fixed quotes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1012 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 09:47:51 +02:00 · 2003-12-28 19:36:40 +00:00 · 2003-12-28 19:36:40 +00:00 · 59aad1c596
commit 59aad1c596
parent 29c8ce43ac
1 changed files with 58 additions and 81 deletions
--- a/Shorewall-docs/upgrade_issues.xml
+++ b/Shorewall-docs/upgrade_issues.xml
@ -89,11 +89,10 @@
      <listitem>
        <para>An undocumented feature previously allowed entries in the host
        file as follows: <synopsis>
-zone	eth1:192.168.1.0/24,eth2:192.168.2.0/24
+zone    eth1:192.168.1.0/24,eth2:192.168.2.0/24</synopsis> This capability was
-				</synopsis> This capability was never documented and has been removed in
+        never documented and has been removed in 1.4.6 to allow entries of the
-        1.4.6 to allow entries of the following format: <synopsis>
+        following format: <synopsis>
-zone	eth1:192.168.1.0/24,192.168.2.0/24
+zone    eth1:192.168.1.0/24,192.168.2.0/24</synopsis></para>
 				</synopsis></para>
      </listitem>
    </itemizedlist>
  </section>
@ -140,9 +139,9 @@ zone	eth1:192.168.1.0/24,192.168.2.0/24
        was treated just like any other traffic; any matching rules were
        applied followed by enforcement of the appropriate policy. With 1.4.1
        and later versions, unless you have explicit rules for traffic from Z
-        to Z or you have an explicit Z to Z policy (where &#34;Z&#34; is some
+        to Z or you have an explicit Z to Z policy (where <quote>Z</quote> is
-        zone) then traffic between the groups in zone Z will be accepted. If
+        some zone) then traffic between the groups in zone Z will be accepted.
-        you do have one or more explicit rules for Z to Z or if you have an
+        If you do have one or more explicit rules for Z to Z or if you have an
        explicit Z to Z policy then the behavior is as it was in prior
        versions.</para>
@ -162,10 +161,10 @@ zone	eth1:192.168.1.0/24,192.168.2.0/24
          <listitem>
            <para>If you are currently relying on a implicit policy (one that
-            has &#34;all&#34; in either the SOURCE or DESTINATION column) to
+            has <quote>all</quote> in either the SOURCE or DESTINATION column)
-            prevent traffic between two interfaces to a zone Z and you have no
+            to prevent traffic between two interfaces to a zone Z and you have
-            rules for Z-&#62;Z then you should add an explicit DROP or REJECT
+            no rules for Z-&#62;Z then you should add an explicit DROP or
-            policy for Z to Z.</para>
+            REJECT policy for Z to Z.</para>
          </listitem>
        </orderedlist>
      </listitem>
@ -177,27 +176,25 @@ zone	eth1:192.168.1.0/24,192.168.2.0/24
        <filename>interfaces</filename> and, <filename>hosts</filename> file
        contents</title><programlisting>
 <filename class="directory">/etc/shorewall/</filename><filename>zones</filename>
-z1	Zone1	The first Zone
+z1    Zone1    The first Zone
-z2	Zone2	The second Zone
+z2    Zone2    The second Zone
 <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
-z2	eth1	192.168.1.255
+z2    eth1    192.168.1.255
 <filename class="directory">/etc/shorewall/</filename><filename>hosts</filename>
-z1	eth1:192.168.1.3
+z1    eth1:192.168.1.3</programlisting></example> Here, zone z1 is nested in
-					</programlisting></example> Here, zone z1 is nested in zone z2 and the
+        zone z2 and the firewall is not going to be involved in any traffic
-        firewall is not going to be involved in any traffic between these two
+        between these two zones. Beginning with Shorewall 1.4.1, you can
-        zones. Beginning with Shorewall 1.4.1, you can prevent Shorewall from
+        prevent Shorewall from setting up any infrastructure to handle traffic
-        setting up any infrastructure to handle traffic between z1 and z2 by
+        between z1 and z2 by using the new NONE policy: <example><title>The
-        using the new NONE policy: <example><title>The contents of
+        contents of <filename>policy</filename></title><programlisting>
        <filename>policy</filename></title><programlisting>
 <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
-z1	z2	NONE
+z1    z2    NONE
-z2	z1	NONE
+z2    z1    NONE</programlisting></example> Note that NONE policies are
-					</programlisting></example> Note that NONE policies are generally used in
+        generally used in pairs unless there is asymetric routing where only
-        pairs unless there is asymetric routing where only the traffic on one
+        the traffic on one direction flows through the firewall and you are
-        direction flows through the firewall and you are using a NONE polciy
+        using a NONE polciy in the other direction.</para>
        in the other direction.</para>
      </listitem>
    </itemizedlist>
  </section>
@ -222,16 +219,16 @@ z2	z1	NONE
    <important>
      <para>Shorewall &#62;=1.4.0 requires the <command>iproute</command>
-      package (&#39;<literal>ip</literal>&#39; utility).</para>
+      package (<quote><literal>ip</literal></quote> utility).</para>
    </important>
    <note>
      <para>Unfortunately, some distributions call this package
      <command>iproute2</command> which will cause the upgrade of Shorewall to
      fail with the diagnostic: <synopsis>
-error: failed dependencies:iproute is needed by shorewall-1.4.0-1
+error: failed dependencies:iproute is needed by shorewall-1.4.0-1</synopsis>
-				</synopsis> This may be worked around by using the <option>--nodeps</option>
+      This may be worked around by using the <option>--nodeps</option> option
-      option of <command>rpm</command> (<command>rpm -Uvh --nodeps
+      of <command>rpm</command> (<command>rpm -Uvh --nodeps
      <filename>your_shorewall_rpm.rpm</filename></command>).</para>
    </note>
@ -318,8 +315,7 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
    and</para></listitem><listitem><para>That interface connects to more than
    one subnetwork.</para></listitem></orderedlist> Two examples: <example
    label="1"><title>Suppose that your current config is as follows:</title><programlisting>
-				<!-- I added a space below the end of the config file for clarity -->
+<!--I added a space below the end of the config file for clarity-->[root@gateway test]# cat /etc/shorewall/masq
 [root@gateway test]# cat /etc/shorewall/masq
 #INTERFACE              SUBNET                  ADDRESS
 eth0                    eth2                    206.124.146.176
 eth0                    192.168.10.0/24         206.124.146.176
@ -328,12 +324,10 @@ eth0                    192.168.10.0/24         206.124.146.176
 [root@gateway test]# ip route show dev eth2
 192.168.1.0/24  scope link
 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
-[root@gateway test]#
+[root@gateway test]#</programlisting></example> In this case, the second entry
-				</programlisting></example> In this case, the second entry in <filename
+    in <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
-    class="directory">/etc/shorewall/</filename><filename>masq</filename> is
+    is no longer required. <example label="2"><title>What if your current
-    no longer required. <example label="2"><title>What if your current
+    configuration is like this?</title><programlisting>[root@gateway test]# cat /etc/shorewall/masq
    configuration is like this?</title><programlisting>
 [root@gateway test]# cat /etc/shorewall/masq
 #INTERFACE              SUBNET                  ADDRESS
 eth0                    eth2                    206.124.146.176
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
@ -341,21 +335,20 @@ eth0                    eth2                    206.124.146.176
 [root@gateway test]# ip route show dev eth2
 192.168.1.0/24  scope link
 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
-[root@gateway test]#
+[root@gateway test]#</programlisting></example> In this case, you would want
-				</programlisting></example> In this case, you would want to change the
+    to change the entry in /etc/shorewall/masq to:
-    entry in /etc/shorewall/masq to: <programlisting>
+    <programlisting>#INTERFACE              SUBNET                  ADDRESS
 #INTERFACE              SUBNET                  ADDRESS
 eth0                    192.168.1.0/24          206.124.146.176
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
-			</programlisting> Version 1.3.14 also introduced simplified ICMP
+    Version 1.3.14 also introduced simplified ICMP echo-request (ping)
-    echo-request (ping) handling. The option <varname>OLD_PING_HANDLING=Yes</varname>
+    handling. The option <varname>OLD_PING_HANDLING=Yes</varname> in <filename
-    in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
+    class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
    is used to specify that the old (pre-1.3.14) ping handling is to be used
    (If the option is not set in your <filename class="directory">/etc/shorewall/</filename>shorewall.conf
    then <varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don&#39;t
    plan on supporting the old handling indefinitely so I urge current users
    to migrate to using the new handling as soon as possible. See the
-    &#39;Ping&#39; handling documentation for details.</para>
+    <quote>Ping</quote> handling documentation for details.</para>
  </section>
  <section>
@ -365,9 +358,7 @@ eth0                    192.168.1.0/24          206.124.146.176
      <listitem>
        <para>If you have installed the 1.3.10 Beta 1 RPM and are now
        upgrading to version 1.3.10, you will need to use the
-        <option>--force</option> option: <programlisting>
+        <option>--force</option> option: <programlisting>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</programlisting></para>
 rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
 						</programlisting></para>
      </listitem>
    </itemizedlist>
  </section>
@ -411,13 +402,12 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
        will need to include the following rules in their <filename
        class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
        file (creating this file if necessary):
-        <programlisting>
+        <programlisting>run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
 run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
-run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</programlisting>
-					</programlisting> Users having an <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
+        Users having an <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
        file may remove the <command>./etc/shorewall/icmp.def</command>
        command from that file since the <filename>icmp.def</filename> file is
        now empty.</para>
@ -444,14 +434,12 @@ run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
        like Jacques&#39;s. You need to follow the instructions for setting up
        a two-interface firewall plus you also need to add the following two
        Bering-specific rules to <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>:
-        <programlisting>
+        <programlisting># Bering specific rules:
 # Bering specific rules:
 # allow loc to fw udp/53 for dnscache to work
 # allow loc to fw tcp/80 for weblet to work
 #
 ACCEPT loc fw udp 53
-ACCEPT loc fw tcp 80
+ACCEPT loc fw tcp 80</programlisting></para>
 					</programlisting></para>
      </listitem>
    </itemizedlist>
  </section>
@ -467,19 +455,15 @@ ACCEPT loc fw tcp 80
        <orderedlist><listitem><para>Create the file <filename
        class="directory">/etc/shorewall/</filename><filename>newnotsyn</filename>
        and in it add the following rule: <!-- The following code wraps off of the document. I have added the comment above the command. -->
-        <programlisting>
+        <programlisting># So that the connection tracking table can be rebuilt
 # So that the connection tracking table can be rebuilt
 # from non-SYN packets after takeover.
-run_iptables -A newnotsyn -j RETURN
+run_iptables -A newnotsyn -j RETURN</programlisting></para></listitem><listitem><para>Create
- 							</programlisting></para></listitem><listitem><para>Create <filename
+        <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
        class="directory">/etc/shorewall/</filename><filename>common</filename>
        (if you don&#39;t already have that file) and include the following:
-        <programlisting>
+        <programlisting>#Accept Acks to rebuild connection tracking table.
 #Accept Acks to rebuild connection tracking table.
 run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
-./etc/shorewall/common.def
+./etc/shorewall/common.def</programlisting></para></listitem></orderedlist></para>
 							</programlisting></para></listitem></orderedlist></para>
      </listitem>
    </itemizedlist>
  </section>
@ -490,17 +474,10 @@ run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
    <itemizedlist>
      <listitem>
        <para>Some forms of pre-1.3.0 rules file syntax are no longer
-        supported. <example label="1"><title></title><programlisting>
+        supported. <example label="1"><title></title><programlisting>ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</programlisting></example>
-ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
+        Must be replaced with: <programlisting>DNAT    net    loc:192.168.1.12:22    tcp    11111</programlisting>
-						</programlisting></example> Must be replaced with:
+        <example label="2"><title></title><programlisting>ACCEPT    loc    fw::3128    tcp    80    -    all</programlisting></example>
-        <programlisting>
+        Must be replaced with: <programlisting>REDIRECT    loc    3128    tcp    80</programlisting></para>
 DNAT	net	loc:192.168.1.12:22	tcp	11111
 					</programlisting> <example label="2"><title></title><programlisting>
 ACCEPT	loc	fw::3128	tcp	80	-	all
 						</programlisting></example> Must be replaced with:
        <programlisting>
 REDIRECT	loc	3128	tcp	80
 						</programlisting></para>
      </listitem>
    </itemizedlist>
  </section>