support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-02-17</pubdate>
+    <pubdate>2004-10-25</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -29,7 +29,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -43,7 +44,7 @@
    <orderedlist>
      <listitem>
-        <para>BLACKLISTNEWONLY=No --&#x00A0; All incoming packets are checked
+        <para>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
        against the blacklist. New blacklist entries can be used to terminate
        existing connections. Versions of Shorewall prior to 1.4.8 behave in
        this manner.</para>
@ -88,12 +89,14 @@
      <listitem>
        <para>You specify whether you want packets from blacklisted hosts
        logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
-        in <ulink url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
+        in <ulink
        url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
      </listitem>
      <listitem>
        <para>You list the IP addresses/subnets that you wish to blacklist in
-        <ulink url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
+        <ulink
        url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
        Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
        and Port numbers/Service names in the blacklist file.</para>
      </listitem>
@ -101,40 +104,52 @@
      <listitem>
        <para>You specify the interfaces whose incoming packets you want
        checked against the blacklist using the <quote>blacklist</quote>
-        option in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
+        option in <ulink
        url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
      </listitem>
      <listitem>
-        <para>The black list is refreshed from <filename>/etc/shorewall/blacklist</filename>
+        <para>The black list is refreshed from
-        by the <quote><ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
+        <filename>/etc/shorewall/blacklist</filename> by the <quote><ulink
        url="starting_and_stopping_shorewall.htm"><command>shorewall
        refresh</command></ulink></quote> command.</para>
      </listitem>
    </itemizedlist>
    <para>Users with a large static black list may want to set the
    DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
    2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
    before loading the blacklist rules. While this may allow connections from
    blacklisted hosts to slip by during construction of the blacklist, it can
    substantially reduce the time that all new connections are disabled during
    "shorewall [re]start".</para>
  </section>
  <section>
    <title>Dynamic Blacklisting</title>
    <para>Dynamic blacklisting support was added in version 1.3.2. Dynamic
-    blacklisting doesn&#39;t use any configuration parameters but is rather
+    blacklisting doesn't use any configuration parameters but is rather
    controlled using /sbin/shorewall commands:</para>
    <itemizedlist>
      <listitem>
-        <para>drop <emphasis>&#60;ip address list&#62;</emphasis> - causes
+        <para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
        packets from the listed IP addresses to be silently dropped by the
        firewall.</para>
      </listitem>
      <listitem>
-        <para>reject <emphasis>&#60;ip address list&#62;</emphasis> - causes
+        <para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be rejected by the firewall.</para>
+        packets from the listed IP addresses to be rejected by the
        firewall.</para>
      </listitem>
      <listitem>
-        <para>allow <emphasis>&#60;ip address list&#62;</emphasis> -
+        <para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
-        re-enables receipt of packets from hosts previously blacklisted by a
+        receipt of packets from hosts previously blacklisted by a
-        <emphasis>drop</emphasis> or <emphasis>reject</emphasis> command.</para>
+        <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
        command.</para>
      </listitem>
      <listitem>
@ -144,12 +159,14 @@
      </listitem>
      <listitem>
-        <para>show dynamic - displays the dynamic blacklisting configuration.</para>
+        <para>show dynamic - displays the dynamic blacklisting
        configuration.</para>
      </listitem>
    </itemizedlist>
-    <para>Dynamic blacklisting is not dependent on the <quote>blacklist</quote>
+    <para>Dynamic blacklisting is not dependent on the
-    option in <filename>/etc/shorewall/interfaces</filename>.</para>
+    <quote>blacklist</quote> option in
    <filename>/etc/shorewall/interfaces</filename>.</para>
    <example>
      <title>Ignore packets from a pair of systems</title>
--- a/Shorewall-docs2/shorewall_quickstart_guide.xml
+++ b/Shorewall-docs2/shorewall_quickstart_guide.xml
@ -58,8 +58,8 @@
    </section>
    <section>
-      <title>If you have a <emphasis role="bold">single public IP
+      <title>If you want the firewall system to handle a <emphasis
-      address</emphasis></title>
+      role="bold">single public IP address</emphasis></title>
      <para>These guides are designed to get your first firewall up and
      running quickly in the three most common Shorewall configurations. If
@ -88,7 +88,8 @@
    </section>
    <section>
-      <title>If you have more than one public IP address</title>
+      <title>If you want the firewall system to handle more than one public IP
      address</title>
      <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
      Guide</ulink> outlines the steps necessary to set up a firewall where
@ -99,11 +100,11 @@
    </section>
    <section>
-      <title>Guide that Others have Written</title>
+      <title>Guides that Others have Written</title>
      <para>Andrew Allen has provided <ulink
      url="http://unofficial-support.com/node/view/46">this guide</ulink> for
      installing Shorewall on standalone webhosting servers.</para>
    </section>
  </section>
-</article>
+</article>
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-12</pubdate>
+    <pubdate>2004-10-25</pubdate>
    <copyright>
      <year>2004</year>
@ -278,11 +278,19 @@
    restart</command>, <command>shorewall check</command>, and
    <command>shorewall try </command>commands allow you to specify a different
    directory for Shorewall to check before looking in <filename
-    class="directory">/etc/shorewall</filename>:</para>
+    class="directory">/etc/shorewall</filename>.</para>
    <para>Shorewall versions before Shorewall 2.2.0:</para>
    <programlisting>     <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
     <command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
    <para>Shorewall versions 2.2.0 and later the -c option is
    deprecated:</para>
    <programlisting>     <command>shorewall {start|restart|check} &lt;configuration-directory&gt;</command>
     <command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
    <para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
    specified, each time that Shorewall is going to use a file in <filename
    class="directory">/etc/shorewall</filename> it will first look in
@ -313,7 +321,7 @@
      </listitem>
      <listitem>
-        <para><command>shorewall -c ./ check</command></para>
+        <para><command>shorewall check ./</command></para>
      </listitem>
      <listitem>
@ -388,7 +396,7 @@
      </varlistentry>
      <varlistentry>
-        <term>check</term>
+        <term>check (Shorewall versions prior to 2.2.0)</term>
        <listitem>
          <para><command>shorewall [ -c &lt;configuration-directory&gt; ]
@ -402,6 +410,21 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>check (Shorewall 2.2.0 and later)</term>
        <listitem>
          <para><command>shorewall [-q] check [
          &lt;configuration-directory&gt; ]</command></para>
          <para>Performs a cursory validation of the zones, interfaces, hosts,
          rules and policy files. Use this if you are unsure of any edits you
          have made to the shorewall configuration. See <link
          linkend="AltConfig">above</link> for a recommended way to make
          changes.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>clear</term>
@ -584,7 +607,7 @@
      </varlistentry>
      <varlistentry>
-        <term>restart</term>
+        <term>restart (Prior to Shorewall version 2.2.0)</term>
        <listitem>
          <para><command>shorewall [ -q ] [ -c &lt;configuration-directory&gt;
@ -597,6 +620,20 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>restart (Shorewall version 2.2.0 and later)</term>
        <listitem>
          <para><command>shorewall [ -q ] restart
          &lt;configuration-directory&gt;</command></para>
          <para>Restart is similar to <command>shorewall stop</command>
          followed by <command>shorewall start</command>. Existing connections
          are maintained. If -q is specified, less detail is displayed making
          it easier to spot warnings</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>restore</term>
@ -671,7 +708,7 @@
      </varlistentry>
      <varlistentry>
-        <term>start</term>
+        <term>start (Shorewall versions prior to 2.2.0)</term>
        <listitem>
          <para><command>shorewall [ -q ] [ -f ] [ -c
@ -688,6 +725,24 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>start (Shorewall 2.2.0 and later)</term>
        <listitem>
          <para><command>shorewall [ -q ] [ -f ] start [
          &lt;configuration-directory&gt; ]</command></para>
          <para>Start shorewall. Existing connections through shorewall
          managed interfaces are untouched. New connections will be allowed
          only if they are allowed by the firewall rules or policies. If -q is
          specified, less detail is displayed making it easier to spot
          warnings If -f is specified, the saved configuration specified by
          the RESTOREFILE option in <ulink
          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
          will be restored if that saved configuration exists</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>stop</term>
--- a/Shorewall-docs2/traffic_shaping.xml
+++ b/Shorewall-docs2/traffic_shaping.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-09-30</pubdate>
+    <pubdate>2004-10-25</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -203,6 +203,77 @@
        chains respectively. If this additional specification is omitted, the
        chain used to mark packets will be determined by the setting of the
        MARK_IN_FORWARD_CHAIN option in shorewall.conf.</para>
        <para>This possible values in this field were expanded in Shorewall
        version 2.2.0:</para>
        <itemizedlist>
          <listitem>
            <para>If your kernel and iptables include CONNMARK support then
            you can also mark the connection rather than the packet</para>
            <itemizedlist>
              <listitem>
                <para>The mark value may be optionally followed by "/" and a
                mask value (used to determine those bits of the connection
                mark to actually be set).</para>
              </listitem>
              <listitem>
                <para>The mark and optional mask are then followed by one
                of:<simplelist>
                    <member>C: Mark the connection in the chain determined by
                    the setting of MARK_IN_FORWARD_CHAIN</member>
                    <member>CF: Mark the conneciton in the FORWARD
                    chain</member>
                    <member>CP: Mark the connection in the PREROUTING
                    chain.</member>
                  </simplelist></para>
              </listitem>
            </itemizedlist>
          </listitem>
          <listitem>
            <para>A classification of the form &lt;major&gt;:&lt;minor&gt;
            where &lt;major&gt; and &lt;minor&gt; are integers. Corresponds to
            the 'class' specification in these traffic shaping
            modules:<simplelist>
                <member>- atm</member>
                <member>- cbq</member>
                <member>- dsmark</member>
                <member>- pfifo_fast</member>
                <member>- htb</member>
                <member>- prio</member>
              </simplelist>Classification always occurs in the POSTROUTING
            chain.</para>
          </listitem>
          <listitem>
            <para>RESTORE[/mask] -- restore the packet's mark from the
            connection's mark using the supplied mask if any. Your kernel and
            iptables must include CONNMARK support. As iabove, may be followed
            by ":P" or ":F</para>
          </listitem>
          <listitem>
            <para>SAVE[/mask] -- save the packet's mark to the connection's
            mark using the supplied mask if any. Your kernel and iptables must
            include CONNMARK support. As above, may be followed by ":P" or
            ":F</para>
          </listitem>
          <listitem>
            <para>CONTINUE -- don't process any more marking rules in the
            table. As above, may be followed by ":P" or ":F".</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
@ -222,14 +293,20 @@
      <listitem>
        <para>PROTO - Protocol - Must be the name of a protocol from
-        /etc/protocol, a number or <quote>all</quote></para>
+        /etc/protocol, "ipp2p", a number or "all". For "ipp2p", your kernel
        and iptables must have ipp2p match support from <ulink
        url="http://www.netfilter.org">Netfilter
        Patch_o_matic_ng</ulink>.</para>
      </listitem>
      <listitem>
        <para>PORT(S) - Destination Ports. A comma-separated list of Port
        names (from /etc/services), port numbers or port ranges (e.g., 21:22);
        if the protocol is <quote>icmp</quote>, this column is interpreted as
-        the destination icmp type(s).</para>
+        the destination icmp type(s). If the protocol is "ipp2p", then this
        column is interpreted as an ipp2p option (default "ipp2p"). For a list
        of value ipp2p options, as root type <command>iptables -m ipp2p
        --help</command>.</para>
      </listitem>
      <listitem>
@ -252,6 +329,29 @@
        <para>Examples : john: / john / :users / john:users</para>
      </listitem>
      <listitem>
        <para>TEST (added in Shorewall version 2.2.0). Defines a test on the
        existing packet or connection mark. The rule will match only if the
        test returns true. Tests have the format </para>
        <programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
        <para>where</para>
        <simplelist>
          <member>! Inverts the test (not equal)</member>
          <member>&lt;<emphasis>value</emphasis>&gt; Value of the packet or
          connection mark.</member>
          <member>&lt;<emphasis>mask</emphasis>&gt; A mask to be applied to
          the mark before testing</member>
          <member>:C Designates a connection mark. If omitted, the packet
          mark's value is tested.</member>
        </simplelist>
      </listitem>
    </itemizedlist>
    <example>
@ -261,7 +361,7 @@
      arriving on eth2 and eth3 should be marked with 2. All packets
      originating on the firewall itself should be marked with 3.</para>
-      <programlisting>#MARK   SOURCE    DESTINATION    PROTOCOL   USER/GROUP
+      <programlisting>#MARK   SOURCE    DESTINATION    PROTOCOL   USER/GROUP    TEST
 1       eth1      0.0.0.0/0      all
 2       eth2      0.0.0.0/0      all
 2       eth3      0.0.0.0/0      all
@ -274,7 +374,7 @@
      <para>All GRE (protocol 47) packets not originating on the firewall and
      destined for 155.186.235.151 should be marked with 12.</para>
-      <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   USER/GROUP
+      <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   USER/GROUP    TEST
 12      0.0.0.0/0 155.182.235.151 47</programlisting>
    </example>
@ -284,7 +384,7 @@
      <para>All SSH packets originating in 192.168.1.0/24 and destined for
      155.186.235.151 should be marked with 22.</para>
-      <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   USER/GROUP
+      <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   USER/GROUP    TEST
 22      192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
    </example>
  </section>