mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 19:21:21 +02:00
Correct manpages per Vieri Di Paolo's proofreading
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4952 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5054e21730
commit
5bc03af1a0
@ -23,12 +23,12 @@
|
||||
|
||||
<para>This file allows you to define new ACTIONS for use in rules (see
|
||||
shorewall-rules(5)). You define the iptables rules to be performed in an
|
||||
ACTION in /etc/shorewall/action.<emphasis>action-name</emphasis>. </para>
|
||||
ACTION in /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
|
||||
|
||||
<para>ACTION names should begin with an upper-case letter to distinguish
|
||||
them from Shorewall-generated chain names and they must meet the
|
||||
requirements of a Netfilter chain. If you intend to log from the action
|
||||
then the name must be no longer than 11 character in length. Names must
|
||||
then the name must be no longer than 11 characters in length. Names must
|
||||
also meet the requirements for a Bourne Shell identifier (must begin with
|
||||
a letter and be composed of letters, digits and underscore
|
||||
characters).</para>
|
||||
|
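Review bot: the 11-character limit on loggable action names (the replaced line "then the name must be no longer than 11 characters in length") is stated without its reason, while the identifier rule that follows carries no length restriction, so readers who hit the limit cannot tell what constrains it; a short clause saying where the limit comes from would make the rule self-explanatory. The pluralisation fix itself is correct.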
@ -22,7 +22,7 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>The blacklist file is used to perform static blacklisting. You can
|
||||
blacklist by source address (IP or MAC), or by application. </para>
|
||||
blacklist by source address (IP or MAC), or by application.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
|
||||
@ -33,7 +33,7 @@
|
||||
<listitem>
|
||||
<para>Host address, network address, MAC address, IP address range
|
||||
(if your kernel and iptables contain iprange match support) or ipset
|
||||
name prefaced by "+" (i your kernel supports ipset match).</para>
|
||||
name prefaced by "+" (if your kernel supports ipset match).</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
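Review bot: the corrected parenthetical "(if your kernel supports ipset match)" is narrower than the iprange one just before it, "(if your kernel and iptables contain iprange match support)"; ipset match needs both kernel and iptables support too, so suggest "(if your kernel and iptables support ipset match)" for consistency.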
@ -97,7 +97,7 @@
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>To block some of the nuisance applicataion:</para>
|
||||
<para>To block some of the nuisance applications:</para>
|
||||
|
||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
||||
- udp 1024:1033,1434
|
||||
|
@ -28,7 +28,7 @@
|
||||
<para>The order of entries in this file is not significant in determining
|
||||
zone composition. Rather, the order that the zones are defined in
|
||||
shorewall-zones(5) determines the order in which the records in this file
|
||||
are interpreted. </para>
|
||||
are interpreted.</para>
|
||||
|
||||
<warning>
|
||||
<para>The only time that you need this file is when you have more than
|
||||
@ -80,8 +80,8 @@
|
||||
<para>A physical port name; only allowed when the interface
|
||||
names a bridge created by the <command>brctl(8) addbr</command>
|
||||
command. This port must not be defined in
|
||||
shorewall-interfaces(5) and may optionally followed by a colon
|
||||
(":") and a host or network IP or a range. See
|
||||
shorewall-interfaces(5) and may be optionally followed by a
|
||||
colon (":") and a host or network IP or a range. See
|
||||
http://www.shorewall.net/bridge.html for details. Specifying a
|
||||
physical port name requires that you have BRIDGING=Yes in
|
||||
shorewall.conf(5).</para>
|
||||
|
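Review bot: the URL http://www.shorewall.net/bridge.html is plain text inside the <para>; DocBook has <ulink url="..."> for this, so it would render as a link in the HTML output. The same applies to the ulogd and Proxy-ARP-Subnet URLs later in this patch. The wording fix is fine, though "may optionally be followed by a colon" reads more naturally than "may be optionally followed".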
@ -202,7 +202,7 @@ loc eth2 -</programlisting>
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
||||
Do NOT use this option if you are employing Proxy ARP through
|
||||
entries in shorewall-proxyarp(5). This option is intended
|
||||
soley for use with Proxy ARP sub-networking as described at:
|
||||
solely for use with Proxy ARP sub-networking as described at:
|
||||
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
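Review bot: "Do NOT use this option if you are employing Proxy ARP" uses upper case for emphasis, whereas this patch elsewhere uses <emphasis role="bold"> for the same purpose (the policy page hunk wraps "is" that way); suggest <emphasis role="bold">not</emphasis> so the rendered output is consistent. The "solely" correction is right.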
@ -247,7 +247,7 @@ loc eth2 -</programlisting>
|
||||
interface</para>
|
||||
|
||||
<para>3 - do not reply for local addresses configured with
|
||||
scope host, only resolutions for global and link </para>
|
||||
scope host, only resolutions for global and link</para>
|
||||
|
||||
<para>4-7 - reserved</para>
|
||||
|
||||
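Review bot: the value-3 line still reads as truncated after the whitespace fix: "only resolutions for global and link" has no noun and no verb. Suggest "only resolutions for global and link scope addresses are replied to", which also matches the wording of the other values in this list.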
@ -298,8 +298,8 @@ loc eth2 -</programlisting>
|
||||
source-routed packets will not be accepted from that interface
|
||||
(sets
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
|
||||
to 1). Only set this option if you know what you are you
|
||||
doing. This might represent a security risk and is not usually
|
||||
to 1). Only set this option if you know what you are doing.
|
||||
This might represent a security risk and is not usually
|
||||
needed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
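Review bot: the parenthetical "(sets /proc/sys/net/ipv4/conf/interface/accept_source_route to 1)" follows directly after "source-routed packets will not be accepted from that interface", which reads as a contradiction because a value of 1 enables acceptance of source-routed packets. Suggest making it explicit that the parenthetical describes the effect of specifying the option, e.g. "... will not be accepted from that interface. Specifying this option sets .../accept_source_route to 1, i.e. accepts them." The rewrapped warning "Only set this option if you know what you are doing. This might represent a security risk and is not usually needed." is fine as corrected.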
@ -326,7 +326,7 @@ loc eth2 -</programlisting>
|
||||
<term>Example 1:</term>
|
||||
|
||||
<listitem>
|
||||
<para> Suppose you have eth0 connected to a DSL modem and eth1
|
||||
<para>Suppose you have eth0 connected to a DSL modem and eth1
|
||||
connected to your local network and that your local subnet is
|
||||
192.168.1.0/24. The interface gets it's IP address via DHCP from
|
||||
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
|
||||
|
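Review bot: the context line "The interface gets it's IP address via DHCP" uses the contraction where the possessive "its" is meant; since this commit is a proofreading pass, it should be fixed here as well rather than left for a later one.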
@ -86,9 +86,9 @@
|
||||
firewall (Shorewall will use your main routing table to determine
|
||||
the appropriate addresses to masquerade).</para>
|
||||
|
||||
<para>In order to exclude a addrress of the specified SOURCE, you
|
||||
may append "!" and a comma-separated list of IP addresses (host or
|
||||
net) that you wish to exclude.</para>
|
||||
<para>In order to exclude a address of the specified SOURCE, you may
|
||||
append "!" and a comma-separated list of IP addresses (host or net)
|
||||
that you wish to exclude.</para>
|
||||
|
||||
<para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
|
||||
|
||||
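Review bot: the replacement "In order to exclude a address of the specified SOURCE" still has the wrong article; it needs "an address". A plainer form would be "To exclude addresses from the specified SOURCE, append "!" and a comma-separated list ...", which also matches the example "eth1!192.168.1.4,192.168.32.0/27" that shows more than one excluded address.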
@ -104,7 +104,7 @@
|
||||
<para>If you specify an address here, SNAT will be used and this
|
||||
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
|
||||
in shorewall.conf(5) then Shorewall will automatically add this
|
||||
address to the INTERFACE named in the first column. </para>
|
||||
address to the INTERFACE named in the first column.</para>
|
||||
|
||||
<para>You may also specify a range of up to 256 IP addresses if you
|
||||
want the SNAT address to be assigned from that range in a
|
||||
@ -294,14 +294,14 @@
|
||||
<listitem>
|
||||
<para>You have a simple masquerading setup where eth0 connects to a
|
||||
DSL or cable modem and eth1 connects to your local network with
|
||||
subnet 192.168.0.0/24. </para>
|
||||
subnet 192.168.0.0/24.</para>
|
||||
|
||||
<para>Your entry in the file can be either:</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE
|
||||
eth0 eth1</programlisting>
|
||||
|
||||
<para>or </para>
|
||||
<para>or</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE
|
||||
eth0 192.168.0.0/24</programlisting>
|
||||
@ -340,8 +340,8 @@
|
||||
<listitem>
|
||||
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0
|
||||
to use source address 206.124.146.176 which is NOT the primary
|
||||
address of eth0. You want 206.124.146.176 added to be added to eth0
|
||||
with name eth0:0.</para>
|
||||
address of eth0. You want 206.124.146.176 to be added to eth0 with
|
||||
name eth0:0.</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS
|
||||
eth0:0 192.168.1.0/24 206.124.146.176</programlisting>
|
||||
|
@ -36,7 +36,7 @@
|
||||
<important>
|
||||
<para>Intra-zone policies are pre-defined</para>
|
||||
|
||||
<para>For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
|
||||
the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||
logging or TCP connection rate limiting but may be overridden by an
|
||||
entry in this file. The overriding entry must be explicit (cannot use
|
||||
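Review bot: the parenthesis opened in "ACCEPT (with no logging or TCP connection rate limiting but may be overridden" is never closed; suggest "ACCEPT (with no logging or TCP connection rate limiting) but may be overridden by an entry in this file". The "zoned" to "zones" fix is correct.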
@ -121,9 +121,10 @@
|
||||
SOURCE to this DEST. Shorewall will not create any
|
||||
infrastructure to handle such packets and you may not have any
|
||||
rules with this SOURCE and DEST in the /etc/shorewall/rules
|
||||
file such a packet _is_ received, the result is undefined.
|
||||
NONE may not be used if the SOURCE or DEST columns contain the
|
||||
firewall zone ($FW) or "all".</para>
|
||||
file. If such a packet <emphasis role="bold">is</emphasis>
|
||||
received, the result is undefined. NONE may not be used if the
|
||||
SOURCE or DEST columns contain the firewall zone ($FW) or
|
||||
"all".</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
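Review bot: splitting the run-on into "... in the /etc/shorewall/rules file. If such a packet is received, the result is undefined." is the right fix; consider citing the file as shorewall-rules(5), the cross-reference form used elsewhere in this patch ("see shorewall-rules(5)" in the action page hunk), so the reader is pointed at the manpage rather than the path.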
@ -163,11 +164,11 @@
|
||||
levels.</para>
|
||||
|
||||
<para>You may also specify ULOG (must be in upper case). This will
|
||||
log to the ULOG target and sent to a separate log through use of
|
||||
ulogd (http://www.gnumonks.org/projects/ulogd).</para>
|
||||
log to the ULOG target and will send to a separate log through use
|
||||
of ulogd (http://www.gnumonks.org/projects/ulogd).</para>
|
||||
|
||||
<para>If you don't want to log but need to specify the following
|
||||
column, place "-" here. </para>
|
||||
column, place "-" here.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
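Review bot: "This will log to the ULOG target and will send to a separate log through use of ulogd" still leaves "send" without an object; suggest "This will log to the ULOG target, and the entries will be sent to a separate log by ulogd (http://www.gnumonks.org/projects/ulogd)."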
@ -177,7 +178,7 @@
|
||||
<listitem>
|
||||
<para>If passed, specifies the maximum TCP connection rate and the
|
||||
size of an acceptable burst. If not specified, TCP connections are
|
||||
not limited. </para>
|
||||
not limited.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
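Review bot: "If passed, specifies the maximum TCP connection rate ..." and "If not specified, TCP connections are not limited." describe the same column with two different verbs; suggest "If specified, ..." in the first sentence so the pair reads consistently.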
@ -163,9 +163,9 @@
|
||||
<term><emphasis role="bold">optional</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para> If the interface named in the INTERFACE column is not
|
||||
up and configured with an IPv4 address then ignore this
|
||||
provider. </para>
|
||||
<para>If the interface named in the INTERFACE column is not up
|
||||
and configured with an IPv4 address then ignore this
|
||||
provider.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@ -176,7 +176,7 @@
|
||||
<term><emphasis role="bold">COPY</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated lists of other interfaces on your firewall.
|
||||
<para>A comma-separated list of other interfaces on your firewall.
|
||||
Usually used only when DUPLICATE is 'main'. Only copy routes through
|
||||
INTERFACE and through interfaces listed here. If you only wish to
|
||||
copy routes through INTERFACE, enter 'none' here.</para>
|
||||
|
@ -21,7 +21,7 @@
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para> Entries in this file cause traffic to be routed to one of the
|
||||
<para>Entries in this file cause traffic to be routed to one of the
|
||||
providers listed in shorewall-providers(5).</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
@ -40,7 +40,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term> <emphasis role="bold">DEST</emphasis> (Optional)</term>
|
||||
<term><emphasis role="bold">DEST</emphasis> (Optional)</term>
|
||||
|
||||
<listitem>
|
||||
<para>An ip address (network or host) that matches the destination
|
||||
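Review bot: the context line "An ip address (network or host)" should read "An IP address", matching the capitalisation used on the other pages touched by this patch ("IP address range", "IP addresses").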
@ -70,7 +70,7 @@
|
||||
<term><emphasis role="bold">PRIORITY</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para> The rule's priority which determines the order in which the
|
||||
<para>The rule's priority which determines the order in which the
|
||||
rules are processed.</para>
|
||||
|
||||
<variablelist>
|
||||
@ -133,7 +133,7 @@
|
||||
multiple providers. In this case you have to set up a rule to ensure
|
||||
that the OpenVPN traffic is routed back through the tunX
|
||||
interface(s) rather than through any of the providers. 10.8.0.0/24
|
||||
is the subnet choosen in your OpenVPN configuration (server 10.8.0.0
|
||||
is the subnet chosen in your OpenVPN configuration (server 10.8.0.0
|
||||
255.255.255.0).</para>
|
||||
|
||||
<programlisting> #SOURCE DEST PROVIDER PRIORITY
|
||||
|
@ -265,7 +265,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>the rest of the line will be attached as a comment to
|
||||
the Netfilter rule(s) generated by the following entres. The
|
||||
the Netfilter rule(s) generated by the following entrIes. The
|
||||
comment will appear delimited by "/* ... */" in the output of
|
||||
"shorewall show <chain>". To stop the comment from being
|
||||
attached to further rules, simply include COMMENT on a line by
|
||||
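Review bot: the replacement line "generated by the following entrIes" introduces a capital I in the middle of the word; it should read "entries". As written this hunk trades one typo for another.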
@ -378,7 +378,7 @@
|
||||
<para>Hosts may be specified as an IP address range using the syntax
|
||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||
This requires that your kernel and iptables contain iprange match
|
||||
support. If you kernel and iptables have ipset match support then
|
||||
support. If your kernel and iptables have ipset match support then
|
||||
you may give the name of an ipset prefaced by "+". The ipset name
|
||||
may be optionally followed by a number from 1 to 6 enclosed in
|
||||
square brackets ([]) to indicate the number of levels of source
|
||||
@ -388,7 +388,7 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>dmz:192.168.2.2 </term>
|
||||
<term>dmz:192.168.2.2</term>
|
||||
|
||||
<listitem>
|
||||
<para>Host 192.168.2.2 in the DMZ</para>
|
||||
@ -497,7 +497,7 @@
|
||||
firewall will not modifiy the destination port. A destination port
|
||||
may only be included if the <emphasis role="bold">ACTION</emphasis>
|
||||
is <emphasis role="bold">DNAT</emphasis> or <emphasis
|
||||
role="bold">REDIRECT</emphasis>. Example: </para>
|
||||
role="bold">REDIRECT</emphasis>. Example:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
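Review bot: the context line "firewall will not modifiy the destination port" has a typo ("modify") that this proofreading pass should pick up while it is editing the same paragraph.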
@ -593,11 +593,11 @@
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
||||
column, then place "-" in this column. </para>
|
||||
column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above: </para>
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
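Review bot: style: "There are 15 or less ports listed." should be "15 or fewer ports"; and the numbered conditions written as separate <para>s ("<para>1. ...</para>") would be better expressed as an <orderedlist>, the DocBook element for exactly this, so the numbering is generated rather than hand-typed.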
@ -650,8 +650,8 @@
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional)</term>
|
||||
|
||||
<listitem>
|
||||
<para>You may rate-limit the rule by placing a value in this column:
|
||||
</para>
|
||||
<para>You may rate-limit the rule by placing a value in this
|
||||
column:</para>
|
||||
|
||||
<para><emphasis>rate</emphasis>/<emphasis>interval</emphasis>[:<emphasis>burst</emphasis>]
|
||||
where <emphasis>rate</emphasis> is the number of connections per
|
||||
@ -675,8 +675,8 @@
|
||||
<para>The column may contain:</para>
|
||||
|
||||
<para>[!][<emphasis>user name or number</emphasis>][:<emphasis>group
|
||||
name or number</emphasis>][+<emphasis>program name</emphasis>]
|
||||
</para>
|
||||
name or number</emphasis>][+<emphasis>program
|
||||
name</emphasis>]</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
|