Man page updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8044 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-27 01:53:27 +01:00 · 2008-01-11 22:38:39 +00:00 · 2008-01-11 22:38:39 +00:00 · 7f28dedeea
commit 7f28dedeea
parent 93e0f6cb51
1 changed files with 52 additions and 0 deletions
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@ -1151,6 +1151,58 @@
        REDIRECT net    $FW::81-90:random   tcp   www</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 9:</term>
+
+        <listitem>
+          <para>Shorewall does not impose as much structure on the Netfilter
+          rules in the 'nat' table as it does on those in the filter table. As
+          a consequence, care must be exercised when using DNAT and REDIRECT
+          rules with zones defined with wildcard interfaces (those ending with
+          '+'. Here is an example:</para>
+
+          <para><ulink
+          url="shorewall-zones.html">shorewall-zones</ulink>(8):<programlisting>        #ZONE       TYPE    OPTIONS
+        fw          firewall
+        net         ipv4
+        dmz         ipv4
+        loc         ipv4</programlisting></para>
+
+          <para><ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8):<programlisting>        #ZONE       INTERFACE       BROADCAST      OPTIONS
+        net         ppp0
+        loc         eth1            detect
+        dmz         eth2            detect
+        -           ppp+                           # Addresses are assigned from 192.168.3.0/24</programlisting></para>
+
+          <para><ulink
+          url="shorewall-hosts.html">shorewall-host</ulink>(8):<programlisting>        #ZONE       HOST(S)              OPTIONS
+        loc         ppp+:192.168.3.0/24</programlisting></para>
+
+          <para>rules:</para>
+
+          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST
+        #                                                  PORT(S)
+        REDIRECT    loc             3128       tcp         80                                                   </programlisting>
+
+          <simpara>Note that it would have been tempting to simply define the
+          loc zone entirely in shorewall-interfaces(8):</simpara>
+
+          <para><programlisting>        #******************* INCORRECT *****************
+        #ZONE       INTERFACE       BROADCAST      OPTIONS
+        net         ppp0
+        loc         eth1            detect
+        loc         ppp+
+        dmz         eth2</programlisting></para>
+
+          <para>This would have made it impossible to run a
+          internet-accessible web server in the DMZ because all traffic
+          entering ppp+ interfaces would have been redirected to port 3128 on
+          the firewall and there would have been no net-&gt;fw ACCEPT rule for
+          that traffic.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>