mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 14:48:51 +01:00
Clarify the 'optional' interface option.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
e5e8e6fbc0
commit
7343b19abc
@ -70,8 +70,7 @@
|
|||||||
in this column.</para>
|
in this column.</para>
|
||||||
|
|
||||||
<para>If the interface serves multiple zones that will be defined in
|
<para>If the interface serves multiple zones that will be defined in
|
||||||
the <ulink
|
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
|
||||||
file, you should place "-" in this column.</para>
|
file, you should place "-" in this column.</para>
|
||||||
|
|
||||||
<para>If there are multiple interfaces to the same zone, you must
|
<para>If there are multiple interfaces to the same zone, you must
|
||||||
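Review bot: Unrelated whitespace churn: joining the `<ulink` line with its `url="shorewall-hosts.html"` attribute changes no wording, and it does not belong in a commit titled "Clarify the 'optional' interface option". Moving rewraps like this one into a separate formatting commit would keep the documentation change easy to review and to bisect.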
@ -109,8 +108,8 @@ loc eth2 -</programlisting>
|
|||||||
<para>When using Shorewall versions before 4.1.4, care must be
|
<para>When using Shorewall versions before 4.1.4, care must be
|
||||||
exercised when using wildcards where there is another zone that uses
|
exercised when using wildcards where there is another zone that uses
|
||||||
a matching specific interface. See <ulink
|
a matching specific interface. See <ulink
|
||||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
|
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
||||||
for a discussion of this problem.</para>
|
discussion of this problem.</para>
|
||||||
|
|
||||||
<para>Shorewall allows '+' as an interface name, but that usage is
|
<para>Shorewall allows '+' as an interface name, but that usage is
|
||||||
deprecated. A better approach is to specify
|
deprecated. A better approach is to specify
|
||||||
@ -370,8 +369,7 @@ loc eth2 -</programlisting>
|
|||||||
firewall through this interface and whether the source address
|
firewall through this interface and whether the source address
|
||||||
and/or destination address is to be compared against the
|
and/or destination address is to be compared against the
|
||||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||||
<ulink
|
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>).
|
|
||||||
The default is determine by the setting of
|
The default is determine by the setting of
|
||||||
DYNAMIC_BLACKLIST:</para>
|
DYNAMIC_BLACKLIST:</para>
|
||||||
|
|
||||||
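Review bot: Typo left in the paragraph being rewrapped: the context line "The default is determine by the setting of" should read "determined". Since this hunk already touches the paragraph to join the `<ulink url="shorewall.conf.html">` line, the typo could be fixed in the same place.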
@ -459,8 +457,8 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>the interface is a <ulink
|
<para>the interface is a <ulink
|
||||||
url="../SimpleBridge.html">simple bridge</ulink> with a DHCP
|
url="../SimpleBridge.html">simple bridge</ulink> with a
|
||||||
server on one port and DHCP clients on another
|
DHCP server on one port and DHCP clients on another
|
||||||
port.</para>
|
port.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
@ -585,8 +583,8 @@ loc eth2 -</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Connection requests from this interface are compared
|
<para>Connection requests from this interface are compared
|
||||||
against the contents of <ulink
|
against the contents of <ulink
|
||||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
|
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||||
If this option is specified, the interface must be an Ethernet
|
this option is specified, the interface must be an Ethernet
|
||||||
NIC and must be up before Shorewall is started.</para>
|
NIC and must be up before Shorewall is started.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -650,8 +648,8 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>Smurfs will be optionally logged based on the setting of
|
<para>Smurfs will be optionally logged based on the setting of
|
||||||
SMURF_LOG_LEVEL in <ulink
|
SMURF_LOG_LEVEL in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).
|
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||||
After logging, the packets are dropped.</para>
|
logging, the packets are dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -659,6 +657,11 @@ loc eth2 -</programlisting>
|
|||||||
<term><emphasis role="bold">optional</emphasis></term>
|
<term><emphasis role="bold">optional</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
<para>This option indicates that the firewall should be able
|
||||||
|
to start, even if the interface is not usable for handling
|
||||||
|
traffic. It allows use of the <command>enable</command> and
|
||||||
|
<command>disable</command> commands on the interface.</para>
|
||||||
|
|
||||||
<para>When <option>optional</option> is specified for an
|
<para>When <option>optional</option> is specified for an
|
||||||
interface, Shorewall will be silent when:</para>
|
interface, Shorewall will be silent when:</para>
|
||||||
|
|
||||||
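Review bot: Missing documentation in the added first paragraph: it says the firewall can start "even if the interface is not usable for handling traffic", but it does not define "usable" or say whether the interface's rules take effect on their own once it becomes usable or only after <command>enable</command> is run. One more sentence covering that, and tying "not usable" to the "Shorewall will be silent when:" list that follows, would make the behaviour clear to someone relying on this option for an interface that may be down at start.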
@ -674,6 +677,16 @@ loc eth2 -</programlisting>
|
|||||||
<para>The first address of the interface cannot be
|
<para>The first address of the interface cannot be
|
||||||
obtained.</para>
|
obtained.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The gateway of the interface can not be obtained
|
||||||
|
(provider interface).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The interface has been disabled using the
|
||||||
|
<command>disable</command> command.</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>May not be specified with <emphasis
|
<para>May not be specified with <emphasis
|
||||||
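Review bot: Wording inconsistency in the first added list item: "can not be obtained" sits directly after the existing item that uses "cannot be obtained"; use "cannot" in both. The parenthetical "(provider interface)" is also terse. Something like "if the interface is a provider interface" would say when the condition applies, and a link to shorewall-providers(5), as used elsewhere in this file, would help.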
@ -826,9 +839,9 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>If ROUTE_FILTER=Yes in <ulink
|
<para>If ROUTE_FILTER=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
||||||
or if your distribution sets net.ipv4.conf.all.rp_filter=1
|
your distribution sets net.ipv4.conf.all.rp_filter=1 in
|
||||||
in <filename>/etc/sysctl.conf</filename>, then setting
|
<filename>/etc/sysctl.conf</filename>, then setting
|
||||||
<emphasis role="bold">routefilter</emphasis>=0 in an
|
<emphasis role="bold">routefilter</emphasis>=0 in an
|
||||||
<replaceable>interface</replaceable> entry will not disable
|
<replaceable>interface</replaceable> entry will not disable
|
||||||
route filtering on that
|
route filtering on that
|
||||||
@ -848,8 +861,8 @@ loc eth2 -</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If USE_DEFAULT_RT=Yes in <ulink
|
<para>If USE_DEFAULT_RT=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||||
and the interface is listed in <ulink
|
the interface is listed in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|