More manpage editing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-24 06:29:03 +01:00 · 2007-01-28 18:28:13 +00:00 · 2007-01-28 18:28:13 +00:00 · 35bb78cbc0
commit 35bb78cbc0
parent 0c46e95e73
6 changed files with 95 additions and 94 deletions
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@ -47,7 +47,7 @@
          <para>A dash ("-") in this column means that any source address will
          match. This is useful if you want to blacklist a particular
-          application.</para>
+          application using entries in the PROTOCOL and PORTS columns.</para>
        </listitem>
      </varlistentry>
@ -138,4 +138,4 @@
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@ -130,7 +130,7 @@
          <para>You may also specify a range of up to 256 IP addresses if you
          want the SNAT address to be assigned from that range in a
-          round-robin range by connection. The range is specified by
+          round-robin fashion by connection. The range is specified by
          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.</para>
          <para>Example: 206.124.146.177-206.124.146.180</para>
@ -157,21 +157,16 @@
          <programlisting>        192.0.2.4:5000-6000
        :4000-5000</programlisting>
-          <para>You can invoke the SAME target using the following in this
+          <para>You can invoke the SAME target rather than the SNAT target by
-          column:</para>
+          prefixing the column contents with <option>SAME:</option>.</para>
          <para>SAME:[nodst:]<emphasis>address-range</emphasis>[,<emphasis>address-range</emphasis>...]</para>
          <para>The <emphasis>address-range</emphasis>s may be single
          addresses or "detect" as described above.</para>
          <para>SAME works like SNAT with the exception that the same local IP
          address is assigned to each connection from a local address to a
          given remote address.</para>
-          <para>If the 'nodst:' option is included, then the same source
+          <para>If the <option>nodst:</option> option is included, then the
-          address is used for a given internal system regardless of which
+          same source address is used for a given internal system regardless
-          remote system is involved.</para>
+          of which remote system is involved.</para>
          <para>If you want to leave this column empty but you need to specify
          the next column then place a hyphen ("-") here.</para>
--- a/manpages/shorewall-nat.xml
+++ b/manpages/shorewall-nat.xml
@ -26,8 +26,11 @@
    <warning>
      <para>If all you want to do is simple port forwarding, do NOT use this
-      file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most cases,
+      file. See <ulink
-      Proxy ARP is a better solution that one-to-one NAT.</para>
+      url="../FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
      Also, in many cases, Proxy ARP (<ulink
      url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
      solution that one-to-one NAT.</para>
    </warning>
    <para>The columns in the file are as follows.</para>
--- a/manpages/shorewall-nesting.xml
+++ b/manpages/shorewall-nesting.xml
@ -24,7 +24,7 @@
    <para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
    zone may be declared to be a sub-zone of one or more other zones using the
-    above syntax. </para>
+    above syntax.</para>
    <para>Where zones are nested, the CONTINUE policy in <ulink
    url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
@ -67,7 +67,9 @@
    requests should first be processed under rules where the source zone is
    sam and if there is no match then the connection request should be treated
    under rules where the source zone is net. It is important that this policy
-    be listed BEFORE the next policy (net to all).</para>
+    be listed BEFORE the next policy (net to all). You can have this policy
    generated for you automatically by using the IMPLICIT_CONTINUE option in
    <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    <para>Partial <filename>/etc/shorewall/rules</filename>:</para>
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@ -22,7 +22,8 @@
    <title>Description</title>
    <para>This file defines the high-level policy for connections between
-    zones defined in /etc/shorewall/zones.</para>
+    zones defined in <ulink
    url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
    <important>
      <para>The order of entries in this file is important</para>
@ -57,8 +58,9 @@
        role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
        <listitem>
-          <para>Source zone. Must be the name of a zone defined in
+          <para>Source zone. Must be the name of a zone defined in <ulink
-          /etc/shorewall/zones, $FW or "all".</para>
+          url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
          "all".</para>
        </listitem>
      </varlistentry>
@ -68,8 +70,9 @@
        role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
        <listitem>
-          <para>Destination zone. Must be the name of a zone defined in
+          <para>Destination zone. Must be the name of a zone defined in <ulink
-          /etc/shorewall/zones, $FW or "all"</para>
+          url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
          "all"</para>
        </listitem>
      </varlistentry>
@ -79,13 +82,44 @@
        role="bold">DROP</emphasis>|<emphasis
        role="bold">REJECT</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
        role="bold">None</emphasis>}]</term>
        <listitem>
-          <para>Policy if no match from the rules file is found. Must be
+          <para>Policy if no match from the rules file is found.</para>
-          "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".</para>
+
          <para>If the policy is other than CONTINUE or NONE then the policy
          may be followed by ":" and one of the following:</para>
          <orderedlist numeration="loweralpha">
            <listitem>
              <para>The word "None" or "none". This causes any default action
              defined in <ulink
              url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
              omitted for this policy.</para>
            </listitem>
            <listitem>
              <para>The name of an action (requires that USE_ACTIONS=Yes in
              <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
              That action will be invoked before the policy is
              enforced.</para>
            </listitem>
            <listitem>
              <para>The name of a macro. The rules in that macro will be
              applied before the policy is enforced. This does not require
              USE_ACTIONS=Yes.</para>
            </listitem>
          </orderedlist>
          <blockquote>
            <programlisting></programlisting>
            <para>Possible policies are:</para>
          </blockquote>
          <variablelist>
            <varlistentry>
@ -110,29 +144,15 @@
              <listitem>
                <para>For TCP, send RST. For all other, send an "unreachable"
                ICMP.</para>
              </listitem>
            </varlistentry>
-                <para>If the policy is DROP or REJECT then the policy may be
+            <varlistentry>
-                followed by ":" and one of the following:</para>
+              <term>QUEUE</term>
-                <orderedlist numeration="loweralpha">
+              <listitem>
-                  <listitem>
+                <para>Queue the request for a user-space application such as
-                    <para>The word "None" or "none". This causes any default
+                Snort-inline.</para>
                    action defined in /etc/shorewall/shorewall.conf to be
                    omitted for this policy.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an action (requires that USE_ACTIONS=Yes
                    in shorewall.conf). That action will be invoked before the
                    policy is enforced.</para>
                  </listitem>
                  <listitem>
                    <para>The name of a macro. The rules in that macro will be
                    applied before the policy is enforced. This does not
                    require USE_ACTIONS=Yes.</para>
                  </listitem>
                </orderedlist>
              </listitem>
            </varlistentry>
@ -180,7 +200,8 @@
          <para>You may also specify ULOG (must be in upper case). This will
          log to the ULOG target and will send to a separate log through use
-          of ulogd (http://www.gnumonks.org/projects/ulogd).</para>
+          of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
          <para>If you don't want to log but need to specify the following
          column, place "-" here.</para>
@ -223,14 +244,14 @@
      </listitem>
    </orderedlist>
-    <programlisting>#SOURCE         DEST            POLICY          LOG           BURST:LIMIT
+    <programlisting>        #SOURCE         DEST            POLICY          LOG           BURST:LIMIT
-#                                               LEVEL
+        #                                               LEVEL
-loc             net             ACCEPT
+        loc             net             ACCEPT
-net             all             DROP            info
+        net             all             DROP            info
-#
+        #
-# THE FOLLOWING POLICY MUST BE LAST
+        # THE FOLLOWING POLICY MUST BE LAST
-#
+        #
-all             all             REJECT          info</programlisting>
+        all             all             REJECT          info</programlisting>
  </refsect1>
  <refsect1>
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -25,9 +25,7 @@
    <para>The file consists of Shell comments (lines beginning with '#'),
    blank lines and assignment statements
-    (<emphasis>variable</emphasis>=<emphasis>value</emphasis>). Each
+    (<emphasis>variable</emphasis>=<emphasis>value</emphasis>).</para>
    variable's setting is preceded by comments that describe the variable and
    it's effect.</para>
  </refsect1>
  <refsect1>
@ -65,9 +63,10 @@
    messages to syslogd, Shorewall will direct netfilter to log the messages
    via the ULOG target which will send them to a process called 'ulogd'.
    ulogd is available with most Linux distributions (although it probably
-    isn't installed by default). Ulogd is also available from
+    isn't installed by default). Ulogd is also available from <ulink
-    http://www.gnumonks.org/projects/ulogd and can be configured to log all
+    url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
-    Shorewall message to their own log file</para>
+    and can be configured to log all Shorewall message to their own log
    file</para>
    <para>The following options may be set in shorewall.conf.</para>
@ -215,7 +214,7 @@
        <listitem>
          <para>The value of this variable affects Shorewall's stopped state.
-          When ADMINISABSENTMINDES=No, only traffic to/from those addresses
+          When ADMINISABSENTMINDED=No, only traffic to/from those addresses
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
@ -471,8 +470,9 @@
          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
          you want to have a set of special rules for the subzone and if a
          connection doesn't match any of those subzone-specific rules then
-          you want the parent zone rules and policies to be applied. With
+          you want the parent zone rules and policies to be applied; see
-          IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
+          <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
          With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
          then subzones are not subject to this special treatment. With
@ -552,26 +552,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>LITEDIR=<replaceable>pathname</replaceable></term>
        <listitem>
          <para>There is lack of agreement about where exactly in the file
          hierarchy the firewall script in Shorewall Lite systems should be
          stored. To allow everyone's opinion to prevail (and to prevent the
          Shorewall author from going crazy), the LITEDIR option allows
          distributions to decide where the file will be stored on Shorewall
          Lite systems under the distribution.</para>
          <para>If you have a Shorewall Lite system that uses a directory
          other than /var/lib/shorewall-lite then in that system's export
          directory, you will want to uncomment and set LITEDIR appropriately
          for that distribution. You can determine the appropriate setting by
          using the <emphasis role="bold">shorewall show config</emphasis>
          command on the Shorewall Lite system.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -684,10 +664,10 @@
        <listitem>
          <para>These parameters set the match rate and initial burst size for
-          logged packets. Please see the iptables man page for a description
+          logged packets. Please see iptables(8) for a description of the
-          of the behavior of these parameters (the iptables option --limit is
+          behavior of these parameters (the iptables option --limit is set by
-          set by LOGRATE and --limit-burst is set by LOGBURST). If both
+          LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          parameters are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur.</para>
          <para>Example:</para>
@ -808,13 +788,13 @@
          may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in
          the tcrules file to occur in that chain rather than in the
          PREROUTING chain. This permits you to mark inbound traffic based on
-          its destination address when SNAT or Masquerading are in use. To
+          its destination address when DNAT is in use. To determine if your
-          determine if your kernel has a FORWARD chain in the mangle table,
+          kernel has a FORWARD chain in the mangle table, use the <emphasis
-          use the <emphasis role="bold">/sbin/shorewall show mangle</emphasis>
+          role="bold">/sbin/shorewall show mangle</emphasis> command; if a
-          command; if a FORWARD chain is displayed then your kernel will
+          FORWARD chain is displayed then your kernel will support this
-          support this option. If this option is not specified or if it is
+          option. If this option is not specified or if it is given the empty
-          given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then
+          value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
-          MARK_IN_FORWARD_CHAIN=No is assumed.</para>
+          is assumed.</para>
        </listitem>
      </varlistentry>