Add <refmiscinfo>...</refmiscinfo> to remaining manpages

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-01-16 08:32:57 -08:00
parent 5a649dc205
commit 44e0d48fc5
84 changed files with 929 additions and 683 deletions

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-lite-vardir</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -54,7 +56,7 @@
/opt/var/lib/shorewall-lite/.</para>
</blockquote>
<para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
<para>When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
will save its state in the <replaceable>directory</replaceable>
specified.</para>
</note>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-lite.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-lite</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-accounting</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-actions</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -24,8 +26,8 @@
<title>Description</title>
<para>This file allows you to define new ACTIONS for use in rules (see
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>). You define
the iptables rules to be performed in an ACTION in
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>).
You define the iptables rules to be performed in an ACTION in
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
<para>Columns are:</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-arprules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-blacklist</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -44,8 +46,8 @@
(if your kernel and iptables contain iprange match support) or ipset
name prefaced by "+" (if your kernel supports ipset match).
Exclusion (<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
supported.</para>
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
is supported.</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-blrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -33,8 +35,9 @@
connections in the NEW and INVALID states.</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>. The
difference in the two files lies in the ACTION (first) column.</para>
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
(5)</ulink>. The difference in the two files lies in the ACTION (first)
column.</para>
<variablelist>
<varlistentry>
@ -69,8 +72,8 @@
<itemizedlist>
<listitem>
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
the macro expands to <emphasis
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
then the macro expands to <emphasis
role="bold">blacklog</emphasis>.</para>
</listitem>
@ -88,10 +91,11 @@
<listitem>
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5).
Logs, audits (if specified) and applies the
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
</ulink>(5). Logs, audits (if specified) and applies the
BLACKLIST_DISPOSITION specified in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
@ -205,8 +209,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
in /usr/share/shorewall/actions.std.</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std.</para>
</listitem>
</varlistentry>
@ -237,8 +241,8 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall/actions.std then:</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std then:</para>
<itemizedlist>
<listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-conntrack</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -365,7 +367,8 @@
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
@ -381,7 +384,8 @@
<listitem>
<para>where <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-ecn</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -64,12 +66,13 @@
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-exclusion</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -88,8 +90,8 @@ ACCEPT all!z2 net tcp 22</programlisting>
<para>In most contexts, ipset names can be used as an
<replaceable>address-or-range</replaceable>. Beginning with Shorewall
4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
of these lists when used in an exclusion are as follows:</para>
url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The
semantics of these lists when used in an exclusion are as follows:</para>
<itemizedlist>
<listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-hosts</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -29,8 +31,8 @@
<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
in which the records in this file are interpreted.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines
the order in which the records in this file are interpreted.</para>
<warning>
<para>The only time that you need this file is when you have more than
@ -39,9 +41,9 @@
<warning>
<para>If you have an entry for a zone and interface in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
not include any entries in this file for that same (zone, interface)
pair.</para>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
then do not include any entries in this file for that same (zone,
interface) pair.</para>
</warning>
<para>The columns in the file are as follows.</para>
@ -53,8 +55,8 @@
<listitem>
<para>The name of a zone declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You may not
list the firewall zone in this column.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You
may not list the firewall zone in this column.</para>
</listitem>
</varlistentry>
@ -67,9 +69,9 @@
<listitem>
<para>The name of an interface defined in the <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
followed by a colon (":") and a comma-separated list whose elements
are either:</para>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file followed by a colon (":") and a comma-separated list whose
elements are either:</para>
<orderedlist numeration="loweralpha">
<listitem>
@ -169,8 +171,8 @@
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) file
then you do NOT need to specify the 'ipsec' option
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
file then you do NOT need to specify the 'ipsec' option
here.</para>
</listitem>
</varlistentry>
@ -181,8 +183,8 @@
<listitem>
<para>Connection requests from these hosts are compared
against the contents of <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an Ethernet
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
If this option is specified, the interface must be an Ethernet
NIC or equivalent and must be up before Shorewall is
started.</para>
</listitem>
@ -212,8 +214,8 @@
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
After logging, the packets are dropped.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-init</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>
<refnamediv>
@ -145,10 +147,11 @@
<para>On a laptop with both Ethernet and wireless interfaces, you will
want to make both interfaces optional and set the REQUIRE_INTERFACE option
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5) or
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5). This causes the firewall to remain stopped until at least one of the
interfaces comes up.</para>
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
</ulink>(5) or <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
causes the firewall to remain stopped until at least one of the interfaces
comes up.</para>
</refsect1>
<refsect1>
@ -163,12 +166,13 @@
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-interfaces</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -71,7 +73,8 @@
in this column.</para>
<para>If the interface serves multiple zones that will be defined in
the <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
the <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must
@ -111,8 +114,8 @@ loc eth2 -</programlisting>
<para>When using Shorewall versions before 4.1.4, care must be
exercised when using wildcards where there is another zone that uses
a matching specific interface. See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
discussion of this problem.</para>
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
for a discussion of this problem.</para>
<para>Shorewall allows '+' as an interface name.</para>
@ -433,8 +436,8 @@ loc eth2 -</programlisting>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an Ethernet
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
If this option is specified, the interface must be an Ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
@ -486,8 +489,8 @@ loc eth2 -</programlisting>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
After logging, the packets are dropped.</para>
</listitem>
</varlistentry>
@ -631,9 +634,9 @@ loc eth2 -</programlisting>
<important>
<para>If ROUTE_FILTER=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), or if
your distribution sets net.ipv4.conf.all.rp_filter=1 in
<filename>/etc/sysctl.conf</filename>, then setting
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
or if your distribution sets net.ipv4.conf.all.rp_filter=1
in <filename>/etc/sysctl.conf</filename>, then setting
<emphasis role="bold">routefilter</emphasis>=0 in an
<replaceable>interface</replaceable> entry will not disable
route filtering on that
@ -653,8 +656,8 @@ loc eth2 -</programlisting>
<itemizedlist>
<listitem>
<para>If USE_DEFAULT_RT=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
the interface is listed in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
and the interface is listed in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-ipsets</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -79,7 +81,8 @@
specified, matching packets must match all of the listed sets.</para>
<para>For information about set lists and exclusion, see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5).</para>
<para>Beginning with Shorewall 4.5.16, you can increment one or more
nfacct objects each time a packet matches an ipset. You do that by listing

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-maclist</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -27,9 +29,9 @@
associated IP addresses to be allowed to use the specified interface. The
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
option in the <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
file.</para>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
configuration file.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
@ -45,8 +47,8 @@
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
also allowed). If specified, the
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
REJECT is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-mangle</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -24,13 +26,15 @@
<title>Description</title>
<para>This file was introduced in Shorewall 4.6.0 and is intended to
replace <ulink url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>.
This file is only processed by the compiler if:</para>
replace <ulink
url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
file is only processed by the compiler if:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
or</para>
</listitem>
<listitem>
@ -44,10 +48,10 @@
<important>
<para>Unlike rules in the <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule
that matches.</para>
<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink
@ -104,8 +108,8 @@
<para>Unless otherwise specified for the particular
<replaceable>command</replaceable>, the default chain is PREROUTING
when MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
when MARK_IN_FORWARD_CHAIN=Yes.</para>
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A chain-designator may not be specified if the SOURCE or DEST
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
@ -310,8 +314,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then the
third rule above can be specified as follows:</para>
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
then the third rule above can be specified as follows:</para>
<programlisting>2:P eth0 - ; -p tcp</programlisting>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-masq</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -35,8 +37,8 @@
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
entries in <ulink
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
PREROUTING entries in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
that.</para>
</warning>
@ -55,27 +57,26 @@
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
comma-separated list of interface names. This is usually your
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
and a <emphasis>digit</emphasis> to indicate that you want the alias
added with that name (e.g., eth0:0). This will allow the alias to be
displayed with ifconfig. <emphasis role="bold">That is the only use
for the alias name; it may not appear in any other place in your
Shorewall configuration.</emphasis></para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
may add ":" and a <emphasis>digit</emphasis> to indicate that you
want the alias added with that name (e.g., eth0:0). This will allow
the alias to be displayed with ifconfig. <emphasis role="bold">That
is the only use for the alias name; it may not appear in any other
place in your Shorewall configuration.</emphasis></para>
<para>Each interface must match an entry in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Where <ulink
url="/4.4/MultiISP.html#Shared">more that
one internet provider share a single interface</ulink>, the provider
is specified by including the provider name or number in
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting>
@ -88,8 +89,8 @@
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
are ipset names preceded by a plus sign '+';</para>
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+';</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para>
@ -99,9 +100,9 @@
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
rule to be applied before one-to-one NAT rules, prefix the interface
name with "+":</para>
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
want the rule to be applied before one-to-one NAT rules, prefix the
interface name with "+":</para>
<programlisting> +eth0
+eth0:192.0.2.32/27
@ -174,7 +175,8 @@
<listitem>
<para>If you specify an address here, SNAT will be used and this
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
Shorewall will automatically add this address to the INTERFACE named
in the first column.</para>
@ -689,8 +691,8 @@
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then these
rules may be specified as follows:</para>
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
these rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-modules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -86,13 +88,13 @@
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-nat</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -29,10 +31,10 @@
<warning>
<para>If all you want to do is simple port forwarding, do NOT use this
file. See <ulink
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
Also, in many cases, Proxy ARP (<ulink
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
solution that one-to-one NAT.</para>
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
in many cases, Proxy ARP (<ulink
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
is a better solution that one-to-one NAT.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
@ -72,7 +74,8 @@
<listitem>
<para>Interfaces that have the <emphasis
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
Shorewall will automatically add the EXTERNAL address to this
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
name with ":" and a <emphasis>digit</emphasis> to indicate that you
@ -85,9 +88,9 @@
<para>Each interface must match an entry in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-nesting</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -24,17 +26,18 @@
<refsect1>
<title>Description</title>
<para>In <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
<para>In <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a zone
may be declared to be a sub-zone of one or more other zones using the
above syntax. The <replaceable>child-zone</replaceable> may be neither the
firewall zone nor a vserver zone. The firewall zone may not appear as a
parent zone, although all vserver zones are handled as sub-zones of the
firewall zone.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
are within multiple zones to be managed under the rules of all of these
zones.</para>
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows
hosts that are within multiple zones to be managed under the rules of all
of these zones.</para>
</refsect1>
<refsect1>
@ -74,7 +77,8 @@
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
@ -204,12 +208,13 @@
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-netmap</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -95,9 +97,9 @@
in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
@ -145,8 +147,8 @@
range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-params</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -26,8 +28,8 @@
<para>Assign any shell variables that you need in this file. The file is
always processed by <filename>/bin/sh</filename> or by the shell specified
through SHOREWALL_SHELL in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
shell capabilities may be used.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
range of shell capabilities may be used.</para>
<para>It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall
@ -40,7 +42,8 @@
<simplelist>
<member><emphasis role="bold">Any option from <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5)</emphasis></member>
<member><emphasis role="bold">COMMAND</emphasis></member>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-policy</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -66,8 +68,8 @@
<listitem>
<para>Source zone. Must be the name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
"all+".</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
$FW, "all" or "all+".</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
@ -84,11 +86,11 @@
<listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
"all+", another bport zone associated with the same bridge, or it
must be an ipv4 zone that is associated with only the same
bridge.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
$FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
must be "all", "all+", another bport zone associated with the same
bridge, or it must be an ipv4 zone that is associated with only the
same bridge.</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
@ -118,8 +120,8 @@
<listitem>
<para>The word "None" or "none". This causes any default action
defined in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to be
omitted for this policy.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to
be omitted for this policy.</para>
</listitem>
<listitem>
@ -191,8 +193,8 @@
might also match (where the source or destination zone in
those rules is a superset of the SOURCE or DEST in this
policy). See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
additional information.</para>
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
for additional information.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-providers</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -77,17 +79,17 @@
<listitem>
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
direct packets to this provider.</para>
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
file to direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
must be a multiple of 256 between 256 and 65280 or their hexadecimal
equivalents (0x0100 and 0xff00 with the low-order byte of the value
being zero). Otherwise, the value must be between 1 and 255. Each
provider must be assigned a unique mark value. This column may be
omitted if you don't use packet marking to direct connections to a
particular provider.</para>
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
the value must be a multiple of 256 between 256 and 65280 or their
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
of the value being zero). Otherwise, the value must be between 1 and
255. Each provider must be assigned a unique mark value. This column
may be omitted if you don't use packet marking to direct connections
to a particular provider.</para>
</listitem>
</varlistentry>
@ -112,8 +114,8 @@
<listitem>
<para>The name of the network interface to the provider. Must be
listed in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
general, that interface should not have the
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
In general, that interface should not have the
<option>proxyarp</option> option specified unless
<option>loose</option> is given in the OPTIONS column of this
entry.</para>
@ -177,8 +179,9 @@
<para>Beginning with Shorewall 4.4.3, <option>track</option>
defaults to the setting of the TRACK_PROVIDERS option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
If you set TRACK_PROVIDERS=Yes and want to override that
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5). If you set TRACK_PROVIDERS=Yes and want to override that
setting for an individual provider, then specify
<option>notrack</option> (see below).</para>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-proxyarp</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-routes</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -34,8 +36,8 @@
<listitem>
<para>The name or number of a provider defined in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5).
Beginning with Shorewall 4.5.14, you may also enter
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>
(5). Beginning with Shorewall 4.5.14, you may also enter
<option>main</option> in this column to add routes to the main
routing table.</para>
</listitem>
@ -73,8 +75,8 @@
<listitem>
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
given, then the INTERFACE specified for the PROVIDER in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5). This
column must be omitted if <option>blackhole</option>,
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>
(5). This column must be omitted if <option>blackhole</option>,
<option>prohibit</option> or <option>unreachable</option> is
specified in the GATEWAY column.</para>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-routestopped</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-rtrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-rules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,8 +27,8 @@
<para>Entries in this file govern connection establishment by defining
exceptions to the policies laid out in <ulink
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By default,
subsequent requests and responses are automatically allowed using
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By
default, subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the
rules are evaluated in the order in which they appear in this file and the
first terminating match is the one that determines the disposition of the
@ -145,8 +147,8 @@
<warning>
<para>If you specify FASTACCEPT=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the
<emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para>
<para>An except is made if you are running Shorewall 4.4.27 or later and
@ -234,8 +236,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
in /usr/share/shorewall/actions.std.</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std.</para>
</listitem>
</varlistentry>
@ -329,12 +331,13 @@
<para>Do not process any of the following rules for this
(source zone,destination zone). If the source and/or
destination IP address falls into a zone defined later in
<ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
or in a parent zone of the source or destination zones, then
this connection request will be passed to the rules defined
for that (those) zone(s). See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
additional information.</para>
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
for additional information.</para>
</listitem>
</varlistentry>
@ -671,8 +674,8 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall/actions.std then:</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std then:</para>
<itemizedlist>
<listitem>
@ -732,10 +735,10 @@
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@ -906,18 +909,19 @@
<listitem>
<para>Location of Server. May be a zone declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
$<emphasis role="bold">FW</emphasis> to indicate the firewall
itself, <emphasis role="bold">all</emphasis>. <emphasis
role="bold">all+</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>
<para>Beginning with Shorewall 4.5.4, A
<replaceable>countrycode-list</replaceable> may be specified. A
@ -1577,8 +1581,8 @@
</simplelist>
<para>If the HELPERS option is specified in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then any module
specified in this column must be listed in the HELPERS
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
any module specified in this column must be listed in the HELPERS
setting.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-secmarks</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,10 +27,10 @@
<important>
<para>Unlike rules in the <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final secmark
for each packet will be the one assigned by the LAST rule that
matches.</para>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final secmark for each packet will be the one assigned by the LAST rule
that matches.</para>
</important>
<para>The secmarks file is used to associate an SELinux context with
@ -249,8 +251,8 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-stoppedrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tcclasses</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -125,9 +127,9 @@
<para>You may specify the interface number rather than the interface
name. If the <emphasis role="bold">classify</emphasis> option is
given for the interface in <ulink
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
you must also specify an interface class (an integer that must be
unique within classes associated with this interface). If the
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5),
then you must also specify an interface class (an integer that must
be unique within classes associated with this interface). If the
classify option is not given, you may still specify a
<emphasis>class</emphasis> or you may have Shorewall generate a
class number from the MARK value. Interface numbers and class
@ -144,8 +146,8 @@
<para>Normally, all classes defined here are sub-classes of a root
class that is implicitly defined from the entry in <ulink
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
can establish a class hierarchy by specifying a
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5).
You can establish a class hierarchy by specifying a
<emphasis>parent</emphasis> class -- the number of a class that you
have previously defined. The sub-class may borrow unused bandwidth
from its parent.</para>
@ -159,11 +161,12 @@
<listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
marking the traffic you want to fit in the classes defined in here.
Must be specified as '-' if the <emphasis
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
file, marking the traffic you want to fit in the classes defined in
here. Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
<ulink
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
and you are running Shorewall 4.5.5 or earlier.</para>
<para>You can use the same marks for different interfaces.</para>
@ -290,7 +293,7 @@
<para>This is the default class for that interface where all
traffic should go, that is not classified otherwise.</para>
<para/>
<para></para>
<note>
<para>You must define <emphasis
@ -417,7 +420,8 @@
of the class. So the total RATE represented by an entry with
'occurs' will be the listed RATE multiplied by
<emphasis>number</emphasis>. For additional information, see
<ulink url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
<ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
(5).</para>
</listitem>
</varlistentry>
@ -720,10 +724,10 @@
priority number, giving less delay) and will be granted excess
bandwidth (up to 180kbps, the class ceiling) first, before any other
traffic. A single VoIP stream, depending upon codecs, after
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
classes EF and AFF3-1 respectively and are often used by VOIP
devices).</para>
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
a little bit just in case. (TOS byte values 0xb8 and 0x68 are
DiffServ classes EF and AFF3-1 respectively and are often used by
VOIP devices).</para>
<para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
echo traffic if you use the example in tcrules) and any packet with

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tcdevices</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -150,8 +152,7 @@
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink
url="/FAQ.htm#faq97a">Shorewall FAQ
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>
<para>To create a rate-estimated filter, precede the bandwidth with

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tcfilters</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tcinterfaces</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,7 +27,8 @@
<para>This file lists the interfaces that are subject to simple traffic
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
file:</para>
@ -161,8 +164,7 @@
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink
url="/FAQ.htm#faq97a">Shorewall FAQ
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>
<para>To create a rate-estimated filter, precede the bandwidth with

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tcpri</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,12 +27,13 @@
<para>This file is used to specify the priority of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
each packet is determined by the <emphasis role="bold">last</emphasis>
entry that the packet matches. If a packet doesn't match any entry in this
file, then its priority will be determined by its TOS field. The default
mapping is as follows but can be changed by setting the TC_PRIOMAP option
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The
priority band of each packet is determined by the <emphasis
role="bold">last</emphasis> entry that the packet matches. If a packet
doesn't match any entry in this file, then its priority will be determined
by its TOS field. The default mapping is as follows but can be changed by
setting the TC_PRIOMAP option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
@ -131,8 +134,8 @@
[<replaceable>helper</replaceable>]</term>
<listitem>
<para>Optional. Names a Netfilter protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the
<para>Optional. Names a Netfilter protocol helper module such as
ftp, sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number
that the original connection was made on.</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -52,12 +54,13 @@
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tos</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,7 +27,8 @@
<para>This file defines rules for setting Type Of Service (TOS). Its use
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>
(5).</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tunnels</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -27,8 +29,8 @@
encrypted) traffic to pass between the Shorewall system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See <ulink
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
for details.</para>
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
details.</para>
<para>The columns in the file are as follows.</para>
@ -143,8 +145,8 @@
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
may be given. Exclusion (<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
not supported.</para>
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5) ) is not supported.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-vardir</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -54,12 +56,13 @@
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-zones</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -45,17 +47,17 @@
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
as zone names. The maximum length of a zone name is determined by
the setting of the LOGFORMAT option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With the
default LOGFORMAT, zone names can be at most 5 characters
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With
the default LOGFORMAT, zone names can be at most 5 characters
long.</para>
<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5), the default
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
%s is replaced by the chain name and the second is replaced by the
disposition.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>
<itemizedlist>
<listitem>
@ -97,8 +99,8 @@
(sub)zone name by ":" and a comma-separated list of the parent
zones. The parent zones must have been declared in earlier records
in this file. See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
additional information.</para>
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
for additional information.</para>
<para>Example:</para>
@ -110,8 +112,8 @@ c:a,b ipv4</programlisting>
<para>Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the list.
The IMPLICIT_CONTINUE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can also create
implicit CONTINUE policies to/from the subzone.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can
also create implicit CONTINUE policies to/from the subzone.</para>
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
explicitly included as a child of an <emphasis
@ -180,7 +182,8 @@ c:a,b ipv4</programlisting>
<listitem>
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
Linux-vserver guests. The zone contents must be defined in
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
<ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
(5).</para>
<para>Vserver zones are implicitly handled as subzones of the
@ -310,7 +313,8 @@ c:a,b ipv4</programlisting>
<para>Added in Shorewall 4.5.9. May only be specified in the
OPTIONS column and indicates that only a single ipset should
be created for this zone if it has multiple dynamic entries in
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
<ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
Without this option, a separate ipset is created for each
interface.</para>
</listitem>
@ -354,9 +358,9 @@ c:a,b ipv4</programlisting>
<listitem>
<para>sets the MSS field in TCP packets. If you supply this
option, you should also set FASTACCEPT=No in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to insure
that both the SYN and SYN,ACK packets have their MSS field
adjusted.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
to insure that both the SYN and SYN,ACK packets have their MSS
field adjusted.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -204,8 +206,8 @@
<listitem>
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
is enabled (see <ulink
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
not specified or set to the empty value, ACCOUNTING=Yes is
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)).
If not specified or set to the empty value, ACCOUNTING=Yes is
assumed.</para>
</listitem>
</varlistentry>
@ -230,8 +232,8 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the external address(es) in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the
variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these aliases
@ -256,13 +258,13 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
addresses. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these addresses
yourself using your distribution's network configuration
tools.</para>
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If
the variable is set to <emphasis role="bold">Yes</emphasis> or
<emphasis role="bold">yes</emphasis> then Shorewall automatically
adds these addresses. If it is set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
you must add these addresses yourself using your distribution's
network configuration tools.</para>
<para>If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@ -356,7 +358,8 @@
<listitem>
<para>Specify the appropriate helper in the HELPER column in
<ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
<ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5).</para>
<note>
@ -430,7 +433,8 @@
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
determines the disposition of packets sent to the <emphasis
role="bold">blacklog</emphasis> target of <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
url="/manpages/shorewall-blrules.html">shorewall-blrules
</ulink>(5).</para>
</listitem>
</varlistentry>
@ -463,9 +467,11 @@
role="bold">yes</emphasis>, blacklists are only consulted for new
connections and for packets in the INVALID connection state (such as
TCP SYN,ACK when there has been no corresponding SYN). That includes
entries in the <ulink url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) file
and in the BLACKLIST section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).</para>
entries in the <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
file and in the BLACKLIST section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
@ -534,8 +540,8 @@
/etc/shorewall/tcstart file. That way, your traffic shaping rules
can still use the “fwmark” classifier based on packet marking
defined in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
specified, CLEAR_TC=Yes is assumed.</para>
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
If not specified, CLEAR_TC=Yes is assumed.</para>
</listitem>
</varlistentry>
@ -907,8 +913,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>Prior to version 3.2.0, it was not possible to use connection
marking in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
a multi-ISP configuration that uses the track option.</para>
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5)
if you had a multi-ISP configuration that uses the track
option.</para>
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
packet mark and connection mark into two mark fields.</para>
@ -990,11 +997,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>Subzones are defined by following their name with ":" and a
list of parent zones (in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
you want to have a set of special rules for the subzone and if a
connection doesn't match any of those subzone-specific rules then
you want the parent zone rules and policies to be applied; see
<ulink url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)).
Normally, you want to have a set of special rules for the subzone
and if a connection doesn't match any of those subzone-specific
rules then you want the parent zone rules and policies to be
applied; see <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -1011,9 +1019,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a semicolon
separates column-oriented specifications on the left from <ulink
url="/configuration_file_basics.htm#Pairs">alternative
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
semicolon separates column-oriented specifications on the left from
<ulink url="/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
@ -1029,10 +1037,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
When a packet in INVALID state fails to match any rule in the
INVALID section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -1117,11 +1125,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>This option indicates that zone-related ipsec information is
found in the zones file (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). The option
indicates to the compiler that this is not a legacy configuration
where the ipsec information was contained in a separate file. The
value of this option must not be changed and the option must not be
deleted.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)).
The option indicates to the compiler that this is not a legacy
configuration where the ipsec information was contained in a
separate file. The value of this option must not be changed and the
option must not be deleted.</para>
</listitem>
</varlistentry>
@ -1378,7 +1386,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<note>
<para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
@ -1546,8 +1555,8 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>The performance of configurations with a large numbers of
entries in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
can be improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>If your iptables and kernel support the "Recent Match" (see
@ -1557,14 +1566,15 @@ LOG:info:,bar net fw</programlisting>
<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
<ulink url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
there is a match then the source IP address is added to the 'Recent'
set for that interface. Subsequent connection attempts from that IP
address occurring within $MACLIST_TTL seconds will be accepted
without having to scan all of the entries. After $MACLIST_TTL from
the first accepted connection request from an IP address, the next
connection request from that IP address will be checked against the
entire list.</para>
<ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
If there is a match then the source IP address is added to the
'Recent' set for that interface. Subsequent connection attempts from
that IP address occurring within $MACLIST_TTL seconds will be
accepted without having to scan all of the entries. After
$MACLIST_TTL from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@ -2104,12 +2114,13 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5). Concern about the safety of this practice resulted in the
addition of this option. When a packet in RELATED state fails to
match any rule in the RELATED section, the packet is disposed of
based on this setting. The default value is ACCEPT for compatibility
with earlier versions.</para>
section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
Concern about the safety of this practice resulted in the addition
of this option. When a packet in RELATED state fails to match any
rule in the RELATED section, the packet is disposed of based on this
setting. The default value is ACCEPT for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -2120,9 +2131,9 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
this level. The default value is empty which means no logging is
performed.</para>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -2203,7 +2214,8 @@ INLINE - - - ; -j REJECT
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
at least one optional interface must be up in order for the firewall
to be in the started state. Intended to be used with the <ulink
url="/manpages/shorewall-init.html">Shorewall Init Package</ulink>.</para>
url="/manpages/shorewall-init.html">Shorewall Init
Package</ulink>.</para>
</listitem>
</varlistentry>
@ -2266,17 +2278,17 @@ INLINE - - - ; -j REJECT
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) are processed
then are re-added later. This is done to help ensure that the
addresses can be added with the specified labels but can have the
undesirable side effect of causing routes to be quietly deleted.
When RETAIN_ALIASES is set to Yes, existing addresses will not be
deleted. Regardless of the setting of RETAIN_ALIASES, addresses
added during <emphasis role="bold">shorewall start</emphasis> are
still deleted at a subsequent <emphasis role="bold">shorewall
stop</emphasis> or <emphasis role="bold">shorewall
restart</emphasis>.</para>
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and
<ulink url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5)
are processed then are re-added later. This is done to help ensure
that the addresses can be added with the specified labels but can
have the undesirable side effect of causing routes to be quietly
deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
not be deleted. Regardless of the setting of RETAIN_ALIASES,
addresses added during <emphasis role="bold">shorewall
start</emphasis> are still deleted at a subsequent <emphasis
role="bold">shorewall stop</emphasis> or <emphasis
role="bold">shorewall restart</emphasis>.</para>
</listitem>
</varlistentry>
@ -2374,9 +2386,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.20. Determines the disposition of
packets matching the <option>sfilter</option> option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
of <firstterm>hairpin</firstterm> packets on interfaces without the
<option>routeback</option> option.<footnote>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
and of <firstterm>hairpin</firstterm> packets on interfaces without
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option.</para>
@ -2390,9 +2402,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added on Shorewall 4.4.20. Determines the logging of packets
matching the <option>sfilter</option> option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
of <firstterm>hairpin</firstterm> packets on interfaces without the
<option>routeback</option> option.<footnote>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
and of <firstterm>hairpin</firstterm> packets on interfaces without
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option. The default
@ -2421,9 +2433,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
be dropped. A_DROP causes the packets to be audited prior to being
dropped and requires AUDIT_TARGET support in the kernel and
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
to be dropped. A_DROP causes the packets to be audited prior to
being dropped and requires AUDIT_TARGET support in the kernel and
iptables.</para>
</listitem>
</varlistentry>
@ -2435,8 +2447,8 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Specifies the logging level for smurf packets (see the
nosmurfs option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.</para>
</listitem>
</varlistentry>
@ -2525,7 +2537,8 @@ INLINE - - - ; -j REJECT
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
simple traffic shaping using <ulink
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
and <ulink url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
and <ulink
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
enabled.</para>
<para>If you set TC_ENABLED=Internal or internal or leave the option
@ -2589,10 +2602,10 @@ INLINE - - - ; -j REJECT
<para>Determines the disposition of TCP packets that fail the checks
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
must have a value of ACCEPT (accept the packet), REJECT (send an RST
response) or DROP (ignore the packet). If not set or if set to the
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
and must have a value of ACCEPT (accept the packet), REJECT (send an
RST response) or DROP (ignore the packet). If not set or if set to
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@ -2621,8 +2634,8 @@ INLINE - - - ; -j REJECT
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
<option>track</option> option to be assumed on all providers defined
in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5). May
be overridden on an individual provider through use of the
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).
May be overridden on an individual provider through use of the
<option>notrack</option> option. The default value is 'No'.</para>
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -2669,10 +2682,10 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
When a packet in UNTRACKED state fails to match any rule in the
UNTRACKED section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -2684,9 +2697,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
this level. The default value is empty which means no logging is
performed.</para>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -2708,8 +2721,8 @@ INLINE - - - ; -j REJECT
<orderedlist>
<listitem>
<para>Both the DUPLICATE and the COPY columns in <ulink
url="/manpages/shorewall-providers.html">providers</ulink>(5) file must
remain empty (or contain "-").</para>
url="/manpages/shorewall-providers.html">providers</ulink>(5)
file must remain empty (or contain "-").</para>
</listitem>
<listitem>
@ -2725,9 +2738,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Packets are sent through the main routing table by a rule
with priority 999. In <ulink
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5), the
range 1-998 may be used for inserting rules that bypass the main
table.</para>
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5),
the range 1-998 may be used for inserting rules that bypass the
main table.</para>
</listitem>
<listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-lite-vardir</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-lite.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-lite</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-accounting</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-actions</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -24,8 +26,9 @@
<title>Description</title>
<para>This file allows you to define new ACTIONS for use in rules (see
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You define
the ip6tables rules to be performed in an ACTION in
<ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You
define the ip6tables rules to be performed in an ACTION in
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
<para>Columns are:</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-blacklist</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -26,10 +28,11 @@
<para>The blacklist file is used to perform static blacklisting by source
address (IP or MAC), or by application. The use of this file is deprecated
in favor of <ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
blacklist files can be converted to a corresponding blrules file using the
<command>shorewall6 update -b</command> command.</para>
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
and beginning with Shorewall 4.5.7, the blacklist file is no longer
installed. Existing blacklist files can be converted to a corresponding
blrules file using the <command>shorewall6 update -b</command>
command.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
@ -47,8 +50,8 @@
(if your kernel and ip6tables contain iprange match support) or
ipset name prefaced by "+" (if your kernel supports ipset match).
Exclusion (<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
supported.</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
is supported.</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
@ -145,13 +148,13 @@
<para>When a packet arrives on an interface that has the <emphasis
role="bold">blacklist</emphasis> option specified in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5), its
source IP address and MAC address is checked against this file and
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
its source IP address and MAC address is checked against this file and
disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If <emphasis
role="bold">PROTOCOL</emphasis> or <emphasis
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
<emphasis role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-blrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -34,7 +36,8 @@
connections in the NEW and INVALID states.</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
in <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
difference in the two files lies in the ACTION (first) column.</para>
<variablelist>
@ -89,10 +92,11 @@
<listitem>
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf </ulink>(5).
Logs, audits (if specified) and applies the
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
</ulink>(5). Logs, audits (if specified) and applies the
BLACKLIST_DISPOSITION specified in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
@ -206,8 +210,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
in /usr/share/shorewall6/actions.std.</para>
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall6/actions.std.</para>
</listitem>
</varlistentry>
@ -238,8 +242,8 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
/usr/share/shorewall6/actions.std then:</para>
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall6/actions.std then:</para>
<itemizedlist>
<listitem>
@ -274,7 +278,8 @@
</variablelist>
<para>For the remaining columns, see <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules
(5)</ulink>.</para>
</refsect1>
<refsect1>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-conntrack</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -357,7 +359,8 @@
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
@ -373,7 +376,8 @@
<listitem>
<para>where <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-exclusion</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -103,10 +105,11 @@ ACCEPT all!z2 net tcp 22</programlisting>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-hosts</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -29,8 +31,9 @@
<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) determines the
order in which the records in this file are interpreted.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
determines the order in which the records in this file are
interpreted.</para>
<warning>
<para>The only time that you need this file is when you have more than
@ -39,9 +42,9 @@
<warning>
<para>If you have an entry for a zone and interface in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) then do
not include any entries in this file for that same (zone, interface)
pair.</para>
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
then do not include any entries in this file for that same (zone,
interface) pair.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
@ -55,8 +58,8 @@
<listitem>
<para>The name of a zone declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). You may not
list the firewall zone in this column.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).
You may not list the firewall zone in this column.</para>
</listitem>
</varlistentry>
@ -137,8 +140,8 @@
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) file
then you do NOT need to specify the 'ipsec' option
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
file then you do NOT need to specify the 'ipsec' option
here.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-interfaces</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -71,7 +73,8 @@
zone in this column.</para>
<para>If the interface serves multiple zones that will be defined in
the <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
the <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must
@ -115,8 +118,8 @@ loc eth2 -</programlisting>
<para>Care must be exercised when using wildcards where there is
another zone that uses a matching specific interface. See <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
discussion of this problem.</para>
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for a discussion of this problem.</para>
<para>Shorewall6 allows '+' as an interface name.</para>
@ -270,8 +273,8 @@ loc eth2 -</programlisting>
<listitem>
<para>the interface is a <ulink
url="/SimpleBridge.html">simple bridge</ulink> with a
DHCP server on one port and DHCP clients on another
url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
server on one port and DHCP clients on another
port.</para>
<note>
@ -501,7 +504,7 @@ loc eth2 -</programlisting>
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
<para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
default. To disable this option, specify tcpflags=0. </para>
default. To disable this option, specify tcpflags=0.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall-ipsets</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -78,7 +80,8 @@
specified, matching packets must match all of the listed sets.</para>
<para>For information about set lists and exclusion, see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5).</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5).</para>
<para>Beginning with Shorewall 4.5.16, you can increment one or more
nfacct objects each time a packet matches an ipset. You do that by listing

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-maclist</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -27,8 +29,9 @@
associated IPv6 addresses to be allowed to use the specified interface.
The feature is enabled by using the <emphasis
role="bold">maclist</emphasis> option in the <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
or <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
configuration file.</para>
<para>The columns in the file are as follows.</para>
@ -43,8 +46,8 @@
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
is also allowed). If specified, the
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then REJECT is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-mangle</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,13 +27,14 @@
<para>This file was introduced in Shorewall 4.6.0 and is intended to
replace <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
only processed by the compiler if:</para>
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>.
This file is only processed by the compiler if:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
or</para>
</listitem>
@ -46,10 +49,10 @@
<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule
that matches.</para>
<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink
@ -106,8 +109,8 @@
<para>Unless otherwise specified for the particular
<replaceable>command</replaceable>, the default chain is PREROUTING
when MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
when MARK_IN_FORWARD_CHAIN=Yes.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A chain-designator may not be specified if the SOURCE or DEST
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
@ -312,8 +315,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
third rule above can be specified as follows:</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
then the third rule above can be specified as follows:</para>
<programlisting>2:P eth0 - ; -p tcp</programlisting>
</listitem>
@ -731,9 +734,9 @@ Normal-Service =&gt; 0x00</programlisting>
<para>An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5)). The interface name may be optionally followed by a colon
(":") and an IP address list.</para>
</listitem>
<listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-masq</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -35,10 +37,10 @@
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to do
that.</para>
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
or PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
do that.</para>
</warning>
<para>The columns in the file are as follows.</para>
@ -65,10 +67,9 @@
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Where <ulink
url="/4.4/MultiISP.html#Shared">more that
one internet provider share a single interface</ulink>, the provider
is specified by including the provider name or number in
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting>
@ -81,8 +82,8 @@
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
are ipset names preceded by a plus sign '+'.</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+'.</para>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of COMMENT lines. These lines
@ -545,8 +546,8 @@
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then these
rules may be specified as follows:</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then these rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-modules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -30,8 +32,8 @@
<para>These files specify which kernel modules shorewall6 will load before
trying to determine your ip6tables/kernel's capabilities. The
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5); the
<filename>helpers</filename> file is used when
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5);
the <filename>helpers</filename> file is used when
LOAD_HELPERS_ONLY=Yes.</para>
<para>Each record in the files has the following format:</para>
@ -86,8 +88,8 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-nesting</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -24,17 +26,18 @@
<refsect1>
<title>Description</title>
<para>In <ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
<para>In <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a zone
may be declared to be a sub-zone of one or more other zones using the
above syntax. The <replaceable>child-zone</replaceable> may be neither the
firewall zone nor a vserver zone. The firewall zone may not appear as a
parent zone, although all vserver zones are handled as sub-zones of the
firewall zone.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
that are within multiple zones to be managed under the rules of all of
these zones.</para>
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5)
allows hosts that are within multiple zones to be managed under the rules
of all of these zones.</para>
</refsect1>
<refsect1>
@ -74,7 +77,8 @@
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
@ -109,10 +113,11 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-netmap</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -24,8 +26,7 @@
<title>Description</title>
<para>This file is used to map addresses in one network to corresponding
addresses in a second network. It was added in Shorewall6
4.4.23.3.</para>
addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
<warning>
<para>To use this file, your kernel and ip6tables must have RAWPOST
@ -145,8 +146,8 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,

View File

@ -3,9 +3,11 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-netmap(5),shorewall6-params</refentrytitle>
<refentrytitle>shorewall6-params</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -26,8 +28,8 @@
<para>Assign any shell variables that you need in this file. The file is
always processed by <filename>/bin/sh</filename> or by the shell specified
through SHOREWALL_SHELL in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
of shell capabilities may be used.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the
full range of shell capabilities may be used.</para>
<para>It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-policy</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -66,8 +68,8 @@
<listitem>
<para>Source zone. Must be the name of a zone defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
"all+".</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$FW, "all" or "all+".</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
@ -84,11 +86,11 @@
<listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
"all+", another bport zone associated with the same bridge, or it
must be an ipv4 zone that is associated with only the same
bridge.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
must be "all", "all+", another bport zone associated with the same
bridge, or it must be an ipv4 zone that is associated with only the
same bridge.</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
@ -118,8 +120,8 @@
<listitem>
<para>The word "None" or "none". This causes any default action
defined in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
omitted for this policy.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
to be omitted for this policy.</para>
</listitem>
<listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-providers</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -77,17 +79,17 @@
<listitem>
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file to
direct packets to this provider.</para>
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
file to direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then the
value must be a multiple of 256 between 256 and 65280 or their
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
of the value being zero). Otherwise, the value must be between 1 and
255. Each provider must be assigned a unique mark value. This column
may be omitted if you don't use packet marking to direct connections
to a particular provider.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then the value must be a multiple of 256 between 256 and 65280 or
their hexadecimal equivalents (0x0100 and 0xff00 with the low-order
byte of the value being zero). Otherwise, the value must be between
1 and 255. Each provider must be assigned a unique mark value. This
column may be omitted if you don't use packet marking to direct
connections to a particular provider.</para>
</listitem>
</varlistentry>
@ -190,7 +192,8 @@
<para>Beginning with Shorewall 4.4.3, <option>track</option>
defaults to the setting of the TRACK_PROVIDERS option in
<ulink url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
<ulink
url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
(5). If you set TRACK_PROVIDERS=Yes and want to override that
setting for an individual provider, then specify
<option>notrack</option> (see below).</para>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-proxyndp</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-routes</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -34,8 +36,8 @@
<listitem>
<para>The name or number of a provider defined in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink> (5).
Beginning with Shorewall 4.5.14, you may also enter
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
(5). Beginning with Shorewall 4.5.14, you may also enter
<option>main</option> in this column to add routes to the main
routing table.</para>
</listitem>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-routestopped</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-rtrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-rules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,8 +27,8 @@
<para>Entries in this file govern connection establishment by defining
exceptions to the policies laid out in <ulink
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
subsequent requests and responses are automatically allowed using
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By
default, subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the
rules are evaluated in the order in which they appear in this file and the
first terminating match is the one that determines the disposition of the
@ -137,8 +139,8 @@
<warning>
<para>If you specify FASTACCEPT=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then
the <emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para>
<para>An except is made if you are running Shorewall 4.4.27 or later and
@ -207,8 +209,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
in /usr/share/shorewall/actions.std.</para>
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall/actions.std.</para>
</listitem>
</varlistentry>
@ -302,7 +304,8 @@
<para>Do not process any of the following rules for this
(source zone,destination zone). If the source and/or
destination IP address falls into a zone defined later in
<ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
or in a parent zone of the source or destination zones, then
this connection request will be passed to the rules defined
for that (those) zone(s). See <ulink
@ -629,8 +632,8 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall/actions.std then:</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std then:</para>
<itemizedlist>
<listitem>
@ -688,10 +691,10 @@
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@ -856,18 +859,19 @@
<listitem>
<para>Location of Server. May be a zone declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$<emphasis role="bold">FW</emphasis> to indicate the firewall
itself, <emphasis role="bold">all</emphasis>. <emphasis
role="bold">all+</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
Ths <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
exclusion is supported -- see see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
@ -1559,9 +1563,9 @@
</simplelist>
<para>If the HELPERS option is specified in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then any module
specified in this column must be listed in the HELPERS
setting.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then any module specified in this column must be listed in the
HELPERS setting.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-secmarks</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,10 +27,10 @@
<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final secmark
for each packet will be the one assigned by the LAST rule that
matches.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final secmark for each packet will be the one assigned by the LAST rule
that matches.</para>
</important>
<para>The secmarks file is used to associate an SELinux context with
@ -243,8 +245,8 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-stoppedrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcclasses</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -140,8 +142,8 @@
<para>Normally, all classes defined here are sub-classes of a root
class (class number 1) that is implicitly defined from the entry in
<ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
can establish a class hierarchy by specifying a
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5).
You can establish a class hierarchy by specifying a
<emphasis>parent</emphasis> class -- the number of a class that you
have previously defined. The sub-class may borrow unused bandwidth
from its parent.</para>
@ -155,13 +157,13 @@
<listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
marking the traffic you want to fit in the classes defined in here.
Must be specified as '-' if the <emphasis
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
file, marking the traffic you want to fit in the classes defined in
here. Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
you are running Shorewall 4.5 5 or earlier.</para>
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
and you are running Shorewall 4.5 5 or earlier.</para>
<para>You can use the same marks for different interfaces.</para>
</listitem>
@ -672,10 +674,10 @@
priority number, giving less delay) and will be granted excess
bandwidth (up to 180kbps, the class ceiling) first, before any other
traffic. A single VoIP stream, depending upon codecs, after
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
classes EF and AFF3-1 respectively and are often used by VOIP
devices).</para>
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
a little bit just in case. (TOS byte values 0xb8 and 0x68 are
DiffServ classes EF and AFF3-1 respectively and are often used by
VOIP devices).</para>
<para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
echo traffic if you use the example in tcrules) and any packet with

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcdevices</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -151,8 +153,7 @@
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink
url="/FAQ.htm#faq97a">Shorewall FAQ
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>
<para>To create a rate-estimated filter, precede the bandwidth with

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcfilters</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcinterfaces</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,7 +27,8 @@
<para>This file lists the interfaces that are subject to simple traffic
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
file:</para>
@ -161,8 +164,7 @@
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink
url="/FAQ.htm#faq97a">Shorewall FAQ
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>
<para>To create a rate-estimated filter, precede the bandwidth with

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcpri</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -25,12 +27,13 @@
<para>This file is used to specify the priority band of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
of each packet is determined by the <emphasis role="bold">last</emphasis>
entry that the packet matches. If a packet doesn't match any entry in this
file, then its priority will be determined by its TOS field. The default
mapping is as follows but can be changed by setting the TC_PRIOMAP option
in <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The
priority band of each packet is determined by the <emphasis
role="bold">last</emphasis> entry that the packet matches. If a packet
doesn't match any entry in this file, then its priority will be determined
by its TOS field. The default mapping is as follows but can be changed by
setting the TC_PRIOMAP option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
@ -131,8 +134,8 @@
[<replaceable>helper</replaceable>]</term>
<listitem>
<para>Optional. Names a Netfilter protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the
<para>Optional. Names a Netfilter protocol helper module such as
ftp, sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number
that the original connection was made on.</para>

View File

@ -3,9 +3,11 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-mangle</refentrytitle>
<refentrytitle>shorewall6-tcrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -28,10 +30,10 @@
<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule
that matches.</para>
<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall6/providers be sure to read the restrictions at <ulink
@ -517,7 +519,8 @@
[<replaceable>option</replaceable>] ...") after any matches
specified at the end of the rule. If the target is not one known
to Shorewall, then it must be defined as a builtin action in
<ulink url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
(5).</para>
<para>The following rules are equivalent:</para>
@ -529,8 +532,8 @@ INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
third rule above can be specified as follows:</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
then the third rule above can be specified as follows:</para>
<programlisting>2:P eth0 - ; -p tcp</programlisting>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -54,10 +56,11 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tos</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tunnels</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -27,8 +29,8 @@
encrypted) traffic to pass between the Shorewall6 system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See <ulink
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
for details.</para>
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
details.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
@ -138,8 +140,8 @@
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
may be given. Exclusion (<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
is not supported.</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5) ) is not supported.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-vardir</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -55,10 +57,11 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-zones</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -44,17 +46,17 @@
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
names. The maximum length of a zone name is determined by the
setting of the LOGFORMAT option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
default LOGFORMAT, zone names can be at most 5 characters
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
With the default LOGFORMAT, zone names can be at most 5 characters
long.</para>
<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the default
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
%s is replaced by the chain name and the second is replaced by the
disposition.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>
<itemizedlist>
<listitem>
@ -95,8 +97,8 @@
follow the (sub)zone name by ":" and a comma-separated list of the
parent zones. The parent zones must have been declared in earlier
records in this file. See <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
additional information.</para>
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for additional information.</para>
<para>Example:</para>
@ -108,8 +110,8 @@ c:a,b ipv6</programlisting>
<para>Currently, Shorewall6 uses this information to reorder the
zone list so that parent zones appear after their subzones in the
list. The IMPLICIT_CONTINUE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
create implicit CONTINUE policies to/from the subzone.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can
also create implicit CONTINUE policies to/from the subzone.</para>
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
explicitly included as a child of an <emphasis
@ -178,7 +180,8 @@ c:a,b ipv6</programlisting>
<listitem>
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
Linux-vserver guests. The zone contents must be defined in
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
<ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
(5).</para>
<para>Vserver zones are implicitly handled as subzones of the
@ -353,8 +356,8 @@ c:a,b ipv6</programlisting>
<listitem>
<para>sets the MSS field in TCP packets. If you supply this
option, you should also set FASTACCEPT=No in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to
insure that both the SYN and SYN,ACK packets have their MSS
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
to insure that both the SYN and SYN,ACK packets have their MSS
field adjusted.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
@ -286,7 +288,8 @@
<listitem>
<para>Specify the appropriate helper in the HELPER column in
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
<ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
(5).</para>
<note>
@ -393,9 +396,10 @@
packets that are UNTRACKED due to entries in <ulink
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
This includes entries in the <ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
and in the BLACKLIST section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
(5) file and in the BLACKLIST section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
(5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
@ -464,8 +468,8 @@
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
can still use the “fwmark” classifier based on packet marking
defined in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
specified, CLEAR_TC=No is assumed.</para>
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
If not specified, CLEAR_TC=No is assumed.</para>
<warning>
<para>If you also run Shorewall and if you have
@ -861,11 +865,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>Subzones are defined by following their name with ":" and a
list of parent zones (in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
you want to have a set of special rules for the subzone and if a
connection doesn't match any of those subzone-specific rules then
you want the parent zone rules and policies to be applied; see
<ulink url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)).
Normally, you want to have a set of special rules for the subzone
and if a connection doesn't match any of those subzone-specific
rules then you want the parent zone rules and policies to be
applied; see <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -882,9 +887,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
separates column-oriented specifications on the left from <ulink
url="/configuration_file_basics.htm#Pairs">alternative
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
a semicolon separates column-oriented specifications on the left
from <ulink url="/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
@ -900,10 +905,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5).
When a packet in INVALID state fails to match any rule in the
INVALID section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -915,8 +920,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
logged at this level. The default value is empty which means no
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
are logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -1205,7 +1210,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<note>
<para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
@ -1373,8 +1379,8 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>The performance of configurations with a large numbers of
entries in <ulink
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5) can be
improved by setting the MACLIST_TTL variable in <ulink
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5)
can be improved by setting the MACLIST_TTL variable in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>If your iptables and kernel support the "Recent Match" (see
@ -1384,14 +1390,15 @@ LOG:info:,bar net fw</programlisting>
<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
<ulink url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5). If
there is a match then the source IP address is added to the 'Recent'
set for that interface. Subsequent connection attempts from that IP
address occurring within $MACLIST_TTL seconds will be accepted
without having to scan all of the entries. After $MACLIST_TTL from
the first accepted connection request from an IP address, the next
connection request from that IP address will be checked against the
entire list.</para>
<ulink
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5).
If there is a match then the source IP address is added to the
'Recent' set for that interface. Subsequent connection attempts from
that IP address occurring within $MACLIST_TTL seconds will be
accepted without having to scan all of the entries. After
$MACLIST_TTL from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@ -1860,10 +1867,10 @@ LOG:info:,bar net fw</programlisting>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
about the safety of this practice resulted in the addition of this
option. When a packet in RELATED state fails to match any rule in
the RELATED section, the packet is disposed of based on this
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
Concern about the safety of this practice resulted in the addition
of this option. When a packet in RELATED state fails to match any
rule in the RELATED section, the packet is disposed of based on this
setting. The default value is ACCEPT for compatibility with earlier
versions.</para>
</listitem>
@ -1876,8 +1883,8 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
logged at this level. The default value is empty which means no
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
are logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -2040,9 +2047,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)) to
be dropped. A_DROP causes the packets to be audited prior to being
dropped and requires AUDIT_TARGET support in the kernel and
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
to be dropped. A_DROP causes the packets to be audited prior to
being dropped and requires AUDIT_TARGET support in the kernel and
ip6tables.</para>
</listitem>
</varlistentry>
@ -2187,7 +2194,8 @@ INLINE - - - ; -j REJECT
<filename>tcdevices</filename> and <filename>tcclasses</filename>
files. This allows the compiler to have access to your Shorewall
traffic shaping configuration so that it can validate CLASSIFY rules
in <ulink url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
(5).</para>
<warning>
@ -2222,12 +2230,12 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
TOS field to priority bands. See <ulink
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
<emphasis>map</emphasis> consists of 16 space-separated digits with
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
the priority of TOS value 0, the second of TOS value 1, and so on.
See tc-prio(8) for additional information.</para>
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5).
The <emphasis>map</emphasis> consists of 16 space-separated digits
with values 1, 2 or 3. A value of 1 corresponds to Linux priority 0,
2 to Linux priority 1, and 3 to Linux Priority 2. The first entry
gives the priority of TOS value 0, the second of TOS value 1, and so
on. See tc-prio(8) for additional information.</para>
<para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
2 2".</para>
@ -2273,8 +2281,8 @@ INLINE - - - ; -j REJECT
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
<option>track</option> option to be assumed on all providers defined
in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5). May
be overridden on an individual provider through use of the
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).
May be overridden on an individual provider through use of the
<option>notrack</option> option. The default value is 'No'.</para>
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -2286,14 +2294,15 @@ INLINE - - - ; -j REJECT
to zero, thus allowing the packet to be routed using the 'main'
routing table. Using the main table allowed dynamic routes (such as
those added for VPNs) to be effective. The <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
created to provide a better alternative to clearing the packet mark.
As a consequence, passing these packets to PREROUTING complicates
things without providing any real benefit. Beginning with Shorewall
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
through 'tracked' interfaces will not be passed to the PREROUTING
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
change should be transparent to most, if not all, users.</para>
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
file was created to provide a better alternative to clearing the
packet mark. As a consequence, passing these packets to PREROUTING
complicates things without providing any real benefit. Beginning
with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
packets arriving through 'tracked' interfaces will not be passed to
the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
4.4.3, this change should be transparent to most, if not all,
users.</para>
</listitem>
</varlistentry>
@ -2322,10 +2331,10 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
When a packet in UNTRACKED state fails to match any rule in the
UNTRACKED section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -2337,8 +2346,8 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
logged at this level. The default value is empty which means no
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
are logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall6</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>
<refnamediv>
@ -659,9 +661,9 @@
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each
<emphasis role="bold">v</emphasis> adds one to the effective verbosity and
each <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
There may be no white-space between <emphasis role="bold">v</emphasis> and
@ -701,10 +703,10 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
single ipset to handle entries for multiple interfaces. When that
option is specified for a zone, the <command>add</command> command
has the alternative syntax in which the
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the <command>add</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
@ -756,7 +758,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -822,7 +825,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -842,11 +846,11 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
single ipset to handle entries for multiple interfaces. When that
option is specified for a zone, the <command>delete</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the
<command>delete</command> command has the alternative syntax in
which the <replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
</varlistentry>
@ -865,8 +869,8 @@
any optional network interface. <replaceable>interface</replaceable>
may be either the logical or physical name of the interface. The
command removes any routes added from <ulink
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
traffic shaping configuration for the interface.</para>
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
and any traffic shaping configuration for the interface.</para>
</listitem>
</varlistentry>
@ -912,8 +916,8 @@
may be either the logical or physical name of the interface. The
command sets <filename>/proc</filename> entries for the interface,
adds any route specified in <ulink
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and
installs the interface's traffic shaping configuration, if
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
and installs the interface's traffic shaping configuration, if
any.</para>
</listitem>
</varlistentry>
@ -1032,7 +1036,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1043,7 +1048,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
@ -1052,7 +1058,8 @@
<listitem>
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
produces an audible alarm when new Shorewall6 messages are logged.
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that information is
@ -1072,7 +1079,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
@ -1124,7 +1132,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The -<option>D</option> option was added in Shorewall 4.5.3
and causes Shorewall to look in the given
@ -1184,7 +1193,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1229,9 +1239,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
<option>-f</option> and <option>-c </option>are present, the result
is determined by the option that appears last.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When both <option>-f</option> and <option>-c </option>are present,
the result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
@ -1241,7 +1251,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1445,8 +1456,8 @@
<listitem>
<para>Displays the last 20 Shorewall6 messages from the log
file specified by the LOGFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
<emphasis role="bold">-m</emphasis> option causes the MAC
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
@ -1537,16 +1548,16 @@
for configuration files. If <emphasis role="bold">-f</emphasis> is
specified, the saved configuration specified by the RESTOREFILE
option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall6. When <emphasis
role="bold">-f</emphasis> is given, a
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
will be restored if that saved configuration exists and has been
modified more recently than the files in /etc/shorewall6. When
<emphasis role="bold">-f</emphasis> is given, a
<replaceable>directory</replaceable> may not be specified.</para>
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
was added to <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When
LEGACY_FASTSTART=No, the modification times of files in
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall6 are compared with that of
/var/lib/shorewall6/firewall (the compiled script that last
started/restarted the firewall).</para>
@ -1557,9 +1568,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
<option>-f</option> and <option>-c </option>are present, the result
is determined by the option that appears last.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When both <option>-f</option> and <option>-c </option>are present,
the result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
@ -1569,7 +1580,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1581,9 +1593,9 @@
listed in <ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
down. The only new traffic permitted through the firewall is from
systems listed in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
are taken down. The only new traffic permitted through the firewall
is from systems listed in <ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
</listitem>
@ -1652,13 +1664,15 @@
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
to be converted to entries in the blrules file (<ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
and <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>
(5) ) to be converted to entries in the blrules file (<ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
(5) ). The blacklist keyword is removed from <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5),
<ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5) and <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
The unmodified files are saved with a .bak suffix.</para>
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
@ -1672,7 +1686,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>