More shorewall(8) documentation updates

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-11-21 13:57:06 -08:00
parent bd2df4836d
commit 38c9165c39
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 150 additions and 92 deletions


@ -4366,7 +4366,9 @@ shorewall_cli() {
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
#
# Set the default product based on the Shorewall packages installed
#
set_default_product set_default_product
finished=0 finished=0
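Review bot: the new comment before set_default_product says the default product is chosen from the installed Shorewall packages but not which product wins when more than one is installed; since that choice decides which firewall a bare invocation operates on, stating the precedence in the comment (or pointing at where it is documented) would make the block self-explanatory.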


@ -1009,12 +1009,11 @@
<listitem> <listitem>
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">blacklist</emphasis>,
<emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command. Beginning with Shorewall role="bold">logreject</emphasis> command.</para>
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
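Review bot: the rewrite drops the sentence "Beginning with Shorewall 5.0.10, this command can also re-enable addresses blacklisted using the blacklist command" and simply lists blacklist alongside drop, logdrop, reject and logreject. That loses the version information for anyone on a 5.0.x release older than 5.0.10, where allow does not undo a blacklist; unless this manpage only ships with releases at or after 5.0.10, keep the qualifier, for example `<emphasis role="bold">blacklist</emphasis> (Shorewall 5.0.10 and later)`.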
@ -1441,7 +1440,7 @@
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>The log message destination is determined by the <para>The log message destination is determined by the
currently-selected IPv4 <ulink currently-selected IPv4 or IPv6 <ulink
url="/shorewall_logging.html#Backends">logging url="/shorewall_logging.html#Backends">logging
backend</ulink>.</para> backend</ulink>.</para>
</listitem> </listitem>
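Review bot: "currently-selected IPv4 or IPv6 logging backend" reads as though the reader could pick either, whereas which one applies follows from the product being run; consider "the currently-selected logging backend for the product in use (IPv4 for Shorewall, IPv6 for Shorewall6)" so the ulink to /shorewall_logging.html#Backends lands with clear context.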
@ -1670,62 +1669,90 @@
pre-5.0.0 <command>reload</command> command is now called pre-5.0.0 <command>reload</command> command is now called
<command>remote-restart</command> (see below).</para> <command>remote-restart</command> (see below).</para>
<variablelist>
<varlistentry>
<term>Shorewall and Shorewall6</term>
<listitem>
<para>Reload is similar to <emphasis role="bold">shorewall <para>Reload is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already start</emphasis> except that it assumes that the firewall is
started. Existing connections are maintained. If a already started. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command, Shorewall <emphasis>directory</emphasis> is included in the command,
will look in that <emphasis>directory</emphasis> first for Shorewall will look in that <emphasis>directory</emphasis>
configuration files.</para> first for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid <para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking <para>The <option>-p</option> option causes the connection
table to be flushed; the <command>conntrack</command> utility must tracking table to be flushed; the <command>conntrack</command>
be installed to use this option.</para> utility must be installed to use this option.</para>
<para>The <option>-d</option> option causes the compiler to run <para>The <option>-d</option> option causes the compiler to
under the Perl debugger (Shorewall and Shorewall6 only).</para> run under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step <para>The <option>-f</option> option suppresses the
and simply reused the compiled script which last started/restarted compilation step and simply reused the compiled script which
Shorewall, provided that /etc/shorewall and its contents have not last started/restarted Shorewall, provided that /etc/shorewall
been modified since the last start/restart (Shorewall and Shorewall6 and its contents have not been modified since the last
only).</para> start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20 <para>The <option>-c</option> option was added in Shorewall
and performs the compilation step unconditionally, overriding the 4.4.20 and performs the compilation step unconditionally,
AUTOMAKE setting in <ulink overriding the AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(Shorewall and Shorewall6 only). When both <option>-f</option> and (Shorewall and Shorewall6 only). When both <option>-f</option>
<option>-c</option> are present, the result is determined by the and <option>-c</option> are present, the result is determined
option that appears last.</para> by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3 <para>The <option>-T</option> option was added in Shorewall
and causes a Perl stack trace to be included with each 4.5.3 and causes a Perl stack trace to be included with each
compiler-generated error and warning message (Shorewall and compiler-generated error and warning message.</para>
Shorewall6 only).</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall
and causes a warning message to be issued if the current line 4.6.0 and causes a warning message to be issued if the current
contains alternative input specifications following a semicolon line contains alternative input specifications following a
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is semicolon (";"). Such lines will be handled incorrectly if
set to Yes in <ulink INLINE_MATCHES is set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
<para>The <option>-C</option> option was added in Shorewall
4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink (<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
This option is available in Shorewall and Shorewall6 only.</para> If an existing firewall script is used and if that script was
the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so
as to preserve the iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<para>The <option>-C</option> option was added in Shorewall 4.6.5 <varlistentry>
and is only meaningful when AUTOMAKE=Yes in <ulink <term>Shorewall-lite and Shorewall6-lite</term>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink <listitem>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). <para>Reload is similar to <emphasis role="bold">shorewall
If an existing firewall script is used and if that script was the start</emphasis> except that it assumes that the firewall is
one that generated the current running configuration, then the already started. Existing connections are maintained.</para>
running netfilter configuration will be reloaded as is so as to
preserve the iptables packet and byte counters. This option is <para>The <option>-n</option> option causes Shorewall to avoid
available in Shorewall and Shorewall6 only.</para> updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection
tracking table to be flushed; the <command>conntrack</command>
utility must be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall
4.6.5 If the existing firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to
preserve the iptables packet and byte counters.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
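Review bot: two punctuation defects in the new text and one leftover qualifier. The -i paragraph in the "Shorewall and Shorewall6" entry ends with a doubled period, `url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>`, and the Shorewall-lite -C paragraph is missing the sentence break after the version, `4.6.5 If the existing firewall script is the one that`. The -c paragraph still carries "(Shorewall and Shorewall6 only)", which the split into per-product varlistentry blocks makes redundant (the -d, -f and -T paragraphs in this same hunk had that qualifier removed). While touching the -f paragraph, "simply reused the compiled script" should read "simply reuses".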
@ -1973,53 +2000,82 @@
<para>Beginning with Shorewall 5.0.0, this command performs a true <para>Beginning with Shorewall 5.0.0, this command performs a true
restart. The firewall is completely stopped as if a restart. The firewall is completely stopped as if a
<command>stop</command> command had been issued then it is started <command>stop</command> command had been issued then it is started
again. The command is available on Shorewall and Shorewall6 again.</para>
only.</para>
<variablelist>
<varlistentry>
<term>Shorewall and Shorewall6</term>
<listitem>
<para>If a <emphasis>directory</emphasis> is included in the <para>If a <emphasis>directory</emphasis> is included in the
command, Shorewall will look in that <emphasis>directory</emphasis> command, Shorewall will look in that
first for configuration files.</para> <emphasis>directory</emphasis> first for configuration
files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid <para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking <para>The <option>-p</option> option causes the connection
table to be flushed; the <command>conntrack</command> utility must tracking table to be flushed; the <command>conntrack</command>
be installed to use this option.</para> utility must be installed to use this option.</para>
<para>The <option>-d</option> option causes the compiler to run <para>The <option>-d</option> option causes the compiler to
under the Perl debugger.</para> run under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step <para>The <option>-f</option> option suppresses the
and simply reused the compiled script which last started/restarted compilation step and simply reused the compiled script which
Shorewall, provided that /etc/shorewall and its contents have not last started/restarted Shorewall, provided that /etc/shorewall
been modified since the last start/restart.</para> and its contents have not been modified since the last
start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20 <para>The <option>-c</option> option was added in Shorewall
and performs the compilation step unconditionally, overriding the 4.4.20 and performs the compilation step unconditionally,
AUTOMAKE setting in <ulink overriding the AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
both <option>-f</option> and <option>-c</option> are present, the When both <option>-f</option> and <option>-c</option> are
result is determined by the option that appears last.</para> present, the result is determined by the option that appears
last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3 <para>The <option>-T</option> option was added in Shorewall
and causes a Perl stack trace to be included with each 4.5.3 and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para> compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0 <para>The <option>-i</option> option was added in Shorewall
and causes a warning message to be issued if the current line 4.6.0 and causes a warning message to be issued if the current
contains alternative input specifications following a semicolon line contains alternative input specifications following a
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is semicolon (";"). Such lines will be handled incorrectly if
set to Yes in <ulink INLINE_MATCHES is set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5 <para>The <option>-C</option> option was added in Shorewall
and is only meaningful when AUTOMAKE=Yes in <ulink 4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
existing firewall script is used and if that script was the one that If an existing firewall script is used and if that script was
the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so
as to preserve the iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Shorewall-lite and Shorewall6-lite</term>
<listitem>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection
tracking table to be flushed; the <command>conntrack</command>
utility must be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall
4.6.5 If the existing firewall script is the one that
generated the current running configuration, then the running generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the netfilter configuration will be reloaded as is so as to
iptables packet and byte counters.</para> preserve the iptables packet and byte counters.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
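Review bot: the Shorewall-lite -C paragraph has the same missing sentence break as in the reload section, `4.6.5 If the existing firewall script is the one that`; insert a period after 4.6.5. The -f paragraph is carried over with "simply reused the compiled script", which should be "simply reuses". Otherwise the split mirrors the reload hunk, and removing "The command is available on Shorewall and Shorewall6 only" is consistent with now documenting the lite products' options here.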