Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1699 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Shorewall_Squid_Usage.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-20</pubdate>
+    <pubdate>2004-10-17</pubdate>
 
     <copyright>
       <year>2003-2004</year>
@@ -29,7 +29,8 @@
       1.2 or any later version published by the Free Software Foundation; with
       no Invariant Sections, with no Front-Cover, and with no Back-Cover
       Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
     </legalnotice>
   </articleinfo>
 
@@ -43,6 +44,13 @@
   <section>
     <title>Squid as a Transparent Proxy</title>
 
+    <important>
+      <para>This section gives instructions for transparent proxying of HTTP.
+      HTTPS (normally TCP port 443) <emphasis role="bold">cannot</emphasis> be
+      proxied transparently (stop and think about it for a minute; if HTTPS
+      could be transparently proxied, then how secure would it be?).</para>
+    </important>
+
     <caution>
       <para>Please observe the following general requirements:</para>
 
@@ -55,8 +63,8 @@
 
         <listitem>
           <para>The following instructions mention the files
-          /etc/shorewall/start and /etc/shorewall/init -- if you don&#39;t
-          have those files, siimply create them.</para>
+          /etc/shorewall/start and /etc/shorewall/init -- if you don't have
+          those files, siimply create them.</para>
         </listitem>
 
         <listitem>
@@ -84,8 +92,9 @@ MANGLE_ENABLED=Yes</programlisting>
     <caution>
       <para>In the instructions below, only TCP Port 80 is opened from the
       system running Squid to the internet. If your users require browsing
-      sites that use a port other than 80 (e.g., http://www.domain.tld:<emphasis
-      role="bold">8080</emphasis>) then you must open those ports as well.</para>
+      sites that use a port other than 80 (e.g.,
+      http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you
+      must open those ports as well.</para>
     </caution>
   </section>
 
@@ -151,17 +160,17 @@ REDIRECT  loc        3128     tcp      www              -          !206.124.146.
         <listitem>
           <para>* On your firewall system, issue the following command</para>
 
-          <programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
+          <programlisting><command>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</command></programlisting>
         </listitem>
 
         <listitem>
           <para>In /etc/shorewall/init, put:</para>
 
-          <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
+          <programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
         ip rule add fwmark CA table www.out # Note 0xCA = 202
         ip route add default via 192.168.1.3 dev eth1 table www.out
         ip route flush cache
-        echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
+        echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects
 fi</command></programlisting>
         </listitem>
 
@@ -213,7 +222,7 @@ loc       loc           ACCEPT</programlisting>
           execute the following commands after you have typed the iptables
           command above:</para>
 
-          <programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
+          <programlisting><command>iptables-save &gt; /etc/sysconfig/iptables
 chkconfig --level 35 iptables on</command></programlisting>
         </listitem>
       </orderedlist>
@@ -230,13 +239,13 @@ chkconfig --level 35 iptables on</command></programlisting>
         <listitem>
           <para>On your firewall system, issue the following command</para>
 
-          <programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
+          <programlisting><command>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</command></programlisting>
         </listitem>
 
         <listitem>
           <para>In /etc/shorewall/init, put:</para>
 
-          <programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
+          <programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
         ip rule add fwmark CA table www.out # Note 0xCA = 202
         ip route add default via 192.0.2.177 dev eth1 table www.out
         ip route flush cache
@@ -244,7 +253,8 @@ fi</command></programlisting>
         </listitem>
 
         <listitem>
-          <para>Do <emphasis role="bold">one</emphasis> of the following:</para>
+          <para>Do <emphasis role="bold">one</emphasis> of the
+          following:</para>
 
           <orderedlist numeration="loweralpha">
             <listitem>
@@ -254,8 +264,10 @@ fi</command></programlisting>
             </listitem>
 
             <listitem>
-              <para>Set MARK_IN_FORWARD_CHAIN=No in <filename>/etc/shorewall/shorewall.conf</filename>
-              and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
+              <para>Set MARK_IN_FORWARD_CHAIN=No in
+              <filename>/etc/shorewall/shorewall.conf</filename> and add the
+              following entry in
+              <filename>/etc/shorewall/tcrules</filename>:</para>
 
               <programlisting>#MARK   SOURCE   DESTINATION    PROTOCOL    PORT
 202     eth2     0.0.0.0/0      tcp         80</programlisting>
@@ -272,7 +284,8 @@ fi</command></programlisting>
         </listitem>
 
         <listitem>
-          <para>In <filename>/etc/shorewall/rules</filename>, you will need:</para>
+          <para>In <filename>/etc/shorewall/rules</filename>, you will
+          need:</para>
 
           <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
 ACCEPT    loc      dmz    tcp     80
@@ -289,7 +302,7 @@ ACCEPT    dmz      net    tcp     80</programlisting>
           execute the following commands after you have typed the iptables
           command above:</para>
 
-          <programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
+          <programlisting><command>iptables-save &gt; /etc/sysconfig/iptables
 chkconfig --level 35 iptables on</command></programlisting>
         </listitem>
       </orderedlist>

Shorewall-docs2/myfiles.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-10-14</pubdate>
+    <pubdate>2004-10-16</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -48,7 +48,7 @@
 
     <caution>
       <para>The configuration shown here corresponds to Shorewall version
-      2.1.11. My configuration uses features not available in earlier
+      2.1.12. My configuration uses features not available in earlier
       Shorewall releases.</para>
     </caution>
 
@@ -669,7 +669,7 @@ ACCEPT          tx                              loc:192.168.1.5         all
   </section>
 
   <section>
-    <title>IPSEC Gateway (Ursa) Configuration</title>
+    <title>Wireless IPSEC Gateway (Ursa) Configuration</title>
 
     <para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
     network. It's view of the network is diagrammed in the following
@@ -677,18 +677,7 @@ ACCEPT          tx                              loc:192.168.1.5         all
 
     <graphic align="center" fileref="images/network1.png" valign="middle" />
 
-    <para>I've included the files that I used to configure that system -- some
-    of them are SuSE-specific.</para>
-
-    <section>
-      <title>shorewall.conf</title>
-
-      <blockquote>
-        <para>Only the changes from the defaults are shown.</para>
-
-        <programlisting>CLAMPMSS=1400 # There is an MTU problem between Tipper and the IMAP server at work. This corrects the problem</programlisting>
-      </blockquote>
-    </section>
+    <para>I've included the files that I used to configure that system.</para>
 
     <section>
       <title>zones</title>
@@ -728,7 +717,6 @@ fw              sec             ACCEPT
 fw              WiFi            ACCEPT
 sec             WiFi            NONE
 WiFi            sec             NONE
-WiFi            net             ACCEPT
 all             all             REJECT          info
 #LAST LINE -- DO NOT REMOVE</programlisting>
 
@@ -753,9 +741,16 @@ WiFi    eth1            192.168.3.255   nobogons,blacklist,maclist,routeback
       <title>ipsec</title>
 
       <blockquote>
+        <para>The mss=1400 in the OUT OPTIONS uses a feature added in 2.1.12
+        and sets the MSS field in forwarded TCP SYN packets from the 'sec'
+        zone to 1400. This works around a problem whereby ICMP
+        fragmentation-needed packets are being dropped somewhere between my
+        main firewall and the IMAP server at my work.</para>
+
         <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
 #       ONLY                            OPTIONS                 OPTIONS
-sec     yes     mode=tunnel             tunnel-src=192.168.3.8  tunnel-dst=192.168.3.8
+sec     yes     mode=tunnel             -                       <emphasis
+            role="bold">mss=1400</emphasis>
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 </programlisting>
       </blockquote>