mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Clarify the 'optional' interface option.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
e5e8e6fbc0
commit
7343b19abc
@ -70,8 +70,7 @@
|
||||
in this column.</para>
|
||||
|
||||
<para>If the interface serves multiple zones that will be defined in
|
||||
the <ulink
|
||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
file, you should place "-" in this column.</para>
|
||||
|
||||
<para>If there are multiple interfaces to the same zone, you must
|
||||
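Review bot: The only change in this hunk is re-wrapping the `<ulink url="shorewall-hosts.html">` reference onto one line, which is unrelated to the subject "Clarify the 'optional' interface option"; the same holds for the other reflow-only hunks in this patch. Consider moving the whitespace re-wrapping into a separate commit so that the documentation change to `optional` is easy to find in history and in blame.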
@ -109,8 +108,8 @@ loc eth2 -</programlisting>
|
||||
<para>When using Shorewall versions before 4.1.4, care must be
|
||||
exercised when using wildcards where there is another zone that uses
|
||||
a matching specific interface. See <ulink
|
||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
|
||||
for a discussion of this problem.</para>
|
||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
||||
discussion of this problem.</para>
|
||||
|
||||
<para>Shorewall allows '+' as an interface name, but that usage is
|
||||
deprecated. A better approach is to specify
|
||||
@ -370,8 +369,7 @@ loc eth2 -</programlisting>
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
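Review bot: The context line "The default is determine by the setting of", directly after the re-wrapped `<ulink url="shorewall.conf.html">` reference, contains a typo. Since this paragraph is being touched anyway, change "determine" to "determined".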
@ -459,8 +457,8 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>the interface is a <ulink
|
||||
url="../SimpleBridge.html">simple bridge</ulink> with a DHCP
|
||||
server on one port and DHCP clients on another
|
||||
url="../SimpleBridge.html">simple bridge</ulink> with a
|
||||
DHCP server on one port and DHCP clients on another
|
||||
port.</para>
|
||||
|
||||
<note>
|
||||
@ -585,8 +583,8 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Connection requests from this interface are compared
|
||||
against the contents of <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
|
||||
If this option is specified, the interface must be an Ethernet
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an Ethernet
|
||||
NIC and must be up before Shorewall is started.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -650,8 +648,8 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
After logging, the packets are dropped.</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -659,6 +657,11 @@ loc eth2 -</programlisting>
|
||||
<term><emphasis role="bold">optional</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This option indicates that the firewall should be able
|
||||
to start, even if the interface is not usable for handling
|
||||
traffic. It allows use of the <command>enable</command> and
|
||||
<command>disable</command> commands on the interface.</para>
|
||||
|
||||
<para>When <option>optional</option> is specified for an
|
||||
interface, Shorewall will be silent when:</para>
|
||||
|
||||
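Review bot: In the paragraph added at the top of the `optional` list item, "not usable for handling traffic" is never defined, and the reader cannot tell how it relates to the "Shorewall will be silent when:" list that follows. Suggest stating explicitly whether the listed conditions are the ones that make an interface not usable, and adding a `<ulink>` to the page that documents the `enable` and `disable` commands, as the other cross-references in this file do.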
@ -674,6 +677,16 @@ loc eth2 -</programlisting>
|
||||
<para>The first address of the interface cannot be
|
||||
obtained.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The gateway of the interface can not be obtained
|
||||
(provider interface).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The interface has been disabled using the
|
||||
<command>disable</command> command.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>May not be specified with <emphasis
|
||||
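Review bot: The first added item writes "can not be obtained" while the existing item directly above it uses "cannot be obtained"; use "cannot" in both. The parenthetical "(provider interface)" is also too terse to stand alone: say what a provider interface is in this context, for example with a `<ulink>` to shorewall-providers(5) as used elsewhere in this file.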
@ -826,9 +839,9 @@ loc eth2 -</programlisting>
|
||||
|
||||
<important>
|
||||
<para>If ROUTE_FILTER=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
or if your distribution sets net.ipv4.conf.all.rp_filter=1
|
||||
in <filename>/etc/sysctl.conf</filename>, then setting
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
||||
your distribution sets net.ipv4.conf.all.rp_filter=1 in
|
||||
<filename>/etc/sysctl.conf</filename>, then setting
|
||||
<emphasis role="bold">routefilter</emphasis>=0 in an
|
||||
<replaceable>interface</replaceable> entry will not disable
|
||||
route filtering on that
|
||||
@ -848,8 +861,8 @@ loc eth2 -</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If USE_DEFAULT_RT=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
and the interface is listed in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||
the interface is listed in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
|