Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1663 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-04 16:47:43 +00:00
parent 757b144de2
commit 8434b752f7
11 changed files with 527 additions and 295 deletions

View File

@ -2027,6 +2027,28 @@ ACCEPT fw net tcp www</programlisting>
<emphasis role="bold">THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
CONFIGURATION.</emphasis></para>
<para>Normally MASQUERADE/SNAT rules are evaluated after one-to-one
NAT rules defined in the <link
linkend="NAT"><filename>/etc/shorewall/nat</filename></link> file.
Beginning with Shorewall 2.1.1, if you preceed the interface name
with a plus sign ("+") then the rule will be evaluated before
one-to-one NAT.</para>
<para>Examples:</para>
<programlisting>+eth0
+eth1:192.0.2.32/27</programlisting>
<para>Also new in the Shorewall 2.1 series, the effect of
ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
interface name by ":" but no digit. </para>
<para>Examples:</para>
<programlisting>eth0:
eth1::192.0.2.32/27
+eth3</programlisting>
</listitem>
</varlistentry>
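Review bot: typo in the new paragraph on evaluation order: "if you preceed the interface name" should be "precede". The examples `eth0:` and `eth1::192.0.2.32/27` are consistent with the syntax described, but the second one deserves a sentence saying that the empty field between the two colons is the omitted digit and `192.0.2.32/27` is the destination (compare `+eth1:192.0.2.32/27` in the first example block); otherwise a reader is likely to take the double colon for a mistake.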
@ -2382,6 +2404,14 @@ eth0 eth1 206.124.146.176</programlisting>
the ipconfig utility. <emphasis role="bold">THAT IS THE ONLY THING
THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN
YOUR SHOREWALL CONFIGURATION.</emphasis></para>
<para>Beginning with Shorewall 2.1.1, the effect of
ADD_IP_ALIASES=Yes can be negated for an entry by following the
interface name by ":" but no digit. </para>
<para>Example:</para>
<programlisting>eth0:</programlisting>
</listitem>
</varlistentry>
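Review bot: the unchanged context line directly above the new paragraph says the alias can be seen with "the ipconfig utility"; on Linux the tool is ifconfig, so this looks like a pre-existing typo that should be fixed while this entry is being edited. The new `eth0:` example is otherwise consistent with the matching masq entry added earlier in this commit.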
@ -3627,6 +3657,16 @@ eth1 -</programlisting>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.19</revnumber>
<date>2004-09012</date>
<authorinitials>TE</authorinitials>
<revremark>Changes for Shorewall 2.1.</revremark>
</revision>
<revision>
<revnumber>1.18</revnumber>
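Review bot: the date in the new revision entry is malformed: `<date>2004-09012</date>` has an extra digit. It should presumably be `2004-09-12`, which is also the pubdate other files in this commit are given.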

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-06-25</pubdate>
<pubdate>2004-09-12</pubdate>
<copyright>
<year>2001</year>
@ -35,7 +35,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -45,11 +46,13 @@
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
@ -60,9 +63,9 @@
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
print a copy of the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
for the configuration that most closely matches your own.</para>
</important>
<para>To install Shorewall using the RPM:</para>
@ -71,14 +74,15 @@
<listitem>
<para>Install the RPM</para>
<programlisting><command>rpm -ivh &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -ivh &lt;shorewall rpm&gt;</command></programlisting>
<note>
<para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm.</para>
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to
rpm.</para>
<programlisting><filename><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></filename></programlisting>
<programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting>
</note>
<note>
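Review bot: the `--nodeps` listing in the SuSE note still nests `<command>` inside `<filename>` (`<programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting>`). Since the line is being rewritten for the entity change anyway, drop the `<filename>` element so the markup matches the other rpm listings in this section, which use `<programlisting><command>` only.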
@ -89,9 +93,10 @@
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
<para>This may be worked around by using the --nodeps option of rpm.</para>
<para>This may be worked around by using the --nodeps option of
rpm.</para>
<programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
</listitem>
@ -110,6 +115,14 @@
</warning>
</listitem>
<listitem>
<para>Enable startup by removing
<filename>/etc/shorewall/startup_disabled</filename> (If you are
running Shorewall 2.1.3 or later, edit
/<filename>etc/shorewall/shorewall.conf</filename> and set
STARTUP_ENABLED to Yes).</para>
</listitem>
<listitem>
<para>Start the firewall by typing</para>
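Review bot: in the new "Enable startup" item the leading slash is outside the filename element: `/<filename>etc/shorewall/shorewall.conf</filename>` should be `<filename>/etc/shorewall/shorewall.conf</filename>`. The tarball section later in this commit spells the same step out as a three-way list (2.1.3 or later, .deb on 2.1.2 or earlier, everyone else); using the same list here would keep the RPM and tarball procedures in step.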
@ -123,9 +136,9 @@
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
print a copy of the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
for the configuration that most closely matches your own.</para>
</important>
<para>To install Shorewall using the tarball and install script:</para>
@ -141,18 +154,19 @@
</listitem>
<listitem>
<para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
you need Shorewall 2.0.2 RC1 or later. If you are installing a
Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
the install.sh file and change the lines</para>
<para>If you are running <ulink
url="http://www.slackware.com">Slackware</ulink>, you need Shorewall
2.0.2 RC1 or later. If you are installing a Shorewall version earlier
than 2.0.3 Beta 1 then you must also edit the install.sh file and
change the lines</para>
<programlisting>DEST=&#34;/etc/init.d&#34;
INIT=&#34;shorewall&#34;</programlisting>
<programlisting>DEST="/etc/init.d"
INIT="shorewall"</programlisting>
<para>to</para>
<programlisting>DEST=&#34;/etc/rc.d&#34;
INIT=&#34;rc.firewall&#34;</programlisting>
<programlisting>DEST="/etc/rc.d"
INIT="rc.firewall"</programlisting>
</listitem>
<listitem>
@ -172,9 +186,26 @@ INIT=&#34;rc.firewall&#34;</programlisting>
</listitem>
<listitem>
<para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
(Debian users will edit <filename>/etc/default/shorewall</filename>
and set startup=1).</para>
<para>Enable Startup:</para>
<itemizedlist>
<listitem>
<para>Users running Shorewall 2.1.3 or later, edit
<filename>/etc/shorewall/shorewall.conf</filename> and set
STARTUP_ENABLED=Yes.</para>
</listitem>
<listitem>
<para>Users running Shorewall 2.1.2 or earlier and using the .deb
should edit <filename>/etc/default/shorewall</filename> and set
startup=1.</para>
</listitem>
<listitem>
<para>All other users, remove the file
<filename>/etc/shorewall/startup_disabled</filename></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
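Review bot: the items under "Enable Startup:" are not parallel. The first reads "Users running Shorewall 2.1.3 or later, edit ..." while the second uses "should edit" and the third "remove the file"; suggest "Users running Shorewall 2.1.3 or later should edit ..." and "All other users should remove the file ..." so all three read the same way.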
@ -186,7 +217,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
<listitem>
<para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
url="starting_and_stopping_shorewall.htm">these
instructions</ulink>.</para>
</listitem>
</orderedlist>
</section>
@ -196,15 +228,16 @@ INIT=&#34;rc.firewall&#34;</programlisting>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
print a copy of the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
for the configuration that most closely matches your own.</para>
</important>
<para>To install my version of Shorewall on a fresh Bering disk, simply
replace the <quote>shorwall.lrp</quote> file on the image with the file
that you downloaded. See the <ulink url="two-interface.htm">two-interface
QuickStart Guide</ulink> for information about further steps required.</para>
QuickStart Guide</ulink> for information about further steps
required.</para>
</section>
<section id="Upgrade_RPM">
@ -224,22 +257,23 @@ INIT=&#34;rc.firewall&#34;</programlisting>
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
upgrade issues</ulink> for details.</para>
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
<listitem>
<para>Upgrade the RPM</para>
<programlisting><command>rpm -Uvh &#60;shorewall rpm file&#62;</command></programlisting>
<programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt;</command></programlisting>
<note>
<para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm.</para>
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to
rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
<note>
@ -250,15 +284,17 @@ INIT=&#34;rc.firewall&#34;</programlisting>
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
<para>This may be worked around by using the --nodeps option of rpm.</para>
<para>This may be worked around by using the --nodeps option of
rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
</listitem>
<listitem>
<para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as necessary.</para>
configuration and the new Shorewall version and correct as
necessary.</para>
<programlisting><command>shorewall check</command></programlisting>
</listitem>
@ -288,8 +324,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
upgrade issues</ulink> for details.</para>
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
@ -305,18 +341,19 @@ INIT=&#34;rc.firewall&#34;</programlisting>
</listitem>
<listitem>
<para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
you should use Shorewall 2.0.2 RC1 or later. If you are installing a
Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
the install.sh file and change the lines</para>
<para>If you are running <ulink
url="http://www.slackware.com">Slackware</ulink>, you should use
Shorewall 2.0.2 RC1 or later. If you are installing a Shorewall
version earlier than 2.0.3 Beta 1 then you must also edit the
install.sh file and change the lines</para>
<programlisting>DEST=&#34;/etc/init.d&#34;
INIT=&#34;shorewall&#34;</programlisting>
<programlisting>DEST="/etc/init.d"
INIT="shorewall"</programlisting>
<para>to</para>
<programlisting>DEST=&#34;/etc/rc.d&#34;
INIT=&#34;rc.firewall&#34;</programlisting>
<programlisting>DEST="/etc/rc.d"
INIT="rc.firewall"</programlisting>
</listitem>
<listitem>
@ -332,7 +369,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
<listitem>
<para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as necessary.</para>
configuration and the new Shorewall version and correct as
necessary.</para>
<programlisting><command>shorewall check</command></programlisting>
</listitem>
@ -346,7 +384,8 @@ INIT=&#34;rc.firewall&#34;</programlisting>
<listitem>
<para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
url="starting_and_stopping_shorewall.htm">these
instructions</ulink>.</para>
</listitem>
</orderedlist>
</section>
@ -375,6 +414,7 @@ INIT=&#34;rc.firewall&#34;</programlisting>
<section>
<title>Uninstall/Fallback</title>
<para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
<para>See <quote><ulink url="fallback.htm">Fallback and
Uninstall</ulink></quote>.</para>
</section>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-03-25</pubdate>
<pubdate>2004-09-17</pubdate>
<copyright>
<year>2003</year>
@ -31,28 +31,33 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Creating a New Action</title>
<para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
Beginning with Shorewall version 1.4.9, users may use sequences of these
elementary operations to define more complex actions.</para>
<para>Prior to Shorewall version 1.4.9, rules in
<filename>/etc/shorewall/rules</filename> were limited to those defined by
Netfilter (ACCEPT, DROP, REJECT, etc.). Beginning with Shorewall version
1.4.9, users may use sequences of these elementary operations to define
more complex actions.</para>
<para>To define a new action:</para>
<orderedlist>
<listitem>
<para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
that names your new action. Action names must be valid shell variable
names as well as valid Netfilter chain names. It is recommended that
the name you select for a new action begins with with a capital
letter; that way, the name won&#39;t conflict with a Shorewall-defined
chain name.</para>
<para>Add a line to
<filename><filename>/etc/shorewall/actions</filename></filename> that
names your new action. Action names must be valid shell variable names
((must begin with a letter and be composed of letters, digits and
underscore characters) as well as valid Netfilter chain names. If you
intend to log from the action, the name must have a maximum of 11
characters. It is recommended that the name you select for a new
action begins with with a capital letter; that way, the name won't
conflict with a Shorewall-defined chain name.</para>
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
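Review bot: two typos in the rewritten naming paragraph: a doubled opening parenthesis in "shell variable names ((must begin with a letter", and the pre-existing "begins with with a capital letter" is carried over unchanged. The new 11-character limit for actions that log is a useful addition; the extension-script section added later in this commit shows that a logging invocation creates a differently named chain (`%acton1`), which is presumably where the limit comes from, so a clause linking the limit to that chain name would help readers see why a non-logging action is not restricted.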
@ -71,8 +76,9 @@
<listitem>
<para>Once you have defined your new action name (ActionName), then
copy /usr/share/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
(for example, if your new action name is <quote>Foo</quote> then copy
copy /usr/share/shorewall/action.template to
<filename>/etc/shorewall/action.ActionName</filename> (for example, if
your new action name is <quote>Foo</quote> then copy
<filename>/usr/share/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.Foo</filename>).</para>
</listitem>
@ -87,10 +93,11 @@
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
&#60;<emphasis>action</emphasis>&#62; where &#60;<emphasis>action</emphasis>&#62;
is a previously-defined action (that is, it must precede the action
being defined in this file in your <filename>/etc/shorewall/actions</filename>
file). These actions have the same meaning as they do in the
&lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These actions
have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a colon
@ -120,13 +127,14 @@
MAC addresses are not allowed.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to
256 IP addresses using the syntax &#60;<emphasis>first ip</emphasis>&#62;-&#60;<emphasis>last
ip</emphasis>&#62;.</para>
256 IP addresses using the syntax &lt;<emphasis>first
ip</emphasis>&gt;-&lt;<emphasis>last ip</emphasis>&gt;.</para>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>, <quote>udp</quote>,
<quote>icmp</quote>, a number, or <quote>all</quote>.</para>
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
<quote>udp</quote>, <quote>icmp</quote>, a number, or
<quote>all</quote>.</para>
</listitem>
<listitem>
@ -135,8 +143,8 @@
ranges; if the protocol is <quote>icmp</quote>, this column is
interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &#60;<emphasis>low port</emphasis>&#62;:&#60;<emphasis>high
port</emphasis>&#62;.</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTOCOL = all but must be entered if
any of the following ields are supplied. In that case, it is suggested
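Review bot: the unchanged context line "if any of the following ields are supplied" has a pre-existing typo ("fields"). It sits directly under the lines being reflowed, so it should be fixed in the same pass.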
@ -156,7 +164,8 @@
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each port.</para>
<para>Otherwise, a separate rule will be generated for each
port.</para>
</listitem>
<listitem>
@ -164,9 +173,8 @@
source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</para>
<para>If you don&#39;t want to restrict client ports but need to
specify an ADDRESS in the next column, then place &#34;-&#34; in this
column.</para>
<para>If you don't want to restrict client ports but need to specify
an ADDRESS in the next column, then place "-" in this column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
@ -182,18 +190,19 @@
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each port.</para>
<para>Otherwise, a separate rule will be generated for each
port.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &#60;<emphasis>rate</emphasis>&#62;/&#60;<emphasis>interval</emphasis>&#62;[:&#60;<emphasis>burst</emphasis>&#62;]</programlisting>where
&#60;<emphasis>rate</emphasis>&#62; is the number of connections per
&#60;<emphasis>interval</emphasis>&#62; (<quote>sec</quote> or
<quote>min</quote>) and &#60;<emphasis>burst</emphasis>&#62; is the
largest burst permitted. If no &#60;<emphasis>burst</emphasis>&#62; is
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
@ -207,30 +216,33 @@
any of the following:</para>
<simplelist>
<member>[!]&#60;<emphasis>user number</emphasis>&#62;[:]</member>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&#60;<emphasis>group number</emphasis>&#62;</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&#60;<emphasis>group name</emphasis>&#62;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user number</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user inumber</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
</simplelist>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash (&#34;-:).</para>
<para>Omitted column entries should be entered using a dash ("-:).</para>
<para>Example:</para>
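Review bot: two pre-existing errors are reflowed rather than fixed here. The `<member>` for user-number:group-name reads "user inumber" (should be "user number", matching the entries around it), and the dash example `("-:)` has a colon where the closing quote belongs (`("-")`).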
@ -244,13 +256,123 @@
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc fw tcp 22</programlisting>
<para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
log tag) on a rule that specified a user-defined (or Shorewall-defined)
action would log all traffic passed to the action. Beginning with
Shorewall 2.1.2, specifying a log level in a rule that specifies a user-
or Shorewall-defined action will cause each rule in the action to be
logged with the specified level (and tag).</para>
<para>The extent to which logging of action rules occur is goverend by the
following:</para>
<orderedlist>
<listitem>
<para>When you invoke an action and specify a log level, only those
rules in the action that have no log level will be changed to log at
the level specified at the action invocation.</para>
<para>Example:</para>
<para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug fw net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:info</programlisting>
</listitem>
<listitem>
<para>If you follow the log level with "!" then logging will be at
that level for all rules recursively invoked by the action.</para>
<para>Example:</para>
<para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug! fw net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:debug</programlisting>
</listitem>
</orderedlist>
<para>The change in Shorewall 2.1.2 has an effect on extension scripts
used with user-defined actions. If you define an action 'acton' and you
have an <filename>/etc/shorewall/acton</filename> script then when that
script is invoked, the following three variables will be set for use by
the script:</para>
<itemizedlist>
<listitem>
<para>$CHAIN = the name of the chain where your rules are to be
placed. When logging is used on an action invocation, Shorewall
creates a chain with a slightly different name from the action
itself.</para>
</listitem>
<listitem>
<para>$LEVEL = Log level. If empty, no logging was specified.</para>
</listitem>
<listitem>
<para>$TAG = Log Tag.</para>
</listitem>
</itemizedlist>
<para>Example:</para>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST
acton:info:test fw net</programlisting>
<para>Your /etc/shorewall/acton file will be run with:</para>
<itemizedlist>
<listitem>
<para>$CHAIN="%acton1"</para>
</listitem>
<listitem>
<para>$LEVEL="info"</para>
</listitem>
<listitem>
<para>$TAG="test"</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Standard Actions In Shorewall 2.0</title>
<para>Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
defined actions. These defined actions are listed in <filename>/usr/share/shorewall/actions.std</filename>.</para>
defined actions. These defined actions are listed in
<filename>/usr/share/shorewall/actions.std</filename>.</para>
<para>The <filename>/usr/share/shorewall/actions.std</filename> file
includes the common actions <quote>Drop</quote> for DROP policies and
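Review bot: typos in the new logging section: "goverend" should be "governed" and "logging of action rules occur" should be "occurs"; "Logging in the invoke 'foo' action" (used twice) should be "Logging in the invoked 'foo' action" or "when 'foo' is invoked". The two worked examples are clear, but the contrast would be sharper with one sentence after the second example saying that `bar:info` kept its own level in the first case because it already had one, while the trailing `!` in `foo:debug!` overrides it to `debug`. In the extension-script part, the `$CHAIN="%acton1"` example would benefit from an explicit warning that the script must add its rules to `$CHAIN` and not to a chain named after the action, since that is the reason the variable is provided.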
@ -268,27 +390,32 @@ AllowFTP loc fw</programlisting>
<para><filename>/usr/share/shorewall/actions.std</filename> is processed
before <filename>/etc/shorewall/actions</filename> and if you have any
actions defined with the same name as one in <filename>/usr/share/shorewall/actions.std</filename>,
your version in <filename class="directory">/etc/shorewall</filename> will
be the one used. So if you wish to modify a standard action, simply copy
the associated action file from <filename class="directory">/usr/share/shorewall
</filename>to <filename class="directory">/etc/shorewall and modify</filename>
it to suit your needs. The next <command>shorewall restart</command> will
cause your action to be installed in place of the standard one. In
particular, if you want to modify the common actions <quote>Drop</quote>
or <quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
<filename>Action.Reject</filename> to <filename class="directory">/etc/shorewall</filename>
and modify that copy as desired.</para>
actions defined with the same name as one in
<filename>/usr/share/shorewall/actions.std</filename>, your version in
<filename class="directory">/etc/shorewall</filename> will be the one
used. So if you wish to modify a standard action, simply copy the
associated action file from <filename
class="directory">/usr/share/shorewall </filename>to <filename
class="directory">/etc/shorewall and modify</filename> it to suit your
needs. The next <command>shorewall restart</command> will cause your
action to be installed in place of the standard one. In particular, if you
want to modify the common actions <quote>Drop</quote> or
<quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
<filename>Action.Reject</filename> to <filename
class="directory">/etc/shorewall</filename> and modify that copy as
desired.</para>
</section>
<section>
<title>Creating an Action using an Extension Script</title>
<para>There may be cases where you wish to create a chain with rules that
can&#39;t be constructed using the tools defined in the action.template.
In that case, you can use an extension script.<note><para>If you actually
need an action to drop broadcast packets, use the <command>dropBcast</command>
standard action rather than create one like this.</para></note></para>
can't be constructed using the tools defined in the action.template. In
that case, you can use an extension script.<note>
<para>If you actually need an action to drop broadcast packets, use
the <command>dropBcast</command> standard action rather than create
one like this.</para>
</note></para>
<example>
<title>An action to drop all broadcast packets</title>
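Review bot: the reflowed paragraph keeps two markup errors from the old text. `<filename class="directory">/etc/shorewall and modify</filename>` wraps prose inside the filename element and should close after `/etc/shorewall`, and `<filename class="directory">/usr/share/shorewall </filename>` has a trailing space inside the element. Also `<filename>Action.Reject</filename>` is capitalised unlike `action.Drop` beside it; given the `action.ActionName` convention stated earlier in this file, the file is `action.Reject`, and the capital letter will send readers looking for a file that does not exist on a case-sensitive filesystem.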

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-23</pubdate>
<pubdate>2004-10-04</pubdate>
<copyright>
<year>2004</year>
@ -433,6 +433,12 @@ loc eth1 detect</programlisting></para>
net br0:eth0
dmz br0:eth2</programlisting>
</listitem>
<listitem>
<para>The DMZ systems need a route to the 192.168.201.0/24 network via
192.0.2.176 to enable them to communicate with the local
network.</para>
</listitem>
</orderedlist>
</section>
@ -456,4 +462,4 @@ dmz br0:eth2</programlisting>
</listitem>
</itemizedlist>
</section>
</article>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-07</pubdate>
<pubdate>2004-10-02</pubdate>
<copyright>
<year>2001-2004</year>
@ -213,8 +213,7 @@ OMAK=&lt;ip address of tipper while we are at our second home&gt;
LOG=info
EXT_IF=eth1
INT_IF=eth0
DMZ_IF=eth2
</programlisting></para>
DMZ_IF=eth2</programlisting></para>
</blockquote>
</section>
@ -223,10 +222,10 @@ DMZ_IF=eth2
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
omak Omak Our Laptop at our second home
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
omak Omak Our Laptop at our second home
tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
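Review bot: moving the `omak` zone from the first entry to after `loc` changes zone precedence. In Shorewall the order of entries in /etc/shorewall/zones is the order in which a packet's address is matched against zones, so if the Omak laptop's address falls inside a network assigned to `loc` it will now be classified as `loc` rather than `omak`. Confirm this is intended; if it is, a comment in the listing saying why would help readers of this worked example.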
@ -242,7 +241,7 @@ tx Texas Peer Network in Dallas
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
loc $INT_IF 192.168.1.255 dhcp
dmz $DMZ_IF -
- texas -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
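Review bot: replacing `detect` with the literal broadcast `192.168.1.255` on the `loc $INT_IF` line means the entry now has to be kept in sync by hand if the internal subnet changes. If there is a reason `detect` no longer works for this interface, it is worth stating it in the surrounding prose, since this file is presented as a configuration to learn from.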
@ -351,9 +350,8 @@ all all REJECT $LOG
<blockquote>
<para>Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
with laptops.</para>
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
does our laptop (192.168.3.8) and visitors with laptops.</para>
<para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
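Review bot: the unchanged context line describing the masq entry reads `The leading plus sign ("+_")`; the underscore is a typo for `("+")`. In the rewritten sentence, "as does our laptop (192.168.3.8) and visitors with laptops" has a compound subject, so "as do our laptop (192.168.3.8) and visitors with laptops" is the correct agreement now that the SuSE system has been removed from the list.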
@ -861,4 +859,4 @@ default via 192.168.1.254 dev br0</programlisting>
</blockquote>
</section>
</section>
</article>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-14</pubdate>
<pubdate>2004-09-12</pubdate>
<copyright>
<year>2002-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -39,9 +40,9 @@
<para>Setting up Shorewall on a standalone Linux system is very easy if
you understand the basics and follow the documentation.</para>
<para>This guide doesn&#39;t attempt to acquaint you with all of the
features of Shorewall. It rather focuses on what is required to configure
Shorewall in one of its most common configurations:</para>
<para>This guide doesn't attempt to acquaint you with all of the features
of Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</para>
<itemizedlist>
<listitem>
@ -62,11 +63,11 @@
<title>Requirements</title>
<para>Shorewall requires that you have the iproute/iproute2 package
installed (on RedHat, the package is called <emphasis>iproute</emphasis>).
You can tell if this package is installed by the presence of an
<emphasis role="bold">ip</emphasis> program on your firewall system. As
root, you can use the <quote>which</quote> command to check for this
program:</para>
installed (on RedHat, the package is called
<emphasis>iproute</emphasis>). You can tell if this package is installed
by the presence of an <emphasis role="bold">ip</emphasis> program on
your firewall system. As root, you can use the <quote>which</quote>
command to check for this program:</para>
<programlisting>[root@gateway root]# <command>which ip</command>
/sbin/ip
@ -77,8 +78,8 @@
<title>Before you start</title>
<para>I recommend that you read through the guide first to familiarize
yourself with what&#39;s involved then go back through it again making
your configuration changes.</para>
yourself with what's involved then go back through it again making your
configuration changes.</para>
<caution>
<para>If you edit your configuration files on a Windows system, you
@ -92,8 +93,9 @@
<member><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</ulink></member>
<member><ulink url="http://www.megaloman.com/~hany/software/hd2u/">Linux
Version of dos2unix</ulink></member>
<member><ulink
url="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</ulink></member>
</simplelist>
</caution>
</section>
@ -102,7 +104,8 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
</section>
</section>
@ -112,10 +115,11 @@
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If you have an ADSL Modem and you use PPTP to communicate with a
server in that modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
recommended here</ulink> <emphasis role="underline">in addition to those
described in the steps below</emphasis>. ADSL with PPTP is most commonly
found in Europe, notably in Austria.</para>
server in that modem, you must make the <ulink
url="PPTP.htm#PPTP_ADSL">changes recommended here</ulink> <emphasis
role="underline">in addition to those described in the steps
below</emphasis>. ADSL with PPTP is most commonly found in Europe, notably
in Austria.</para>
</section>
<section>
@ -126,12 +130,13 @@
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you only need to deal with a few of these as described in this
guide. After you have <ulink url="Install.htm">installed Shorewall</ulink>,
<emphasis role="bold">download the <ulink
guide. After you have <ulink url="Install.htm">installed
Shorewall</ulink>, <emphasis role="bold">download the <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
files to /etc/shorewall (they will replace files with the same names that
were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>
were placed in /etc/shorewall during Shorewall
installation)</emphasis>.</para>
<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
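Review bot: the context line `sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the` carries a doubled "and and"; this paragraph is being reflowed in this hunk, so the fix belongs here.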
@ -139,11 +144,14 @@
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
@ -177,10 +185,12 @@
</tgroup>
</informaltable>
<para>Shorewall zones are defined in <ulink url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
<para>Shorewall zones are defined in <ulink
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis role="bold">fw</emphasis>.</para>
default, the firewall itself is known as <emphasis
role="bold">fw</emphasis>.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</para>
@ -188,7 +198,8 @@
<itemizedlist>
<listitem>
<para>You express your default policy for connections from one zone to
another zone in the <ulink url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
another zone in the <ulink
url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
file.</para>
</listitem>
@ -200,12 +211,13 @@
</itemizedlist>
<para>For each connection request entering the firewall, the request is
first checked against the <filename><filename>/etc/shorewall/rules</filename></filename>
file. If no rule in that file matches the connection request then the
first policy in <filename>/etc/shorewall/policy</filename> that matches
the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
first checked against the
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
rule in that file matches the connection request then the first policy in
<filename>/etc/shorewall/policy</filename> that matches the request is
applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon
action</ulink> defined for the policy in
<filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied.</para>
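Review bot: the new lines keep two typos and a markup slip: "comon action" should be "common action", the context line "peformed before the action is applied" should be "performed", and `<filename><filename>/etc/shorewall/rules</filename></filename>` nests two filename elements where one is enough.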
@ -221,7 +233,8 @@ all all REJECT info</programlisting>
<orderedlist>
<listitem>
<para>allow all connection requests from the firewall to the internet</para>
<para>allow all connection requests from the firewall to the
internet</para>
</listitem>
<listitem>
@ -244,15 +257,16 @@ all all REJECT info</programlisting>
<para>The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL <quote>Modem</quote>, the
<emphasis>External Interface</emphasis> will be the ethernet adapter (<emphasis
role="bold">eth0</emphasis>) that is connected to that <quote>Modem</quote>
<emphasis role="underline">unless</emphasis> you connect via
<emphasis>Point-to-Point Protocol over Ethernet</emphasis> (PPPoE) or
<emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP) in which
case the External Interface will be a <emphasis role="bold">ppp0</emphasis>.
If you connect via a regular modem, your External Interface will also be
<emphasis role="bold">ppp0</emphasis>. If you connect using ISDN, your
external interface will be <emphasis role="bold">ippp0</emphasis>.</para>
<emphasis>External Interface</emphasis> will be the ethernet adapter
(<emphasis role="bold">eth0</emphasis>) that is connected to that
<quote>Modem</quote> <emphasis role="underline">unless</emphasis> you
connect via <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
(PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP)
in which case the External Interface will be a <emphasis
role="bold">ppp0</emphasis>. If you connect via a regular modem, your
External Interface will also be <emphasis role="bold">ppp0</emphasis>. If
you connect using ISDN, your external interface will be <emphasis
role="bold">ippp0</emphasis>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -264,25 +278,28 @@ all all REJECT info</programlisting>
Some hints:</para>
<tip>
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
or <emphasis role="bold">ippp0</emphasis>, you can replace the
<quote>detect</quote> in the second column with <quote>-</quote>.</para>
<para>If your external interface is <emphasis
role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis>,
you can replace the <quote>detect</quote> in the second column with
<quote>-</quote>.</para>
</tip>
<tip>
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
or <emphasis role="bold">ippp0</emphasis> or if you have a static IP
address, you can remove <quote>dhcp</quote> from the option list.</para>
<para>If your external interface is <emphasis
role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis> or
if you have a static IP address, you can remove <quote>dhcp</quote> from
the option list.</para>
</tip>
<tip>
<para>If you specify <emphasis>norfc1918</emphasis> for your external
interface, you will want to check the <ulink url="errata.htm">Shorewall
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918
file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename>
to <filename>/etc/shorewall/rfc1918</filename> then <ulink
url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
file as I do</ulink>.</para>
Errata</ulink> periodically for updates to the
<filename>/usr/share/shorewall/rfc1918 file</filename>. Alternatively,
you can copy <filename>/usr/share/shorewall/rfc1918</filename> to
<filename>/etc/shorewall/rfc1918</filename> then <ulink
url="myfiles.htm#RFC1918">strip down your
<filename>/etc/shorewall/rfc1918</filename> file as I do</ulink>.</para>
</tip>
</section>
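Review bot: in the third tip the word "file" is inside the element, `<filename>/usr/share/shorewall/rfc1918 file</filename>`; move it outside so only the path is marked up, as is done two lines later with `<filename>/etc/shorewall/rfc1918</filename> file`.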
@ -296,12 +313,12 @@ all all REJECT info</programlisting>
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting>
<para>These addresses are sometimes referred to as <emphasis>non-routable</emphasis>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <emphasis>Network Address
Translation</emphasis> to rewrite packet headers when forwarding to/from
the internet.</para>
<para>These addresses are sometimes referred to as
<emphasis>non-routable</emphasis> because the Internet backbone routers
will not forward a packet whose destination address is reserved by RFC
1918. In some cases though, ISPs are assigning these addresses then using
<emphasis>Network Address Translation</emphasis> to rewrite packet headers
when forwarding to/from the internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -319,7 +336,8 @@ all all REJECT info</programlisting>
actions included in your version of Shorewall in the file
<filename>/usr/share/shorewall/actions.std</filename>.</para>
<para>Those actions that allow a connection begin with <quote>Allow</quote>.</para>
<para>Those actions that allow a connection begin with
<quote>Allow</quote>.</para>
<para>If you wish to enable connections from the internet to your firewall
and you find an appropriate <quote>Allow</quote> action in
@ -327,7 +345,7 @@ all all REJECT info</programlisting>
rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&#60;<emphasis>action</emphasis>&#62; net fw</programlisting>
&lt;<emphasis>action</emphasis>&gt; net fw</programlisting>
<example>
<title>You want to run a Web Server and a POP3 Server on your firewall
@ -341,10 +359,11 @@ AllowPOP3 net fw</programlisting>
<para>You may also choose to code your rules directly without using the
pre-defined actions. This will be necessary in the event that there is not
a pre-defined action that meets your requirements. In that case the
general format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
general format of a rule in <filename>/etc/shorewall/rules</filename>
is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw <emphasis>&#60;protocol&#62;</emphasis> <emphasis>&#60;port&#62;</emphasis></programlisting>
ACCEPT net fw <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example>
<title>You want to run a Web Server and a POP3 Server on your firewall
@ -355,12 +374,12 @@ ACCEPT net fw tcp 80
ACCEPT net fw tcp 110</programlisting></para>
</example>
<para>If you don&#39;t know what port and protocol a particular
application uses, see <ulink url="ports.htm">here</ulink>.</para>
<para>If you don't know what port and protocol a particular application
uses, see <ulink url="ports.htm">here</ulink>.</para>
<important>
<para>I don&#39;t recommend enabling telnet to/from the internet because
it uses clear text (even for login!). If you want shell access to your
<para>I don't recommend enabling telnet to/from the internet because it
uses clear text (even for login!). If you want shell access to your
firewall from the internet, use SSH:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
@ -380,34 +399,46 @@ AllowSSH net fw </programlisting>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won&#39;t try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable
Shorewall startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.</para>
with Shorewall version 1.3.9 startup is disabled so that your system won't
try to start Shorewall before configuration is complete. Once you have
completed configuration of your firewall, you can enable Shorewall startup
by removing the file
<filename>/etc/shorewall/startup_disabled</filename>.</para>
<important>
<para><emphasis role="bold">Users of the .deb package must edit
<filename>/etc/default/shorewall</filename> and set <quote>startup=1</quote>.</emphasis></para>
<filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</emphasis></para>
</important>
<para>The firewall is started using the <quote><command>shorewall start</command></quote>
command and stopped using <quote><command>shorewall stop</command></quote>.
When the firewall is stopped, routing is enabled on those hosts that have
an entry in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
<important>
<para><emphasis role="bold">If you are running Shorewall 2.1.3 or later,
you must enable startup by editing /etc/shorewall/shorewall.conf and
setting STARTUP_ENABLED=Yes.</emphasis></para>
</important>
<para>The firewall is started using the <quote><command>shorewall
start</command></quote> command and stopped using
<quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in
<filename><ulink
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use <quote><command>shorewall
clear</command></quote>.</para>
of Shorewall from your Netfilter configuration, use
<quote><command>shorewall clear</command></quote>.</para>
<warning>
<para>If you are connected to your firewall from the internet, do not
issue a <quote><command>shorewall stop</command></quote> command unless
you have added an entry for the IP address that you are connected from
to <ulink url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
Also, I don&#39;t recommend using <quote><command>shorewall restart</command></quote>;
it is better to create an <emphasis><ulink
url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis>
and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
to <ulink
url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an <emphasis><ulink
url="configuration_file_basics.htm#Configs">alternate
configuration</ulink></emphasis> and test it using the <ulink
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
try</command></quote> command</ulink>.</para>
</warning>
</section>
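Review bot: the new `<important>` telling 2.1.3+ users to set STARTUP_ENABLED=Yes sits directly after a paragraph that still says startup is enabled by removing /etc/shorewall/startup_disabled, with no indication of which versions each mechanism applies to. Qualify the preceding paragraph (for example, "prior to Shorewall 2.1.3") so a reader on 2.1.3 or later does not look for the startup_disabled file, and state whether the shorewall.conf setting replaces the file or is required in addition to it.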
@ -424,11 +455,57 @@ AllowSSH net fw </programlisting>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-16</date><authorinitials>TE</authorinitials><revremark>Move
/etc/shorewall/rfc1918 to /usr/share/shorewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Update
for Shorewall 2.0</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
Changes</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook Conversion</revremark></revision></revhistory></para>
<para><revhistory>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-16</date>
<authorinitials>TE</authorinitials>
<revremark>Move /etc/shorewall/rfc1918 to
/usr/share/shorewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-05</date>
<authorinitials>TE</authorinitials>
<revremark>Standards Changes</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-11-15</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
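Review bot: the revision history is reformatted but no new revision entry is added, even though this file's pubdate moves to 2004-09-12 and the STARTUP_ENABLED note is new content; add a revision (1.8) recording the 2.1.3 startup change, as the other documents' histories in this commit do for their Shorewall 2.1 updates.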

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-08-10</pubdate>
<pubdate>2004-09-12</pubdate>
<copyright>
<year>2004</year>
@ -176,7 +176,10 @@
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
Users of the .deb package must edit
<filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
<quote>startup=1</quote> while users who are running Shorewall
2.1.3 or later must edit
<filename>/etc/shorewall/shorewall.conf</filename> and set
STARTUP_ENABLED=Yes.</para>
</listitem>
<listitem>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-07</pubdate>
<pubdate>2004-09-21</pubdate>
<copyright>
<year>2001-2004</year>
@ -269,7 +269,8 @@
<section>
<title>Where to Send your Problem Report or to Ask for Help</title>
<para><emphasis role="bold">If you run the current development
<para><emphasis role="bold">If you run the current development release and
your question involves a feature that is only available in the development
release</emphasis> (see the <ulink url="ReleaseModel.html">Shorewall
Release Model page</ulink>) -- please post your question or problem to the
<ulink url="mailto:shorewall-devel@lists.shorewall.net">Shorewall
@ -303,72 +304,4 @@
url="http://lists.shorewall.net">http://lists.shorewall.net</ulink>
.</para>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.6</revnumber>
<date>2003-07-03</date>
<authorinitials>TE</authorinitials>
<revremark>New Release Model</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2003-05-16</date>
<authorinitials>TE</authorinitials>
<revremark>Add link to the troubleshooting section</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-03-15</date>
<authorinitials>TE</authorinitials>
<revremark>Remove Newbies Mailing List.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-02-19</date>
<authorinitials>TE</authorinitials>
<revremark>Admonish against including "iptables -L"
output.</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-01-01</date>
<authorinitials>TE</authorinitials>
<revremark>Removed .GIF and moved note about unsupported releases.
Move Revision History to this Appendix.</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-19</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected URL for Newbies List</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
</article>
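Review bot: this hunk deletes the whole Revision History appendix from the support document while the other documents in this commit keep and reformat theirs. If the histories are being retired, say so in the commit message and apply it consistently; otherwise keep the appendix and add an entry for the 2004-09-21 wording change made above.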

View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>Operating Shorewall</title>
<title></title>
<authorgroup>
<author>
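Review bot: `<title>Operating Shorewall</title>` is replaced by an empty `<title></title>`, which leaves the generated document without a title and looks accidental; restore the title text or, if a rename is intended, supply the new one here.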
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-06</pubdate>
<pubdate>2004-09-12</pubdate>
<copyright>
<year>2002-2004</year>
@ -931,6 +931,10 @@ ACCEPT net fw tcp 80 </programlisting><it
<para>Users of the <filename>.deb</filename> package must edit
<filename>/etc/default/shorewall</filename> and set
<varname>startup=1</varname>.</para>
</important><important>
<para>Users running Shorewall 2.1.3 or later should edit
<filename>/etc/shorewall/shorewall.conf</filename> and set
STARTUP_ENABLED=Yes.</para>
</important>The firewall is started using the <command>shorewall
start</command> command and stopped using <command>shorewall
stop</command>. When the firewall is stopped, routing is enabled on those
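Review bot: the new admonition says users running 2.1.3 or later "should edit" shorewall.conf, whereas the same instruction added to the other documents in this commit says "must edit"; since startup is disabled until STARTUP_ENABLED=Yes is set, use "must" here too. The two back-to-back `<important>` blocks (`</important><important>`) could also be merged into one, and STARTUP_ENABLED=Yes should get the same `<varname>` markup that startup=1 has just above it.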

View File

@ -859,6 +859,9 @@ ACCEPT loc fw tcp 80 #Allow Weblet to work</progra
<para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para>
</important><important>
<para>Users running Shorewall 2.1.3 or later must edit
/etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes.</para>
</important> The firewall is started using the <quote><command>shorewall
start</command></quote> command and stopped using
<quote><command>shorewall stop</command></quote>. When the firewall is
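Review bot: in the new admonition the path /etc/shorewall/shorewall.conf is plain text while the neighbouring `/etc/default/` and `shorewall` are wrapped in `<filename>`; mark it up the same way, and wrap STARTUP_ENABLED=Yes in `<varname>` to match `startup=1` two lines earlier. As in the sibling hunk, the adjacent `</important><important>` pair could be a single admonition.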