Allow comma-separated list in routestopped file entries; update documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@452 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-05-30 22:45:44 +02:00 · 2003-02-18 01:51:36 +00:00 · 2003-02-18 01:51:36 +00:00 · 5c4c7d8f41
commit 5c4c7d8f41
parent 5fe2bef29e
4 changed files with 2026 additions and 1872 deletions
--- a/STABLE/documentation/Shorewall_Squid_Usage.html
+++ b/STABLE/documentation/Shorewall_Squid_Usage.html
@ -42,17 +42,17 @@
    <br>
    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
    &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
-as  a transparent proxy  as described at <a
+ as  a transparent proxy  as described at <a
 href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
    <b><br>
    </b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
    &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
  and /etc/shorewall/init -- if you don't have those files, siimply create
-them.<br>
+ them.<br>
    <br>
    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
     </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
-the  local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts 
+ the  local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
  file entries. That is because the packets being routed to the Squid server
  still have their original destination IP addresses.<br>
    <br>
@ -62,11 +62,11 @@ the  local zone, that zone must be defined ONLY by its interface -- no /etc/shor
    <br>
    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
     </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
-server.<br>
+ server.<br>
    <br>
    <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
-    </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf 
+     </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
- file<br>
+/etc/shorewall/conf   file<br>
    <br>
    &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
  </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
@ -74,8 +74,8 @@ server.<br>
    Three different configurations are covered:<br>
 <ol>
-     <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
+      <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
- Firewall.</a></li>
+the  Firewall.</a></li>
      <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the 
 local  network</a></li>
      <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
@ -147,10 +147,10 @@ local  network</a></li>
 <h2><a name="Local"></a>Squid Running in the local network</h2>
       You want to redirect all local www connection requests  to a Squid 
                                                 transparent       proxy 
- running   in your local zone at 192.168.1.3 and listening on port  3128. 
+running   in your local zone at 192.168.1.3 and listening on port  3128.
-Your local  interface is eth1. There may also be a web server running on 192.168.1.3.
+ Your local  interface is eth1. There may also be a web server running on
-It is assumed that web access is already enabled from the local zone to the
+192.168.1.3. It is assumed that web access is already enabled from the local
-internet.<br>
+zone to the internet.<br>
 <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with 
   other aspects of your gateway including but not limited to traffic shaping 
@ -315,18 +315,19 @@ internet.<br>
 <ul>
        <li>&nbsp;Do<b> one </b>of the following:<br>
     <br>
-A) In /etc/shorewall/start add<br>
+ A) In /etc/shorewall/start add<br>
       </li>
 </ul>
 <blockquote>               
  <pre><b><font color="#009900">	iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
-</blockquote>
+ </blockquote>
 <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf 
 and add the following entry in /etc/shorewall/tcrules:<br>
-</blockquote>
+ </blockquote>
 <blockquote>   
  <blockquote>     
    <table cellpadding="2" border="1" cellspacing="0">
@ -359,11 +360,13 @@ and add the following entry in /etc/shorewall/tcrules:<br>
           <td valign="top">-<br>
           </td>
         </tr>
      </tbody>     
    </table>
   </blockquote>
-C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
+ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
-</blockquote>
+ </blockquote>
 <blockquote>      
  <blockquote>          
    <table cellpadding="2" border="1" cellspacing="0">
@ -401,7 +404,8 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
    </table>
    </blockquote>
   <br>
-</blockquote>
+ </blockquote>
 <ul>
        <li>In /etc/shorewall/rules, you will need:</li>
@ -473,8 +477,7 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
 <blockquote>  </blockquote>
-<p><font size="-1">   Updated 1/23/2003 - <a
+<p><font size="-1">   Updated 1/23/2003 - <a href="support.htm">Tom  Eastep</a>
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a>  
            </font></p>
@ -486,5 +489,6 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
      <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -8,6 +8,7 @@
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
@ -47,9 +48,9 @@
                                    </li>
                       <li>                                             
-    <p align="left">          <b>If you are installing Shorewall for the
+    <p align="left">          <b>If you are installing Shorewall for the first
-first time and plan to use the        .tgz and install.sh script, you can
+time and plan to use the        .tgz and install.sh script, you can untar
-untar the archive, replace the        'firewall' script in the untarred directory
+the archive, replace the        'firewall' script in the untarred directory 
         with the one you downloaded        below, and then run install.sh.</b></p>
                                    </li>
                       <li>                                             
@ -57,15 +58,14 @@ untar the archive, replace the        'firewall' script in the untarred director
    <p align="left">          <b>If you are running a Shorewall version earlier 
  than 1.3.11, when the instructions say to install a corrected        firewall 
  script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall  
-     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
+    or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
-overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD
+       the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
-/etc/shorewall/firewall               or /var/lib/shorewall/firewall  before
+              or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
-you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall
+              and /var/lib/shorewall/firewall  are symbolic links that point
- are symbolic links that point           to the 'shorewall' file used by
+          to the 'shorewall' file used by your  system initialization scripts
-your  system initialization scripts     to         start Shorewall during
+    to         start Shorewall during boot. It is  that file that must be
-boot. It is  that file that must be overwritten              with the corrected
+overwritten              with the corrected script. Beginning with Shorewall
-script. Beginning with Shorewall 1.3.11, you may rename the existing file
+1.3.11, you may rename the existing file before copying in the new file.</b></p>
 before copying in the new file.</b></p>
               </li>
               <li>                                                     
@ -80,8 +80,8 @@ For    example,  do NOT install the 1.3.9a firewall script if you are running
 <ul>
                       <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-                      <li>                            <b><a href="#V1.3">Problems 
+                       <li>                            <b><a
-    in  Version    1.3</a></b></li>
+ href="#V1.3">Problems      in  Version    1.3</a></b></li>
                       <li>                            <b><a
 href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
                       <li>                            <b><font
@ -90,14 +90,14 @@ For    example,  do NOT install the 1.3.9a firewall script if you are running
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3
   on RH7.2</a></font></b></li>
                       <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
-RedHat iptables</a></b></li>
+iptables</a></b></li>
                       <li><b><a href="#SuSE">Problems installing/upgrading 
 RPM   on  SuSE</a></b></li>
                       <li><b><a href="#Multiport">Problems with iptables 
 version     1.2.7    and       MULTIPORT=Yes</a></b></li>
-                <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and 
+                 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
- NAT</a></b><br>
+and   NAT</a></b><br>
                 </li>
 </ul>
@ -106,6 +106,19 @@ version     1.2.7    and       MULTIPORT=Yes</a></b></li>
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.14</h3>
 <ul>
  <li>There is an <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
 rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
  <li>The documentation for the routestopped file claimed that a comma-separated
 list could appear in the second column while the code only supported a single
 host or network address. This has been corrected in <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
 firewall script</a> which may be installed in /usr/lib/shorewall as described
 above.<br>
  </li>
 </ul>
 <h3>Version 1.3.13</h3>
 <ul>
@ -124,8 +137,8 @@ too big".<br>
 <ul>
    <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
-are not supported in this version or in 1.3.12. If you need such support, 
+ are not supported in this version or in 1.3.12. If you need such support,
-post on the users list and I can provide you with a patched version.<br>
+ post on the users list and I can provide you with a patched version.<br>
    </li>
 </ul>
@ -133,8 +146,8 @@ post on the users list and I can provide you with a patched version.<br>
 <h3>Version 1.3.12</h3>
 <ul>
-      <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
+       <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
- the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
+is  the  same as if RFC_1918_LOG_LEVEL=info had been specified. The problem 
 is  corrected  by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this 
  firewall script</a> which may be installed in /usr/lib/shorewall as described 
@ -149,8 +162,9 @@ is  corrected  by <a
 <h3>Version 1.3.12 LRP</h3>
 <ul>
-       <li>The .lrp was missing the /etc/shorewall/routestopped file -- a 
+        <li>The .lrp was missing the /etc/shorewall/routestopped file --
-new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
+a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this
 problem.<br>
        </li>
 </ul>
@ -194,16 +208,16 @@ the   following   warnings:<br>
 <h3>Version 1.3.10</h3>
 <ul>
-             <li>If you experience problems connecting to a PPTP server running 
+              <li>If you experience problems connecting to a PPTP server
-   on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
+running     on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, 
         <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
     version of the firewall script</a> may help. Please report any cases 
 where     installing this script in /usr/lib/shorewall/firewall solved your 
 connection     problems. Beginning with version 1.3.10, it is safe to save 
-the old version     of /usr/lib/shorewall/firewall before copying in the
+the old version     of /usr/lib/shorewall/firewall before copying in the new
-new one since /usr/lib/shorewall/firewall     is the real script now and
+one since /usr/lib/shorewall/firewall     is the real script now and not
-not just a symbolic link to the real script.<br>
+just a symbolic link to the real script.<br>
              </li>
 </ul>
@ -233,9 +247,9 @@ not just a symbolic link to the real script.<br>
 <ul>
               <li>The installer (install.sh) issues a misleading message 
 "Common     functions   installed in /var/lib/shorewall/functions" whereas 
-the file   is  installed  in /usr/lib/shorewall/functions. The installer
+the file   is  installed  in /usr/lib/shorewall/functions. The installer also
-also performs   incorrectly  when updating old configurations that had the
+performs   incorrectly  when updating old configurations that had the file
-file /etc/shorewall/functions.         <a
+/etc/shorewall/functions.         <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here 
      is an updated version that corrects these problems.<br>
                 </a></li>
@ -271,8 +285,7 @@ problems.
   <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          this corrected firewall script</a> in /var/lib/shorewall/firewall 
-                                        as described above corrects this
+                                        as described above corrects this problem.</p>
 problem.</p>
 <h3>Version 1.3.7a</h3>
@ -283,8 +296,7 @@ problem.</p>
                      <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          this corrected firewall script</a> in /var/lib/shorewall/firewall 
-                                        as described above corrects this
+                                        as described above corrects this problem.</p>
 problem.</p>
 <h3>Version &lt;= 1.3.7a</h3>
@ -298,13 +310,13 @@ problem.</p>
 <ol>
                                                    <li>If the firewall is
-running     a  DHCP   server,                                   the client 
+ running     a  DHCP   server,                                   the client
-won't be   able   to obtain   an IP  address                             
+ won't be   able   to obtain   an IP  address                           
      lease  from that   server.</li>
                                                    <li>With this order of
-checking,      the   "dhcp"                                   option cannot 
+ checking,      the   "dhcp"                                   option cannot
-be used as   a  noise-reduction                                     measure 
+ be used as   a  noise-reduction                                     measure
-where there   are  both dynamic and    static                            
+ where there   are  both dynamic and    static                          
       clients  on a LAN segment.</li>
 </ol>
@ -313,9 +325,9 @@ where there   are  both dynamic and    static
 <p>                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          This version of the 1.3.7a firewall script </a>
-                                       corrects the problem. It must be installed
+                                        corrects the problem. It must be
-         in /var/lib/shorewall                                as described
+installed          in /var/lib/shorewall                                as
- above.</p>
+described  above.</p>
 <h3>Version 1.3.7</h3>
@ -339,11 +351,12 @@ where there   are  both dynamic and    static
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf, 
-         an error occurs when the firewall            script attempts to
+         an error occurs when the firewall            script attempts to add
-add    an   SNAT   alias.  </p>
+   an   SNAT   alias.  </p>
                     </li>
                     <li>                                               
    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options 
          cause errors during startup when Shorewall is run with iptables 
         1.2.7. </p>
@ -410,10 +423,10 @@ add    an   SNAT   alias.  </p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
-         to not verify that the zones named in the /etc/shorewall/policy
+        to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                    changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -423,23 +436,22 @@ so it's a            good idea to run that command after you have made configura
         by that name" then you probably have an entry in            /etc/shorewall/hosts 
         that specifies an interface that you didn't            include in 
 /etc/shorewall/interfaces.        To correct this problem, you          
-  must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3
+ must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 and
-and             later versions produce a clearer error    message    in this
+            later versions produce a clearer error    message    in this case.</p>
 case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
-           file can be identified by its size (56284 bytes). The correct
+          file can be identified by its size (56284 bytes). The correct version
-version            has a size of 38126 bytes.</p>
+           has a size of 38126 bytes.</p>
 <ul>
                                <li>The code to detect a duplicate interface
- entry    in             /etc/shorewall/interfaces contained a typo that prevented
+  entry    in             /etc/shorewall/interfaces contained a typo that
-   it from               working correctly. </li>
+prevented    it from               working correctly. </li>
-                               <li>"NAT_BEFORE_RULES=No" was broken; it behaved 
+                                <li>"NAT_BEFORE_RULES=No" was broken; it
-   just   like   "NAT_BEFORE_RULES=Yes".</li>
+behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -484,9 +496,9 @@ appearence of the   option.  For example:<br>
  that affects only   the 'routestopped' option.<br>
                                <br>
                                Users who downloaded the corrected script 
-prior    to  1850   GMT   today              should download and install
+prior    to  1850   GMT   today              should download and install the
-the corrected     script   again   to ensure              that this second
+corrected     script   again   to ensure              that this second problem
-problem is corrected.</li>
+is corrected.</li>
 </ul>
@ -530,19 +542,19 @@ problem is corrected.</li>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
           corrected 1.2.3 rpm which you can download here</a>  and I have
-also     built            an <a
+ also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+ iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
         running RedHat 7.1, you can install either of these RPMs        
     <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat 
-         has   released an iptables-1.2.4 RPM of their own which you can
+         has   released an iptables-1.2.4 RPM of their own which you can download
-download         from<font color="#ff6633">   <a
+        from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
            </font>I have installed this RPM   on my firewall and it works
-fine.</p>
+ fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself, 
@ -586,8 +598,8 @@ fine.</p>
 installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
             this iptables RPM</a>. If you are already running a 1.2.5 version
-    of       iptables, you will need to specify the --oldpackage option to 
+     of       iptables, you will need to specify the --oldpackage option
- rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                     </blockquote>
@ -613,10 +625,10 @@ installing            <a
                          Shorewall 1.3.7a or later or:</p>
 <ul>
-                                                   <li>set MULTIPORT=No in
+                                                    <li>set MULTIPORT=No
-                                  /etc/shorewall/shorewall.conf; or </li>
+in                                   /etc/shorewall/shorewall.conf; or </li>
                                                    <li>if you are running
-Shorewall      1.3.6    you may                                  install 
+ Shorewall      1.3.6    you may                                  install
                                <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
                            this firewall script</a> in /var/lib/shorewall/firewall 
@ -635,11 +647,11 @@ Shorewall      1.3.6    you may                                  install
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
               The solution is to put "no" in the LOCAL column. Kernel support
-  for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it.
+   for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled
-  The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
+it.   The  2.4.19 kernel   contains corrected support under a new kernel
-   option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 2/8/2003 -                             
+<p><font size="2">  Last updated 2/17/2003 -                            
  <a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
@ -654,5 +666,6 @@ Shorewall      1.3.6    you may                                  install
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/three-interface_fr.html
+++ b/STABLE/documentation/three-interface_fr.html
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -1281,8 +1281,10 @@ stop_firewall() {
    while read interface host; do
 	expandv interface host
-	[ "x$host" = "x-" ] && host=
+	[ "x$host" = "x-" ] && host=0.0.0.0/0
-	hosts="$hosts $interface:${host:-0.0.0.0/0}"
+	for h in `separate_list $host`; do
 	    hosts="$hosts $interface:$h"
 	done
    done < $TMP_DIR/routestopped
    for host in $hosts; do