diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 3ddc97b61..429ce25be 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -21,12 +21,14 @@ VERBOSITY=1
# L O G G I N G
###############################################################################
-LOGFILE=/var/log/messages
+BLACKLIST_LOGLEVEL=
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
LOG_VERBOSITY=2
+LOGFILE=/var/log/messages
+
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
@@ -35,169 +37,163 @@ LOGLIMIT=
LOGALLNEW=
-BLACKLIST_LOGLEVEL=
-
MACLIST_LOG_LEVEL=info
-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
-FILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
IPTABLES=
IP=
-TC=
-
IPSET=
+MODULESDIR=
+
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+RESTOREFILE=restore
+
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
+TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
-RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
-IP_FORWARDING=On
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+EXPORTPARAMS=No
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=No
+
+LEGACY_FASTSTART=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=0
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
RETAIN_ALIASES=No
+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=0
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
+TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
WIDE_TC_MARKS=No
-TRACK_PROVIDERS=No
-
ZONE2ZONE=2
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=No
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
-ACCOUNTING_TABLE=filter
-
-LEGACY_FASTSTART=Yes
-
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
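Review bot: The rename to `SFILTER_LOG_LEVEL=info` in this hunk (and to `SFILTER_DISPOSITION=DROP` in the next hunk and in Shorewall6/shorewall6.conf) is not carried through the manpage text added by the same commit, which still ends with `logged, use FILTER_LOG_LEVEL=none.` in both shorewall.conf.xml and shorewall6.conf.xml. An administrator following that sentence would set a name this sample file no longer carries; whether the compiler still accepts the old spelling is not visible in this diff, so the setting may be rejected or silently ignored. The manpage sentence should read `logged, use SFILTER_LOG_LEVEL=none.`. Separately, this hunk drops `LOCKFILE=` from the IPv4 sample while the IPv6 sample keeps it; if that is unintended, restore `LOCKFILE=` after `IPSET=`.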
@@ -206,11 +202,11 @@ BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
-TCP_FLAGS_DISPOSITION=DROP
-
SMURF_DISPOSITION=DROP
-FILTER_DISPOSITION=DROP
+SFILTER_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
################################################################################
# L E G A C Y O P T I O N
diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf
index f8d95fff9..071c812ba 100644
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -22,159 +22,161 @@ VERBOSITY=1
# L O G G I N G
###############################################################################
-LOGFILE=/var/log/messages
-
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=
LOG_VERBOSITY=2
-LOGFORMAT="Shorewall:%s:%s:"
+LOGALLNEW=
-LOGTAGONLY=No
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT=
-LOGALLNEW=
+LOGTAGONLY=No
-BLACKLIST_LOGLEVEL=
-
-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
-FILTER_LOG_LEVEL=info
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
IP6TABLES=
IP=
-TC=
-
IPSET=
+LOCKFILE=
+
+MODULESDIR=
+
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+RESTOREFILE=
+
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
+TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
-RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=No
+
+COMPLETE=No
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+EXPORTPARAMS=No
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=Yes
+
+HIGH_ROUTE_MARKS=No
+
+IMPLICIT_CONTINUE=No
+
IP_FORWARDING=Off
+KEEP_RT_TABLES=Yes
+
+LEGACY_FASTSTART=No
+
+LOAD_HELPERS_ONLY=No
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTOREFILE=restore
+
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-CLEAR_TC=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
+TRACK_PROVIDERS=No
WIDE_TC_MARKS=No
-TRACK_PROVIDERS=No
-
ZONE2ZONE=2
-ACCOUNTING=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-DYNAMIC_BLACKLIST=Yes
-
-LOAD_HELPERS_ONLY=No
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
-ACCOUNTING_TABLE=filter
-
-LEGACY_FASTSTART=No
-
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
-TCP_FLAGS_DISPOSITION=DROP
+SFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
-FILTER_DISPOSITION=DROP
+TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
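Review bot: `RESTOREFILE` is assigned twice on the new side of this hunk: `RESTOREFILE=` stays in the files-and-directories section, and a second `RESTOREFILE=restore` is added under FIREWALL OPTIONS between `REQUIRE_INTERFACE=No` and `TC_ENABLED=No`. Which assignment takes effect depends on how the file is read (presumably the later one), so editing the first entry may have no effect. The IPv4 sample in this commit carries a single `RESTOREFILE=restore` in the files section; doing the same here means changing the first entry to `RESTOREFILE=restore` and dropping the second.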
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 7d1b31a15..46f079378 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -185,6 +185,19 @@
+
+ ACCOUNTING_TABLE=[filter|mangle]
+
+
+ Added in Shorewall 4.4.20. This setting determines which
+ Netfilter table the accounting rules are added in. By default,
+ ACCOUNTING_TABLE=filter is assumed. See also shorewall-accounting(5).
+
+
+
ADD_IP_ALIASES=[Yes|No]
@@ -621,41 +634,6 @@ net all DROP infothen the chain name is 'net2all'
-
- FILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
-
-
- Added in Shorewall 4.4.20. Determines the disposition of
- packets matching the option (see shorewall-interfaces(5)) and
- of hairpin packets on interfaces without the
- option.
- Hairpin packets are packets that are routed out of the
- same interface that they arrived on.
- interfaces without the routeback option.
-
-
-
-
- FILTER_LOG_LEVEL=log-level
-
-
- Added on Shorewall 4.4.20. Determines the logging of packets
- matching the option (see shorewall-interfaces(5)) and
- of hairpin packets on interfaces without the
- option.
- Hairpin packets are packets that are routed out of the
- same interface that they arrived on.
- interfaces without the routeback option. The default
- is . If you don't wish for these packets to be
- logged, use FILTER_LOG_LEVEL=none.
-
-
-
FORWARD_CLEAR_MARK={Yes|No}
@@ -1219,6 +1197,18 @@ net all DROP infothen the chain name is 'net2all'
+
+ MANGLE_ENABLED=[Yes|No]
+
+
+ Determines whether Shorewall will generate rules in the
+ Netfilter mangle table. Setting MANGLE_ENABLED=No disables all
+ Shorewall features that require the mangle table. The default is
+ MANGLE_ENABLED=Yes.
+
+
+
MAPOLDACTIONS=[Yes|No]
@@ -1649,6 +1639,41 @@ net all DROP infothen the chain name is 'net2all'
+
+ SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
+
+
+ Added in Shorewall 4.4.20. Determines the disposition of
+ packets matching the option (see shorewall-interfaces(5)) and
+ of hairpin packets on interfaces without the
+ option.
+ Hairpin packets are packets that are routed out of the
+ same interface that they arrived on.
+ interfaces without the routeback option.
+
+
+
+
+ SFILTER_LOG_LEVEL=log-level
+
+
+ Added on Shorewall 4.4.20. Determines the logging of packets
+ matching the option (see shorewall-interfaces(5)) and
+ of hairpin packets on interfaces without the
+ option.
+ Hairpin packets are packets that are routed out of the
+ same interface that they arrived on.
+ interfaces without the routeback option. The default
+ is . If you don't wish for these packets to be
+ logged, use FILTER_LOG_LEVEL=none.
+
+
+
SHOREWALL_SHELL=[pathname]
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index 290325b79..47b2ffb13 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -183,6 +183,19 @@
+
+ ACCOUNTING_TABLE=[filter|mangle]
+
+
+ Added in Shorewall 4.4.20. This setting determines which
+ Netfilter table the accounting rules are added in. By default,
+ ACCOUNTING_TABLE=filter is assumed. See also shorewall-accounting(5).
+
+
+
ADMINISABSENTMINDED=[Yes|No]
@@ -443,6 +456,26 @@
+
+ EXPAND_POLICIES={Yes|No}
+
+
+ Normally, when the SOURCE or DEST columns in
+ shorewall-policy(5) contains 'all', a single policy chain is created
+ and the policy is enforced in that chain. For example, if the policy
+ entry is#SOURCE DEST POLICY LOG
+# LEVEL
+net all DROP infothen the chain name is 'net2all'
+ which is also the chain named in Shorewall log messages generated as
+ a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall will
+ create a separate chain for each pair of zones covered by the
+ policy. This makes the resulting log messages easier to interpret
+ since the chain in the messages will have a name of the form 'a2b'
+ where 'a' is the SOURCE zone and 'b' is the DEST zone.
+
+
+
EXPORTMODULES=[Yes|No]
@@ -997,6 +1030,18 @@
+
+ MANGLE_ENABLED=[Yes|No]
+
+
+ Determines whether Shorewall will generate rules in the
+ Netfilter mangle table. Setting MANGLE_ENABLED=No disables all
+ Shorewall features that require the mangle table. The default is
+ MANGLE_ENABLED=Yes.
+
+
+
MARK_IN_FORWARD_CHAIN=[
+
+ SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
+
+
+ Added in Shorewall 4.4.20. Determines the disposition of
+ packets matching the option (see shorewall6-interfaces(5))
+ and of hairpin packets on interfaces without
+ the option.
+ Hairpin packets are packets that are routed out of the
+ same interface that they arrived on.
+ interfaces without the routeback option.
+
+
+
+
+ SFILTER_LOG_LEVEL=log-level
+
+
+ Added on Shorewall 4.4.20. Determines the logging of packets
+ matching the option (see shorewall6-interfaces(5))
+ and of hairpin packets on interfaces without
+ the option.
+ Hairpin packets are packets that are routed out of the
+ same interface that they arrived on.
+ interfaces without the routeback option. The default
+ is . If you don't wish for these packets to be
+ logged, use FILTER_LOG_LEVEL=none.
+
+
+
STARTUP_ENABLED={Yes|No}