More manpage editing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-01-28 18:28:13 +00:00
parent 0c46e95e73
commit 35bb78cbc0
6 changed files with 95 additions and 94 deletions

View File

@ -47,7 +47,7 @@
<para>A dash ("-") in this column means that any source address will
match. This is useful if you want to blacklist a particular
application.</para>
application using entries in the PROTOCOL and PORTS columns.</para>
</listitem>
</varlistentry>

View File

@ -130,7 +130,7 @@
<para>You may also specify a range of up to 256 IP addresses if you
want the SNAT address to be assigned from that range in a
round-robin range by connection. The range is specified by
round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.</para>
<para>Example: 206.124.146.177-206.124.146.180</para>
@ -157,21 +157,16 @@
<programlisting> 192.0.2.4:5000-6000
:4000-5000</programlisting>
<para>You can invoke the SAME target using the following in this
column:</para>
<para>SAME:[nodst:]<emphasis>address-range</emphasis>[,<emphasis>address-range</emphasis>...]</para>
<para>The <emphasis>address-range</emphasis>s may be single
addresses or "detect" as described above.</para>
<para>You can invoke the SAME target rather than the SNAT target by
prefixing the column contents with <option>SAME:</option>.</para>
<para>SAME works like SNAT with the exception that the same local IP
address is assigned to each connection from a local address to a
given remote address.</para>
<para>If the 'nodst:' option is included, then the same source
address is used for a given internal system regardless of which
remote system is involved.</para>
<para>If the <option>nodst:</option> option is included, then the
same source address is used for a given internal system regardless
of which remote system is involved.</para>
<para>If you want to leave this column empty but you need to specify
the next column then place a hyphen ("-") here.</para>
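Review bot: dropping the synopsis line "SAME:[nodst:]address-range[,address-range...]" loses the only statement of where "nodst:" goes relative to "SAME:" and that several comma-separated ranges are accepted; the replacement sentence ("prefixing the column contents with SAME:") and the later "nodst:" paragraph do not show the combined form. Keep the synopsis line, marked up with <option>, next to the new sentence so the exact column syntax stays documented.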

View File

@ -26,8 +26,11 @@
<warning>
<para>If all you want to do is simple port forwarding, do NOT use this
file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most cases,
Proxy ARP is a better solution that one-to-one NAT.</para>
file. See <ulink
url="../FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
Also, in many cases, Proxy ARP (<ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
solution that one-to-one NAT.</para>
</warning>
<para>The columns in the file are as follows.</para>
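Review bot: "a better solution that one-to-one NAT" is a typo carried over from the old text; since the sentence is being rewritten anyway, change "that" to "than" in the same pass. The ulink also shows the absolute http://www.shorewall.net/FAQ.htm#faq1 while linking to the relative "../FAQ.htm#faq1"; fine for the web rendering, but the man page output will show only the text, so the visible absolute URL is the right choice.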

View File

@ -24,7 +24,7 @@
<para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
above syntax. </para>
above syntax.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
@ -67,7 +67,9 @@
requests should first be processed under rules where the source zone is
sam and if there is no match then the connection request should be treated
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all).</para>
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>

View File

@ -22,7 +22,8 @@
<title>Description</title>
<para>This file defines the high-level policy for connections between
zones defined in /etc/shorewall/zones.</para>
zones defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
<important>
<para>The order of entries in this file is important</para>
@ -57,8 +58,9 @@
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
<listitem>
<para>Source zone. Must be the name of a zone defined in
/etc/shorewall/zones, $FW or "all".</para>
<para>Source zone. Must be the name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
"all".</para>
</listitem>
</varlistentry>
@ -68,8 +70,9 @@
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
<listitem>
<para>Destination zone. Must be the name of a zone defined in
/etc/shorewall/zones, $FW or "all"</para>
<para>Destination zone. Must be the name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
"all"</para>
</listitem>
</varlistentry>
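Review bot: the Destination zone sentence still ends with `"all"</para>` with no terminating period, unlike the Source zone entry just above, which ends `"all".</para>`; add the period while the line is being touched.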
@ -79,13 +82,44 @@
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
role="bold">None</emphasis>}]</term>
<listitem>
<para>Policy if no match from the rules file is found. Must be
"ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".</para>
<para>Policy if no match from the rules file is found.</para>
<para>If the policy is other than CONTINUE or NONE then the policy
may be followed by ":" and one of the following:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The word "None" or "none". This causes any default action
defined in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
omitted for this policy.</para>
</listitem>
<listitem>
<para>The name of an action (requires that USE_ACTIONS=Yes in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
That action will be invoked before the policy is
enforced.</para>
</listitem>
<listitem>
<para>The name of a macro. The rules in that macro will be
applied before the policy is enforced. This does not require
USE_ACTIONS=Yes.</para>
</listitem>
</orderedlist>
<blockquote>
<programlisting></programlisting>
<para>Possible policies are:</para>
</blockquote>
<variablelist>
<varlistentry>
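Review bot: the new `<blockquote><programlisting></programlisting>` wrapper around "Possible policies are:" contains an empty programlisting, which renders as an empty verbatim box in both HTML and man output; this looks like an editor artifact, so drop the blockquote and leave the bare `<para>Possible policies are:</para>`. Also note the old wording restricted the default action to "If the policy is DROP or REJECT" while the new text says "other than CONTINUE or NONE", which now covers ACCEPT and QUEUE as well; confirm the compiler accepts a default action or macro on those policies before widening the documentation.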
@ -110,29 +144,15 @@
<listitem>
<para>For TCP, send RST. For all other, send an "unreachable"
ICMP.</para>
</listitem>
</varlistentry>
<para>If the policy is DROP or REJECT then the policy may be
followed by ":" and one of the following:</para>
<varlistentry>
<term>QUEUE</term>
<orderedlist numeration="loweralpha">
<listitem>
<para>The word "None" or "none". This causes any default
action defined in /etc/shorewall/shorewall.conf to be
omitted for this policy.</para>
</listitem>
<listitem>
<para>The name of an action (requires that USE_ACTIONS=Yes
in shorewall.conf). That action will be invoked before the
policy is enforced.</para>
</listitem>
<listitem>
<para>The name of a macro. The rules in that macro will be
applied before the policy is enforced. This does not
require USE_ACTIONS=Yes.</para>
</listitem>
</orderedlist>
<listitem>
<para>Queue the request for a user-space application such as
Snort-inline.</para>
</listitem>
</varlistentry>
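Review bot: good removal. The deleted orderedlist sat between `<term>QUEUE</term>` and its `<listitem>`, which is not valid DocBook (varlistentry allows only term elements before the listitem), so moving the text up into the POLICY column description fixes both the structure and the duplication. The old paragraph also referred to /etc/shorewall/shorewall.conf by path; the relocated copy uses the shorewall.conf(5) ulink, consistent with the rest of this commit.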
@ -180,7 +200,8 @@
<para>You may also specify ULOG (must be in upper case). This will
log to the ULOG target and will send to a separate log through use
of ulogd (http://www.gnumonks.org/projects/ulogd).</para>
of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>If you don't want to log but need to specify the following
column, place "-" here.</para>
@ -223,14 +244,14 @@
</listitem>
</orderedlist>
<programlisting>#SOURCE DEST POLICY LOG BURST:LIMIT
# LEVEL
loc net ACCEPT
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info</programlisting>
<programlisting> #SOURCE DEST POLICY LOG BURST:LIMIT
# LEVEL
loc net ACCEPT
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info</programlisting>
</refsect1>
<refsect1>
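Review bot: the new programlisting starts with a leading space before "#SOURCE" that the old one did not have, while the remaining lines are unchanged; programlisting preserves whitespace, so the header line will now be shifted one column right of the entries beneath it. Remove the leading space (or indent every line equally) so the columns line up in the rendered example.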

View File

@ -25,9 +25,7 @@
<para>The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements
(<emphasis>variable</emphasis>=<emphasis>value</emphasis>). Each
variable's setting is preceded by comments that describe the variable and
it's effect.</para>
(<emphasis>variable</emphasis>=<emphasis>value</emphasis>).</para>
</refsect1>
<refsect1>
@ -65,9 +63,10 @@
messages to syslogd, Shorewall will direct netfilter to log the messages
via the ULOG target which will send them to a process called 'ulogd'.
ulogd is available with most Linux distributions (although it probably
isn't installed by default). Ulogd is also available from
http://www.gnumonks.org/projects/ulogd and can be configured to log all
Shorewall message to their own log file</para>
isn't installed by default). Ulogd is also available from <ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
and can be configured to log all Shorewall message to their own log
file</para>
<para>The following options may be set in shorewall.conf.</para>
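Review bot: "configured to log all Shorewall message to their own log file" still has the singular "message" and no terminating period in the new text (the old text had the same defects); make it "Shorewall messages to their own log file." while the paragraph is being rewritten.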
@ -215,7 +214,7 @@
<listitem>
<para>The value of this variable affects Shorewall's stopped state.
When ADMINISABSENTMINDES=No, only traffic to/from those addresses
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
@ -471,8 +470,9 @@
url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
you want to have a set of special rules for the subzone and if a
connection doesn't match any of those subzone-specific rules then
you want the parent zone rules and policies to be applied. With
IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
you want the parent zone rules and policies to be applied; see
<ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
then subzones are not subject to this special treatment. With
@ -552,26 +552,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>LITEDIR=<replaceable>pathname</replaceable></term>
<listitem>
<para>There is lack of agreement about where exactly in the file
hierarchy the firewall script in Shorewall Lite systems should be
stored. To allow everyone's opinion to prevail (and to prevent the
Shorewall author from going crazy), the LITEDIR option allows
distributions to decide where the file will be stored on Shorewall
Lite systems under the distribution.</para>
<para>If you have a Shorewall Lite system that uses a directory
other than /var/lib/shorewall-lite then in that system's export
directory, you will want to uncomment and set LITEDIR appropriately
for that distribution. You can determine the appropriate setting by
using the <emphasis role="bold">shorewall show config</emphasis>
command on the Shorewall Lite system.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
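Review bot: the whole LITEDIR varlistentry is removed with no mention in the commit message ("More manpage editing"). If the option is still honored by the compiler or Shorewall Lite, deleting the documentation leaves an undocumented setting; if it has been dropped from the product, say so in the commit message so the removal is not mistaken for editorial cleanup.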
@ -684,10 +664,10 @@
<listitem>
<para>These parameters set the match rate and initial burst size for
logged packets. Please see the iptables man page for a description
of the behavior of these parameters (the iptables option --limit is
set by LOGRATE and --limit-burst is set by LOGBURST). If both
parameters are set empty, no rate-limiting will occur.</para>
logged packets. Please see iptables(8) for a description of the
behavior of these parameters (the iptables option --limit is set by
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
are set empty, no rate-limiting will occur.</para>
<para>Example:</para>
@ -808,13 +788,13 @@
may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in
the tcrules file to occur in that chain rather than in the
PREROUTING chain. This permits you to mark inbound traffic based on
its destination address when SNAT or Masquerading are in use. To
determine if your kernel has a FORWARD chain in the mangle table,
use the <emphasis role="bold">/sbin/shorewall show mangle</emphasis>
command; if a FORWARD chain is displayed then your kernel will
support this option. If this option is not specified or if it is
given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then
MARK_IN_FORWARD_CHAIN=No is assumed.</para>
its destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the <emphasis
role="bold">/sbin/shorewall show mangle</emphasis> command; if a
FORWARD chain is displayed then your kernel will support this
option. If this option is not specified or if it is given the empty
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
is assumed.</para>
</listitem>
</varlistentry>
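Review bot: changing "when SNAT or Masquerading are in use" to "when DNAT is in use" is a correction of meaning, not wording, and the commit message does not call it out; a short reason in the paragraph would help readers, for example that the mangle PREROUTING chain runs before nat PREROUTING and therefore sees the pre-DNAT destination address, whereas mangle FORWARD sees the translated one. The rest of the hunk is a reflow of the same text.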