mirror of https://gitlab.com/shorewall/code.git (synced 2024-11-24 16:43:21 +01:00)
Add <refmiscinfo>...</refmiscinfo> to remaining manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent 5a649dc205
commit 44e0d48fc5
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-lite-vardir</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
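Review bot: the added `<refmiscinfo>Configuration Files</refmiscinfo>` carries no class attribute; DocBook allows several kinds of refmiscinfo, so writing it as `<refmiscinfo class="manual">Configuration Files</refmiscinfo>` makes it unambiguous that this string is the manual name meant for the page header rather than, say, a source or version string. The same applies to every refmeta hunk in this commit, including the "Administrative Commands" value used for the section 8 pages.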
@ -54,7 +56,7 @@
|
||||
/opt/var/lib/shorewall-lite/.</para>
|
||||
</blockquote>
|
||||
|
||||
<para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
|
||||
<para>When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
|
||||
will save its state in the <replaceable>directory</replaceable>
|
||||
specified.</para>
|
||||
</note>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-lite.conf</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-lite</refentrytitle>
|
||||
|
||||
<manvolnum>8</manvolnum>
|
||||
|
||||
<refmiscinfo>Administrative Commands</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-accounting</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-actions</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -24,8 +26,8 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file allows you to define new ACTIONS for use in rules (see
|
||||
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>). You define
|
||||
the iptables rules to be performed in an ACTION in
|
||||
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>).
|
||||
You define the iptables rules to be performed in an ACTION in
|
||||
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
|
||||
|
||||
<para>Columns are:</para>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-arprules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-blacklist</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -44,8 +46,8 @@
|
||||
(if your kernel and iptables contain iprange match support) or ipset
|
||||
name prefaced by "+" (if your kernel supports ipset match).
|
||||
Exclusion (<ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
|
||||
supported.</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
|
||||
is supported.</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-blrules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -33,8 +35,9 @@
|
||||
connections in the NEW and INVALID states.</para>
|
||||
|
||||
<para>The format of rules in this file is the same as the format of rules
|
||||
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>. The
|
||||
difference in the two files lies in the ACTION (first) column.</para>
|
||||
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
|
||||
(5)</ulink>. The difference in the two files lies in the ACTION (first)
|
||||
column.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
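Review bot: the reflow leaves a line break inside the link text, so the reference renders as "shorewall-rules (5)" with the section number inside the ulink, whereas the rest of this commit (the shorewall-actions hunk above, for example) writes `shorewall-rules</ulink>(5)` with the number outside the link; consider moving `(5)` after `</ulink>` here for consistency with the other manpages.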
@ -69,8 +72,8 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
|
||||
the macro expands to <emphasis
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
then the macro expands to <emphasis
|
||||
role="bold">blacklog</emphasis>.</para>
|
||||
</listitem>
|
||||
|
||||
@ -88,10 +91,11 @@
|
||||
|
||||
<listitem>
|
||||
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5).
|
||||
Logs, audits (if specified) and applies the
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
||||
</ulink>(5). Logs, audits (if specified) and applies the
|
||||
BLACKLIST_DISPOSITION specified in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
|
||||
(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -205,8 +209,8 @@
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
in /usr/share/shorewall/actions.std.</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
||||
or in /usr/share/shorewall/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -237,8 +241,8 @@
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
/usr/share/shorewall/actions.std then:</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
||||
or in /usr/share/shorewall/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall6-conntrack</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
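Review bot: the refentrytitle in this hunk reads `shorewall6-conntrack`, yet the hunk sits among the IPv4 `shorewall-*` manpages (between shorewall-blrules and shorewall-ecn) and is given the same "Configuration Files" refmiscinfo; check whether the title should be `shorewall-conntrack` for this file, since a wrong refentrytitle shows up as the rendered man page name.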
@ -365,7 +367,8 @@
|
||||
<para>Where <replaceable>interface</replaceable> is an interface to
|
||||
that zone, and <replaceable>address-list</replaceable> is a
|
||||
comma-separated list of addresses (may contain exclusion - see
|
||||
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
<ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
(5)).</para>
|
||||
|
||||
<para>COMMENT is only allowed in format 1; the remainder of the line
|
||||
@ -381,7 +384,8 @@
|
||||
<listitem>
|
||||
<para>where <replaceable>address-list</replaceable> is a
|
||||
comma-separated list of addresses (may contain exclusion - see
|
||||
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
<ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-ecn</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -64,12 +66,13 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
|
||||
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
|
||||
shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
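Review bot: `shorewall_interfaces(5)` in the rewrapped list uses an underscore where every other entry uses a hyphen; since these lines are being rewritten anyway, correct it to `shorewall-interfaces(5)`. The same list with the same typo is rewrapped in the shorewall-init and shorewall-modules hunks below, and the section title "See ALSO" could become "See Also" in all three.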
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-exclusion</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -88,8 +90,8 @@ ACCEPT all!z2 net tcp 22</programlisting>
|
||||
<para>In most contexts, ipset names can be used as an
|
||||
<replaceable>address-or-range</replaceable>. Beginning with Shorewall
|
||||
4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
|
||||
url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
|
||||
of these lists when used in an exclusion are as follows:</para>
|
||||
url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The
|
||||
semantics of these lists when used in an exclusion are as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-hosts</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -29,8 +31,8 @@
|
||||
|
||||
<para>The order of entries in this file is not significant in determining
|
||||
zone composition. Rather, the order that the zones are declared in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
|
||||
in which the records in this file are interpreted.</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines
|
||||
the order in which the records in this file are interpreted.</para>
|
||||
|
||||
<warning>
|
||||
<para>The only time that you need this file is when you have more than
|
||||
@ -39,9 +41,9 @@
|
||||
|
||||
<warning>
|
||||
<para>If you have an entry for a zone and interface in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
|
||||
not include any entries in this file for that same (zone, interface)
|
||||
pair.</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
then do not include any entries in this file for that same (zone,
|
||||
interface) pair.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
@ -53,8 +55,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name of a zone declared in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You may not
|
||||
list the firewall zone in this column.</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You
|
||||
may not list the firewall zone in this column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -67,9 +69,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name of an interface defined in the <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
|
||||
followed by a colon (":") and a comma-separated list whose elements
|
||||
are either:</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
file followed by a colon (":") and a comma-separated list whose
|
||||
elements are either:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
@ -169,8 +171,8 @@
|
||||
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
||||
that if the zone named in the ZONE column is specified as an
|
||||
IPSEC zone in the <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) file
|
||||
then you do NOT need to specify the 'ipsec' option
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
file then you do NOT need to specify the 'ipsec' option
|
||||
here.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -181,8 +183,8 @@
|
||||
<listitem>
|
||||
<para>Connection requests from these hosts are compared
|
||||
against the contents of <ulink
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an Ethernet
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
|
||||
If this option is specified, the interface must be an Ethernet
|
||||
NIC or equivalent and must be up before Shorewall is
|
||||
started.</para>
|
||||
</listitem>
|
||||
@ -212,8 +214,8 @@
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
After logging, the packets are dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-init</refentrytitle>
|
||||
|
||||
<manvolnum>8</manvolnum>
|
||||
|
||||
<refmiscinfo>Administrative Commands</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -145,10 +147,11 @@
|
||||
|
||||
<para>On a laptop with both Ethernet and wireless interfaces, you will
|
||||
want to make both interfaces optional and set the REQUIRE_INTERFACE option
|
||||
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5) or
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5). This causes the firewall to remain stopped until at least one of the
|
||||
interfaces comes up.</para>
|
||||
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
||||
</ulink>(5) or <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
|
||||
causes the firewall to remain stopped until at least one of the interfaces
|
||||
comes up.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@ -163,12 +166,13 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
|
||||
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
|
||||
shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-interfaces</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -71,7 +73,8 @@
|
||||
in this column.</para>
|
||||
|
||||
<para>If the interface serves multiple zones that will be defined in
|
||||
the <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
the <ulink
|
||||
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
file, you should place "-" in this column.</para>
|
||||
|
||||
<para>If there are multiple interfaces to the same zone, you must
|
||||
@ -111,8 +114,8 @@ loc eth2 -</programlisting>
|
||||
<para>When using Shorewall versions before 4.1.4, care must be
|
||||
exercised when using wildcards where there is another zone that uses
|
||||
a matching specific interface. See <ulink
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
||||
discussion of this problem.</para>
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
|
||||
for a discussion of this problem.</para>
|
||||
|
||||
<para>Shorewall allows '+' as an interface name.</para>
|
||||
|
||||
@ -433,8 +436,8 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Connection requests from this interface are compared
|
||||
against the contents of <ulink
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an Ethernet
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
|
||||
If this option is specified, the interface must be an Ethernet
|
||||
NIC and must be up before Shorewall is started.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -486,8 +489,8 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
After logging, the packets are dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -631,9 +634,9 @@ loc eth2 -</programlisting>
|
||||
|
||||
<important>
|
||||
<para>If ROUTE_FILTER=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
||||
your distribution sets net.ipv4.conf.all.rp_filter=1 in
|
||||
<filename>/etc/sysctl.conf</filename>, then setting
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
or if your distribution sets net.ipv4.conf.all.rp_filter=1
|
||||
in <filename>/etc/sysctl.conf</filename>, then setting
|
||||
<emphasis role="bold">routefilter</emphasis>=0 in an
|
||||
<replaceable>interface</replaceable> entry will not disable
|
||||
route filtering on that
|
||||
@ -653,8 +656,8 @@ loc eth2 -</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If USE_DEFAULT_RT=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||
the interface is listed in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
and the interface is listed in <ulink
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-ipsets</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -79,7 +81,8 @@
|
||||
specified, matching packets must match all of the listed sets.</para>
|
||||
|
||||
<para>For information about set lists and exclusion, see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-maclist</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -27,9 +29,9 @@
|
||||
associated IP addresses to be allowed to use the specified interface. The
|
||||
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
|
||||
option in the <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
|
||||
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
|
||||
file.</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
or <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
configuration file.</para>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
@ -45,8 +47,8 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
||||
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
|
||||
also allowed). If specified, the
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
|
||||
REJECT is also allowed). If specified, the
|
||||
<replaceable>log-level</replaceable> causes packets matching the
|
||||
rule to be logged at that level.</para>
|
||||
</listitem>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-mangle</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -24,13 +26,15 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
||||
replace <ulink url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>.
|
||||
This file is only processed by the compiler if:</para>
|
||||
replace <ulink
|
||||
url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>. This
|
||||
file is only processed by the compiler if:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
|
||||
or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
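Review bot: the reflowed link pairs the text "shorewall-rules(5)" with `url="/manpages/shorewall-mangle.html"`, so this manpage links to itself while naming the rules file. The surrounding text (the "No file named 'tcrules' exists" condition in the next list item and "the LAST tcrule that matches" further down) shows that the file being replaced is tcrules, so both the link text and the URL should point at the tcrules manpage rather than at shorewall-rules or shorewall-mangle.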
@ -44,10 +48,10 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final mark for
|
||||
each packet will be the one assigned by the LAST tcrule that
|
||||
matches.</para>
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
|
||||
evaluation of rules in this file will continue after a match. So the
|
||||
final mark for each packet will be the one assigned by the LAST tcrule
|
||||
that matches.</para>
|
||||
|
||||
<para>If you use multiple internet providers with the 'track' option, in
|
||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||
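Review bot: unchanged context, but the sentence "If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read" has the comma in the wrong place; it should read "with the 'track' option in /etc/shorewall/providers, be sure to read". Worth fixing while this file is being reflowed.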
@ -104,8 +108,8 @@
|
||||
<para>Unless otherwise specified for the particular
|
||||
<replaceable>command</replaceable>, the default chain is PREROUTING
|
||||
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
|
||||
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
|
||||
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
|
||||
@ -310,8 +314,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||
third rule above can be specified as follows:</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
|
||||
then the third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
</listitem>
|
||||
|
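Review bot: the reflowed link names `shorewall6.conf(5)` but points at `url="/manpages/shorewall.conf.html"`, and this is the IPv4 shorewall-mangle page; the text should read `shorewall.conf(5)` (an IPv6 reference would use `/manpages6/shorewall6.conf.html`, as the shorewall-init hunk above does).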
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-masq</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -35,8 +37,8 @@
|
||||
<para>If you have more than one ISP link, adding entries to this file
|
||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||
through a particular link. You must use entries in <ulink
|
||||
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
||||
entries in <ulink
|
||||
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
|
||||
PREROUTING entries in <ulink
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
|
||||
that.</para>
|
||||
</warning>
|
||||
@ -55,27 +57,26 @@
|
||||
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
|
||||
comma-separated list of interface names. This is usually your
|
||||
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
|
||||
and a <emphasis>digit</emphasis> to indicate that you want the alias
|
||||
added with that name (e.g., eth0:0). This will allow the alias to be
|
||||
displayed with ifconfig. <emphasis role="bold">That is the only use
|
||||
for the alias name; it may not appear in any other place in your
|
||||
Shorewall configuration.</emphasis></para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
|
||||
may add ":" and a <emphasis>digit</emphasis> to indicate that you
|
||||
want the alias added with that name (e.g., eth0:0). This will allow
|
||||
the alias to be displayed with ifconfig. <emphasis role="bold">That
|
||||
is the only use for the alias name; it may not appear in any other
|
||||
place in your Shorewall configuration.</emphasis></para>
|
||||
|
||||
<para>Each interface must match an entry in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
For example, <filename class="devicefile">ppp0</filename> in this
|
||||
file will match a <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
|
||||
<para>Where <ulink
|
||||
url="/4.4/MultiISP.html#Shared">more that
|
||||
one internet provider share a single interface</ulink>, the provider
|
||||
is specified by including the provider name or number in
|
||||
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
|
||||
internet provider share a single interface</ulink>, the provider is
|
||||
specified by including the provider name or number in
|
||||
parentheses:</para>
|
||||
|
||||
<programlisting> eth0(Avvanta)</programlisting>
|
||||
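Review bot: the rewrapped sentence keeps the typo "more that one internet provider share a single interface"; it should read "more than one internet provider shares a single interface". Since these lines are already being rewritten, fix it in this hunk rather than leaving it for a later pass.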
@ -88,8 +89,8 @@
|
||||
addresses to indicate that you only want to change the source IP
|
||||
address for packets being sent to those particular destinations.
|
||||
Exclusion is allowed (see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
||||
are ipset names preceded by a plus sign '+';</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
|
||||
as are ipset names preceded by a plus sign '+';</para>
|
||||
|
||||
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
|
||||
entry then include the ":" but omit the digit:</para>
|
||||
@ -99,9 +100,9 @@
|
||||
|
||||
<para>Normally Masq/SNAT rules are evaluated after those for
|
||||
one-to-one NAT (defined in <ulink
|
||||
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
|
||||
rule to be applied before one-to-one NAT rules, prefix the interface
|
||||
name with "+":</para>
|
||||
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
|
||||
want the rule to be applied before one-to-one NAT rules, prefix the
|
||||
interface name with "+":</para>
|
||||
|
||||
<programlisting> +eth0
|
||||
+eth0:192.0.2.32/27
|
||||
@ -174,7 +175,8 @@
|
||||
<listitem>
|
||||
<para>If you specify an address here, SNAT will be used and this
|
||||
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
|
||||
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
|
||||
in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
|
||||
Shorewall will automatically add this address to the INTERFACE named
|
||||
in the first column.</para>
|
||||
|
||||
@ -689,8 +691,8 @@
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then these
|
||||
rules may be specified as follows:</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
|
||||
these rules may be specified as follows:</para>
|
||||
|
||||
<programlisting>/etc/shorewall/masq:
|
||||
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-modules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -86,13 +88,13 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
|
||||
shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-nat</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -29,10 +31,10 @@
|
||||
<warning>
|
||||
<para>If all you want to do is simple port forwarding, do NOT use this
|
||||
file. See <ulink
|
||||
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
|
||||
Also, in many cases, Proxy ARP (<ulink
|
||||
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
|
||||
solution that one-to-one NAT.</para>
|
||||
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
|
||||
in many cases, Proxy ARP (<ulink
|
||||
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
|
||||
is a better solution that one-to-one NAT.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
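Review bot: the reflowed warning keeps the typo on its last line, "is a better solution that one-to-one NAT.</para>"; it should read "a better solution than one-to-one NAT". Fix it in the same change since the line is being rewritten.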
|
||||
@ -72,7 +74,8 @@
|
||||
<listitem>
|
||||
<para>Interfaces that have the <emphasis
|
||||
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
<ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
Shorewall will automatically add the EXTERNAL address to this
|
||||
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
|
||||
name with ":" and a <emphasis>digit</emphasis> to indicate that you
|
||||
@ -85,9 +88,9 @@
|
||||
<para>Each interface must match an entry in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
For example, <filename class="devicefile">ppp0</filename> in this
|
||||
file will match a <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-nesting</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -24,17 +26,18 @@
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>In <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a
|
||||
zone may be declared to be a sub-zone of one or more other zones using the
|
||||
<para>In <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a zone
|
||||
may be declared to be a sub-zone of one or more other zones using the
|
||||
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
||||
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
||||
parent zone, although all vserver zones are handled as sub-zones of the
|
||||
firewall zone.</para>
|
||||
|
||||
<para>Where zones are nested, the CONTINUE policy in <ulink
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
|
||||
are within multiple zones to be managed under the rules of all of these
|
||||
zones.</para>
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows
|
||||
hosts that are within multiple zones to be managed under the rules of all
|
||||
of these zones.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@ -74,7 +77,8 @@
|
||||
under rules where the source zone is net. It is important that this policy
|
||||
be listed BEFORE the next policy (net to all). You can have this policy
|
||||
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
<ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
@ -204,12 +208,13 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
|
||||
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
|
||||
shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-netmap</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -95,9 +97,9 @@
|
||||
in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
For example, <filename class="devicefile">ppp0</filename> in this
|
||||
file will match a <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
@ -145,8 +147,8 @@
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-params</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -26,8 +28,8 @@
|
||||
<para>Assign any shell variables that you need in this file. The file is
|
||||
always processed by <filename>/bin/sh</filename> or by the shell specified
|
||||
through SHOREWALL_SHELL in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
|
||||
shell capabilities may be used.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
|
||||
range of shell capabilities may be used.</para>
|
||||
|
||||
<para>It is suggested that variable names begin with an upper case letter
|
||||
to distinguish them from variables used internally within the Shorewall
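Review bot: the reflowed line keeps a space between the link and the section number, `shorewall.conf</ulink> (5)`, which renders as "shorewall.conf (5)", while most manpages in this commit write `</ulink>(5)`. Worth normalizing to `shorewall.conf</ulink>(5)` here and wherever the same pattern recurs below (the shorewall-providers `track` paragraph, shorewall-routes, shorewall-tcclasses and shorewall-tos hunks).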
|
||||
@ -40,7 +42,8 @@
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">Any option from <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
|
||||
(5)</emphasis></member>
|
||||
|
||||
<member><emphasis role="bold">COMMAND</emphasis></member>
|
||||
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-policy</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -66,8 +68,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+".</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
|
||||
$FW, "all" or "all+".</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
@ -84,11 +86,11 @@
|
||||
|
||||
<listitem>
|
||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||
"all+", another bport zone associated with the same bridge, or it
|
||||
must be an ipv4 zone that is associated with only the same
|
||||
bridge.</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
|
||||
$FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
|
||||
must be "all", "all+", another bport zone associated with the same
|
||||
bridge, or it must be an ipv4 zone that is associated with only the
|
||||
same bridge.</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
@ -118,8 +120,8 @@
|
||||
<listitem>
|
||||
<para>The word "None" or "none". This causes any default action
|
||||
defined in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
||||
omitted for this policy.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to
|
||||
be omitted for this policy.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -191,8 +193,8 @@
|
||||
might also match (where the source or destination zone in
|
||||
those rules is a superset of the SOURCE or DEST in this
|
||||
policy). See <ulink
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
|
||||
for additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-providers</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -77,17 +79,17 @@
|
||||
|
||||
<listitem>
|
||||
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
|
||||
direct packets to this provider.</para>
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
|
||||
file to direct packets to this provider.</para>
|
||||
|
||||
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
|
||||
must be a multiple of 256 between 256 and 65280 or their hexadecimal
|
||||
equivalents (0x0100 and 0xff00 with the low-order byte of the value
|
||||
being zero). Otherwise, the value must be between 1 and 255. Each
|
||||
provider must be assigned a unique mark value. This column may be
|
||||
omitted if you don't use packet marking to direct connections to a
|
||||
particular provider.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
|
||||
the value must be a multiple of 256 between 256 and 65280 or their
|
||||
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
|
||||
of the value being zero). Otherwise, the value must be between 1 and
|
||||
255. Each provider must be assigned a unique mark value. This column
|
||||
may be omitted if you don't use packet marking to direct connections
|
||||
to a particular provider.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -112,8 +114,8 @@
|
||||
<listitem>
|
||||
<para>The name of the network interface to the provider. Must be
|
||||
listed in <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
|
||||
general, that interface should not have the
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
|
||||
In general, that interface should not have the
|
||||
<option>proxyarp</option> option specified unless
|
||||
<option>loose</option> is given in the OPTIONS column of this
|
||||
entry.</para>
|
||||
@ -177,8 +179,9 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
||||
defaults to the setting of the TRACK_PROVIDERS option in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
|
||||
If you set TRACK_PROVIDERS=Yes and want to override that
|
||||
<ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
|
||||
(5). If you set TRACK_PROVIDERS=Yes and want to override that
|
||||
setting for an individual provider, then specify
|
||||
<option>notrack</option> (see below).</para>
|
||||
</listitem>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-proxyarp</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-routes</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -34,8 +36,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name or number of a provider defined in <ulink
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5).
|
||||
Beginning with Shorewall 4.5.14, you may also enter
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>
|
||||
(5). Beginning with Shorewall 4.5.14, you may also enter
|
||||
<option>main</option> in this column to add routes to the main
|
||||
routing table.</para>
|
||||
</listitem>
|
||||
@ -73,8 +75,8 @@
|
||||
<listitem>
|
||||
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
||||
given, then the INTERFACE specified for the PROVIDER in <ulink
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5). This
|
||||
column must be omitted if <option>blackhole</option>,
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>
|
||||
(5). This column must be omitted if <option>blackhole</option>,
|
||||
<option>prohibit</option> or <option>unreachable</option> is
|
||||
specified in the GATEWAY column.</para>
|
||||
</listitem>
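Review bot: the reflowed sentence is still missing its verb: "If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall-providers (5)." Suggest "... then the INTERFACE specified for the PROVIDER in shorewall-providers(5) is used." so the fallback behaviour is actually stated.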
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-routestopped</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-rtrules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-rules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -25,8 +27,8 @@
|
||||
|
||||
<para>Entries in this file govern connection establishment by defining
|
||||
exceptions to the policies laid out in <ulink
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By default,
|
||||
subsequent requests and responses are automatically allowed using
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By
|
||||
default, subsequent requests and responses are automatically allowed using
|
||||
connection tracking. For any particular (source,dest) pair of zones, the
|
||||
rules are evaluated in the order in which they appear in this file and the
|
||||
first terminating match is the one that determines the disposition of the
|
||||
@ -145,8 +147,8 @@
|
||||
|
||||
<warning>
|
||||
<para>If you specify FASTACCEPT=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
||||
role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the
|
||||
<emphasis role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
|
||||
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||
|
||||
<para>An except is made if you are running Shorewall 4.4.27 or later and
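Review bot: the trailing context line "An except is made if you are running Shorewall 4.4.27 or later" should read "An exception is made"; the paragraph just above it is being reflowed, so fix the typo in the same change.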
|
||||
@ -234,8 +236,8 @@
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
in /usr/share/shorewall/actions.std.</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
||||
or in /usr/share/shorewall/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -329,12 +331,13 @@
|
||||
<para>Do not process any of the following rules for this
|
||||
(source zone,destination zone). If the source and/or
|
||||
destination IP address falls into a zone defined later in
|
||||
<ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
<ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
or in a parent zone of the source or destination zones, then
|
||||
this connection request will be passed to the rules defined
|
||||
for that (those) zone(s). See <ulink
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
|
||||
for additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -671,8 +674,8 @@
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
/usr/share/shorewall/actions.std then:</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
||||
or in /usr/share/shorewall/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -732,10 +735,10 @@
|
||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||
<replaceable>zone-list </replaceable>which consists of a
|
||||
comma-separated list of zones declared in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic.</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
|
||||
This <replaceable>zone-list</replaceable> may be optionally followed
|
||||
by "+" to indicate that the rule is to apply to intra-zone traffic
|
||||
as well as inter-zone traffic.</para>
|
||||
|
||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||
@ -906,18 +909,19 @@
|
||||
|
||||
<listitem>
|
||||
<para>Location of Server. May be a zone declared in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
|
||||
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
||||
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
||||
<emphasis role="bold">none</emphasis>.</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
|
||||
$<emphasis role="bold">FW</emphasis> to indicate the firewall
|
||||
itself, <emphasis role="bold">all</emphasis>. <emphasis
|
||||
role="bold">all+</emphasis> or <emphasis
|
||||
role="bold">none</emphasis>.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||
<replaceable>zone-list </replaceable>which consists of a
|
||||
comma-separated list of zones declared in <ulink
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic.</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
|
||||
This <replaceable>zone-list</replaceable> may be optionally followed
|
||||
by "+" to indicate that the rule is to apply to intra-zone traffic
|
||||
as well as inter-zone traffic.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
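Review bot: the reflowed DEST text keeps a period where the list needs a comma: `<emphasis role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or` renders as "all. all+ or none"; it should be "all, all+ or none" (the SOURCE column in the shorewall-policy hunk above spells the same list as `$FW, "all" or "all+"`). The trailing context "Beginning with Shorewall 4.5.4, A" also has a stray capital "A" mid-sentence.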
|
||||
@ -1577,8 +1581,8 @@
|
||||
</simplelist>
|
||||
|
||||
<para>If the HELPERS option is specified in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
||||
specified in this column must be listed in the HELPERS
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
|
||||
any module specified in this column must be listed in the HELPERS
|
||||
setting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-secmarks</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -25,10 +27,10 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final secmark
|
||||
for each packet will be the one assigned by the LAST rule that
|
||||
matches.</para>
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
|
||||
evaluation of rules in this file will continue after a match. So the
|
||||
final secmark for each packet will be the one assigned by the LAST rule
|
||||
that matches.</para>
|
||||
</important>
|
||||
|
||||
<para>The secmarks file is used to associate an SELinux context with
|
||||
@ -249,8 +251,8 @@
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-stoppedrules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-tcclasses</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -125,9 +127,9 @@
|
||||
<para>You may specify the interface number rather than the interface
|
||||
name. If the <emphasis role="bold">classify</emphasis> option is
|
||||
given for the interface in <ulink
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
|
||||
you must also specify an interface class (an integer that must be
|
||||
unique within classes associated with this interface). If the
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5),
|
||||
then you must also specify an interface class (an integer that must
|
||||
be unique within classes associated with this interface). If the
|
||||
classify option is not given, you may still specify a
|
||||
<emphasis>class</emphasis> or you may have Shorewall generate a
|
||||
class number from the MARK value. Interface numbers and class
|
||||
@ -144,8 +146,8 @@
|
||||
|
||||
<para>Normally, all classes defined here are sub-classes of a root
|
||||
class that is implicitly defined from the entry in <ulink
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
|
||||
can establish a class hierarchy by specifying a
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5).
|
||||
You can establish a class hierarchy by specifying a
|
||||
<emphasis>parent</emphasis> class -- the number of a class that you
|
||||
have previously defined. The sub-class may borrow unused bandwidth
|
||||
from its parent.</para>
|
||||
@ -159,11 +161,12 @@
|
||||
<listitem>
|
||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||
range 1-255. You set mark values in the <ulink
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
|
||||
marking the traffic you want to fit in the classes defined in here.
|
||||
Must be specified as '-' if the <emphasis
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
|
||||
file, marking the traffic you want to fit in the classes defined in
|
||||
here. Must be specified as '-' if the <emphasis
|
||||
role="bold">classify</emphasis> option is given for the interface in
|
||||
<ulink url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
<ulink
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
and you are running Shorewall 4.5.5 or earlier.</para>
|
||||
|
||||
<para>You can use the same marks for different interfaces.</para>
|
||||
@ -290,7 +293,7 @@
|
||||
<para>This is the default class for that interface where all
|
||||
traffic should go, that is not classified otherwise.</para>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>You must define <emphasis
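Review bot: replacing `<para/>` with `<para></para>` is a no-op for any XML consumer, and an empty paragraph exists only to force vertical space in the rendered page; rather than churn its form, drop the empty element and let the stylesheet handle spacing between the preceding para and the `<note>`.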
|
||||
@ -417,7 +420,8 @@
|
||||
of the class. So the total RATE represented by an entry with
|
||||
'occurs' will be the listed RATE multiplied by
|
||||
<emphasis>number</emphasis>. For additional information, see
|
||||
<ulink url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||
<ulink
|
||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||
(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
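Review bot: this reflowed link still points at `/manpages/shorewall-tcrules.html` and names shorewall-tcrules (5), while the rest of this commit references the mangle file (`/manpages/shorewall-mangle.html`, and the See ALSO lists name shorewall-mangle(5) rather than shorewall-tcrules(5)); check that the tcrules target still exists or point the link at shorewall-mangle. Splitting "(5)" onto its own line after the ulink also renders with a space before the section number.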
|
||||
@ -720,10 +724,10 @@
|
||||
priority number, giving less delay) and will be granted excess
|
||||
bandwidth (up to 180kbps, the class ceiling) first, before any other
|
||||
traffic. A single VoIP stream, depending upon codecs, after
|
||||
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
|
||||
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
|
||||
classes EF and AFF3-1 respectively and are often used by VOIP
|
||||
devices).</para>
|
||||
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
|
||||
a little bit just in case. (TOS byte values 0xb8 and 0x68 are
|
||||
DiffServ classes EF and AFF3-1 respectively and are often used by
|
||||
VOIP devices).</para>
|
||||
|
||||
<para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
|
||||
echo traffic if you use the example in tcrules) and any packet with
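Review bot: "DiffServ classes EF and AFF3-1" in the reflowed parenthetical is a typo for "EF and AF31": TOS byte 0x68 is DSCP 26, which is AF31, and 0xb8 is DSCP 46, which is EF. Fix it while these lines are being rewritten.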
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-tcdevices</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -150,8 +152,7 @@
|
||||
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
|
||||
may be configured instead. Rate-estimated filters should be used
|
||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||
default. See <ulink
|
||||
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
97a</ulink>.</para>
|
||||
|
||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-tcfilters</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-tcinterfaces</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -25,7 +27,8 @@
|
||||
|
||||
<para>This file lists the interfaces that are subject to simple traffic
|
||||
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
<ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
||||
file:</para>
|
||||
@ -161,8 +164,7 @@
|
||||
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
|
||||
may be configured instead. Rate-estimated filters should be used
|
||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||
default. See <ulink
|
||||
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
97a</ulink>.</para>
|
||||
|
||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-tcpri</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -25,12 +27,13 @@
|
||||
|
||||
<para>This file is used to specify the priority of traffic for simple
|
||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
|
||||
each packet is determined by the <emphasis role="bold">last</emphasis>
|
||||
entry that the packet matches. If a packet doesn't match any entry in this
|
||||
file, then its priority will be determined by its TOS field. The default
|
||||
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
||||
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The
|
||||
priority band of each packet is determined by the <emphasis
|
||||
role="bold">last</emphasis> entry that the packet matches. If a packet
|
||||
doesn't match any entry in this file, then its priority will be determined
|
||||
by its TOS field. The default mapping is as follows but can be changed by
|
||||
setting the TC_PRIOMAP option in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<programlisting>TOS Bits Means Linux Priority BAND
|
||||
------------------------------------------------------------
|
||||
@ -131,8 +134,8 @@
|
||||
[<replaceable>helper</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional. Names a Netfilter protocol helper module such as ftp,
|
||||
sip, amanda, etc. A packet will match if it was accepted by the
|
||||
<para>Optional. Names a Netfilter protocol helper module such as
|
||||
ftp, sip, amanda, etc. A packet will match if it was accepted by the
|
||||
named helper module. You can also append "-" and a port number to
|
||||
the helper module name (e.g., ftp-21) to specify the port number
|
||||
that the original connection was made on.</para>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall-</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
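Review bot: the refentrytitle of this file is `shorewall-` with nothing after the hyphen, so the rendered page header and any cross-reference built from it will carry a truncated name. The commit leaves that line unchanged, but since it is already editing this refmeta, complete the title (and check the `<refname>` in the refnamediv that follows) in the same change.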
|
||||
@ -52,12 +54,13 @@
<title>See ALSO</title>

<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

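Review bot: `shorewall_interfaces(5)` in the reflowed See ALSO list keeps an underscore where every other `shorewall-*(5)` entry on the same lines uses a hyphen (`shorewall-hosts(5)`, `shorewall-ipsets(5)`); since the reflow already rewrites that line, correct it to `shorewall-interfaces(5)` in the same change.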
@ -6,6 +6,8 @@
<refentrytitle>shorewall-tos</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -25,7 +27,8 @@

<para>This file defines rules for setting Type Of Service (TOS). Its use
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>
(5).</para>

<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in

@ -6,6 +6,8 @@
<refentrytitle>shorewall-tunnels</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -27,8 +29,8 @@
encrypted) traffic to pass between the Shorewall system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See <ulink
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
for details.</para>
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
details.</para>

<para>The columns in the file are as follows.</para>

@ -143,8 +145,8 @@

<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
may be given. Exclusion (<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
not supported.</para>
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5) ) is not supported.</para>
</listitem>
</varlistentry>


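Review bot: the reflow preserves the stray spacing in `shorewall-exclusion</ulink>` / `(5) ) is not supported`, which renders as `shorewall-exclusion (5) )`; while this line is being rewritten, `shorewall-exclusion</ulink>(5)) is not supported` would match the `(5)` style used by the other references in this patch.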
@ -6,6 +6,8 @@
<refentrytitle>shorewall-vardir</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -54,12 +56,13 @@
<title>See ALSO</title>

<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

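Review bot: as in the previous file's See ALSO list, the reflowed line keeps `shorewall_interfaces(5)` with an underscore while the neighbouring `shorewall-hosts(5)` and `shorewall-ipsets(5)` use a hyphen; fix it to `shorewall-interfaces(5)` here too, since the line is rewritten anyway.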
@ -6,6 +6,8 @@
<refentrytitle>shorewall-zones</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -45,17 +47,17 @@
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
as zone names. The maximum length of a zone name is determined by
the setting of the LOGFORMAT option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With the
default LOGFORMAT, zone names can be at most 5 characters
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With
the default LOGFORMAT, zone names can be at most 5 characters
long.</para>

<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5), the default
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
%s is replaced by the chain name and the second is replaced by the
disposition.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>

<itemizedlist>
<listitem>
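Review bot: the paragraph above the blockquote ties the zone-name limit to the LOGFORMAT option, but the rewrapped blockquote calls the same formatting string `LOGPREFIX` (`the default LOGPREFIX formatting string is “Shorewall:%s:%s:”`); one of the two option names is wrong, and since this hunk rewrites those lines it is the place to make them agree.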
@ -97,8 +99,8 @@
(sub)zone name by ":" and a comma-separated list of the parent
zones. The parent zones must have been declared in earlier records
in this file. See <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
additional information.</para>
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
for additional information.</para>

<para>Example:</para>

@ -110,8 +112,8 @@ c:a,b ipv4</programlisting>
<para>Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the list.
The IMPLICIT_CONTINUE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can also create
implicit CONTINUE policies to/from the subzone.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can
also create implicit CONTINUE policies to/from the subzone.</para>

<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
explicitly included as a child of an <emphasis
@ -180,7 +182,8 @@ c:a,b ipv4</programlisting>
<listitem>
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
Linux-vserver guests. The zone contents must be defined in
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
<ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
(5).</para>

<para>Vserver zones are implicitly handled as subzones of the
@ -310,7 +313,8 @@ c:a,b ipv4</programlisting>
<para>Added in Shorewall 4.5.9. May only be specified in the
OPTIONS column and indicates that only a single ipset should
be created for this zone if it has multiple dynamic entries in
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
<ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
Without this option, a separate ipset is created for each
interface.</para>
</listitem>
@ -354,9 +358,9 @@ c:a,b ipv4</programlisting>
<listitem>
<para>sets the MSS field in TCP packets. If you supply this
option, you should also set FASTACCEPT=No in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to insure
that both the SYN and SYN,ACK packets have their MSS field
adjusted.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
to insure that both the SYN and SYN,ACK packets have their MSS
field adjusted.</para>
</listitem>
</varlistentry>


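Review bot: `to insure that both the SYN and SYN,ACK packets have their MSS field adjusted` should read `ensure`; the rewrap rewrites exactly that line, so the word can be fixed in the same hunk.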
@ -6,6 +6,8 @@
<refentrytitle>shorewall.conf</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -204,8 +206,8 @@
<listitem>
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
is enabled (see <ulink
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
not specified or set to the empty value, ACCOUNTING=Yes is
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)).
If not specified or set to the empty value, ACCOUNTING=Yes is
assumed.</para>
</listitem>
</varlistentry>
@ -230,8 +232,8 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the external address(es) in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the
variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these aliases
@ -256,13 +258,13 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
addresses. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these addresses
yourself using your distribution's network configuration
tools.</para>
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If
the variable is set to <emphasis role="bold">Yes</emphasis> or
<emphasis role="bold">yes</emphasis> then Shorewall automatically
adds these addresses. If it is set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
you must add these addresses yourself using your distribution's
network configuration tools.</para>

<para>If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@ -356,7 +358,8 @@

<listitem>
<para>Specify the appropriate helper in the HELPER column in
<ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
<ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5).</para>

<note>
@ -430,7 +433,8 @@
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
determines the disposition of packets sent to the <emphasis
role="bold">blacklog</emphasis> target of <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
url="/manpages/shorewall-blrules.html">shorewall-blrules
</ulink>(5).</para>
</listitem>
</varlistentry>

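Review bot: the rewrapped link now splits as `shorewall-blrules` / `</ulink>(5).</para>`, so the whitespace that was already inside the `<ulink>` (`shorewall-blrules </ulink>`) becomes a line break inside the link text and still renders as a space before `(5)`; writing it as `shorewall-blrules</ulink>(5)` on one line matches the other references in this patch.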
@ -463,9 +467,11 @@
role="bold">yes</emphasis>, blacklists are only consulted for new
connections and for packets in the INVALID connection state (such as
TCP SYN,ACK when there has been no corresponding SYN). That includes
entries in the <ulink url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) file
and in the BLACKLIST section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).</para>
entries in the <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
file and in the BLACKLIST section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5).</para>

<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
@ -534,8 +540,8 @@
/etc/shorewall/tcstart file. That way, your traffic shaping rules
can still use the “fwmark” classifier based on packet marking
defined in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
specified, CLEAR_TC=Yes is assumed.</para>
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
If not specified, CLEAR_TC=Yes is assumed.</para>
</listitem>
</varlistentry>

@ -907,8 +913,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'

<para>Prior to version 3.2.0, it was not possible to use connection
marking in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
a multi-ISP configuration that uses the track option.</para>
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5)
if you had a multi-ISP configuration that uses the track
option.</para>

<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
packet mark and connection mark into two mark fields.</para>
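Review bot: the trailing context line `You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the` is missing the file name between `in` and `to`; the paragraph directly above it is being rewrapped in this hunk, so it is worth completing the sentence in the same pass.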
@ -990,11 +997,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'

<para>Subzones are defined by following their name with ":" and a
list of parent zones (in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
you want to have a set of special rules for the subzone and if a
connection doesn't match any of those subzone-specific rules then
you want the parent zone rules and policies to be applied; see
<ulink url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)).
Normally, you want to have a set of special rules for the subzone
and if a connection doesn't match any of those subzone-specific
rules then you want the parent zone rules and policies to be
applied; see <ulink
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>

<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -1011,9 +1019,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'

<listitem>
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a semicolon
separates column-oriented specifications on the left from <ulink
url="/configuration_file_basics.htm#Pairs">alternative
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
semicolon separates column-oriented specifications on the left from
<ulink url="/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
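Review bot: the context line `specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is` carries both a typo (`specificaitons`, should be `specifications`) and a doubled period after `right`; the lines immediately above it are rewritten by this hunk, so both can be fixed here.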
@ -1029,10 +1037,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
When a packet in INVALID state fails to match any rule in the
INVALID section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -1117,11 +1125,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>This option indicates that zone-related ipsec information is
found in the zones file (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). The option
indicates to the compiler that this is not a legacy configuration
where the ipsec information was contained in a separate file. The
value of this option must not be changed and the option must not be
deleted.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)).
The option indicates to the compiler that this is not a legacy
configuration where the ipsec information was contained in a
separate file. The value of this option must not be changed and the
option must not be deleted.</para>
</listitem>
</varlistentry>

@ -1378,7 +1386,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<note>
<para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
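Review bot: `The setting of LOGFORMAT has an effect of the permitted length of zone names` should read `an effect on`; it is a context line, but it sits directly above the rewrapped link in this hunk and is a one-word fix.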
@ -1546,8 +1555,8 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>The performance of configurations with a large numbers of
entries in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
can be improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

<para>If your iptables and kernel support the "Recent Match" (see
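Review bot: `configurations with a large numbers of entries` mixes singular and plural; it should be `a large number of entries`. The sentence continues into the lines this hunk rewraps, so the fix belongs here.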
@ -1557,14 +1566,15 @@ LOG:info:,bar net fw</programlisting>

<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
<ulink url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
there is a match then the source IP address is added to the 'Recent'
set for that interface. Subsequent connection attempts from that IP
address occurring within $MACLIST_TTL seconds will be accepted
without having to scan all of the entries. After $MACLIST_TTL from
the first accepted connection request from an IP address, the next
connection request from that IP address will be checked against the
entire list.</para>
<ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).
If there is a match then the source IP address is added to the
'Recent' set for that interface. Subsequent connection attempts from
that IP address occurring within $MACLIST_TTL seconds will be
accepted without having to scan all of the entries. After
$MACLIST_TTL from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.</para>

<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
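Review bot: `the packet passes through then list of entries for that interface` should read `the list`; the rest of that paragraph is rewrapped by this hunk, so the typo can be corrected with it.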
@ -2104,12 +2114,13 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5). Concern about the safety of this practice resulted in the
addition of this option. When a packet in RELATED state fails to
match any rule in the RELATED section, the packet is disposed of
based on this setting. The default value is ACCEPT for compatibility
with earlier versions.</para>
section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
Concern about the safety of this practice resulted in the addition
of this option. When a packet in RELATED state fails to match any
rule in the RELATED section, the packet is disposed of based on this
setting. The default value is ACCEPT for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>

@ -2120,9 +2131,9 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
this level. The default value is empty which means no logging is
performed.</para>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>

@ -2203,7 +2214,8 @@ INLINE - - - ; -j REJECT
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
at least one optional interface must be up in order for the firewall
to be in the started state. Intended to be used with the <ulink
url="/manpages/shorewall-init.html">Shorewall Init Package</ulink>.</para>
url="/manpages/shorewall-init.html">Shorewall Init
Package</ulink>.</para>
</listitem>
</varlistentry>

@ -2266,17 +2278,17 @@ INLINE - - - ; -j REJECT
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) are processed
then are re-added later. This is done to help ensure that the
addresses can be added with the specified labels but can have the
undesirable side effect of causing routes to be quietly deleted.
When RETAIN_ALIASES is set to Yes, existing addresses will not be
deleted. Regardless of the setting of RETAIN_ALIASES, addresses
added during <emphasis role="bold">shorewall start</emphasis> are
still deleted at a subsequent <emphasis role="bold">shorewall
stop</emphasis> or <emphasis role="bold">shorewall
restart</emphasis>.</para>
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and
<ulink url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5)
are processed then are re-added later. This is done to help ensure
that the addresses can be added with the specified labels but can
have the undesirable side effect of causing routes to be quietly
deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
not be deleted. Regardless of the setting of RETAIN_ALIASES,
addresses added during <emphasis role="bold">shorewall
start</emphasis> are still deleted at a subsequent <emphasis
role="bold">shorewall stop</emphasis> or <emphasis
role="bold">shorewall restart</emphasis>.</para>
</listitem>
</varlistentry>

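Review bot: the first context line of the RETAIN_ALIASES hunk closes the emphasis one character early: `<emphasis role="bold">shorewall star</emphasis>t` leaves the final `t` outside the bold span and renders as `shorewall star t`. It should be `<emphasis role="bold">shorewall start</emphasis>`, matching the `shorewall start` emphasis that this same hunk rewraps a few lines below.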
@ -2374,9 +2386,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.20. Determines the disposition of
packets matching the <option>sfilter</option> option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
of <firstterm>hairpin</firstterm> packets on interfaces without the
<option>routeback</option> option.<footnote>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
and of <firstterm>hairpin</firstterm> packets on interfaces without
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option.</para>
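Review bot: the rewrapped sentence ends `option.<footnote>` … `</footnote> interfaces without the routeback option.</para>`, so `interfaces without the routeback option` appears twice, once before the footnote and once after it; the trailing copy after `</footnote>` should be dropped while these lines are being edited.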
@ -2390,9 +2402,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added on Shorewall 4.4.20. Determines the logging of packets
matching the <option>sfilter</option> option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
of <firstterm>hairpin</firstterm> packets on interfaces without the
<option>routeback</option> option.<footnote>
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
and of <firstterm>hairpin</firstterm> packets on interfaces without
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option. The default
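Review bot: same duplication as in the SFILTER_DISPOSITION hunk above: `interfaces without the routeback option` appears both before and after the footnote and the copy after `</footnote>` should go. The leading context line `Added on Shorewall 4.4.20` should also read `Added in`, as every other entry in this file does.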
@ -2421,9 +2433,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
be dropped. A_DROP causes the packets to be audited prior to being
dropped and requires AUDIT_TARGET support in the kernel and
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
to be dropped. A_DROP causes the packets to be audited prior to
being dropped and requires AUDIT_TARGET support in the kernel and
iptables.</para>
</listitem>
</varlistentry>
@ -2435,8 +2447,8 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Specifies the logging level for smurf packets (see the
nosmurfs option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.</para>
</listitem>
</varlistentry>
@ -2525,7 +2537,8 @@ INLINE - - - ; -j REJECT
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
simple traffic shaping using <ulink
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
and <ulink url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
and <ulink
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
enabled.</para>

<para>If you set TC_ENABLED=Internal or internal or leave the option
@ -2589,10 +2602,10 @@ INLINE - - - ; -j REJECT
<para>Determines the disposition of TCP packets that fail the checks
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
must have a value of ACCEPT (accept the packet), REJECT (send an RST
response) or DROP (ignore the packet). If not set or if set to the
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
and must have a value of ACCEPT (accept the packet), REJECT (send an
RST response) or DROP (ignore the packet). If not set or if set to
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.</para>

<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@ -2621,8 +2634,8 @@ INLINE - - - ; -j REJECT
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
<option>track</option> option to be assumed on all providers defined
in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5). May
be overridden on an individual provider through use of the
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).
May be overridden on an individual provider through use of the
<option>notrack</option> option. The default value is 'No'.</para>

<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -2669,10 +2682,10 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
When a packet in UNTRACKED state fails to match any rule in the
UNTRACKED section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -2684,9 +2697,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
this level. The default value is empty which means no logging is
performed.</para>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>

@ -2708,8 +2721,8 @@ INLINE - - - ; -j REJECT
<orderedlist>
<listitem>
<para>Both the DUPLICATE and the COPY columns in <ulink
url="/manpages/shorewall-providers.html">providers</ulink>(5) file must
remain empty (or contain "-").</para>
url="/manpages/shorewall-providers.html">providers</ulink>(5)
file must remain empty (or contain "-").</para>
</listitem>

<listitem>
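Review bot: the link text `providers</ulink>(5) file` differs from the `shorewall-providers</ulink>(5)` form this same patch uses for the TRACK_PROVIDERS entry above; since the line is rewrapped here, make the man-page name consistent (`shorewall-providers</ulink>(5)`).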
@ -2725,9 +2738,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Packets are sent through the main routing table by a rule
with priority 999. In <ulink
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5), the
range 1-998 may be used for inserting rules that bypass the main
table.</para>
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5),
the range 1-998 may be used for inserting rules that bypass the
main table.</para>
</listitem>

<listitem>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-lite-vardir</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-lite.conf</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-lite</refentrytitle>

<manvolnum>8</manvolnum>

<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-accounting</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-actions</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -24,8 +26,9 @@
<title>Description</title>

<para>This file allows you to define new ACTIONS for use in rules (see
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You define
the ip6tables rules to be performed in an ACTION in
<ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You
define the ip6tables rules to be performed in an ACTION in
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>

<para>Columns are:</para>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-blacklist</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -26,10 +28,11 @@
<para>The blacklist file is used to perform static blacklisting by source
address (IP or MAC), or by application. The use of this file is deprecated
in favor of <ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
blacklist files can be converted to a corresponding blrules file using the
<command>shorewall6 update -b</command> command.</para>
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
and beginning with Shorewall 4.5.7, the blacklist file is no longer
installed. Existing blacklist files can be converted to a corresponding
blrules file using the <command>shorewall6 update -b</command>
command.</para>

<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
@ -47,8 +50,8 @@
(if your kernel and ip6tables contain iprange match support) or
ipset name prefaced by "+" (if your kernel supports ipset match).
Exclusion (<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
supported.</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
is supported.</para>

<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
@ -145,13 +148,13 @@

<para>When a packet arrives on an interface that has the <emphasis
role="bold">blacklist</emphasis> option specified in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5), its
source IP address and MAC address is checked against this file and
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
its source IP address and MAC address is checked against this file and
disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If <emphasis
role="bold">PROTOCOL</emphasis> or <emphasis
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
<emphasis role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>

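Review bot: the reflow carries over a subject-verb agreement error in the new line `its source IP address and MAC address is checked against this file and`; with two subjects it should read "are checked". In the same paragraph, "(and one of the ports if PORTS supplied)" is missing a verb; suggest "if PORTS is supplied".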
@ -6,6 +6,8 @@
<refentrytitle>shorewall6-blrules</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -34,7 +36,8 @@
connections in the NEW and INVALID states.</para>

<para>The format of rules in this file is the same as the format of rules
in <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
in <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
difference in the two files lies in the ACTION (first) column.</para>

<variablelist>
@ -89,10 +92,11 @@

<listitem>
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf </ulink>(5).
Logs, audits (if specified) and applies the
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
</ulink>(5). Logs, audits (if specified) and applies the
BLACKLIST_DISPOSITION specified in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>

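Review bot: the reflow moves the stray space inside the first link so the break now falls inside the element (`shorewall6.conf` on one line, `</ulink>(5)` on the next), which renders as trailing whitespace in the link text, and the second reference ends `</ulink>` with `(5)` on its own line. Suggest normalising both to `shorewall6.conf</ulink>(5)`, the form used by the other pages in this patch.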
@ -206,8 +210,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
in /usr/share/shorewall6/actions.std.</para>
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall6/actions.std.</para>
</listitem>
</varlistentry>

@ -238,8 +242,8 @@

<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
/usr/share/shorewall6/actions.std then:</para>
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall6/actions.std then:</para>

<itemizedlist>
<listitem>
@ -274,7 +278,8 @@
</variablelist>

<para>For the remaining columns, see <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules
(5)</ulink>.</para>
</refsect1>

<refsect1>

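Review bot: here "(5)" sits inside the `<ulink>` and the reflow puts it on its own line (`shorewall6-rules` / `(5)</ulink>.`), unlike every other cross-reference in the patch; suggest `shorewall6-rules</ulink>(5).` so the section number stays outside the link.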
@ -6,6 +6,8 @@
<refentrytitle>shorewall6-conntrack</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -357,7 +359,8 @@
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>

<para>COMMENT is only allowed in format 1; the remainder of the line
@ -373,7 +376,8 @@
<listitem>
<para>where <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
</listitem>
</varlistentry>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-exclusion</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -103,10 +105,11 @@ ACCEPT all!z2 net tcp 22</programlisting>

<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

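Review bot: the last entry of this IPv6 See Also list still reads `shorewall-zones(5)` after the reflow; in the shorewall6-nesting See Also later in this patch the same position reads `shorewall6-zones(5)`, so this looks like a stale reference. The missing space in `shorewall6-netmap(5),shorewall6-params(5)` is also carried through to the new line.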
@ -6,6 +6,8 @@
<refentrytitle>shorewall6-hosts</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -29,8 +31,9 @@

<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) determines the
order in which the records in this file are interpreted.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
determines the order in which the records in this file are
interpreted.</para>

<warning>
<para>The only time that you need this file is when you have more than
@ -39,9 +42,9 @@

<warning>
<para>If you have an entry for a zone and interface in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) then do
not include any entries in this file for that same (zone, interface)
pair.</para>
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
then do not include any entries in this file for that same (zone,
interface) pair.</para>
</warning>

<para>The columns in the file are as follows (where the column name is
@ -55,8 +58,8 @@

<listitem>
<para>The name of a zone declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). You may not
list the firewall zone in this column.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).
You may not list the firewall zone in this column.</para>
</listitem>
</varlistentry>

@ -137,8 +140,8 @@
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) file
then you do NOT need to specify the 'ipsec' option
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
file then you do NOT need to specify the 'ipsec' option
here.</para>
</listitem>
</varlistentry>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-interfaces</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -71,7 +73,8 @@
zone in this column.</para>

<para>If the interface serves multiple zones that will be defined in
the <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
the <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file, you should place "-" in this column.</para>

<para>If there are multiple interfaces to the same zone, you must
@ -115,8 +118,8 @@ loc eth2 -</programlisting>

<para>Care must be exercised when using wildcards where there is
another zone that uses a matching specific interface. See <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
discussion of this problem.</para>
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for a discussion of this problem.</para>

<para>Shorewall6 allows '+' as an interface name.</para>

@ -270,8 +273,8 @@ loc eth2 -</programlisting>

<listitem>
<para>the interface is a <ulink
url="/SimpleBridge.html">simple bridge</ulink> with a
DHCP server on one port and DHCP clients on another
url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
server on one port and DHCP clients on another
port.</para>

<note>
@ -501,7 +504,7 @@ loc eth2 -</programlisting>
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>

<para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
default. To disable this option, specify tcpflags=0. </para>
default. To disable this option, specify tcpflags=0.</para>
</listitem>
</varlistentry>


@ -6,6 +6,8 @@
<refentrytitle>shorewall-ipsets</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
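Review bot: the `<refentrytitle>` in this file reads `shorewall-ipsets` while the page's own cross-references (next hunk) point at `/manpages6/` pages; please confirm whether this should be `shorewall6-ipsets`, in the same way the shorewall6-params title is corrected elsewhere in this commit.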
@ -78,7 +80,8 @@
specified, matching packets must match all of the listed sets.</para>

<para>For information about set lists and exclusion, see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5).</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5).</para>

<para>Beginning with Shorewall 4.5.16, you can increment one or more
nfacct objects each time a packet matches an ipset. You do that by listing

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-maclist</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -27,8 +29,9 @@
associated IPv6 addresses to be allowed to use the specified interface.
The feature is enabled by using the <emphasis
role="bold">maclist</emphasis> option in the <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
or <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
configuration file.</para>

<para>The columns in the file are as follows.</para>
@ -43,8 +46,8 @@
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
is also allowed). If specified, the
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then REJECT is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-mangle</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -25,13 +27,14 @@

<para>This file was introduced in Shorewall 4.6.0 and is intended to
replace <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
only processed by the compiler if:</para>
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>.
This file is only processed by the compiler if:</para>

<orderedlist numeration="loweralpha">
<listitem>
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
or</para>
</listitem>

@ -46,10 +49,10 @@

<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule
that matches.</para>

<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink
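Review bot: the trailing context line `/etc/shorewall/providers be sure to read the restrictions at <ulink` names the IPv4 path inside the shorewall6-mangle page; other shorewall6 pages in this patch use `/etc/shorewall6/...` (e.g. `/etc/shorewall6/rules` in shorewall6-nesting), so this should probably read `/etc/shorewall6/providers`. The reflowed sentence also still says "the LAST tcrule that matches" although this is the mangle file; "the LAST rule in this file that matches" would avoid the stale term.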
@ -106,8 +109,8 @@
<para>Unless otherwise specified for the particular
<replaceable>command</replaceable>, the default chain is PREROUTING
when MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
when MARK_IN_FORWARD_CHAIN=Yes.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>

<para>A chain-designator may not be specified if the SOURCE or DEST
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
@ -312,8 +315,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</programlisting>

<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
third rule above can be specified as follows:</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
then the third rule above can be specified as follows:</para>

<programlisting>2:P eth0 - ; -p tcp</programlisting>
</listitem>
@ -731,9 +734,9 @@ Normal-Service => 0x00</programlisting>
<para>An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5)). The interface name may be optionally followed by a colon
(":") and an IP address list.</para>
</listitem>

<listitem>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-masq</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -35,10 +37,10 @@
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to do
that.</para>
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
or PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
do that.</para>
</warning>

<para>The columns in the file are as follows.</para>
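Review bot: the link text `shorewall-tcrules` does not match its own URL `/manpages6/shorewall6-tcrules.html`; the new line `url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to` should read `shorewall6-tcrules`. Since the shorewall6-mangle page in this same patch states that the mangle file replaces tcrules as of Shorewall 4.6.0, consider pointing this warning at shorewall6-mangle(5) instead.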
@ -65,10 +67,9 @@
entry that defines <filename
class="devicefile">ppp+</filename>.</para>

<para>Where <ulink
url="/4.4/MultiISP.html#Shared">more that
one internet provider share a single interface</ulink>, the provider
is specified by including the provider name or number in
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>

<programlisting> eth0(Avvanta)</programlisting>
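Review bot: the reflow rejoins the phrase but keeps the typo in the new line `<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one`; it should read "more than one".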
@ -81,8 +82,8 @@
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
are ipset names preceded by a plus sign '+'.</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+'.</para>

<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of COMMENT lines. These lines
@ -545,8 +546,8 @@
</programlisting>

<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then these
rules may be specified as follows:</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then these rules may be specified as follows:</para>

<programlisting>/etc/shorewall/masq:


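Review bot: the trailing context line `<programlisting>/etc/shorewall/masq:` shows the IPv4 path in the shorewall6-masq page; the example should name `/etc/shorewall6/masq:` to match the rest of the shorewall6 documentation in this patch.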
@ -6,6 +6,8 @@
<refentrytitle>shorewall6-modules</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -30,8 +32,8 @@
<para>These files specify which kernel modules shorewall6 will load before
trying to determine your ip6tables/kernel's capabilities. The
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5); the
<filename>helpers</filename> file is used when
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5);
the <filename>helpers</filename> file is used when
LOAD_HELPERS_ONLY=Yes.</para>

<para>Each record in the files has the following format:</para>
@ -86,8 +88,8 @@

<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),

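Review bot: the new line `shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),` preserves the missing space after the comma; since the line is being rewrapped anyway, add the space for consistency with the rest of the list.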
@ -6,6 +6,8 @@
<refentrytitle>shorewall6-nesting</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -24,17 +26,18 @@
<refsect1>
<title>Description</title>

<para>In <ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
<para>In <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a zone
may be declared to be a sub-zone of one or more other zones using the
above syntax. The <replaceable>child-zone</replaceable> may be neither the
firewall zone nor a vserver zone. The firewall zone may not appear as a
parent zone, although all vserver zones are handled as sub-zones of the
firewall zone.</para>

<para>Where zones are nested, the CONTINUE policy in <ulink
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
that are within multiple zones to be managed under the rules of all of
these zones.</para>
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5)
allows hosts that are within multiple zones to be managed under the rules
of all of these zones.</para>
</refsect1>

<refsect1>
@ -74,7 +77,8 @@
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>

@ -109,10 +113,11 @@

<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

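Review bot: the rewrapped line `shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),` keeps the missing space after the comma; worth fixing while this list is being reflowed.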
@ -6,6 +6,8 @@
<refentrytitle>shorewall6-netmap</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -24,8 +26,7 @@
<title>Description</title>

<para>This file is used to map addresses in one network to corresponding
addresses in a second network. It was added in Shorewall6
4.4.23.3.</para>
addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>

<warning>
<para>To use this file, your kernel and ip6tables must have RAWPOST
@ -145,8 +146,8 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,

@ -3,9 +3,11 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-netmap(5),shorewall6-params</refentrytitle>
<refentrytitle>shorewall6-params</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
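Review bot: replacing `<refentrytitle>shorewall6-netmap(5),shorewall6-params</refentrytitle>` with `<refentrytitle>shorewall6-params</refentrytitle>` is a correct fix to the page's identity, but it goes beyond the commit message "Add <refmiscinfo>...</refmiscinfo> to remaining manpages"; please mention the title correction in the message or split it into its own commit so the change is findable later.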
@ -26,8 +28,8 @@
<para>Assign any shell variables that you need in this file. The file is
always processed by <filename>/bin/sh</filename> or by the shell specified
through SHOREWALL_SHELL in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
of shell capabilities may be used.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the
full range of shell capabilities may be used.</para>

<para>It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-policy</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -66,8 +68,8 @@

<listitem>
<para>Source zone. Must be the name of a zone defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
"all+".</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$FW, "all" or "all+".</para>

<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
@ -84,11 +86,11 @@

<listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
"all+", another bport zone associated with the same bridge, or it
must be an ipv4 zone that is associated with only the same
bridge.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
must be "all", "all+", another bport zone associated with the same
bridge, or it must be an ipv4 zone that is associated with only the
same bridge.</para>

<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
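Review bot: the reflowed line `bridge, or it must be an ipv4 zone that is associated with only the` keeps "ipv4" in the shorewall6-policy page; in this IPv6 manpage the zone type should read "ipv6 zone".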
@ -118,8 +120,8 @@
<listitem>
<para>The word "None" or "none". This causes any default action
defined in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
omitted for this policy.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
to be omitted for this policy.</para>
</listitem>

<listitem>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-providers</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -77,17 +79,17 @@

<listitem>
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file to
direct packets to this provider.</para>
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
file to direct packets to this provider.</para>

<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then the
value must be a multiple of 256 between 256 and 65280 or their
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
of the value being zero). Otherwise, the value must be between 1 and
255. Each provider must be assigned a unique mark value. This column
may be omitted if you don't use packet marking to direct connections
to a particular provider.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then the value must be a multiple of 256 between 256 and 65280 or
their hexadecimal equivalents (0x0100 and 0xff00 with the low-order
byte of the value being zero). Otherwise, the value must be between
1 and 255. Each provider must be assigned a unique mark value. This
column may be omitted if you don't use packet marking to direct
connections to a particular provider.</para>
</listitem>
</varlistentry>

@ -190,7 +192,8 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
||||
defaults to the setting of the TRACK_PROVIDERS option in
|
||||
<ulink url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
|
||||
<ulink
|
||||
url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5). If you set TRACK_PROVIDERS=Yes and want to override that
|
||||
setting for an individual provider, then specify
|
||||
<option>notrack</option> (see below).</para>
|
||||
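Review bot: the link target in the rewrapped line `url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>` misspells the file as "shorwewall6" (the old line has the same defect), so the rendered link is broken; since the line is being rewritten, correct it to `/manpages6/shorewall6.conf.html`, the path every other shorewall6.conf link in this patch uses.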

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-proxyndp</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-routes</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -34,8 +36,8 @@

<listitem>
<para>The name or number of a provider defined in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink> (5).
Beginning with Shorewall 4.5.14, you may also enter
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
(5). Beginning with Shorewall 4.5.14, you may also enter
<option>main</option> in this column to add routes to the main
routing table.</para>
</listitem>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-routestopped</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-rtrules</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-rules</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -25,8 +27,8 @@

<para>Entries in this file govern connection establishment by defining
exceptions to the policies laid out in <ulink
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
subsequent requests and responses are automatically allowed using
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By
default, subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the
rules are evaluated in the order in which they appear in this file and the
first terminating match is the one that determines the disposition of the
@ -137,8 +139,8 @@

<warning>
<para>If you specify FASTACCEPT=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then
the <emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para>

<para>An except is made if you are running Shorewall 4.4.27 or later and
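Review bot: the trailing context line `<para>An except is made if you are running Shorewall 4.4.27 or later and` should read "An exception is made"; it sits directly under the rewrapped warning, so it is worth fixing in the same pass.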
@ -207,8 +209,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
in /usr/share/shorewall/actions.std.</para>
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall/actions.std.</para>
</listitem>
</varlistentry>

@ -302,7 +304,8 @@
<para>Do not process any of the following rules for this
(source zone,destination zone). If the source and/or
destination IP address falls into a zone defined later in
<ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
or in a parent zone of the source or destination zones, then
this connection request will be passed to the rules defined
for that (those) zone(s). See <ulink
@ -629,8 +632,8 @@

<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall/actions.std then:</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std then:</para>

<itemizedlist>
<listitem>
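Review bot: the rewrapped line `url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)` in this shorewall6-rules hunk points at the IPv4 manpage, while the hunk at @ -207,8 +209,8 in the same file links `url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)`; make the two consistent (the IPv6 link) while the line is being touched.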
@ -688,10 +691,10 @@
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>

<para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@ -856,18 +859,19 @@

<listitem>
<para>Location of Server. May be a zone declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$<emphasis role="bold">FW</emphasis> to indicate the firewall
itself, <emphasis role="bold">all</emphasis>. <emphasis
role="bold">all+</emphasis> or <emphasis
role="bold">none</emphasis>.</para>

<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
Ths <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
exclusion is supported -- see see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
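Review bot: three text defects are carried into the rewrapped lines of this hunk: `Ths <replaceable>zone-list</replaceable> may be optionally followed` should start with "This"; `itself, <emphasis role="bold">all</emphasis>. <emphasis` uses a full stop where the enumeration "all, all+ or none" needs a comma; and the context line `exclusion is supported -- see see <ulink` doubles "see". Fix all three since the paragraph is being rewritten anyway.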

@ -1559,9 +1563,9 @@
</simplelist>

<para>If the HELPERS option is specified in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then any module
specified in this column must be listed in the HELPERS
setting.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then any module specified in this column must be listed in the
HELPERS setting.</para>
</listitem>
</varlistentry>
</variablelist>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-secmarks</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -25,10 +27,10 @@

<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final secmark
for each packet will be the one assigned by the LAST rule that
matches.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final secmark for each packet will be the one assigned by the LAST rule
that matches.</para>
</important>

<para>The secmarks file is used to associate an SELinux context with
@ -243,8 +245,8 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-stoppedrules</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcclasses</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -140,8 +142,8 @@
<para>Normally, all classes defined here are sub-classes of a root
class (class number 1) that is implicitly defined from the entry in
<ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
can establish a class hierarchy by specifying a
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5).
You can establish a class hierarchy by specifying a
<emphasis>parent</emphasis> class -- the number of a class that you
have previously defined. The sub-class may borrow unused bandwidth
from its parent.</para>
@ -155,13 +157,13 @@
<listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
marking the traffic you want to fit in the classes defined in here.
Must be specified as '-' if the <emphasis
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
file, marking the traffic you want to fit in the classes defined in
here. Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
you are running Shorewall 4.5 5 or earlier.</para>
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
and you are running Shorewall 4.5 5 or earlier.</para>

<para>You can use the same marks for different interfaces.</para>
</listitem>
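Review bot: `and you are running Shorewall 4.5 5 or earlier.` in the rewrapped line has a space inside the version number (the old line `you are running Shorewall 4.5 5 or earlier.` has the same defect); it should read "4.5.5", and this rewrap is the place to fix it.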
@ -672,10 +674,10 @@
priority number, giving less delay) and will be granted excess
bandwidth (up to 180kbps, the class ceiling) first, before any other
traffic. A single VoIP stream, depending upon codecs, after
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
classes EF and AFF3-1 respectively and are often used by VOIP
devices).</para>
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
a little bit just in case. (TOS byte values 0xb8 and 0x68 are
DiffServ classes EF and AFF3-1 respectively and are often used by
VOIP devices).</para>

<para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
echo traffic if you use the example in tcrules) and any packet with
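Review bot: `DiffServ classes EF and AFF3-1 respectively and are often used by` names a class that does not exist; TOS byte 0x68 is DSCP 26 (0x68 >> 2), which is AF31, so the rewrapped text should read "EF and AF31". The same sentence also spells the protocol both "VoIP" and "VOIP"; pick one while the paragraph is being reflowed.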

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcdevices</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -151,8 +153,7 @@
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink
url="/FAQ.htm#faq97a">Shorewall FAQ
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>

<para>To create a rate-estimated filter, precede the bandwidth with

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcfilters</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcinterfaces</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -25,7 +27,8 @@

<para>This file lists the interfaces that are subject to simple traffic
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
file:</para>
@ -161,8 +164,7 @@
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink
url="/FAQ.htm#faq97a">Shorewall FAQ
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>

<para>To create a rate-estimated filter, precede the bandwidth with

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tcpri</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -25,12 +27,13 @@

<para>This file is used to specify the priority band of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
of each packet is determined by the <emphasis role="bold">last</emphasis>
entry that the packet matches. If a packet doesn't match any entry in this
file, then its priority will be determined by its TOS field. The default
mapping is as follows but can be changed by setting the TC_PRIOMAP option
in <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The
priority band of each packet is determined by the <emphasis
role="bold">last</emphasis> entry that the packet matches. If a packet
doesn't match any entry in this file, then its priority will be determined
by its TOS field. The default mapping is as follows but can be changed by
setting the TC_PRIOMAP option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
@ -131,8 +134,8 @@
[<replaceable>helper</replaceable>]</term>

<listitem>
<para>Optional. Names a Netfilter protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the
<para>Optional. Names a Netfilter protocol helper module such as
ftp, sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number
that the original connection was made on.</para>

@ -3,9 +3,11 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-mangle</refentrytitle>
<refentrytitle>shorewall6-tcrules</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
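Review bot: this hunk also replaces `<refentrytitle>shorewall6-mangle</refentrytitle>` with `<refentrytitle>shorewall6-tcrules</refentrytitle>`, a title correction that the commit message ("Add <refmiscinfo>...</refmiscinfo> to remaining manpages") does not mention; either record the title fix in the commit message or split it into its own commit so it is discoverable in the history.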
@ -28,10 +30,10 @@

<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule
that matches.</para>

<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall6/providers be sure to read the restrictions at <ulink
@ -517,7 +519,8 @@
[<replaceable>option</replaceable>] ...") after any matches
specified at the end of the rule. If the target is not one known
to Shorewall, then it must be defined as a builtin action in
<ulink url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
(5).</para>

<para>The following rules are equivalent:</para>
@ -529,8 +532,8 @@ INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>

<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
third rule above can be specified as follows:</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
then the third rule above can be specified as follows:</para>

<programlisting>2:P eth0 - ; -p tcp</programlisting>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
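Review bot: `<refentrytitle>shorewall6-</refentrytitle>` is a truncated title (nothing follows the hyphen); if this file is a template from which new manpages are copied that is acceptable, but otherwise the title must be completed, and either way a short comment in the file saying it is a placeholder would stop it being reported as a bug.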
@ -54,10 +56,11 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>
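Review bot: the rewrapped SEE ALSO line `shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),` is still missing the space after the comma that follows shorewall6-netmap(5); add it while the list is being reflowed.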

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tos</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>

@ -6,6 +6,8 @@
<refentrytitle>shorewall6-tunnels</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -27,8 +29,8 @@
encrypted) traffic to pass between the Shorewall6 system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See <ulink
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
for details.</para>
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
details.</para>

<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
@ -138,8 +140,8 @@

<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
may be given. Exclusion (<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
is not supported.</para>
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5) ) is not supported.</para>
</listitem>
</varlistentry>


@ -6,6 +6,8 @@
<refentrytitle>shorewall6-vardir</refentrytitle>

<manvolnum>5</manvolnum>

<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>

<refnamediv>
@ -55,10 +57,11 @@

<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>
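Review bot: same missing space in this SEE ALSO list: `shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),` needs a space after "shorewall6-netmap(5),", and the rewrap is the moment to add it.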
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall6-zones</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -44,17 +46,17 @@
|
||||
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
|
||||
names. The maximum length of a zone name is determined by the
|
||||
setting of the LOGFORMAT option in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
|
||||
default LOGFORMAT, zone names can be at most 5 characters
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
||||
With the default LOGFORMAT, zone names can be at most 5 characters
|
||||
long.</para>
|
||||
|
||||
<blockquote>
|
||||
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
||||
explained in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the default
|
||||
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
||||
%s is replaced by the chain name and the second is replaced by the
|
||||
disposition.</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
|
||||
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
|
||||
where the first %s is replaced by the chain name and the second is
|
||||
replaced by the disposition.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -95,8 +97,8 @@
|
||||
follow the (sub)zone name by ":" and a comma-separated list of the
|
||||
parent zones. The parent zones must have been declared in earlier
|
||||
records in this file. See <ulink
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||
for additional information.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
@ -108,8 +110,8 @@ c:a,b ipv6</programlisting>
|
||||
<para>Currently, Shorewall6 uses this information to reorder the
|
||||
zone list so that parent zones appear after their subzones in the
|
||||
list. The IMPLICIT_CONTINUE option in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
|
||||
create implicit CONTINUE policies to/from the subzone.</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can
|
||||
also create implicit CONTINUE policies to/from the subzone.</para>
|
||||
|
||||
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
||||
explicitly included as a child of an <emphasis
|
||||
@ -178,7 +180,8 @@ c:a,b ipv6</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
||||
Linux-vserver guests. The zone contents must be defined in
|
||||
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Vserver zones are implicitly handled as subzones of the
|
||||
@ -353,8 +356,8 @@ c:a,b ipv6</programlisting>
|
||||
<listitem>
|
||||
<para>sets the MSS field in TCP packets. If you supply this
|
||||
option, you should also set FASTACCEPT=No in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to
|
||||
insure that both the SYN and SYN,ACK packets have their MSS
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
|
||||
to insure that both the SYN and SYN,ACK packets have their MSS
|
||||
field adjusted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -6,6 +6,8 @@
|
||||
<refentrytitle>shorewall6.conf</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
@ -286,7 +288,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>Specify the appropriate helper in the HELPER column in
|
||||
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<note>
|
||||
@ -393,9 +396,10 @@
|
||||
packets that are UNTRACKED due to entries in <ulink
|
||||
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
|
||||
This includes entries in the <ulink
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
|
||||
and in the BLACKLIST section of <ulink
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
|
||||
(5) file and in the BLACKLIST section of <ulink
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
@ -464,8 +468,8 @@
|
||||
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
|
||||
specified, CLEAR_TC=No is assumed.</para>
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||
If not specified, CLEAR_TC=No is assumed.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you also run Shorewall and if you have
|
||||
@ -861,11 +865,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<para>Subzones are defined by following their name with ":" and a
|
||||
list of parent zones (in <ulink
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
|
||||
you want to have a set of special rules for the subzone and if a
|
||||
connection doesn't match any of those subzone-specific rules then
|
||||
you want the parent zone rules and policies to be applied; see
|
||||
<ulink url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)).
|
||||
Normally, you want to have a set of special rules for the subzone
|
||||
and if a connection doesn't match any of those subzone-specific
|
||||
rules then you want the parent zone rules and policies to be
|
||||
applied; see <ulink
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
|
||||
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
||||
|
||||
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
||||
@ -882,9 +887,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
|
||||
separates column-oriented specifications on the left from <ulink
|
||||
url="/configuration_file_basics.htm#Pairs">alternative
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>,
|
||||
a semicolon separates column-oriented specifications on the left
|
||||
from <ulink url="/configuration_file_basics.htm#Pairs">alternative
|
||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||
specified, the specifications on the right are interpreted as if
|
||||
INLINE had been specified in the ACTION column. If not specified or
@ -900,10 +905,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5).
When a packet in INVALID state fails to match any rule in the
INVALID section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
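Review bot: the rewrapped link text `shorewall-rules</ulink> (5)` in this hunk still names the IPv4 manpage while the URL points at /manpages6/shorewall6-rules.html; the neighbouring entries in the same file use `shorewall6-rules</ulink> (5)`, so the new line should read the same. The space before `(5)` is also inconsistent with the `</ulink>(5)` form used in most other hunks of this diff; settling on one form per file would be worthwhile while these lines are being touched.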
@ -915,8 +920,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
logged at this level. The default value is empty which means no
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
are logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -1205,7 +1210,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<note>
<para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
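Review bot: the context line `has an effect of the permitted length of zone names` in this hunk uses the wrong preposition; it should be `has an effect on the permitted length`, a one-word fix that belongs with this rewrap of the note.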
@ -1373,8 +1379,8 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>The performance of configurations with a large numbers of
entries in <ulink
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5) can be
improved by setting the MACLIST_TTL variable in <ulink
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5)
can be improved by setting the MACLIST_TTL variable in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

<para>If your iptables and kernel support the "Recent Match" (see
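Review bot: `configurations with a large numbers of entries` in the first context line of this hunk mixes singular and plural; make it `a large number of entries` in the same change, since the paragraph is being rewrapped anyway.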
@ -1384,14 +1390,15 @@ LOG:info:,bar net fw</programlisting>

<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
<ulink url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5). If
there is a match then the source IP address is added to the 'Recent'
set for that interface. Subsequent connection attempts from that IP
address occurring within $MACLIST_TTL seconds will be accepted
without having to scan all of the entries. After $MACLIST_TTL from
the first accepted connection request from an IP address, the next
connection request from that IP address will be checked against the
entire list.</para>
<ulink
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5).
If there is a match then the source IP address is added to the
'Recent' set for that interface. Subsequent connection attempts from
that IP address occurring within $MACLIST_TTL seconds will be
accepted without having to scan all of the entries. After
$MACLIST_TTL from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.</para>

<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@ -1860,10 +1867,10 @@ LOG:info:,bar net fw</programlisting>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
about the safety of this practice resulted in the addition of this
option. When a packet in RELATED state fails to match any rule in
the RELATED section, the packet is disposed of based on this
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
Concern about the safety of this practice resulted in the addition
of this option. When a packet in RELATED state fails to match any
rule in the RELATED section, the packet is disposed of based on this
setting. The default value is ACCEPT for compatibility with earlier
versions.</para>
</listitem>
@ -1876,8 +1883,8 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
logged at this level. The default value is empty which means no
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
are logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -2040,9 +2047,9 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)) to
be dropped. A_DROP causes the packets to be audited prior to being
dropped and requires AUDIT_TARGET support in the kernel and
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
to be dropped. A_DROP causes the packets to be audited prior to
being dropped and requires AUDIT_TARGET support in the kernel and
ip6tables.</para>
</listitem>
</varlistentry>
@ -2187,7 +2194,8 @@ INLINE - - - ; -j REJECT
<filename>tcdevices</filename> and <filename>tcclasses</filename>
files. This allows the compiler to have access to your Shorewall
traffic shaping configuration so that it can validate CLASSIFY rules
in <ulink url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
(5).</para>

<warning>
@ -2222,12 +2230,12 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
TOS field to priority bands. See <ulink
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
<emphasis>map</emphasis> consists of 16 space-separated digits with
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
the priority of TOS value 0, the second of TOS value 1, and so on.
See tc-prio(8) for additional information.</para>
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5).
The <emphasis>map</emphasis> consists of 16 space-separated digits
with values 1, 2 or 3. A value of 1 corresponds to Linux priority 0,
2 to Linux priority 1, and 3 to Linux Priority 2. The first entry
gives the priority of TOS value 0, the second of TOS value 1, and so
on. See tc-prio(8) for additional information.</para>

<para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
2 2".</para>
@ -2273,8 +2281,8 @@ INLINE - - - ; -j REJECT
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
<option>track</option> option to be assumed on all providers defined
in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5). May
be overridden on an individual provider through use of the
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).
May be overridden on an individual provider through use of the
<option>notrack</option> option. The default value is 'No'.</para>

<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -2286,14 +2294,15 @@ INLINE - - - ; -j REJECT
to zero, thus allowing the packet to be routed using the 'main'
routing table. Using the main table allowed dynamic routes (such as
those added for VPNs) to be effective. The <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
created to provide a better alternative to clearing the packet mark.
As a consequence, passing these packets to PREROUTING complicates
things without providing any real benefit. Beginning with Shorewall
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
through 'tracked' interfaces will not be passed to the PREROUTING
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
change should be transparent to most, if not all, users.</para>
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
file was created to provide a better alternative to clearing the
packet mark. As a consequence, passing these packets to PREROUTING
complicates things without providing any real benefit. Beginning
with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
packets arriving through 'tracked' interfaces will not be passed to
the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
4.4.3, this change should be transparent to most, if not all,
users.</para>
</listitem>
</varlistentry>

@ -2322,10 +2331,10 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
When a packet in UNTRACKED state fails to match any rule in the
UNTRACKED section, the packet is disposed of based on this setting.
The default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
@ -2337,8 +2346,8 @@ INLINE - - - ; -j REJECT
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
logged at this level. The default value is empty which means no
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5)
are logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
@ -6,6 +6,8 @@
<refentrytitle>shorewall6</refentrytitle>

<manvolnum>8</manvolnum>

<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>

<refnamediv>
@ -659,9 +661,9 @@
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each
<emphasis role="bold">v</emphasis> adds one to the effective verbosity and
each <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
There may be no white-space between <emphasis role="bold">v</emphasis> and
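Review bot: the context line `to specify a specify VERBOSITY` in this hunk duplicates `specify`; it should read `to specify a specific VERBOSITY`. Since the hunk already rewraps the surrounding sentence, include that fix.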
@ -701,10 +703,10 @@

<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
single ipset to handle entries for multiple interfaces. When that
option is specified for a zone, the <command>add</command> command
has the alternative syntax in which the
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the <command>add</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
@ -756,7 +758,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
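Review bot: the context line `if the line current line contains` in this hunk has a stray `the line` before `current line`; it should read `if the current line contains`. The identical sentence is repeated unchanged in the later hunks of this file (@ -822, -1032, -1124, -1184, -1241, -1569 and -1672), so the same fix applies to each; a single substitution over the file would be simpler than patching the copies one by one.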
@ -822,7 +825,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>

@ -842,11 +846,11 @@

<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
single ipset to handle entries for multiple interfaces. When that
option is specified for a zone, the <command>delete</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the
<command>delete</command> command has the alternative syntax in
which the <replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
</varlistentry>
@ -865,8 +869,8 @@
any optional network interface. <replaceable>interface</replaceable>
may be either the logical or physical name of the interface. The
command removes any routes added from <ulink
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
traffic shaping configuration for the interface.</para>
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
and any traffic shaping configuration for the interface.</para>
</listitem>
</varlistentry>

@ -912,8 +916,8 @@
may be either the logical or physical name of the interface. The
command sets <filename>/proc</filename> entries for the interface,
adds any route specified in <ulink
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and
installs the interface's traffic shaping configuration, if
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
and installs the interface's traffic shaping configuration, if
any.</para>
</listitem>
</varlistentry>
@ -1032,7 +1036,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>

@ -1043,7 +1048,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>

@ -1052,7 +1058,8 @@

<listitem>
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
produces an audible alarm when new Shorewall6 messages are logged.
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that information is
@ -1072,7 +1079,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>

@ -1124,7 +1132,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

<para>The -<option>D</option> option was added in Shorewall 4.5.3
and causes Shorewall to look in the given
@ -1184,7 +1193,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>

@ -1229,9 +1239,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
<option>-f</option> and <option>-c </option>are present, the result
is determined by the option that appears last.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When both <option>-f</option> and <option>-c </option>are present,
the result is determined by the option that appears last.</para>

<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
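Review bot: the rewrapped line `<option>-f</option> and <option>-c </option>are present` in this hunk keeps the separating space inside the option element, so the markup carries `-c ` with a trailing blank and the text after it is glued to the closing tag; move the space outside: `<option>-c</option> are present`. The same line reappears in the later @ -1557,9 hunk and should be fixed there as well.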
@ -1241,7 +1251,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>

@ -1445,8 +1456,8 @@
<listitem>
<para>Displays the last 20 Shorewall6 messages from the log
file specified by the LOGFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
<emphasis role="bold">-m</emphasis> option causes the MAC
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
@ -1537,16 +1548,16 @@
for configuration files. If <emphasis role="bold">-f</emphasis> is
specified, the saved configuration specified by the RESTOREFILE
option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall6. When <emphasis
role="bold">-f</emphasis> is given, a
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
will be restored if that saved configuration exists and has been
modified more recently than the files in /etc/shorewall6. When
<emphasis role="bold">-f</emphasis> is given, a
<replaceable>directory</replaceable> may not be specified.</para>

<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
was added to <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When
LEGACY_FASTSTART=No, the modification times of files in
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall6 are compared with that of
/var/lib/shorewall6/firewall (the compiled script that last
started/restarted the firewall).</para>
@ -1557,9 +1568,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
<option>-f</option> and <option>-c </option>are present, the result
is determined by the option that appears last.</para>
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When both <option>-f</option> and <option>-c </option>are present,
the result is determined by the option that appears last.</para>

<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
@ -1569,7 +1580,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>

@ -1581,9 +1593,9 @@
listed in <ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
down. The only new traffic permitted through the firewall is from
systems listed in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
are taken down. The only new traffic permitted through the firewall
is from systems listed in <ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
</listitem>
@ -1652,13 +1664,15 @@

<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
to be converted to entries in the blrules file (<ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
and <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>
(5) ) to be converted to entries in the blrules file (<ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
(5) ). The blacklist keyword is removed from <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5),
<ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5) and <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
The unmodified files are saved with a .bak suffix.</para>

<para>The <option>-D</option> option was added in Shorewall 4.5.11.
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
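Review bot: the rewrapped lines `(5) ) to be converted` and `(5) ). The blacklist keyword` in this hunk keep a space before the closing parenthesis in both places; since these lines are being rewritten anyway, `(5)) to be converted` and `(5)). The blacklist keyword` would read cleaner and match the `(5))` form used for the nosmurfs reference elsewhere in this diff.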
@ -1672,7 +1686,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>

<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>