diff --git a/docs/Multiple_Zones.xml b/docs/Multiple_Zones.xml index 497a06a19..54e728db8 100644 --- a/docs/Multiple_Zones.xml +++ b/docs/Multiple_Zones.xml @@ -209,13 +209,13 @@ loc1:loc ipv4 /etc/shorewall/interfaces - #ZONE INTERFACE BROADCAST -loc eth1 192.168.1.255 + #ZONE INTERFACE BROADCAST OPTIONS +loc eth1 - /etc/shorewall/hosts - #ZONE HOSTS -loc1 eth1:192.168.2.0/24 + #ZONE HOSTS OPTIONS +loc1 eth1:192.168.2.0/24 - If you don't need Shorewall to set up infrastructure to route traffic between loc and loc1, add these @@ -248,13 +248,14 @@ loc2 ipv4 /etc/shorewall/interfaces #ZONE INTERFACE BROADCAST -- eth1 192.168.1.255 +- eth1 192.168.1.255 + /etc/shorewall/hosts - #ZONE HOSTS -loc1 eth1:192.168.1.0/24 -loc2 eth1:192.168.2.0/24 + #ZONE HOSTS OPTIONS +loc1 eth1:192.168.1.0/24 - +loc2 eth1:192.168.2.0/24 - You don't need Shorewall to set up infrastructure to route traffic between loc and loc1, so add @@ -287,10 +288,18 @@ loc1:loc ipv4 /etc/shorewall/interfaces #ZONE INTERFACE BROADCAST -loc eth1 192.168.1.255 +loc eth1 - - /etc/shorewall/hosts#ZONE HOSTS -loc1 eth1:192.168.1.8/29 + /etc/shorewall/hosts#ZONE HOSTS OPTIONS +loc1 eth1:192.168.1.8/29 broadcast + + The option causes limited broadcasts + (destination IP address 255.255.255.255) to be checked against the loc1 + zone. If that zone allows the packet, then of course it will be seen by + the mempers of loc that are outside of loc1 as well. If the broadcast is + not specifically DROPped by the fw->loc1 rules then it will also be + checked against the fw->loc rules, even if there is a DROP or REJECT + fw->loc1 policy. You probably don't want Shorewall to set up infrastructure to route traffic between loc and loc1 so you should diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 5c32c6341..cabddfbe3 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml 
@@ -500,7 +500,7 @@ esac the table name - To add a rule to the chain:add_rule( $chainref, <the rule> );Where + To add a rule to the chain:add_rule( $chainref, <the rule> [ , <break lists> ] );Where <the rule> is a scalar argument holding the rule text. Do not include "-A <chain name>" @@ -508,14 +508,16 @@ esac The add_rule() function accepts an optional third argument; If that argument evaluates to true and the passed rule contains a --dports list with more than 15 ports (a port + role="bold">--dports or --sports list with more than 15 ports (a port range counts as two ports), the rule will be split into multiple rules where each resulting rule has 15 or fewer ports in its --dports list. + role="bold">--dports and --sports lists. To insert a rule into the chain: insert_rule( $chainref, <rulenum>, <the rule> );The log_rule_limit() function works like it - does in the shell compiler with three exceptions: + did in the shell compiler with three exceptions: You pass the chain reference rather than the name of the chain. @@ -531,14 +533,14 @@ esac you must quote that part). Example:log_rule_limit( - 'info' , - $chainref , - $chainref->{name}, - 'DROP' , - '', #Limit - '' , #Log tag - 'add', #Command - '-p tcp' #Pass as-is + 'info' , #Log Level + $chainref , #Chain to add the rule to + $chainref->{name}, #Name of the chain as it will appear in the log prefix + 'DROP' , #Disposition of the packet + '', #Limit + '' , #Log tag + 'add', #Command + '-p tcp' #Added to the rule as-is );Note that in the 'initdone' script, there is no default chain ($chainref). You can obtain a reference to a standard chain by:my $chainref = $chain_table{<table>}{<chain name>};Example:my $chainref = $chain_table{filter}{INPUT}; diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml index 8a0fb2db9..ab5005cec 100644 --- a/manpages/shorewall-hosts.xml +++ b/manpages/shorewall-hosts.xml 
@@ -191,13 +191,12 @@ - broadcast + broadcast - (Only supported by Shorewall-perl). Used when you want - to include limited broadcasts (destination IP address - 255.255.255.255) from the firewall to this zone. Only - necessary when: + Used when you want to include limited broadcasts + (destination IP address 255.255.255.255) from the firewall to + this zone. Only necessary when: @@ -215,13 +214,13 @@ - destonly + destonly - (Only supported by Shorewall-perl). Normally used with - the Multi-cast IP address range (224.0.0.0/4). Specifies that - traffic will be sent to the specified net(s) but that no - traffic will be received from the net(s). + Normally used with the Multi-cast IP address range + (224.0.0.0/4). Specifies that traffic will be sent to the + specified net(s) but that no traffic will be received from the + net(s).
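Review bot: In the @@ -209 hunk of docs/Multiple_Zones.xml the new interfaces header reads `#ZONE INTERFACE BROADCAST OPTIONS` but the data line `loc eth1 -` fills only three columns, so a reader cannot tell whether the `-` is the BROADCAST value or the OPTIONS value. A short sentence saying what `-` means in the BROADCAST column, and why the explicit 192.168.1.255 that was here before is no longer needed, would make the example self-explanatory.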
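Review bot: The @@ -248 hunk leaves the interfaces example as `#ZONE INTERFACE BROADCAST` / `- eth1 192.168.1.255` while the examples before and after it in the same file drop the broadcast address and add an OPTIONS column. Either update this example the same way or say why this configuration still needs an explicit broadcast address; as written the three examples look inconsistent and readers will wonder which form is current.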
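Review bot: In the paragraph added by the @@ -287 hunk, "mempers" should be "members". More importantly, the last sentence documents a behaviour that is easy to get wrong: a limited broadcast that is not explicitly DROPped by the fw->loc1 rules falls through to the fw->loc rules even when the fw->loc1 policy is DROP or REJECT. That point deserves to be stated more directly, for example "a DROP or REJECT fw->loc1 policy does not by itself stop the broadcast; only an explicit DROP rule in fw->loc1 does", so that an administrator relying on the policy alone is not surprised.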
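Review bot: The @@ -500 hunk of docs/shorewall_extension_scripts.xml adds `[ , <break lists> ]` to the add_rule() synopsis, but the "Where" clause that follows still describes only <the rule>. Add a clause for <break lists> here, or point to the paragraph below that describes the optional third argument, so the synopsis and its description stay together.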
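Review bot: The @@ -508 hunk now says each resulting rule has 15 or fewer ports in its `--dports and --sports lists`, but it does not say what happens when both lists exceed 15 ports: is each list split independently, or does the function emit a cross product of the two? The number of generated iptables rules, and therefore chain length and the order in which the pieces are matched, depends on the answer, so the documentation should state it.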
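Review bot: In the @@ -531 hunk the comment `'add', #Command` would be more helpful if it named the alternative command value(s), if any, since "Command" alone does not tell the reader what else can be passed. The other added comments (log level, chain reference, name as it appears in the log prefix, disposition) read well.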
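Review bot: The @@ -191 hunk of manpages/shorewall-hosts.xml drops "(Only supported by Shorewall-perl)" from the `broadcast` option without replacing it. If the shell compiler is no longer supported that is fine, but someone reading this manpage for an older release loses the hint that the option is unavailable to them; a "since version <X>" note (version is a placeholder here) or a statement that the option requires the Perl-based compiler would preserve that information.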
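Review bot: The @@ -215 hunk says `destonly` means "no traffic will be received from the net(s)", but it does not say how that is realised on the receiving side: are packets with a source address in that net simply not matched by this hosts entry (and therefore fall into whatever zone the interface or a later entry assigns), or are they dropped? For a multicast range such as 224.0.0.0/4 the distinction decides which zone's policies apply to inbound traffic, so one sentence clarifying it would help.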