diff --git a/docs/Actions.xml b/docs/Actions.xml index a67be7f3b..a7ee3c8b7 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -178,9 +178,9 @@ ACCEPT - - tcp 135,139,445 - The name of a recent set; you select the set name - which must conform to the rules for a valid chain name. Different - rules that specify the same set name will use the same set of + The name of a recent list. You select the list + name which must conform to the rules for a valid chain name. Different + rules that specify the same list name will use the same set of counters. @@ -196,7 +196,7 @@ ACCEPT - - tcp 135,139,445 Connections that exceed the specified rate are dropped. - For example, to use a recent set name of For example, to use a recent list name of SSHA, and to limit SSH connections to 3 per minute, use this entry in /etc/shorewall/rules: @@ -219,7 +219,7 @@ Limit:info:SSHA,3,60 net $FW tcp 22 - The name of the recent set that you want to use + The name of the recent list that you want to use (SSHA in this example). @@ -242,10 +242,10 @@ Limit:info:SSHA,3,60 net $FW tcp 22my @tag = split /,/, $tag; -fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' +fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3; -my $set = $tag[0]; +my $list = $tag[0]; for ( @tag[1,2] ) { fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/ 
@@ -253,15 +253,15 @@ for ( @tag[1,2] ) { my $count = $tag[1] + 1; -add_rule $chainref, "-m recent --name $set --set"; +add_rule $chainref, "-m recent --name $list --set"; if ( $level ) { my $xchainref = new_chain 'filter' , "$chainref->{name}%"; log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; add_rule $xchainref, '-j DROP'; - add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; + add_rule $chainref, "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; } else { - add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP"; + add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP"; } add_rule $chainref, '-j ACCEPT'; diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index f22c81e17..831b1ab71 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml 
@@ -96,35 +96,8 @@ - The Perl-based compiler requires the following capabilities in - your kernel and iptables. - - - - addrtype match (Restriction relaxed in Shorewall-perl - 4.0.1) - - - - multiport match (will not be relaxed) - - - - These capabilities are in current distributions. - - - - Now that Netfilter has features to deal reasonably with port - lists, I see no reason to duplicate those features in Shorewall. The - Shorewall-shell compiler goes to great pain (in some cases) to break - very long port lists ( > 15 where port ranges in lists count as - two ports) into individual rules. In the new compiler, I'm avoiding - the ugliness required to do that for source port lists. The new - compiler just generates an error if your source list is too long - (beginning with Shorewall 4.0.5, the compiler will break rules with - a long destination port list into multiple rules).. It will also - produce an error if you insert a port range into a port list and you - don't have extended multiport support. + The Perl-based compiler requires multiport match in your + kernel and iptables. @@ -134,6 +107,12 @@ is provided by Shorewall-perl. + + DYNAMIC_ZONES=Yes is not supported. Use an ipset to define your + dytnamic zones. + + The BROADCAST column in the interfaces file is essentially unused if your kernel/iptables has Address Type Match support. If @@ -490,9 +469,8 @@ eth0 eth1:!192.168.4.9 ... The PKTTYPE option is ignored by Shorewall-perl. - Shorewall-perl 4.0.0 requires Address type match. Shorewall-perl - versions 4.0.1 and later will use Address type match if it is - available; otherwise, they will behave as if PKTTYPE=No had been + Shorewall-perl will use Address type match if it is available; + otherwise, it will behave as if PKTTYPE=No had been specified. 
@@ -531,9 +509,9 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22 - Beginning in Shorewall 4.2.0, Shorewall-perl gives a warning - if a zone name is entered in the DEST column of a - nonat rule. Nonat rules include: + Shorewall-perl gives a warning if a zone name is entered in + the DEST column of a nonat rule. Nonat rules + include: @@ -565,7 +543,8 @@ DNAT- net 192.168.1.3 tcp 21 + your embedded systems. Shorewall-perl will run on Windows under Cygwin. diff --git a/docs/shorewall_features.xml b/docs/shorewall_features.xml index 786ad2d2d..13675c017 100644 --- a/docs/shorewall_features.xml +++ b/docs/shorewall_features.xml @@ -16,7 +16,7 @@ - 2001-2008 + 2001-2009 Thomas M Eastep @@ -33,9 +33,9 @@ - This article applies to Shorewall 3.0 and + This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall - 3.0.0 then please see the documentation for that + 4.3.5 then please see the documentation for that release. @@ -79,6 +79,25 @@ + + Supports centralized firewall + administration. + + + + Shorewall installed on a single administrative system. May + be a Windows PC running + Cygwin. + + + + Centrally generated firewall scripts run on the firewalls + under control of Shorewall-lite. + + + + QuickStart Guides (HOWTOs) to help get your first firewall up and running @@ -188,8 +207,8 @@ RPM and Debian - packages available. + url="http://www.debian.org">Debian packages + available. diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 23251a102..5c608c191 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -69,8 +69,9 @@ eth3:192.0.2.123 - You can use the shorewall check - command to see the groups associated with each of your zones. + You can use the shorewall show + zones command to see the groups associated with each of your + zones.
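Review bot: in the @@ -253 hunk of docs/Actions.xml the renamed `$list` is interpolated straight into `-m recent --name $list --set`, but none of the visible code checks its value, even though the @@ -178 text says the list name "must conform to the rules for a valid chain name"; only `$tag[1]` and `$tag[2]` get the `/^\d+$/` check in the preceding hunk. Consider validating `$tag[0]` against the chain-name rule with a `fatal_error` so a bad tag is reported at compile time rather than surfacing later as an iptables error. Minor: the logging branch emits `--name $list --update --seconds ...` while the non-logging branch emits `--update --name $list --seconds ...`; the effect is the same, but one ordering would read more consistently.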
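Review bot: the @@ -96 hunk of docs/Shorewall-perl.xml removes, along with the obsolete addrtype requirement, the paragraph stating that the compiler produces an error when a source port list is too long and when a port range appears in a port list without extended multiport support, and leaves only "requires multiport match". If those errors still occur, the source-port-list limit and the port-range condition should stay documented (a shortened sentence is enough), otherwise users will hit errors the docs no longer explain; if the limits were removed from the compiler, the commit message should say so.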
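Review bot: typo in the added text of the @@ -134 hunk of docs/Shorewall-perl.xml: "dytnamic zones" should read "dynamic zones".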
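Review bot: the version numbers in the @@ -33 hunk of docs/shorewall_features.xml do not agree: the first sentence now says the article applies to "Shorewall 4.3 and later" while the second sends users running "earlier than Shorewall 4.3.5" to the older documentation, so 4.3.0 through 4.3.4 are claimed by both statements. Use the same threshold in both sentences.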