diff --git a/docs/Actions.xml b/docs/Actions.xml
index 06f3ec281..56ffebd09 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -113,6 +113,14 @@ ACCEPT - - tcp 135,139,445
+ Enabling the Use of Actions
+
+ In Shorewall version 3.4 and later, to make use of any of the three
+ types of actions you must set the USE_ACTIONS option to Yes in
+ /etc/shorewall/shorewall.conf.
+
+
+
Default Actions (Formerly Common Actions)
Shorewall allows the association of a default
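Review bot: The new "Enabling the Use of Actions" paragraph refers to "any of the three types of actions" without naming them, and it does not say what happens when USE_ACTIONS is left at No; the Macros.xml change in this same patch states that DEFAULT_... values are then resolved as macro names, so the paragraph should say that default macros still work without USE_ACTIONS=Yes and link to where the three action types are defined, otherwise a reader of this section will conclude that default rules are unavailable unless USE_ACTIONS is enabled.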
@@ -140,17 +148,37 @@ ACCEPT - - tcp 135,139,445
- Shorewall provides default actions for the REJECT and DROP policies.
- The default action for REJECT is named Reject and
- the default action for DROP is named Drop. These
- associations are made through two entries in
- /usr/share/shorewall/actions.std:
+ If you are running Shorewall 3.2 or earlier, then:
- Drop:DROP #Default Action for DROP policy
+
+ Shorewall provides default actions for the REJECT and DROP
+ policies. The default action for REJECT is named
+ Reject and the default action for DROP is named
+ Drop. These associations are made through two
+ entries in /usr/share/shorewall/actions.std:
+
+ Drop:DROP #Default Action for DROP policy
Reject:REJECT #Default Action for REJECT policy
- These may be overridden by entries in your /etc/shorewall/actions
- file.
+ These may be overridden by entries in your /etc/shorewall/actions
+ file.
+
+
+ If you are running Shorewall 3.4 or later, then:
+
+
+ Shorewall supports default actions for the ACCEPT, REJECT, DROP
+ and QUEUE policies. These default actions are specified in the
+ /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
+ REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively.
+ Policies whose default is set to a value of "none" have no default
+ action.
+
+ In addition, the default specified in
+ /etc/shorewall/shorewall.conf may be overridden by specifying a
+ different default in the POLICY column of /etc/shorewall/policy.
+
Entries in the DROP and REJECT default actions Limiting per-IPaddress
Connection Rate
- Shorewall Setup
- Guide
+ Shorewall
+ Modularization
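Review bot: The 3.4 text here names the options ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT, while the Macros.xml hunk in this same patch calls them DEFAULT_ACCEPT, DEFAULT_REJECT, DEFAULT_DROP and DEFAULT_QUEUE; only one spelling can match shorewall.conf, so the two documents need to be reconciled before merging. Two smaller points: the "Drop:DROP #Default Action for DROP policy" line is deleted and re-added unchanged, which looks like whitespace-only churn, and this hunk also replaces the "Shorewall Setup Guide" navigation entry with "Shorewall Modularization", which is the insertion that every following Actions.xml hunk cascades from (each later hunk just shifts the navigation list down by one entry, with no content change).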
@@ -206,7 +206,8 @@
Logging
- SMB
+ Shorewall Setup
+ Guide
@@ -215,8 +216,7 @@
Macros
- Squid with
- Shorewall
+ SMB
@@ -226,9 +226,8 @@
MAC
Verification
- Starting/stopping the
- Firewall
+ Squid with
+ Shorewall
@@ -238,8 +237,9 @@
Multiple Internet Connections
from a Single Firewall
- Static (one-to-one)
- NAT
+ Starting/stopping the
+ Firewall
@@ -249,7 +249,8 @@
Multiple Zones Through One
Interface
- Support
+ Static (one-to-one)
+ NAT
@@ -259,8 +260,7 @@
My Shorewall
Configuration
- Traffic
- Accounting
+ Support
@@ -270,8 +270,8 @@
Netfilter
Overview
- Traffic
- Shaping/QOS
+ Traffic
+ Accounting
@@ -280,8 +280,8 @@
Network Mapping
- Troubleshooting
+ Traffic
+ Shaping/QOS
@@ -290,7 +290,8 @@
One-to-one NAT (Static
NAT)
- UPnP
+ Troubleshooting
@@ -299,8 +300,7 @@
OpenVPN
- Upgrade
- Issues
+ UPnP
@@ -310,7 +310,8 @@
Operating
Shorewall
- VPN
+ Upgrade
+ Issues
@@ -320,8 +321,7 @@
Packet
Marking
- White List
- Creation
+ VPN
@@ -331,8 +331,8 @@
Packet Processing in a
Shorewall-based Firewall
- Xen - Shorewall in a Bridged Xen
- DomU
+ White List
+ Creation
@@ -340,8 +340,8 @@
'Ping' Management
- Xen - Shorewall in Bridged Xen
- Dom0
+ Xen - Shorewall in a Bridged Xen
+ DomU
@@ -350,8 +350,8 @@
Port Information
- Xen - Shorewall in Routed
- Xen Dom0
+ Xen - Shorewall in Bridged Xen
+ Dom0
@@ -361,7 +361,8 @@
Port Knocking and Other Uses
of the 'Recent Match'
-
+ Xen - Shorewall in Routed
+ Xen Dom0
diff --git a/docs/Macros.xml b/docs/Macros.xml
index c4ba45f78..1bc67131f 100644
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -245,6 +245,29 @@ ACCEPT fw loc tcp 135,139,445
from actions cannot themselves invoke other actions.
+
+ Default Macros
+
+ Beginning with Shorewall release 3.4, Shorewall supports
+ default macros; default macros perform the same
+ function as default actions. The DEFAULT_ACCEPT,
+ DEFAULT_REJECT, DEFAULT_DROP and DEFAULT_QUEUE options in
+ /etc/shorewall/shorewall.conf may specify the name of
+ a macro. In that case, the rules in the macro will be traversed before the
+ associated policy is applied.
+
+ The value of the DEFAULT_... settings is interpreted as follows. If
+ USE_ACTIONS=Yes in shorewall.conf, then the value is treated like the name
+ of an action -- if that action is not found, then the value is treated
+ like the name of a macro. If USE_ACTIONS=No, then the value is treated
+ like the name of a macro. The special value "none" is always interpreted
+ as "no default rules should be applied".
+
+ Shorewall versions 3.4 and later include standard 'Reject' and
+ 'Drop' macros that are equivalent to the 'Reject' and 'Drop'
+ actions.
+
+
Defining your own Macros
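Review bot: The option names DEFAULT_ACCEPT, DEFAULT_REJECT, DEFAULT_DROP and DEFAULT_QUEUE disagree with ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT in the Actions.xml hunk of this patch; please use the spelling that shorewall.conf actually accepts in both files. The lookup order paragraph (action first when USE_ACTIONS=Yes, then macro) is useful, but since the patch adds standard 'Reject' and 'Drop' macros with the same names as the existing actions, it would help to state explicitly that with USE_ACTIONS=Yes the action is the one selected, and that the macro is only reached when USE_ACTIONS=No or the action is absent.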
diff --git a/docs/Modularization.xml b/docs/Modularization.xml
new file mode 100644
index 000000000..1196f6ff2
--- /dev/null
+++ b/docs/Modularization.xml
@@ -0,0 +1,235 @@
+
+
+
+
+
+
+ Shorewall Modularization
+
+
+
+ Tom
+
+ Eastep
+
+
+
+
+
+
+ 2006
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License
.
+
+
+
+
+ Introduction
+
+ One of the major changes in Shorewall version 3.4 involved breaking
+ much of the code into libraries. This
+ modularization is expected to be used primarily by embedded distributions
+ that wish to minimize the Shorewall disk and RAM footprint.
+
+ Shorewall libraries are Bourne shell source files that contain
+ nothing but function declarations. Shorewall libraries may be loaded into
+ a running shell program using the shell's "." operator. The library files
+ have names which begin with "lib." and are installed in /usr/share/shorewall/.
+
+ Individual libraries are of one of two classes. The first class of
+ libraries are required libraries which, as their
+ name implies, must be included in any Shorewall installation. The other
+ libraries are optional libraries that implement a
+ particular function. Each optional library may be included or omitted
+ based on the requirements of the individual installation.
+
+
+
+ Required Libraries
+
+ Shorewall 3.4 includes the following required libraries.
+
+
+
+ lib.base — includes functions needed by all Shorewall
+ programs.
+
+
+
+ lib.cli — includes functions common to both
+ /sbin/shorewall and
+ /sbin/shorewall-lite.
+
+
+
+ lib.config — contains functions common to both
+ /sbin/shorewall and
+ /usr/share/shorewall/firewall.
+
+
+
+ lib.base and lib.cli are installed in /usr/share/shorewall-lite/ on
+ Shorewall Lite systems.
+
+
+
+ Optional Libraries
+
+ Optional libraries are loaded upon demand based on the user's
+ configuration.
+
+ In Shorewall 3.4, the optional librares are as follows.
+
+
+
+ lib.accounting — required if the
+ /etc/shorewall/accounting file is
+ non-empty.
+
+
+
+ lib.actions — required if USE_ACTIONS=Yes in
+ /etc/shorewall/shorewall.conf.
+
+
+
+ lib.dynamiczones — required if DYNAMIC_ZONES=Yes in
+ /etc/shorewall/shorewall.conf.
+
+
+
+ lib.maclist — required if the maclist option is specified in any
+ entry in /etc/shorewall/interfaces or
+ /etc/shorewall/hosts.
+
+
+
+ lib.nat — required if the
+ /etc/shorewall/masq,
+ /etc/shorewall/nat or
+ /etc/shorewall/netmap files are non-empty or if
+ DNAT[-] rules are present in
+ /etc/shorewall/rules.
+
+
+
+ lib.providers — required if the
+ /etc/shorewall/providers file is
+ non-empty.
+
+
+
+ lib.proxyarp — required if the
+ /etc/shorewall/proxyarp file is non-empty or if
+ the proxyarp option is specified in
+ an entry in /etc/shorewall/interfaces.
+
+
+
+ lib.tc — required if the
+ /etc/shorewall/tcdevices or
+ /etc/shorewall/tcclasses file is
+ non-empty.
+
+
+
+ lib.tcrules — required if the
+ /etc/shorewall/tcrules file is non-empty.
+
+
+
+ lib.tunnels — required if the
+ /etc/shorewall/tunnels file is
+ non-empty.
+
+
+
+ As described, many of the libraries are required when one or more
+ configuration files are non-empty and embedded distribution providers are
+ encouraged to package each optional library together with its associated
+ configuration files.
+
+
+
+
+
+
+
+ Library
+
+ Files
+
+
+
+ lib.accounting
+
+ /etc/shorewall/accounting
+
+
+
+ lib.actions
+
+ /etc/shorewall/actions
+
+
+
+ lib.maclist
+
+ /etc/shorewall/maclist
+
+
+
+ lib.nat
+
+ /etc/shorewall/masq, /etc/shorewall/nat,
+ /etc/shorewall/netmap
+
+
+
+ lib.providers
+
+ /etc/shorewall/route_rules,
+ /etc/shorewall/providers
+
+
+
+ lib.proxyarp
+
+ /etc/shorewall/proxyarp
+
+
+
+ lib.tc
+
+ /etc/shorewall/tcclasses,
+ /etc/shorewall/tcdevices
+
+
+
+ lib.tcrules
+
+ /etc/shorewall/tcrules
+
+
+
+ lib.tunnels
+
+ /etc/shorewall/tunnels
+
+
+
+
+
+
\ No newline at end of file
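Review bot: The optional-library list and the packaging table at the end of the new file do not agree, which matters because the text tells embedded distributions to package each library with its configuration files: lib.dynamiczones appears in the list but not in the table (it depends on DYNAMIC_ZONES in shorewall.conf rather than on a file, and the text should say so); the table maps lib.maclist to /etc/shorewall/maclist while the list says it is needed when the maclist option is used in /etc/shorewall/interfaces or /etc/shorewall/hosts; the table adds /etc/shorewall/route_rules for lib.providers, which the list above never mentions; and the list says lib.nat is also needed when DNAT[-] rules are present in /etc/shorewall/rules, so packaging lib.nat only with masq, nat and netmap is not sufficient. Minor: "librares" in the Optional Libraries section should read "libraries", and the file is missing its trailing newline.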