mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 19:21:21 +02:00
Correct manpages per Vieri Di Paolo's proofreading
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4952 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in: parent 5054e21730, commit 5bc03af1a0
@ -28,7 +28,7 @@
|
||||
<para>ACTION names should begin with an upper-case letter to distinguish
|
||||
them from Shorewall-generated chain names and they must meet the
|
||||
requirements of a Netfilter chain. If you intend to log from the action
|
||||
then the name must be no longer than 11 character in length. Names must
|
||||
then the name must be no longer than 11 characters in length. Names must
|
||||
also meet the requirements for a Bourne Shell identifier (must begin with
|
||||
a letter and be composed of letters, digits and underscore
|
||||
characters).</para>
|
||||
|
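Review bot: the 11-character limit on action names that are logged from is stated without its reason; a short clause explaining why logging imposes a tighter limit than the general "requirements of a Netfilter chain" would spare readers a trip to the source. The singular-to-plural fix ("11 characters") is correct.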
@ -33,7 +33,7 @@
|
||||
<listitem>
|
||||
<para>Host address, network address, MAC address, IP address range
|
||||
(if your kernel and iptables contain iprange match support) or ipset
|
||||
name prefaced by "+" (i your kernel supports ipset match).</para>
|
||||
name prefaced by "+" (if your kernel supports ipset match).</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
@ -97,7 +97,7 @@
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>To block some of the nuisance applicataion:</para>
|
||||
<para>To block some of the nuisance applications:</para>
|
||||
|
||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
||||
- udp 1024:1033,1434
|
||||
|
@ -80,8 +80,8 @@
|
||||
<para>A physical port name; only allowed when the interface
|
||||
names a bridge created by the <command>brctl(8) addbr</command>
|
||||
command. This port must not be defined in
|
||||
shorewall-interfaces(5) and may optionally followed by a colon
|
||||
(":") and a host or network IP or a range. See
|
||||
shorewall-interfaces(5) and may be optionally followed by a
|
||||
colon (":") and a host or network IP or a range. See
|
||||
http://www.shorewall.net/bridge.html for details. Specifying a
|
||||
physical port name requires that you have BRIDGING=Yes in
|
||||
shorewall.conf(5).</para>
|
||||
|
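Review bot: "may be optionally followed by" splits awkwardly; "may optionally be followed by a colon" reads more naturally. The phrase "a host or network IP or a range" also leaves the range syntax unspecified; cross-referencing the lowaddress-highaddress form used in the hosts page would remove the guesswork.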
@ -202,7 +202,7 @@ loc eth2 -</programlisting>
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
||||
Do NOT use this option if you are employing Proxy ARP through
|
||||
entries in shorewall-proxyarp(5). This option is intended
|
||||
soley for use with Proxy ARP sub-networking as described at:
|
||||
solely for use with Proxy ARP sub-networking as described at:
|
||||
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -298,8 +298,8 @@ loc eth2 -</programlisting>
|
||||
source-routed packets will not be accepted from that interface
|
||||
(sets
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
|
||||
to 1). Only set this option if you know what you are you
|
||||
doing. This might represent a security risk and is not usually
|
||||
to 1). Only set this option if you know what you are doing.
|
||||
This might represent a security risk and is not usually
|
||||
needed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
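Review bot: as rendered, the hunk opens with "source-routed packets will not be accepted from that interface (sets .../accept_source_route to 1)", which reads as a contradiction because a value of 1 enables acceptance; make sure the preceding sentence (outside this hunk) states that the option reverses the default. "This might represent a security risk" is vague; saying what accepting source-routed packets allows would make the warning actionable. Removing the doubled "you are you" is correct.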
@ -86,9 +86,9 @@
|
||||
firewall (Shorewall will use your main routing table to determine
|
||||
the appropriate addresses to masquerade).</para>
|
||||
|
||||
<para>In order to exclude a addrress of the specified SOURCE, you
|
||||
may append "!" and a comma-separated list of IP addresses (host or
|
||||
net) that you wish to exclude.</para>
|
||||
<para>In order to exclude a address of the specified SOURCE, you may
|
||||
append "!" and a comma-separated list of IP addresses (host or net)
|
||||
that you wish to exclude.</para>
|
||||
|
||||
<para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
|
||||
|
||||
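Review bot: the correction is incomplete: "a addrress" became "a address", but the article should be "an"; suggest "In order to exclude an address of the specified SOURCE, you may append".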
@ -340,8 +340,8 @@
|
||||
<listitem>
|
||||
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0
|
||||
to use source address 206.124.146.176 which is NOT the primary
|
||||
address of eth0. You want 206.124.146.176 added to be added to eth0
|
||||
with name eth0:0.</para>
|
||||
address of eth0. You want 206.124.146.176 to be added to eth0 with
|
||||
name eth0:0.</para>
|
||||
|
||||
<programlisting> #INTERFACE SOURCE ADDRESS
|
||||
eth0:0 192.168.1.0/24 206.124.146.176</programlisting>
|
||||
|
@ -36,7 +36,7 @@
|
||||
<important>
|
||||
<para>Intra-zone policies are pre-defined</para>
|
||||
|
||||
<para>For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
|
||||
the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||
logging or TCP connection rate limiting but may be overridden by an
|
||||
entry in this file. The overriding entry must be explicit (cannot use
|
||||
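Review bot: the parenthesis opened at "(with no logging or TCP connection rate limiting" is never closed; suggest "is ACCEPT (with no logging or TCP connection rate limiting) but may be overridden by an entry in this file." The "zoned" to "zones" fix is correct.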
@ -121,9 +121,10 @@
|
||||
SOURCE to this DEST. Shorewall will not create any
|
||||
infrastructure to handle such packets and you may not have any
|
||||
rules with this SOURCE and DEST in the /etc/shorewall/rules
|
||||
file such a packet _is_ received, the result is undefined.
|
||||
NONE may not be used if the SOURCE or DEST columns contain the
|
||||
firewall zone ($FW) or "all".</para>
|
||||
file. If such a packet <emphasis role="bold">is</emphasis>
|
||||
received, the result is undefined. NONE may not be used if the
|
||||
SOURCE or DEST columns contain the firewall zone ($FW) or
|
||||
"all".</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
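Review bot: restoring the missing "If" fixes a sentence that was unreadable before. One further wording point: "you may not have any rules with this SOURCE and DEST" can be read as "you might not have"; if it is a requirement, "you must not have any rules" states it unambiguously.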
@ -163,8 +164,8 @@
|
||||
levels.</para>
|
||||
|
||||
<para>You may also specify ULOG (must be in upper case). This will
|
||||
log to the ULOG target and sent to a separate log through use of
|
||||
ulogd (http://www.gnumonks.org/projects/ulogd).</para>
|
||||
log to the ULOG target and will send to a separate log through use
|
||||
of ulogd (http://www.gnumonks.org/projects/ulogd).</para>
|
||||
|
||||
<para>If you don't want to log but need to specify the following
|
||||
column, place "-" here.</para>
|
||||
|
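Review bot: "log to the ULOG target and will send to a separate log" leaves "send" without an object; suggest "will log to the ULOG target and send the messages to a separate log through use of ulogd".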
@ -163,8 +163,8 @@
|
||||
<term><emphasis role="bold">optional</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para> If the interface named in the INTERFACE column is not
|
||||
up and configured with an IPv4 address then ignore this
|
||||
<para>If the interface named in the INTERFACE column is not up
|
||||
and configured with an IPv4 address then ignore this
|
||||
provider.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
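Review bot: "is not up and configured with an IPv4 address" can be parsed as "not up, and configured"; if either condition alone disqualifies the provider, "is not up or does not have an IPv4 address configured" removes the ambiguity. The whitespace fix is fine.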
@ -176,7 +176,7 @@
|
||||
<term><emphasis role="bold">COPY</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated lists of other interfaces on your firewall.
|
||||
<para>A comma-separated list of other interfaces on your firewall.
|
||||
Usually used only when DUPLICATE is 'main'. Only copy routes through
|
||||
INTERFACE and through interfaces listed here. If you only wish to
|
||||
copy routes through INTERFACE, enter 'none' here.</para>
|
||||
|
@ -133,7 +133,7 @@
|
||||
multiple providers. In this case you have to set up a rule to ensure
|
||||
that the OpenVPN traffic is routed back through the tunX
|
||||
interface(s) rather than through any of the providers. 10.8.0.0/24
|
||||
is the subnet choosen in your OpenVPN configuration (server 10.8.0.0
|
||||
is the subnet chosen in your OpenVPN configuration (server 10.8.0.0
|
||||
255.255.255.0).</para>
|
||||
|
||||
<programlisting> #SOURCE DEST PROVIDER PRIORITY
|
||||
|
@ -265,7 +265,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>the rest of the line will be attached as a comment to
|
||||
the Netfilter rule(s) generated by the following entres. The
|
||||
the Netfilter rule(s) generated by the following entrIes. The
|
||||
comment will appear delimited by "/* ... */" in the output of
|
||||
"shorewall show <chain>". To stop the comment from being
|
||||
attached to further rules, simply include COMMENT on a line by
|
||||
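Review bot: the typo fix introduces a stray capital: "entres" became "entrIes"; it should be "entries".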
@ -378,7 +378,7 @@
|
||||
<para>Hosts may be specified as an IP address range using the syntax
|
||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||
This requires that your kernel and iptables contain iprange match
|
||||
support. If you kernel and iptables have ipset match support then
|
||||
support. If your kernel and iptables have ipset match support then
|
||||
you may give the name of an ipset prefaced by "+". The ipset name
|
||||
may be optionally followed by a number from 1 to 6 enclosed in
|
||||
square brackets ([]) to indicate the number of levels of source
|
||||
@ -650,8 +650,8 @@
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional)</term>
|
||||
|
||||
<listitem>
|
||||
<para>You may rate-limit the rule by placing a value in this column:
|
||||
</para>
|
||||
<para>You may rate-limit the rule by placing a value in this
|
||||
column:</para>
|
||||
|
||||
<para><emphasis>rate</emphasis>/<emphasis>interval</emphasis>[:<emphasis>burst</emphasis>]
|
||||
where <emphasis>rate</emphasis> is the number of connections per
|
||||
@ -675,8 +675,8 @@
|
||||
<para>The column may contain:</para>
|
||||
|
||||
<para>[!][<emphasis>user name or number</emphasis>][:<emphasis>group
|
||||
name or number</emphasis>][+<emphasis>program name</emphasis>]
|
||||
</para>
|
||||
name or number</emphasis>][+<emphasis>program
|
||||
name</emphasis>]</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
|