From 508fbf0d452da8f19fad4ce9745e40d182bac67c Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 15 Oct 2007 17:13:50 +0000 Subject: [PATCH] Document third argument to add_rule() git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7468 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/Documentation_Index.xml | 14 ++++++------- docs/VPN.xml | 31 ++++++++++++++-------------- docs/shorewall_extension_scripts.xml | 11 ++++++++-- 3 files changed, 32 insertions(+), 24 deletions(-) diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 1cb143e2f..81a25f3ef 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -240,8 +240,7 @@ Port Forwarding - White List - Creation + VPN Passthrough @@ -250,8 +249,8 @@ Port Information - Xen - Shorewall in a Bridged Xen - DomU + White List + Creation @@ -261,8 +260,8 @@ Port Knocking and Other Uses of the 'Recent Match' - Xen - Shorewall in Routed - Xen Dom0 + Xen - Shorewall in a Bridged Xen + DomU @@ -270,7 +269,8 @@ PPTP - + Xen - Shorewall in Routed + Xen Dom0 diff --git a/docs/VPN.xml b/docs/VPN.xml index a6348fc53..e31c41bb2 100644 --- a/docs/VPN.xml +++ b/docs/VPN.xml @@ -5,7 +5,7 @@ - VPN + VPN Passthrough 
@@ -53,17 +53,17 @@ system has IP address 192.168.1.12 and that the remote gateway has IP address 192.0.2.224. - If PPTP is being used, there are no firewall requirements beyond the - default loc->net ACCEPT policy. There is one restriction however: Only - one local system at a time can be connected to a single remote gateway - unless you patch your kernel from the Patch-o-matic patches - available at http://www.netfilter.org. + If PPTP is being used and you need to have two or more local systems + connected to the same remote server at the same time, then you should be + sure that the PPTP helpers modules are loaded (ip_conntrack_pptp and + ip_nat_pptp or nf_conntrack_pptp and nf_nat_pptp). Using the default + modules file, Shorewall (Lite) will attempt to load these modules when + Shorewall (Lite) is started. If IPSEC is being used, you should configure IPSEC to use NAT Traversal -- Under NAT traversal the IPSEC - packets (protocol 50 or 51) are encapsulated in UDP packets with - destination port 4500. Additionally, keep-alive + packets (protocol 50 or 51) are encapsulated in UDP packets (normally with + destination port 4500). Additionally, keep-alive messages are sent frequently so that NATing gateways between the end-points will retain their connection-tracking entries. This is the way that I connect to the HP Intranet and it works flawlessly without @@ -72,9 +72,10 @@ of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN" pulldown. - Alternatively, if IPSEC is being used then you can try the - following: only one system may connect to the remote gateway and there are - firewall configuration requirements as follows: + Alternatively, if you have an IPSEC gateway behind your firewall + then you can try the following: only one system may connect to the remote + gateway and there are firewall configuration requirements as + follows: /etc/shorewall/rules 
@@ -196,7 +197,7 @@ If you want to be able to give access to all of your local systems to the remote network, you should consider running a VPN client on your firewall. As starting points, see The /etc/shorewall/tunnels manpage - or http://www.shorewall.net/PPTP.htm. + url="manpages/shorewall-tunnels.html">The /etc/shorewall/tunnels + manpage. - + \ No newline at end of file diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 6ecea824b..c69f650ee 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -412,8 +412,15 @@ esac <the rule> is a scalar argument holding the rule text. Do not include "-A <chain name>" - Example:add_rule( $chainref, '-j ACCEPT' );To - insert a rule into the chain: insert_rule( $chainref, <rulenum>, <the rule> );The + Example:add_rule( $chainref, '-j ACCEPT' ); + + Beginning with Shorewall 4.0.5, add_rule() accepts an optional + third argument; If that argument evaluates to true and the passed rule + contains a --dports list with more than 15 ports (a port range counts as + two ports), the rule will be split into multiple rules where each + resulting rule has 15 or fewer ports in its --dports list. + + To insert a rule into the chain: insert_rule( $chainref, <rulenum>, <the rule> );The log_rule_limit() function works like it does in the shell compiler with three exceptions:
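Review bot: In the Documentation_Index.xml hunk at @@ -270,7 +269,8 @@, the formerly empty cell in the PPTP row now holds "Xen - Shorewall in Routed Xen Dom0", completing the one-cell shift that the three preceding hunks make to fit the new "VPN Passthrough" entry. Since the rendered diff shows only the cell text, check the raw XML once more that each shifted entry kept its own link target (the VPN entry should point at VPN.xml, whose title this same commit changes to "VPN Passthrough"), as a shift by one cell is exactly where a title and its target get paired wrongly.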
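Review bot: In the VPN.xml hunk at @@ -53,17 +53,17 @@, "PPTP helpers modules" should read "PPTP helper modules". The rewrite also drops the statement from the removed lines that a single PPTP connection needs nothing beyond the default loc->net ACCEPT policy; keep that sentence, since the new text only covers the two-or-more-systems case and a reader could conclude that the helper modules are required for any PPTP passthrough at all. "(normally with destination port 4500)" is a good correction, and the clarification that Shorewall (Lite) attempts to load the modules only when using the default modules file is worth keeping as is.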
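Review bot: In the VPN.xml hunk at @@ -72,9 +72,10 @@, a comma after "firewall" would help: "Alternatively, if you have an IPSEC gateway behind your firewall, then you can try the following". Since the paragraph just above recommends NAT Traversal, it would also help to say in one clause that this alternative is the non-NAT-T case (passing protocol 50 or 51 directly), which is why it is limited to a single connecting system and has firewall rule requirements.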
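Review bot: In the VPN.xml hunk at @@ -196,7 +197,7 @@, the file is left without a trailing newline ("\ No newline at end of file"); add the final newline so later diffs of this file stay clean. Replacing the http://www.shorewall.net/PPTP.htm reference with the shorewall-tunnels manpage link is fine, but the sentence now says "As starting points, see" followed by a single link, so "starting point" (singular) reads better.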
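Review bot: In the shorewall_extension_scripts.xml hunk at @@ -412,8 +412,15 @@, "third argument; If that argument" should be "third argument. If that argument" (or a comma with lower-case "if"). The new paragraph should also say what happens when the argument is false or omitted and the --dports list still exceeds 15 ports (the rule is presumably passed through unchanged, which the text leaves implicit), and a brief reason for the limit would help readers of this API, since the 15-port ceiling with a range counting as two is the multiport match's own maximum, not a Shorewall choice. Finally, the last added line still runs "insert_rule( $chainref, <rulenum>, <the rule> );The log_rule_limit()" together; split it into two paragraphs the way the "Example:" line was split above it.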