mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 16:43:21 +01:00
Clean up links in the manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
a775fdcb7c
commit
81b42afa30
@ -148,9 +148,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||||
to be used in <ulink
|
to be used in <ulink
|
||||||
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
|
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
|
||||||
than <ulink
|
than <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
|
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -160,9 +160,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.13. Specifies that this action is
|
<para>Added in Shorewall 5.0.13. Specifies that this action is
|
||||||
to be used in <ulink
|
to be used in <ulink
|
||||||
url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
|
url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink> rather
|
||||||
than <ulink
|
than <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
|
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>. The
|
||||||
<option>mangle</option> and <option>nat</option> options are
|
<option>mangle</option> and <option>nat</option> options are
|
||||||
mutually exclusive.</para>
|
mutually exclusive.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
@ -170,7 +170,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>queues matching packets to a back end logging daemon via
|
<para>queues matching packets to a back end logging daemon via
|
||||||
a netlink socket then continues to the next rule. See <ulink
|
a netlink socket then continues to the next rule. See <ulink
|
||||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@ -257,7 +257,7 @@ loc eth2 -</programlisting>
|
|||||||
<warning>
|
<warning>
|
||||||
<para>Do not specify <emphasis
|
<para>Do not specify <emphasis
|
||||||
role="bold">arp_ignore</emphasis> for any interface involved
|
role="bold">arp_ignore</emphasis> for any interface involved
|
||||||
in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
|
in <ulink url="/ProxyARP.htm">Proxy ARP</ulink>.</para>
|
||||||
</warning>
|
</warning>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -323,7 +323,7 @@ loc eth2 -</programlisting>
|
|||||||
and/or destination address is to be compared against the
|
and/or destination address is to be compared against the
|
||||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||||
<ulink
|
<ulink
|
||||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||||
The default is determine by the setting of
|
The default is determine by the setting of
|
||||||
DYNAMIC_BLACKLIST:</para>
|
DYNAMIC_BLACKLIST:</para>
|
||||||
|
|
||||||
@ -411,13 +411,13 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>the interface is a <ulink
|
<para>the interface is a <ulink
|
||||||
url="../SimpleBridge.html">simple bridge</ulink> with a
|
url="/SimpleBridge.html">simple bridge</ulink> with a
|
||||||
DHCP server on one port and DHCP clients on another
|
DHCP server on one port and DHCP clients on another
|
||||||
port.</para>
|
port.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>If you use <ulink
|
<para>If you use <ulink
|
||||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
url="/bridge-Shorewall-perl.html">Shorewall-perl for
|
||||||
firewall/bridging</ulink>, then you need to include
|
firewall/bridging</ulink>, then you need to include
|
||||||
DHCP-specific rules in <ulink
|
DHCP-specific rules in <ulink
|
||||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
|
||||||
|
|||||||
@ -103,7 +103,7 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>These additional match options are not available in <ulink
|
<para>These additional match options are not available in <ulink
|
||||||
url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
|
url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>Available options are:</para>
|
<para>Available options are:</para>
|
||||||
|
|||||||
@ -119,7 +119,7 @@
|
|||||||
Additionally, a <replaceable>chain-designator</replaceable> may not
|
Additionally, a <replaceable>chain-designator</replaceable> may not
|
||||||
be specified in an action body unless the action is declared as
|
be specified in an action body unless the action is declared as
|
||||||
<option>inline</option> in <ulink
|
<option>inline</option> in <ulink
|
||||||
url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
|
url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Where a command takes parameters, those parameters are
|
<para>Where a command takes parameters, those parameters are
|
||||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||||
@ -299,7 +299,7 @@
|
|||||||
configuration described at <ulink
|
configuration described at <ulink
|
||||||
url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
|
url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
|
||||||
place this entry in <ulink
|
place this entry in <ulink
|
||||||
url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
|
||||||
|
|
||||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||||
TProxy 1 - - lo - tproxy</programlisting>
|
TProxy 1 - - lo - tproxy</programlisting>
|
||||||
@ -365,7 +365,7 @@ DIVERTHA - - tcp</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.6 as an alternative to entries in
|
<para>Added in Shorewall 5.0.6 as an alternative to entries in
|
||||||
<ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
|
<ulink url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
|
||||||
PROTO is specified, it must be 'tcp' (6). If no PROTO is
|
PROTO is specified, it must be 'tcp' (6). If no PROTO is
|
||||||
supplied, TCP is assumed. This action causes all ECN bits in
|
supplied, TCP is assumed. This action causes all ECN bits in
|
||||||
the TCP header to be cleared.</para>
|
the TCP header to be cleared.</para>
|
||||||
@ -788,7 +788,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>interface</replaceable> is the
|
<para>where <replaceable>interface</replaceable> is the
|
||||||
logical name of an interface defined in <ulink
|
logical name of an interface defined in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||||
Matches packets entering the firewall from the named
|
Matches packets entering the firewall from the named
|
||||||
interface. May not be used in CLASSIFY rules or in rules using
|
interface. May not be used in CLASSIFY rules or in rules using
|
||||||
the :T chain qualifier.</para>
|
the :T chain qualifier.</para>
|
||||||
@ -911,11 +911,11 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>interface</replaceable> is the
|
<para>where <replaceable>interface</replaceable> is the
|
||||||
logical name of an interface defined in <ulink
|
logical name of an interface defined in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||||
Matches packets leaving the firewall through the named
|
Matches packets leaving the firewall through the named
|
||||||
interface. May not be used in the PREROUTING chain (:P in the
|
interface. May not be used in the PREROUTING chain (:P in the
|
||||||
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
|
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
|
||||||
in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
|
in <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -952,7 +952,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
when both the outgoing interface and destination IP address
|
when both the outgoing interface and destination IP address
|
||||||
match. May not be used in the PREROUTING chain (:P in the mark
|
match. May not be used in the PREROUTING chain (:P in the mark
|
||||||
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
|
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
|
||||||
<ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
|
<ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -967,7 +967,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<replaceable>exclusion</replaceable>. May not be used in the
|
<replaceable>exclusion</replaceable>. May not be used in the
|
||||||
PREROUTING chain (:P in the mark column or no chain qualifier
|
PREROUTING chain (:P in the mark column or no chain qualifier
|
||||||
and MARK_IN_FORWARD_CHAIN=No in <ulink
|
and MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
url="manpages/shorewall.conf">shorewall.conf</ulink>
|
url="/manpages/shorewall.conf">shorewall.conf</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1036,7 +1036,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>See <ulink
|
<para>See <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules(5)</ulink> for
|
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||||
|
|||||||
@ -199,7 +199,7 @@ all all REJECT info
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Set IMPLICIT_CONTINUE=Yes in <ulink
|
<para>Set IMPLICIT_CONTINUE=Yes in <ulink
|
||||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|||||||
@ -922,7 +922,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a zone defined in <ulink
|
<para>The name of a zone defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5). When
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
|
||||||
only the zone name is specified, the packet source may be any
|
only the zone name is specified, the packet source may be any
|
||||||
host in that zone.</para>
|
host in that zone.</para>
|
||||||
|
|
||||||
@ -989,9 +989,9 @@
|
|||||||
<replaceable>interface</replaceable> must be the name of an
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
interface associated with the named
|
interface associated with the named
|
||||||
<replaceable>zone</replaceable> in either <ulink
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
|
url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
|
||||||
packets from hosts in the <replaceable>zone</replaceable> that
|
packets from hosts in the <replaceable>zone</replaceable> that
|
||||||
arrive through the named interface will match the rule.</para>
|
arrive through the named interface will match the rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1007,7 +1007,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>A host or network IP address. A network address may
|
<para>A host or network IP address. A network address may
|
||||||
be followed by exclusion (see <ulink
|
be followed by exclusion (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1067,7 +1067,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This form matches if the host IP address does not match
|
<para>This form matches if the host IP address does not match
|
||||||
any of the entries in the exclusion (see <ulink
|
any of the entries in the exclusion (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1229,7 +1229,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a zone defined in <ulink
|
<para>The name of a zone defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5). When
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
|
||||||
only the zone name is specified, the packet destination may be
|
only the zone name is specified, the packet destination may be
|
||||||
any host in that zone.</para>
|
any host in that zone.</para>
|
||||||
|
|
||||||
@ -1296,9 +1296,9 @@
|
|||||||
<replaceable>interface</replaceable> must be the name of an
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
interface associated with the named
|
interface associated with the named
|
||||||
<replaceable>zone</replaceable> in either <ulink
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
|
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). Only
|
||||||
packets to hosts in the <replaceable>zone</replaceable> that
|
packets to hosts in the <replaceable>zone</replaceable> that
|
||||||
are sent through the named interface will match the
|
are sent through the named interface will match the
|
||||||
rule.</para>
|
rule.</para>
|
||||||
@ -1315,7 +1315,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>A host or network IP address. A network address may
|
<para>A host or network IP address. A network address may
|
||||||
be followed by exclusion (see <ulink
|
be followed by exclusion (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1370,7 +1370,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This form matches if the host IP address does not match
|
<para>This form matches if the host IP address does not match
|
||||||
any of the entries in the exclusion (see <ulink
|
any of the entries in the exclusion (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
<para>This file is used to define dynamic NAT (Masquerading) and to define
|
<para>This file is used to define dynamic NAT (Masquerading) and to define
|
||||||
Source NAT (SNAT). It superseded <ulink
|
Source NAT (SNAT). It superseded <ulink
|
||||||
url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
|
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
|
||||||
5.0.14.</para>
|
5.0.14.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
@ -150,7 +150,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>action</replaceable> is an action
|
<para>where <replaceable>action</replaceable> is an action
|
||||||
declared in <ulink
|
declared in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions(5)</ulink> with
|
url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink> with
|
||||||
the <option>nat</option> option. See <ulink
|
the <option>nat</option> option. See <ulink
|
||||||
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
|
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
|
||||||
further information.</para>
|
further information.</para>
|
||||||
@ -257,7 +257,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If you wish to restrict this entry to a particular protocol
|
<para>If you wish to restrict this entry to a particular protocol
|
||||||
then enter the protocol name (from protocols(5)) or number here. See
|
then enter the protocol name (from protocols(5)) or number here. See
|
||||||
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
|
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||||
|
|||||||
@ -89,11 +89,11 @@
|
|||||||
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
||||||
may be used if your kernel and ip6tables have the <firstterm>Basic
|
may be used if your kernel and ip6tables have the <firstterm>Basic
|
||||||
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
|
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
|
||||||
ipset name may optionally be followed by a number or a comma
|
ipset name may optionally be followed by a number or a comma
|
||||||
separated list of src and/or dst enclosed in square brackets
|
separated list of src and/or dst enclosed in square brackets
|
||||||
([...]). See <ulink
|
([...]). See <ulink
|
||||||
url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
|
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -108,11 +108,11 @@
|
|||||||
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
||||||
may be used if your kernel and ip6tables have the <firstterm>Basic
|
may be used if your kernel and ip6tables have the <firstterm>Basic
|
||||||
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
|
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf (5)</ulink>. The
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
|
||||||
ipset name may optionally be followed by a number or a comma
|
ipset name may optionally be followed by a number or a comma
|
||||||
separated list of src and/or dst enclosed in square brackets
|
separated list of src and/or dst enclosed in square brackets
|
||||||
([...]). See <ulink
|
([...]). See <ulink
|
||||||
url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
|
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
|
|||||||
@ -321,9 +321,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The value of this variable affects Shorewall's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
The behavior differs depending on whether <ulink
|
The behavior differs depending on whether <ulink
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||||
is used:</para>
|
is used:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
@ -483,7 +483,7 @@
|
|||||||
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
|
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
|
||||||
determines whether the <option>balance</option> provider option (see
|
determines whether the <option>balance</option> provider option (see
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
|
url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>) is
|
||||||
the default. When BALANCE_PROVIDERS=Yes, then the
|
the default. When BALANCE_PROVIDERS=Yes, then the
|
||||||
<option>balance</option> option is assumed unless the
|
<option>balance</option> option is assumed unless the
|
||||||
<option>fallback</option>, <option>loose</option>,
|
<option>fallback</option>, <option>loose</option>,
|
||||||
@ -500,7 +500,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall-4.6.0. When set to <emphasis
|
<para>Added in Shorewall-4.6.0. When set to <emphasis
|
||||||
role="bold">Yes</emphasis>, causes entries in <ulink
|
role="bold">Yes</emphasis>, causes entries in <ulink
|
||||||
url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
|
url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
|
||||||
generate a basic filter rather than a u32 filter. This setting
|
generate a basic filter rather than a u32 filter. This setting
|
||||||
requires the <firstterm>Basic Ematch</firstterm> capability in your
|
requires the <firstterm>Basic Ematch</firstterm> capability in your
|
||||||
kernel and iptables.</para>
|
kernel and iptables.</para>
|
||||||
@ -1114,8 +1114,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||||
specified, the specifications on the right are interpreted as if
|
specified, the specifications on the right are interpreted as if
|
||||||
INLINE had been specified in the ACTION column. This also applies to
|
INLINE had been specified in the ACTION column. This also applies to
|
||||||
<ulink url="shorewall-masq.html">shorewall-masq(5)</ulink> and
|
<ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink> and
|
||||||
<ulink url="shorewall-mangle.html">shorewall-mangle(5</ulink>) which
|
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>) which
|
||||||
also support INLINE. If not specified or if specified as the empty
|
also support INLINE. If not specified or if specified as the empty
|
||||||
value, the value 'No' is assumed for backward compatibility.</para>
|
value, the value 'No' is assumed for backward compatibility.</para>
|
||||||
|
|
||||||
@ -1365,7 +1365,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
sample configurations use this as the default log level and changing
|
sample configurations use this as the default log level and changing
|
||||||
it will change all packet logging done by the configuration. In any
|
it will change all packet logging done by the configuration. In any
|
||||||
configuration file (except <ulink
|
configuration file (except <ulink
|
||||||
url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
|
url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
|
||||||
will expand to this value.</para>
|
will expand to this value.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1487,7 +1487,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||||
If not assigned or if assigned an empty value, /var/log/messages is
|
If not assigned or if assigned an empty value, /var/log/messages is
|
||||||
assumed. For further information, see <ulink
|
assumed. For further information, see <ulink
|
||||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
url="/manpages/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||||
Beginning with Shorewall 5.0.10.1, you may specify
|
Beginning with Shorewall 5.0.10.1, you may specify
|
||||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||||
read the log.</para>
|
read the log.</para>
|
||||||
@ -1935,10 +1935,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Optimization category 1 - Traditionally, Shorewall has
|
<para>Optimization category 1 - Traditionally, Shorewall has
|
||||||
created rules for <ulink
|
created rules for the complete matrix of
|
||||||
url="/ScalabilityAndPerformance.html">the complete matrix of
|
|
||||||
host groups defined by the zones, interfaces and hosts
|
host groups defined by the zones, interfaces and hosts
|
||||||
files</ulink>. Any traffic that didn't correspond to an element
|
files. Any traffic that didn't correspond to an element
|
||||||
of that matrix was rejected in one of the built-in chains. When
|
of that matrix was rejected in one of the built-in chains. When
|
||||||
the matrix is sparse, this results in lots of largely useless
|
the matrix is sparse, this results in lots of largely useless
|
||||||
rules.</para>
|
rules.</para>
|
||||||
@ -2944,7 +2943,7 @@ INLINE - - - ;; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets are sent through the main routing table by a rule
|
<para>Packets are sent through the main routing table by a rule
|
||||||
with priority 999. In <ulink
|
with priority 999. In <ulink
|
||||||
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5),
|
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5),
|
||||||
the range 1-998 may be used for inserting rules that bypass the
|
the range 1-998 may be used for inserting rules that bypass the
|
||||||
main table.</para>
|
main table.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
@ -149,9 +149,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||||
to be used in <ulink
|
to be used in <ulink
|
||||||
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
|
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
|
||||||
rather than <ulink
|
rather than <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -161,9 +161,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.13. Specifies that this action is
|
<para>Added in Shorewall 5.0.13. Specifies that this action is
|
||||||
to be used in <ulink
|
to be used in <ulink
|
||||||
url="shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
|
url="/manpages6/shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
|
||||||
than <ulink
|
than <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
|
||||||
<option>mangle</option> and <option>nat</option> options are
|
<option>mangle</option> and <option>nat</option> options are
|
||||||
mutually exclusive.</para>
|
mutually exclusive.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
@ -171,7 +171,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>queues matching packets to a back end logging daemon via
|
<para>queues matching packets to a back end logging daemon via
|
||||||
a netlink socket then continues to the next rule. See <ulink
|
a netlink socket then continues to the next rule. See <ulink
|
||||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@ -403,7 +403,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Where interface is the logical name of an interface
|
<para>Where interface is the logical name of an interface
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interface</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -426,13 +426,13 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an ipset preceded by a plus sign ("+").
|
<para>The name of an ipset preceded by a plus sign ("+").
|
||||||
See <ulink
|
See <ulink
|
||||||
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
|
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para><replaceable>exclusion</replaceable> is described in
|
<para><replaceable>exclusion</replaceable> is described in
|
||||||
<ulink
|
<ulink
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -450,7 +450,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>See <ulink
|
<para>See <ulink
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
url="/manpages6/shorewall6-exclusion.html">shorewall-exclusion</ulink>
|
||||||
(5)</para>
|
(5)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -499,7 +499,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Where interface is the logical name of an interface
|
<para>Where interface is the logical name of an interface
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -522,13 +522,13 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an ipset preceded by a plus sign ("+").
|
<para>The name of an ipset preceded by a plus sign ("+").
|
||||||
See <ulink
|
See <ulink
|
||||||
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
|
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para><replaceable>exclusion</replaceable> is described in
|
<para><replaceable>exclusion</replaceable> is described in
|
||||||
<ulink
|
<ulink
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -547,7 +547,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>See <ulink
|
<para>See <ulink
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||||
(5)</para>
|
(5)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|||||||
@ -345,7 +345,7 @@ loc eth2 -</programlisting>
|
|||||||
url="/bridge-Shorewall-perl.html">Shorewall-perl for
|
url="/bridge-Shorewall-perl.html">Shorewall-perl for
|
||||||
firewall/bridging</ulink>, then you need to include
|
firewall/bridging</ulink>, then you need to include
|
||||||
DHCP-specific rules in <ulink
|
DHCP-specific rules in <ulink
|
||||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(8).
|
||||||
DHCP uses UDP ports 546 and 547.</para>
|
DHCP uses UDP ports 546 and 547.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
@ -102,7 +102,7 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>These additional match options are not available in <ulink
|
<para>These additional match options are not available in <ulink
|
||||||
url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
|
url="/manpages6/shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>Available options are:</para>
|
<para>Available options are:</para>
|
||||||
|
|||||||
@ -120,7 +120,7 @@
|
|||||||
Additionally, a <replaceable>chain-designator</replaceable> may not
|
Additionally, a <replaceable>chain-designator</replaceable> may not
|
||||||
be specified in an action body unless the action is declared as
|
be specified in an action body unless the action is declared as
|
||||||
<option>inline</option> in <ulink
|
<option>inline</option> in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Where a command takes parameters, those parameters are
|
<para>Where a command takes parameters, those parameters are
|
||||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||||
@ -137,7 +137,7 @@
|
|||||||
<para>Added in Shorewall 5.0.7.
|
<para>Added in Shorewall 5.0.7.
|
||||||
<replaceable>action</replaceable> must be an action declared
|
<replaceable>action</replaceable> must be an action declared
|
||||||
with the <option>mangle</option> option in <ulink
|
with the <option>mangle</option> option in <ulink
|
||||||
url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
|
||||||
If the action accepts parameters, they are specified as a
|
If the action accepts parameters, they are specified as a
|
||||||
comma-separated list within parentheses following the
|
comma-separated list within parentheses following the
|
||||||
<replaceable>action</replaceable> name.</para>
|
<replaceable>action</replaceable> name.</para>
|
||||||
@ -300,7 +300,7 @@
|
|||||||
configuration described at <ulink
|
configuration described at <ulink
|
||||||
url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
|
url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
|
||||||
place this entry in <ulink
|
place this entry in <ulink
|
||||||
url="manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>:</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>:</para>
|
||||||
|
|
||||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||||
TProxy 1 - - lo - tproxy</programlisting>
|
TProxy 1 - - lo - tproxy</programlisting>
|
||||||
@ -410,7 +410,7 @@ DIVERTHA - - tcp</programlisting>
|
|||||||
specified at the end of the rule. If the target is not one
|
specified at the end of the rule. If the target is not one
|
||||||
known to Shorewall, then it must be defined as a builtin
|
known to Shorewall, then it must be defined as a builtin
|
||||||
action in <ulink
|
action in <ulink
|
||||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The following rules are equivalent:</para>
|
<para>The following rules are equivalent:</para>
|
||||||
@ -423,7 +423,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
|||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>
|
||||||
then the third rule above can be specified as follows:</para>
|
then the third rule above can be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>MARK(2):P eth0 - ; -p tcp</programlisting>
|
<programlisting>MARK(2):P eth0 - ; -p tcp</programlisting>
|
||||||
@ -780,7 +780,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>interface</replaceable> is the
|
<para>where <replaceable>interface</replaceable> is the
|
||||||
logical name of an interface defined in <ulink
|
logical name of an interface defined in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
Matches packets entering the firewall from the named
|
Matches packets entering the firewall from the named
|
||||||
interface. May not be used in CLASSIFY rules or in rules using
|
interface. May not be used in CLASSIFY rules or in rules using
|
||||||
the :T chain qualifier.</para>
|
the :T chain qualifier.</para>
|
||||||
@ -807,7 +807,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<para>Matches traffic whose source IP address matches one of
|
<para>Matches traffic whose source IP address matches one of
|
||||||
the listed addresses and that does not match an address listed
|
the listed addresses and that does not match an address listed
|
||||||
in the <replaceable>exclusion</replaceable> (see <ulink
|
in the <replaceable>exclusion</replaceable> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">This form will not match traffic
|
<para><emphasis role="bold">This form will not match traffic
|
||||||
that originates on the firewall itself unless either
|
that originates on the firewall itself unless either
|
||||||
@ -903,11 +903,11 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>interface</replaceable> is the
|
<para>where <replaceable>interface</replaceable> is the
|
||||||
logical name of an interface defined in <ulink
|
logical name of an interface defined in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
Matches packets leaving the firewall through the named
|
Matches packets leaving the firewall through the named
|
||||||
interface. May not be used in the PREROUTING chain (:P in the
|
interface. May not be used in the PREROUTING chain (:P in the
|
||||||
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
|
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
|
||||||
in <ulink url="shorewall6.conf">shorewall6.conf</ulink>
|
in <ulink url="/manpages6/shorewall6.conf">shorewall6.conf</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -932,7 +932,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<para>Matches traffic whose destination IP address matches one
|
<para>Matches traffic whose destination IP address matches one
|
||||||
of the listed addresses and that does not match an address
|
of the listed addresses and that does not match an address
|
||||||
listed in the <replaceable>exclusion</replaceable> (see <ulink
|
listed in the <replaceable>exclusion</replaceable> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -944,7 +944,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
when both the outgoing interface and destination IP address
|
when both the outgoing interface and destination IP address
|
||||||
match. May not be used in the PREROUTING chain (:P in the mark
|
match. May not be used in the PREROUTING chain (:P in the mark
|
||||||
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
|
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
|
||||||
<ulink url="shorewall6.conf">shorewall6.conf</ulink>
|
<ulink url="/manpages6/shorewall6.conf">shorewall6.conf</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -959,7 +959,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<replaceable>exclusion</replaceable>. May not be used in the
|
<replaceable>exclusion</replaceable>. May not be used in the
|
||||||
PREROUTING chain (:P in the mark column or no chain qualifier
|
PREROUTING chain (:P in the mark column or no chain qualifier
|
||||||
and MARK_IN_FORWARD_CHAIN=No in <ulink
|
and MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
url="shorewall6.conf">shorewall6.conf</ulink> (5)).</para>
|
url="/manpages6/shorewall6.conf">shorewall6.conf</ulink> (5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1027,7 +1027,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>See <ulink
|
<para>See <ulink
|
||||||
url="shorewall-rules.html">shorewall6-rules(5)</ulink> for
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||||
|
|||||||
@ -67,7 +67,7 @@
|
|||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
|
|
||||||
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
|
<para>Where <ulink url="MultiISP.html#Shared">more that one
|
||||||
internet provider share a single interface</ulink>, the provider is
|
internet provider share a single interface</ulink>, the provider is
|
||||||
specified by including the provider name or number in
|
specified by including the provider name or number in
|
||||||
parentheses:</para>
|
parentheses:</para>
|
||||||
|
|||||||
@ -67,7 +67,7 @@
|
|||||||
<para>Interfaces that have the <emphasis
|
<para>Interfaces that have the <emphasis
|
||||||
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
||||||
<ulink
|
<ulink
|
||||||
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5),
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
|
||||||
Shorewall will automatically add the EXTERNAL address to this
|
Shorewall will automatically add the EXTERNAL address to this
|
||||||
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
|
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
|
||||||
name with ":" and a <emphasis>digit</emphasis> to indicate that you
|
name with ":" and a <emphasis>digit</emphasis> to indicate that you
|
||||||
@ -78,12 +78,12 @@
|
|||||||
</emphasis></para>
|
</emphasis></para>
|
||||||
|
|
||||||
<para>Each interface must match an entry in <ulink
|
<para>Each interface must match an entry in <ulink
|
||||||
url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
Shorewall allows loose matches to wildcard entries in <ulink
|
Shorewall allows loose matches to wildcard entries in <ulink
|
||||||
url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
For example, <filename class="devicefile">ppp0</filename> in this
|
For example, <filename class="devicefile">ppp0</filename> in this
|
||||||
file will match a <ulink
|
file will match a <ulink
|
||||||
url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
|
|
||||||
|
|||||||
@ -156,7 +156,7 @@
|
|||||||
policy-action list can be prefixed with a plus sign ("+") indicating
|
policy-action list can be prefixed with a plus sign ("+") indicating
|
||||||
that the listed actions are in addition to those listed in the
|
that the listed actions are in addition to those listed in the
|
||||||
related _DEFAULT setting in <ulink
|
related _DEFAULT setting in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Possible policies are:</para>
|
<para>Possible policies are:</para>
|
||||||
|
|
||||||
@ -192,7 +192,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.1.1 and requires that the
|
<para>Added in Shorewall 5.1.1 and requires that the
|
||||||
DYNAMIC_BLACKLIST setting in <ulink
|
DYNAMIC_BLACKLIST setting in <ulink
|
||||||
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
|
||||||
specifies ipset-based dynamic blacklisting. The SOURCE IP
|
specifies ipset-based dynamic blacklisting. The SOURCE IP
|
||||||
address is added to the blacklist ipset and the connection
|
address is added to the blacklist ipset and the connection
|
||||||
request is ignored.</para>
|
request is ignored.</para>
|
||||||
|
|||||||
@ -487,7 +487,7 @@
|
|||||||
the<replaceable>
|
the<replaceable>
|
||||||
ip6tables-</replaceable><replaceable>target</replaceable> as a
|
ip6tables-</replaceable><replaceable>target</replaceable> as a
|
||||||
builtin action in <ulink
|
builtin action in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>If you specify REJECT as the
|
<para>If you specify REJECT as the
|
||||||
@ -642,7 +642,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -829,7 +829,7 @@
|
|||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
<emphasis>action</emphasis> declared in <ulink
|
<emphasis>action</emphasis> declared in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
||||||
/usr/share/shorewall/actions.std then:</para>
|
/usr/share/shorewall/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -884,7 +884,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a zone defined in <ulink
|
<para>The name of a zone defined in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). When
|
||||||
only the zone name is specified, the packet source may be any
|
only the zone name is specified, the packet source may be any
|
||||||
host in that zone.</para>
|
host in that zone.</para>
|
||||||
|
|
||||||
@ -951,9 +951,9 @@
|
|||||||
<replaceable>interface</replaceable> must be the name of an
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
interface associated with the named
|
interface associated with the named
|
||||||
<replaceable>zone</replaceable> in either <ulink
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
|
url="/manpages6/shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
|
||||||
packets from hosts in the <replaceable>zone</replaceable> that
|
packets from hosts in the <replaceable>zone</replaceable> that
|
||||||
arrive through the named interface will match the rule.</para>
|
arrive through the named interface will match the rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -971,7 +971,7 @@
|
|||||||
follow the standard convention and be enclosed in square
|
follow the standard convention and be enclosed in square
|
||||||
brackets (e.g., [2001:470:b:227::0]/64). A network address
|
brackets (e.g., [2001:470:b:227::0]/64). A network address
|
||||||
may be followed by exclusion (see <ulink
|
may be followed by exclusion (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1009,7 +1009,7 @@
|
|||||||
be specified by an ampersand ('&') followed by the
|
be specified by an ampersand ('&') followed by the
|
||||||
logical name of the interface as found in the INTERFACE
|
logical name of the interface as found in the INTERFACE
|
||||||
column of <ulink
|
column of <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
@ -1031,7 +1031,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This form matches if the host IP address does not match
|
<para>This form matches if the host IP address does not match
|
||||||
any of the entries in the exclusion (see <ulink
|
any of the entries in the exclusion (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1139,7 +1139,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a zone defined in <ulink
|
<para>The name of a zone defined in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). When
|
||||||
only the zone name is specified, the packet destination may be
|
only the zone name is specified, the packet destination may be
|
||||||
any host in that zone.</para>
|
any host in that zone.</para>
|
||||||
|
|
||||||
@ -1206,9 +1206,9 @@
|
|||||||
<replaceable>interface</replaceable> must be the name of an
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
interface associated with the named
|
interface associated with the named
|
||||||
<replaceable>zone</replaceable> in either <ulink
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall.hosts.html">shorewall6-hosts</ulink>(5). Only
|
url="/manpages6/shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
|
||||||
packets to hosts in the <replaceable>zone</replaceable> that
|
packets to hosts in the <replaceable>zone</replaceable> that
|
||||||
are sent through the named interface will match the
|
are sent through the named interface will match the
|
||||||
rule.</para>
|
rule.</para>
|
||||||
@ -1225,7 +1225,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>A host or network IP address. A network address may
|
<para>A host or network IP address. A network address may
|
||||||
be followed by exclusion (see <ulink
|
be followed by exclusion (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1257,7 +1257,7 @@
|
|||||||
be specified by an ampersand ('&') followed by the
|
be specified by an ampersand ('&') followed by the
|
||||||
logical name of the interface as found in the INTERFACE
|
logical name of the interface as found in the INTERFACE
|
||||||
column of <ulink
|
column of <ulink
|
||||||
url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
@ -1280,7 +1280,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This form matches if the host IP address does not match
|
<para>This form matches if the host IP address does not match
|
||||||
any of the entries in the exclusion (see <ulink
|
any of the entries in the exclusion (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@ -223,7 +223,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>See <ulink
|
<para>See <ulink
|
||||||
url="shorewall-rules.html">shorewall6-rules(5)</ulink> for
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||||
|
|||||||
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
<para>This file is used to define dynamic NAT (Masquerading) and to define
|
<para>This file is used to define dynamic NAT (Masquerading) and to define
|
||||||
Source NAT (SNAT). While still supported, its use is deprecated in favor
|
Source NAT (SNAT). While still supported, its use is deprecated in favor
|
||||||
of <ulink url="shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
|
of <ulink url="/manpages6/shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
|
||||||
introduced in Shorewall 5.0.14.</para>
|
introduced in Shorewall 5.0.14.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
@ -84,7 +84,7 @@
|
|||||||
<para>If you specify an address here, matching packets will
|
<para>If you specify an address here, matching packets will
|
||||||
have their source address set to that address. If
|
have their source address set to that address. If
|
||||||
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
|
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then
|
||||||
Shorewall will automatically add this address to the INTERFACE
|
Shorewall will automatically add this address to the INTERFACE
|
||||||
named in the first column.</para>
|
named in the first column.</para>
|
||||||
|
|
||||||
@ -149,7 +149,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>action</replaceable> is an action
|
<para>where <replaceable>action</replaceable> is an action
|
||||||
declared in <ulink
|
declared in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions(5)</ulink>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>
|
||||||
with the <option>nat</option> option. See <ulink
|
with the <option>nat</option> option. See <ulink
|
||||||
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
|
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
|
||||||
further information.</para>
|
further information.</para>
|
||||||
@ -200,7 +200,7 @@
|
|||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
|
|
||||||
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
|
<para>Where <ulink url="MultiISP.html#Shared">more that one
|
||||||
internet provider share a single interface</ulink>, the provider is
|
internet provider share a single interface</ulink>, the provider is
|
||||||
specified by including the provider name or number in
|
specified by including the provider name or number in
|
||||||
parentheses:</para>
|
parentheses:</para>
|
||||||
@ -235,7 +235,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If you wish to restrict this entry to a particular protocol
|
<para>If you wish to restrict this entry to a particular protocol
|
||||||
then enter the protocol name (from protocols(5)) or number here. See
|
then enter the protocol name (from protocols(5)) or number here. See
|
||||||
<ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink> for
|
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||||
|
|||||||
@ -89,11 +89,11 @@
|
|||||||
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
||||||
may be used if your kernel and ip6tables have the <firstterm>Basic
|
may be used if your kernel and ip6tables have the <firstterm>Basic
|
||||||
Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
|
Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
|
||||||
ipset name may optionally be followed by a number or a comma
|
ipset name may optionally be followed by a number or a comma
|
||||||
separated list of src and/or dst enclosed in square brackets
|
separated list of src and/or dst enclosed in square brackets
|
||||||
([...]). See <ulink
|
([...]). See <ulink
|
||||||
url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
|
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -108,11 +108,11 @@
|
|||||||
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
|
||||||
may be used if your kernel and ip6tables have the <firstterm>Basic
|
may be used if your kernel and ip6tables have the <firstterm>Basic
|
||||||
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
|
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
|
||||||
ipset name may optionally be followed by a number or a comma
|
ipset name may optionally be followed by a number or a comma
|
||||||
separated list of src and/or dst enclosed in square brackets
|
separated list of src and/or dst enclosed in square brackets
|
||||||
([...]). See <ulink
|
([...]). See <ulink
|
||||||
url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
|
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
|
||||||
details.</para>
|
details.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|||||||
@ -47,14 +47,14 @@
|
|||||||
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
|
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
|
||||||
as zone names. The maximum length of a zone name is determined by
|
as zone names. The maximum length of a zone name is determined by
|
||||||
the setting of the LOGFORMAT option in <ulink
|
the setting of the LOGFORMAT option in <ulink
|
||||||
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). With
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With
|
||||||
the default LOGFORMAT, zone names can be at most 5 characters
|
the default LOGFORMAT, zone names can be at most 5 characters
|
||||||
long.</para>
|
long.</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
||||||
explained in <ulink
|
explained in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
|
||||||
default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
|
default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
|
||||||
the first %s is replaced by the chain name and the second is
|
the first %s is replaced by the chain name and the second is
|
||||||
replaced by the disposition.</para>
|
replaced by the disposition.</para>
|
||||||
|
|||||||
@ -243,9 +243,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The value of this variable affects Shorewall's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
The behavior differs depending on whether <ulink
|
The behavior differs depending on whether <ulink
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
url="/manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||||
is used:</para>
|
is used:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
@ -404,7 +404,7 @@
|
|||||||
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
|
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
|
||||||
determines whether the <option>balance</option> provider option (see
|
determines whether the <option>balance</option> provider option (see
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
|
||||||
the default. When BALANCE_PROVIDERS=Yes, then the
|
the default. When BALANCE_PROVIDERS=Yes, then the
|
||||||
<option>balance</option> option is assumed unless the
|
<option>balance</option> option is assumed unless the
|
||||||
<option>fallback</option>, <option>loose</option>,
|
<option>fallback</option>, <option>loose</option>,
|
||||||
@ -421,7 +421,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall-4.6.0. When set to <emphasis
|
<para>Added in Shorewall-4.6.0. When set to <emphasis
|
||||||
role="bold">Yes</emphasis>, causes entries in <ulink
|
role="bold">Yes</emphasis>, causes entries in <ulink
|
||||||
url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink> to
|
url="/manpages6/shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink> to
|
||||||
generate a basic filter rather than a u32 filter. This setting
|
generate a basic filter rather than a u32 filter. This setting
|
||||||
requires the <firstterm>Basic Ematch</firstterm> capability in your
|
requires the <firstterm>Basic Ematch</firstterm> capability in your
|
||||||
kernel and iptables.</para>
|
kernel and iptables.</para>
|
||||||
@ -950,8 +950,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||||
specified, the specifications on the right are interpreted as if
|
specified, the specifications on the right are interpreted as if
|
||||||
INLINE had been specified in the ACTION column. This also applies to
|
INLINE had been specified in the ACTION column. This also applies to
|
||||||
<ulink url="shorewall-masq.html">shorewall6-masq(5)</ulink> and
|
<ulink url="/manpages6/shorewall6-masq.html">shorewall6-masq(5)</ulink> and
|
||||||
<ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
|
<ulink url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
|
||||||
which also support INLINE. If not specified or if specified as the
|
which also support INLINE. If not specified or if specified as the
|
||||||
empty value, the value 'No' is assumed for backward
|
empty value, the value 'No' is assumed for backward
|
||||||
compatibility.</para>
|
compatibility.</para>
|
||||||
@ -1194,7 +1194,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
sample configurations use this as the default log level and changing
|
sample configurations use this as the default log level and changing
|
||||||
it will change all packet logging done by the configuration. In any
|
it will change all packet logging done by the configuration. In any
|
||||||
configuration file (except <ulink
|
configuration file (except <ulink
|
||||||
url="shorewall6-params.html">shorewall6-params(5)</ulink>),
|
url="/manpages6/shorewall6-params.html">shorewall6-params(5)</ulink>),
|
||||||
$LOG_LEVEL will expand to this value.</para>
|
$LOG_LEVEL will expand to this value.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1316,7 +1316,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
<note>
|
<note>
|
||||||
<para>The setting of LOGFORMAT has an effect of the permitted
|
<para>The setting of LOGFORMAT has an effect of the permitted
|
||||||
length of zone names. See <ulink
|
length of zone names. See <ulink
|
||||||
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
@ -1679,10 +1679,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Optimization category 1 - Traditionally, Shorewall has
|
<para>Optimization category 1 - Traditionally, Shorewall has
|
||||||
created rules for <ulink
|
created rules for the complete matrix of
|
||||||
url="/ScalabilityAndPerformance.html">the complete matrix of
|
|
||||||
host groups defined by the zones, interfaces and hosts
|
host groups defined by the zones, interfaces and hosts
|
||||||
files</ulink>. Any traffic that didn't correspond to an element
|
files. Any traffic that didn't correspond to an element
|
||||||
of that matrix was rejected in one of the built-in chains. When
|
of that matrix was rejected in one of the built-in chains. When
|
||||||
the matrix is sparse, this results in lots of largely useless
|
the matrix is sparse, this results in lots of largely useless
|
||||||
rules.</para>
|
rules.</para>
|
||||||
@ -2104,7 +2103,7 @@ INLINE - - - ;; -j REJECT
|
|||||||
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
||||||
at least one optional interface must be up in order for the firewall
|
at least one optional interface must be up in order for the firewall
|
||||||
to be in the started state. Intended to be used with the <ulink
|
to be in the started state. Intended to be used with the <ulink
|
||||||
url="/manpages/shorewall-init.html">Shorewall Init
|
url="/shorewall-init.html">Shorewall Init
|
||||||
Package</ulink>.</para>
|
Package</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -2381,9 +2380,9 @@ INLINE - - - ;; -j REJECT
|
|||||||
|
|
||||||
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
|
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
|
||||||
simple traffic shaping using <ulink
|
simple traffic shaping using <ulink
|
||||||
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
|
url="/manpages6/shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5)
|
||||||
and <ulink
|
and <ulink
|
||||||
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
|
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5) is
|
||||||
enabled.</para>
|
enabled.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared
|
<para>Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared
|
||||||
@ -2598,7 +2597,7 @@ INLINE - - - ;; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets are sent through the main routing table by a rule
|
<para>Packets are sent through the main routing table by a rule
|
||||||
with priority 999. In <ulink
|
with priority 999. In <ulink
|
||||||
url="/manpages6/shorewall6-routing_rules.html">shorewall6-routing_rules</ulink>(5),
|
url="/manpages6/shorewall6-rtrules.html">shorewall6-routing_rules</ulink>(5),
|
||||||
the range 1-998 may be used for inserting rules that bypass the
|
the range 1-998 may be used for inserting rules that bypass the
|
||||||
main table.</para>
|
main table.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user