mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
More documentation changes for Lite
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4082 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
90ad8341ba
commit
467e62de62
@ -15,10 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-11-02</pubdate>
|
||||
<pubdate>2006-06-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2005</year>
|
||||
<year>2003-2002</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -44,9 +44,9 @@
|
||||
<para>Shorewall accounting rules are described in the file
|
||||
/etc/shorewall/accounting. By default, the accounting rules are placed in a
|
||||
chain called <quote>accounting</quote> and can thus be displayed using
|
||||
<quote>shorewall show accounting</quote>. All traffic passing into, out of
|
||||
or through the firewall traverses the accounting chain including traffic
|
||||
that will later be rejected by interface options such as
|
||||
<quote>shorewall[-lite] show accounting</quote>. All traffic passing into,
|
||||
out of or through the firewall traverses the accounting chain including
|
||||
traffic that will later be rejected by interface options such as
|
||||
<quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
|
||||
support the connection tracking match extension (Kernel 2.4.21) then some
|
||||
traffic rejected under <quote>norfc1918</quote> will not traverse the
|
||||
@ -184,8 +184,9 @@
|
||||
web:COUNT - eth1 eth0 tcp - 443
|
||||
DONE web</programlisting>
|
||||
|
||||
<para>Now <quote>shorewall show web</quote> will give you a breakdown of
|
||||
your web traffic:</para>
|
||||
<para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
|
||||
for Shorewall Lite users) will give you a breakdown of your web
|
||||
traffic:</para>
|
||||
|
||||
<programlisting> [root@gateway shorewall]# shorewall show web
|
||||
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
|
||||
@ -212,8 +213,9 @@
|
||||
COUNT web eth0 eth1
|
||||
COUNT web eth1 eth0</programlisting>
|
||||
|
||||
<para>Now <quote>shorewall show web</quote> simply gives you a breakdown by
|
||||
input and output:</para>
|
||||
<para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
|
||||
for Shorewall Lite users) simply gives you a breakdown by input and
|
||||
output:</para>
|
||||
|
||||
<programlisting> [root@gateway shorewall]# shorewall show accounting web
|
||||
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2006-06-10</pubdate>
|
||||
<pubdate>2006-06-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2006</year>
|
||||
@ -39,15 +39,9 @@
|
||||
|
||||
<para>Beginning with Shorewall version 3.1, Shorewall has the capability
|
||||
to compile a Shorewall configuration and produce a runnable firewall
|
||||
program script. The script is a complete program which can be placed in
|
||||
the /etc/init.d/ directory on a system without Shorewall installed and can
|
||||
serve as the firewall creation script for that system.</para>
|
||||
|
||||
<para>Compiled programs can also be created to instantiate special
|
||||
configurations during parts of the day; for example, to disallow web
|
||||
browsing between the hours of 9pm and 7AM. The program can be run as a
|
||||
cron job at 9PM and another program run at 6AM to restore normal
|
||||
operation.</para>
|
||||
program script. The script is a complete program which can be placed on a
|
||||
system with <emphasis>Shorewall Lite</emphasis> installed and can serve as
|
||||
the firewall creation script for that system.</para>
|
||||
|
||||
<section>
|
||||
<title>Restrictions</title>
|
||||
@ -197,7 +191,7 @@
|
||||
<para>The firewall systems do <emphasis role="bold">NOT</emphasis>
|
||||
need to have the full Shorewall product installed but rather only
|
||||
the Shorewall Lite product. Shorewall and Shorewall LIte may be
|
||||
installed on the same system.</para>
|
||||
installed on the same system but that isn't encouraged.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
@ -225,6 +219,15 @@
|
||||
directory appropriately. It's a good idea to include the IP
|
||||
address of the administrative system in the
|
||||
<filename>routestopped</filename> file.</para>
|
||||
|
||||
<para>It is important to understand that with Shorewall Lite, the
|
||||
firewall's configuration directory on the administrative system
|
||||
acts as <filename class="directory">/etc/shorewall</filename> for
|
||||
that firewall. So when the Shorewall documentation gives
|
||||
instructions for placing entries in files in the firewall's
|
||||
<filename class="directory">/etc/shorewall</filename>, when using
|
||||
Shorewall Lite you make those changes in the firewall's
|
||||
configuration directory on the administrative system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -348,15 +351,12 @@
|
||||
|
||||
<programlisting><command>shorewall stop</command></programlisting>
|
||||
|
||||
<para><emphasis role="bold">We strongly recommend that you uninstall
|
||||
<para><emphasis role="bold">We recommend that you uninstall
|
||||
Shorewall at this point.</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Install Shorewall Lite on the firewall system; <emphasis
|
||||
role="bold">If you did not uninstall Shorewall in the previous step,
|
||||
then you must switch <filename>/sbin/shorewall</filename> to
|
||||
Shorewall Lite as described above.</emphasis></para>
|
||||
<para>Install Shorewall Lite on the firewall system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
49
docs/FAQ.xml
49
docs/FAQ.xml
@ -193,8 +193,8 @@ DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root type <quote> <command>shorewall show nat</command>
|
||||
</quote></para>
|
||||
<para>As root type <quote> <command>shorewall[-lite] show
|
||||
nat</command> </quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -244,11 +244,11 @@ DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>
|
||||
the connection is being dropped or rejected. If it is, then you
|
||||
may have a zone definition problem such that the server is in a
|
||||
different zone than what is specified in the DEST column. At a
|
||||
root promt, type "<command>shorewall show zones</command>" then be
|
||||
sure that in the DEST column you have specified the <emphasis
|
||||
role="bold">first</emphasis> zone in the list that matches
|
||||
OUT=<dev> and DEST= <ip>from the REJECT/DROP log
|
||||
message.</para>
|
||||
root promt, type "<command>shorewall[-lite] show zones</command>"
|
||||
then be sure that in the DEST column you have specified the
|
||||
<emphasis role="bold">first</emphasis> zone in the list that
|
||||
matches OUT=<dev> and DEST= <ip>from the REJECT/DROP
|
||||
log message.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
@ -550,8 +550,9 @@ DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0
|
||||
|
||||
<warning>
|
||||
<para>With dynamic IP addresses, you probably don't want to use
|
||||
<ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
|
||||
save</command> and <command>shorewall
|
||||
<ulink
|
||||
url="starting_and_stopping_shorewall.htm"><command>shorewall[-lite]
|
||||
save</command> and <command>shorewall[-lite]
|
||||
restore</command></ulink>.</para>
|
||||
</warning>
|
||||
</section>
|
||||
@ -1063,8 +1064,8 @@ LOGBURST=""</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The packet has a source IP address that isn't in any of your
|
||||
defined zones (<quote>shorewall check</quote> and look at the
|
||||
printed zone definitions) or the chain is FORWARD and the
|
||||
defined zones (<quote>shorewall[-lite] show zones</quote> and look
|
||||
at the printed zone definitions) or the chain is FORWARD and the
|
||||
destination IP isn't in any of your defined zones. If the chain is
|
||||
FORWARD and the IN and OUT interfaces are the same, then you
|
||||
probably need the <emphasis role="bold">routeback</emphasis>
|
||||
@ -1083,8 +1084,8 @@ LOGBURST=""</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The packet has a destination IP address that isn't in any of
|
||||
your defined zones("shorewall check" and look at the printed zone
|
||||
definitions).</para>
|
||||
your defined zones("shorewall show zones" and look at the printed
|
||||
zone definitions).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1247,9 +1248,9 @@ LOGBURST=""</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="faq52">
|
||||
<title>(FAQ 52) When I blacklist an IP address with "shorewall drop
|
||||
www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT entries
|
||||
from that address?</title>
|
||||
<title>(FAQ 52) When I blacklist an IP address with "shorewall[-lite]
|
||||
drop www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT
|
||||
entries from that address?</title>
|
||||
|
||||
<para>I blacklisted the address 130.252.100.59 using <command>shorewall
|
||||
drop 130.252.100.59</command> but I am still seeing these log
|
||||
@ -1312,7 +1313,7 @@ LOGBURST=""</programlisting>
|
||||
<title>Starting and Stopping</title>
|
||||
|
||||
<section id="faq7">
|
||||
<title>(FAQ 7) When I stop Shorewall using <quote>shorewall
|
||||
<title>(FAQ 7) When I stop Shorewall using <quote>shorewall[-lite]
|
||||
stop</quote>, I can't connect to anything. Why doesn't that command
|
||||
work?</title>
|
||||
|
||||
@ -1320,7 +1321,7 @@ LOGBURST=""</programlisting>
|
||||
to place your firewall into a safe state whereby only those hosts listed
|
||||
in <filename>/etc/shorewall/routestopped</filename>' are activated. If
|
||||
you want to totally open up your firewall, you must use the <quote>
|
||||
<command>shorewall clear</command> </quote> command.</para>
|
||||
<command>shorewall[-lite] clear</command> </quote> command.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq8">
|
||||
@ -1512,8 +1513,8 @@ Creating input Chains...
|
||||
</section>
|
||||
|
||||
<section id="faq45">
|
||||
<title>(FAQ 45) Why does "shorewall start fail" when trying to set up
|
||||
SNAT/Masquerading?</title>
|
||||
<title>(FAQ 45) Why does "shorewall[-lite] start" fail when trying to
|
||||
set up SNAT/Masquerading?</title>
|
||||
|
||||
<para><command>shorewall start</command> produces the following
|
||||
output:</para>
|
||||
@ -1595,12 +1596,12 @@ iptables: Invalid argument
|
||||
</section>
|
||||
|
||||
<section id="faq25">
|
||||
<title>(FAQ 25) How to I tell which version of Shorewall I am
|
||||
running?</title>
|
||||
<title>(FAQ 25) How to I tell which version of Shorewall or Shorewall
|
||||
Lite I am running?</title>
|
||||
|
||||
<para>At the shell prompt, type:</para>
|
||||
|
||||
<programlisting><command>/sbin/shorewall version</command> </programlisting>
|
||||
<programlisting><command>/sbin/shorewall[-lite] version</command> </programlisting>
|
||||
</section>
|
||||
|
||||
<section id="faq31">
|
||||
@ -1988,7 +1989,7 @@ REJECT fw net:216.239.39.99 all</programlisting>Given that
|
||||
support?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Use the
|
||||
<command>shorewall show capabilities</command> command at a root
|
||||
<command>shorewall[-lite] show capabilities</command> command at a root
|
||||
prompt.</para>
|
||||
|
||||
<programlisting>gateway:~# shorewall show capabilities
|
||||
|
@ -15,12 +15,12 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-11-23</pubdate>
|
||||
<pubdate>2006-06-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-</year>
|
||||
|
||||
<year>2005</year>
|
||||
<year>2006</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2006-03-23</pubdate>
|
||||
<pubdate>2006-06-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2006</year>
|
||||
@ -157,7 +157,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
<title>Dynamic Blacklisting</title>
|
||||
|
||||
<para>Dynamic blacklisting doesn't use any configuration parameters but is
|
||||
rather controlled using /sbin/shorewall commands:</para>
|
||||
rather controlled using /sbin/shorewall[-lite] commands:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -219,7 +219,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
<example>
|
||||
<title>Ignore packets from a pair of systems</title>
|
||||
|
||||
<programlisting> <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
|
||||
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
|
||||
|
||||
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
|
||||
</example>
|
||||
@ -227,7 +227,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
<example>
|
||||
<title>Re-enable packets from a system</title>
|
||||
|
||||
<programlisting> <command>shorewall allow 192.0.2.125</command></programlisting>
|
||||
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
|
||||
|
||||
<para>Re-enables traffic from 192.0.2.125.</para>
|
||||
</example>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2006-06-04</pubdate>
|
||||
<pubdate>2006-06-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -589,6 +589,13 @@
|
||||
respectively. The default level of verbosity is determined by the
|
||||
setting of the VERBOSITY option in
|
||||
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
||||
|
||||
<para>For Shorewall Lite, the general command form is:</para>
|
||||
|
||||
<para><command>shorewall-lite [ <options> ] <command> [
|
||||
<command options> ] [ <argument> ... ]</command></para>
|
||||
|
||||
<para>where the options are the same as with Shorewall.</para>
|
||||
</blockquote>
|
||||
|
||||
<para>Following in alphabetical order are the supported commands. Except
|
||||
@ -773,7 +780,8 @@
|
||||
<term>drop</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall drop <address> ...</command></para>
|
||||
<para><command>shorewall[-lite] drop <address>
|
||||
...</command></para>
|
||||
|
||||
<para>Causes packets from the specified
|
||||
<<emphasis>address</emphasis>> to be ignored</para>
|
||||
@ -784,7 +792,7 @@
|
||||
<term>dump</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall [ -x ] dump</command></para>
|
||||
<para><command>shorewall[-lite] [ -x ] dump</command></para>
|
||||
|
||||
<para>Produce a verbose report about the firewall.</para>
|
||||
|
||||
@ -797,7 +805,7 @@
|
||||
<term>forget</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall forget [ <filename>
|
||||
<para><command>shorewall[-lite] forget [ <filename>
|
||||
]</command></para>
|
||||
|
||||
<para>Deletes<filename>
|
||||
@ -813,8 +821,8 @@
|
||||
<term>help</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall help [<command> | host | address
|
||||
]</command></para>
|
||||
<para><command>shorewall[-lite] help [<command> | host |
|
||||
address ]</command></para>
|
||||
|
||||
<para>Display helpful information about the shorewall
|
||||
commands.</para>
|
||||
@ -825,7 +833,7 @@
|
||||
<term>hits</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>hits</command></para>
|
||||
<para><command>shorewall[-lite] hits</command></para>
|
||||
|
||||
<para>Produces several reports about the Shorewall packet log
|
||||
messages in the current log file specified by the LOGFILE option in
|
||||
@ -838,8 +846,8 @@
|
||||
<term>ipcalc</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall ipcalc { <address> <mask> |
|
||||
<address>/<vlsm> }</command></para>
|
||||
<para><command>shorewall[-lite] ipcalc { <address>
|
||||
<mask> | <address>/<vlsm> }</command></para>
|
||||
|
||||
<para>Ipcalc displays the network address, broadcast address,
|
||||
network in CIDR notation and netmask corresponding to the
|
||||
@ -847,7 +855,8 @@
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><command>ipcalc 192.168.1.0/24</command></para>
|
||||
<para><command>shorewall[-lite] ipcalc
|
||||
192.168.1.0/24</command></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -855,7 +864,7 @@
|
||||
<term>iprange</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall iprange
|
||||
<para><command>shorewall[-lite] iprange
|
||||
<address1>-<address2></command></para>
|
||||
|
||||
<para>Iprange decomposes the specified range of IP addresses into
|
||||
@ -867,7 +876,7 @@
|
||||
<term>logdrop</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall logdrop <address>
|
||||
<para><command>shorewall[-lite] logdrop <address>
|
||||
...</command></para>
|
||||
|
||||
<para>Causes packets from the specified
|
||||
@ -879,7 +888,7 @@
|
||||
<term>logwatch</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall logwatch [ -m ] [<refresh
|
||||
<para><command>shorewall[-lite] logwatch [ -m ] [<refresh
|
||||
interval>]</command></para>
|
||||
|
||||
<para>Monitors the log file specified by theLOGFILE option in <ulink
|
||||
@ -897,7 +906,7 @@
|
||||
<term>logreject</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall logreject <address>
|
||||
<para><command>shorewall[-lite] logreject <address>
|
||||
...</command></para>
|
||||
|
||||
<para>Causes packets from the specified
|
||||
@ -926,7 +935,8 @@
|
||||
<term>reject</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall reject <address> ...</command></para>
|
||||
<para><command>shorewall[-lite] reject <address>
|
||||
...</command></para>
|
||||
|
||||
<para>Causes packets from the specified
|
||||
<<emphasis>address</emphasis>>s to be rejected</para>
|
||||
@ -937,7 +947,7 @@
|
||||
<term>reset</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall reset</command></para>
|
||||
<para><command>shorewall[-lite] reset</command></para>
|
||||
|
||||
<para>All the packet and byte counters in the firewall are
|
||||
reset.</para>
|
||||
@ -948,7 +958,7 @@
|
||||
<term>restart</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall [ -q ] restart
|
||||
<para><command>shorewall[-lite] [ -q ] restart
|
||||
<configuration-directory></command></para>
|
||||
|
||||
<para>Restart is similar to <command>shorewall stop</command>
|
||||
@ -962,7 +972,7 @@
|
||||
<term>restore</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall [ -q ] restore [ <filename>
|
||||
<para><command>shorewall[-lite] [ -q ] restore [ <filename>
|
||||
]</command></para>
|
||||
|
||||
<para>Restore Shorewall to a state saved using the
|
||||
@ -1016,15 +1026,16 @@
|
||||
<term>save</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall save [ <filename> ]</command></para>
|
||||
<para><command>shorewall[-lite] save [ <filename>
|
||||
]</command></para>
|
||||
|
||||
<para>The dynamic data is stored in /var/lib/shorewall/save. The
|
||||
state of the firewall is stored in
|
||||
<filename>/var/lib/shorewall/<filename></filename> for use by
|
||||
the <command>shorewall restore</command> and <command>shorewall -f
|
||||
start</command> commands. If <<emphasis>filename</emphasis>>
|
||||
is not given then the state is saved in the file specified by the
|
||||
RESTOREFILE option in <ulink
|
||||
the <command>shorewall[-lite] restore</command> and
|
||||
<command>shorewall[-lite] -f start</command> commands. If
|
||||
<<emphasis>filename</emphasis>> is not given then the state is
|
||||
saved in the file specified by the RESTOREFILE option in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1033,40 +1044,52 @@
|
||||
<term>show</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall [ -x ] show [ <chain> [ <chain>
|
||||
...] |classifiers|connections|log|nat|tc|tos]</command></para>
|
||||
<para><command>shorewall [ -x ] show actions (Not supported by
|
||||
Shorewall Lite)</command> — produces a list of actions available on
|
||||
the system.</para>
|
||||
|
||||
<para><command>shorewall [ -x ] show <chain> [ <chain>
|
||||
... ] </command> - produce a verbose report about the Netfilter
|
||||
chain(s). (<command>iptables -L chain -n -v</command>)</para>
|
||||
<para><command>shorewall[-lite] [ -x ] show [ <chain> [
|
||||
<chain> ...]
|
||||
|classifiers|connections|log|nat|tc|tos]</command></para>
|
||||
|
||||
<para><command>shorewall [ -x ] show mangle</command> - produce a
|
||||
verbose report about the mangle table. (<command>iptables -t mangle
|
||||
-L -n -v</command>)</para>
|
||||
|
||||
<para><command>shorewall [ -x ] show nat</command> - produce a
|
||||
verbose report about the nat table. (<command>iptables -t nat -L -n
|
||||
<para><command>shorewall[-lite] [ -x ] show <chain> [
|
||||
<chain> ... ] </command> - produce a verbose report about the
|
||||
Netfilter chain(s). (<command>iptables -L chain -n
|
||||
-v</command>)</para>
|
||||
|
||||
<para><command>shorewall show [- m ] log</command> - display the
|
||||
last 20 packet log entries. The '-m' option is available in
|
||||
<para><command>shorewall[-lite] [ -x ] show mangle</command> -
|
||||
produce a verbose report about the mangle table. (<command>iptables
|
||||
-t mangle -L -n -v</command>)</para>
|
||||
|
||||
<para><command>shorewall[-lite] [ -x ] show nat</command> - produce
|
||||
a verbose report about the nat table. (<command>iptables -t nat -L
|
||||
-n -v</command>)</para>
|
||||
|
||||
<para><command>shorewall[-lite] show [- m ] log</command> - display
|
||||
the last 20 packet log entries. The '-m' option is available in
|
||||
Shorewall version 3.2.0 Beta5 and later and causes the MAC address
|
||||
of each packet source to be displayed if that information is
|
||||
available.</para>
|
||||
|
||||
<para><command>shorewall show capabilities</command> - Displays your
|
||||
kernel/iptables capabilities</para>
|
||||
<para><command>shorewall[-lite] show capabilities</command> -
|
||||
Displays your kernel/iptables capabilities</para>
|
||||
|
||||
<para><command>shorewall show connections</command> - displays the
|
||||
IP connections currently being tracked by the firewall.</para>
|
||||
<para><command>shorewall[-lite] show connections</command> -
|
||||
displays the IP connections currently being tracked by the
|
||||
firewall.</para>
|
||||
|
||||
<para><command>shorewall show classifiers</command> - displays
|
||||
information about the traffic control/shaping classifiers.</para>
|
||||
<para><command>shorewall[-lite] show classifiers</command> -
|
||||
displays information about the traffic control/shaping
|
||||
classifiers.</para>
|
||||
|
||||
<para><command>shorewall show tc</command> - displays information
|
||||
about the traffic control/shaping configuration.</para>
|
||||
<para><command>shorewall [ -x ] show macros (Not supported by
|
||||
Shorewall Lite)</command> — produces a list of macros available on
|
||||
the system.</para>
|
||||
|
||||
<para><command>shorewall show zones</command> — Displays the
|
||||
<para><command>shorewall[-lite] show tc</command> - displays
|
||||
information about the traffic control/shaping configuration.</para>
|
||||
|
||||
<para><command>shorewall[-lite] show zones</command> — Displays the
|
||||
composition of each zone.</para>
|
||||
|
||||
<para>When -x is given, that option is also passed to iptables to
|
||||
@ -1078,7 +1101,7 @@
|
||||
<term>start</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall [ -q ] [ -f ] start [
|
||||
<para><command>shorewall[-lite] [ -q ] [ -f ] start [
|
||||
<configuration-directory> ]</command></para>
|
||||
|
||||
<para>Start shorewall. Existing connections through shorewall
|
||||
@ -1096,7 +1119,7 @@
|
||||
<term>stop</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall stop</command></para>
|
||||
<para><command>shorewall[-lite] stop</command></para>
|
||||
|
||||
<para>Stops the firewall. All existing connections, except those
|
||||
listed in <filename><ulink
|
||||
@ -1114,7 +1137,7 @@
|
||||
<term>status</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall status</command></para>
|
||||
<para><command>shorewall[-lite] status</command></para>
|
||||
|
||||
<para>Produce a short report about the firewall's status and state
|
||||
relative to <link linkend="State">the diagram below</link>.</para>
|
||||
@ -1146,7 +1169,7 @@
|
||||
<term>version</term>
|
||||
|
||||
<listitem>
|
||||
<para><command>shorewall version</command></para>
|
||||
<para><command>shorewall[-lite] version</command></para>
|
||||
|
||||
<para>Show the current shorewall version</para>
|
||||
</listitem>
|
||||
@ -1161,13 +1184,6 @@
|
||||
|
||||
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
|
||||
|
||||
<para>You will note that mose of the commands that result in state
|
||||
transitions use the word <quote>firewall</quote> rather than
|
||||
<quote>shorewall</quote>. That is because the actual transitions are done
|
||||
by <command>/usr/share/shorewall/firewall</command>;
|
||||
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
|
||||
to the following table:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
@ -1268,11 +1284,11 @@
|
||||
</informaltable>
|
||||
|
||||
<para>The only time that a program other than
|
||||
<command>/usr/share/shorewall/firewall</command> performs a state
|
||||
transition itself is when it executes the <command>shorewall
|
||||
<command>/usr/share/shorewall[-lite[/firewall</command> performs a state
|
||||
transition itself is when it executes the <command>shorewall[-lite]
|
||||
restore</command> command is executed. In that case, the
|
||||
<command>/var/lib/shorewall/restore</command> program sets the state to
|
||||
"Started".</para>
|
||||
<command>/var/lib/shorewall[-lite]/restore</command> program sets the
|
||||
state to "Started".</para>
|
||||
|
||||
<section>
|
||||
<title>Notes for Shorewall 3.2.0 and Later</title>
|
||||
|
@ -191,6 +191,52 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para> Beginning with this release, the way in which packet marking in
|
||||
the PREROUTING chain interracts with the 'track' option in
|
||||
/etc/shorewall/providers has changed in two ways:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Packets arriving on a tracked interface are now passed to
|
||||
the PREROUTING marking chain so that they may be marked with a
|
||||
mark other than the 'track' mark (the connection still retains the
|
||||
'track' mark).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on
|
||||
packets in the PREROUTING chain (i.e., you can specify a mark
|
||||
value of zero).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para> Kernel version 2.6.16 introduces 'xtables', a new common packet
|
||||
filtering and connection tracking facility that supports both IPv4 and
|
||||
IPv6. Because a different set of kernel modules must be loaded for
|
||||
xtables, Shorewall now includes two 'modules' files:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall/modules</filename> -- the
|
||||
former <filename>/etc/shorewall/modules</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>/usr/share/shorewall/xmodules -- a new file that support
|
||||
xtables.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>If you wish to use the new file, then simply execute this
|
||||
command:</para>
|
||||
|
||||
<para><command>cp -f /usr/share/shorewall/xmodules
|
||||
/etc/shorewall/modules</command></para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
|
@ -59,7 +59,7 @@ DIR=$PWD
|
||||
#
|
||||
# location and options for GnuPG
|
||||
#
|
||||
GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
|
||||
GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
|
||||
################################################################################
|
||||
# V A R I A B L E S
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user