From 84cd88e93d665ae9926c155e86a3b0face415609 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 14 Jan 2007 22:34:51 +0000 Subject: [PATCH] Add links between online manpages git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5228 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages-lite/shorewall-lite.xml | 60 ++++++++------ manpages/shorewall-actions.xml | 5 +- manpages/shorewall-blacklist.xml | 12 +-- manpages/shorewall-hosts.xml | 60 ++++++++------ manpages/shorewall-interfaces.xml | 30 ++++--- manpages/shorewall-maclist.xml | 9 +- manpages/shorewall-masq.xml | 39 +++++---- manpages/shorewall-nat.xml | 15 ++-- manpages/shorewall-netmap.xml | 3 +- manpages/shorewall-params.xml | 4 +- manpages/shorewall-providers.xml | 11 ++- manpages/shorewall-route_rules.xml | 3 +- manpages/shorewall-routestopped.xml | 3 +- manpages/shorewall-rules.xml | 43 +++++----- manpages/shorewall-tcrules.xml | 34 ++++---- manpages/shorewall-tos.xml | 6 +- manpages/shorewall.conf.xml | 122 ++++++++++++++++------------ manpages/shorewall.xml | 54 ++++++------ 18 files changed, 302 insertions(+), 211 deletions(-) diff --git a/manpages-lite/shorewall-lite.xml b/manpages-lite/shorewall-lite.xml index f35896bf7..90f68cd57 100644 --- a/manpages-lite/shorewall-lite.xml +++ b/manpages-lite/shorewall-lite.xml @@ -298,9 +298,10 @@ the command produces. They consist of a sequence of the letters v and q. If the options are omitted, the amount of output is determined by the setting of - the VERBOSITY parameter in shorewall.conf(5). Each v adds one to the effective verbosity and each - q subtracts one from the effective + the VERBOSITY parameter in shorewall-lite.conf(5). Each + v adds one to the effective verbosity and + each q subtracts one from the effective VERBOSITY. 
@@ -318,8 +319,9 @@ with VPN's. The interface argument names an interface - defined in the shorewall-interfaces(5) file. A - host-list is comma-separated list whose + defined in the shorewall-interfaces(5) + file. A host-list is comma-separated list whose elements are: A host or network address @@ -359,8 +361,9 @@ role="bold">add command. The interface argument names an interface - defined in the shorewall-interfaces(5) file. A - host-list is comma-separated list whose + defined in the shorewall-interfaces(5) + file. A host-list is comma-separated list whose elements are: A host or network address @@ -400,7 +403,9 @@ Deletes /var/lib/shorewall-lite/filename and /var/lib/shorewall-lite/save. If no filename is given then the file specified by - RESTOREFILE in shorewall.conf(5) is assumed. + RESTOREFILE in shorewall-lite.conf(5) is + assumed. @@ -453,11 +458,12 @@ logwatch - Monitors the log file specified by theLOGFILE option in - shorewall.conf(5) and produces an audible alarm when new Shorewall - Lite messages are logged. The -m - option causes the MAC address of each packet source to be displayed - if that information is available. + Monitors the log file specified by theLOGFILE option in shorewall-lite.conf(5) and + produces an audible alarm when new Shorewall Lite messages are + logged. The -m option causes the + MAC address of each packet source to be displayed if that + information is available. @@ -499,8 +505,8 @@ a restore file in /var/lib/shorewall-lite created using shorewall-lite save; if no filename is given then Shorewall Lite will be - restored from the file specified by the RESTOREFILE option in - shorewall.conf(5). + restored from the file specified by the RESTOREFILE option in shorewall-lite.conf(5). 
@@ -514,8 +520,8 @@ shorewall-lite restore and shorewall-lite -f start commands. If filename is not given then the state is - saved in the file specified by the RESTOREFILE option in - shorewall.conf(5). + saved in the file specified by the RESTOREFILE option in shorewall-lite.conf(5). @@ -660,10 +666,10 @@ shorewall-lite managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. If -f is specified, the - saved configuration specified by the RESTOREFILE option in - shorewall.conf(5) will be restored if that saved configuration - exists and has been modified more recently than the files in - /etc/shorewall. + saved configuration specified by the RESTOREFILE option in shorewall-lite.conf(5) will + be restored if that saved configuration exists and has been modified + more recently than the files in /etc/shorewall. @@ -672,11 +678,13 @@ Stops the firewall. All existing connections, except those - listed in shorewall-routestopped(5) or permitted by the - ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The - only new traffic permitted through the firewall is from systems - listed in shorewall-routestopped(5) or by - ADMINISABSENTMINDED. + listed in shorewall-routestopped(5) + or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), + are taken down. The only new traffic permitted through the firewall + is from systems listed in shorewall-routestopped(5) + or by ADMINISABSENTMINDED. diff --git a/manpages/shorewall-actions.xml b/manpages/shorewall-actions.xml index 7b612a1d8..6e54ea12e 100644 --- a/manpages/shorewall-actions.xml +++ b/manpages/shorewall-actions.xml 
@@ -22,8 +22,9 @@ Description This file allows you to define new ACTIONS for use in rules (see - shorewall-rules(5)). You define the iptables rules to be performed in an - ACTION in /etc/shorewall/action.action-name. + shorewall-rules(5)). You define + the iptables rules to be performed in an ACTION in + /etc/shorewall/action.action-name. ACTION names should begin with an upper-case letter to distinguish them from Shorewall-generated chain names and they must meet the diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml index 98d2ce809..2170f6d02 100644 --- a/manpages/shorewall-blacklist.xml +++ b/manpages/shorewall-blacklist.xml @@ -73,12 +73,14 @@ When a packet arrives on an interface that has the blacklist option specified in - shorewall-interfaces(5), its source IP address and MAC address is checked - against this file and disposed of according to the blacklist option specified in shorewall-interfaces(5), its + source IP address and MAC address is checked against this file and + disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall.conf(5). - If PROTOCOL or BLACKLIST_LOGLEVEL variables in shorewall.conf(5). If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching the protocol (and one of the ports if PORTS supplied) are blocked. diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml index b59f2d11a..2c5586354 100644 --- a/manpages/shorewall-hosts.xml +++ b/manpages/shorewall-hosts.xml 
@@ -26,9 +26,9 @@ place anything in this file. The order of entries in this file is not significant in determining - zone composition. Rather, the order that the zones are defined in - shorewall-zones(5) determines the order in which the records in this file - are interpreted. + zone composition. Rather, the order that the zones are defined in shorewall-zones(5) determines the order + in which the records in this file are interpreted. The only time that you need this file is when you have more than @@ -36,9 +36,10 @@ - If you have an entry for a zone and interface in - shorewall-interfaces(5) then do not include any entries in this file for - that same (zone, interface) pair. + If you have an entry for a zone and interface in shorewall-interfaces(5) then do + not include any entries in this file for that same (zone, interface) + pair. The columns in the file are as follows. @@ -49,7 +50,8 @@ zone-name - The name of a zone defined in shorewall-zones(5). You may not + The name of a zone defined in shorewall-zones(5). You may not list the firewall zone in this column. @@ -61,9 +63,10 @@ role="bold">+ipset}[exclusion] - The name of an interface defined in the - shorewall-interfaces(5) file followed by a colon (":") and a - comma-separated list whose elements are either: + The name of an interface defined in the shorewall-interfaces(5) file + followed by a colon (":") and a comma-separated list whose elements + are either: 
@@ -84,12 +87,14 @@ A physical bridge-port name; only allowed when the interface names a bridge created by the brctl(8) addbr command. This port must not be - defined in shorewall-interfaces(5) and may be optionally - followed by a colon (":") and a host or network IP or a range. - See shorewall-interfaces(5) + and may be optionally followed by a colon (":") and a host or + network IP or a range. See http://www.shorewall.net/bridge.html for details. Specifying a physical port name requires that you - have BRIDGING=Yes in shorewall.conf(5). + have BRIDGING=Yes in shorewall.conf(5). @@ -99,7 +104,8 @@
You may also exclude certain hosts through use of an - exclusion (see shorewall-exclusion(5). + exclusion (see shorewall-exclusion(5).
@@ -119,9 +125,11 @@ Connection requests from these hosts are compared - against the contents of shorewall-maclist(5). If this option - is specified, the interface must be an ethernet NIC or - equivalent and must be up before Shorewall is started. + against the contents of shorewall-maclist(5). If + this option is specified, the interface must be an ethernet + NIC or equivalent and must be up before Shorewall is + started. @@ -145,8 +153,9 @@ This option only makes sense for ports on a bridge. - Check packets arriving on this port against the - shorewall-blacklist(5) file. + Check packets arriving on this port against the shorewall-blacklist(5) + file.
@@ -173,8 +182,9 @@ address as the source). Smurfs will be optionally logged based on the setting of - SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the - packets are dropped. + SMURF_LOG_LEVEL in shorewall.conf(5). After + logging, the packets are dropped. @@ -184,8 +194,10 @@ The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an - IPSEC zone in the shorewall-zones(5) file then you do NOT need - to specify the 'ipsec' option here. + IPSEC zone in the shorewall-zones(5) file + then you do NOT need to specify the 'ipsec' option + here. diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index d1921e71d..3493212c7 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -153,7 +153,9 @@ loc eth2 -
Turn on kernel route filtering for this interface (anti-spoofing measure). This option can also be enabled - globally in the shorewall.conf(5) file. + globally in the shorewall.conf(5) + file. @@ -166,7 +168,9 @@ loc eth2 -
routefilter on an interface that you also set logmartians. This option may also be - enabled globally in the shorewall.conf(5) file. + enabled globally in the shorewall.conf(5) + file. @@ -175,7 +179,9 @@ loc eth2 - Check packets arriving on this interface against the - shorewall-blacklist(5) file. + shorewall-blacklist(5) + file. @@ -184,9 +190,10 @@ loc eth2 - Connection requests from this interface are compared - against the contents of shorewall-maclist(5). If this option - is specified, the interface must be an ethernet NIC and must - be up before Shorewall is started. + against the contents of shorewall-maclist(5). If + this option is specified, the interface must be an ethernet + NIC and must be up before Shorewall is started. @@ -209,8 +216,10 @@ loc eth2 - Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use this option if you are employing Proxy ARP through - entries in shorewall-proxyarp(5). This option is intended - solely for use with Proxy ARP sub-networking as described at: + entries in shorewall-proxyarp(5). + This option is intended solely for use with Proxy ARP + sub-networking as described at: http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet @@ -277,8 +286,9 @@ loc eth2 - address as the source). Smurfs will be optionally logged based on the setting of - SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the - packets are dropped. + SMURF_LOG_LEVEL in shorewall.conf(5). After + logging, the packets are dropped. diff --git a/manpages/shorewall-maclist.xml b/manpages/shorewall-maclist.xml index 3f47707a1..23fc962ee 100644 --- a/manpages/shorewall-maclist.xml +++ b/manpages/shorewall-maclist.xml 
@@ -24,7 +24,9 @@ This file is used to define the MAC addresses and optionally their associated IP addresses to be allowed to use the specified interface. The feature is enabled by using the maclist - option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration + option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration file. The columns in the file are as follows. @@ -38,8 +40,9 @@ ACCEPT or DROP (if MACLIST_TABLE=filter in - shorewall.conf(5), then REJECT is also allowed). If specified, the + role="bold">DROP (if MACLIST_TABLE=filter in shorewall.conf(5), then REJECT is + also allowed). If specified, the log-level causes packets matching the rule to be logged at that level. diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index acc9b8d83..7a52e8e81 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -32,7 +32,9 @@ If you have more than one ISP, adding entries to this file will *not* force connections to go out through a particular ISP. You must use - PREROUTING entries in /etc/shorewall-tcrules(5) to do that. + PREROUTING entries in shorewall-tcrules(5) to do + that. The columns in the file are as follows. 
@@ -47,19 +49,20 @@ Outgoing interface. This is usually your - internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), - you may add ":" and a digit to indicate that - you want the alias added with that name (e.g., eth0:0). This will - allow the alias to be displayed with ifconfig. That is the only use for the alias name; it may not - appear in any other place in your Shorewall - configuration. + internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you may add ":" + and a digit to indicate that you want the alias + added with that name (e.g., eth0:0). This will allow the alias to be + displayed with ifconfig. That is the only use + for the alias name; it may not appear in any other place in your + Shorewall configuration. The interface may be qualified by adding the character ":" followed by a comma-separated list of destination host or subnet addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations. - Exclusion is allowed (see shorewall-exclusion(5)). + Exclusion is allowed (see shorewall-exclusion(5)). If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then include the ":" but omit the digit: @@ -68,16 +71,18 @@ eth2::192.0.2.32/27 Normally Masq/SNAT rules are evaluated after those for - one-to-one NAT (defined in shorewall-nat(5)). If you want the rule - to be applied before one-to-one NAT rules, prefix the interface name - with "+": + one-to-one NAT (defined in shorewall-nat(5)). If you want the + rule to be applied before one-to-one NAT rules, prefix the interface + name with "+": +eth0 +eth0:192.0.2.32/27 +eth0:2 This feature should only be required if you need to insert - rules in this file that preempt entries in shorewall/nat(5). + rules in this file that preempt entries in shorewall-nat(5). 
@@ -98,7 +103,8 @@ In order to exclude a address of the specified SOURCE, you may append an exclusion ("!" and a comma-separated list of IP addresses (host or net) that you wish to exclude (see - shorewall-exclusion(5))). + shorewall-exclusion(5))). Example: eth1!192.168.1.4,192.168.32.0/27 @@ -118,8 +124,9 @@ If you specify an address here, SNAT will be used and this will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes - in shorewall.conf(5) then Shorewall will automatically add this - address to the INTERFACE named in the first column. + in shorewall.conf(5) then + Shorewall will automatically add this address to the INTERFACE named + in the first column. You may also specify a range of up to 256 IP addresses if you want the SNAT address to be assigned from that range in a diff --git a/manpages/shorewall-nat.xml b/manpages/shorewall-nat.xml index 8a781ccfc..f01ce0c1e 100644 --- a/manpages/shorewall-nat.xml +++ b/manpages/shorewall-nat.xml @@ -60,13 +60,14 @@ Interface that has the EXTERNAL address. If ADD_IP_ALIASES=Yes in - shorewall.conf(5), Shorewall will automatically add the EXTERNAL - address to this interface. Also if ADD_IP_ALIASES=Yes, you may - follow the interface name with ":" and a digit - to indicate that you want Shorewall to add the alias with this name - (e.g., "eth0:0"). That allows you to see the alias with ifconfig. - That is the only thing that this name is good - for -- you cannot use it anwhere else in your Shorewall + shorewall.conf(5), + Shorewall will automatically add the EXTERNAL address to this + interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface + name with ":" and a digit to indicate that you + want Shorewall to add the alias with this name (e.g., "eth0:0"). + That allows you to see the alias with ifconfig. That is the only thing that this name is good for -- you + cannot use it anwhere else in your Shorewall configuration. If you want to override ADD_IP_ALIASES=Yes for a particular 
diff --git a/manpages/shorewall-netmap.xml b/manpages/shorewall-netmap.xml index 18affccbb..0028e689b 100644 --- a/manpages/shorewall-netmap.xml +++ b/manpages/shorewall-netmap.xml @@ -65,7 +65,8 @@ The name of a network interface. The interface must be defined - in /etc/shorewall-interfaces(5). + in shorewall-interfaces(5). diff --git a/manpages/shorewall-params.xml b/manpages/shorewall-params.xml index 1d3186421..f5d2c563c 100644 --- a/manpages/shorewall-params.xml +++ b/manpages/shorewall-params.xml @@ -33,7 +33,9 @@ NET_BCAST=130.252.100.255 NET_OPTIONS=routefilter,norfc1918 - Example shorewall-interfaces(5) file. + Example shorewall-interfaces(5) + file. ZONE INTERFACE BROADCAST OPTIONS net $NET_IF $NET_BCAST $NET_OPTIONS diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index 153ff3f36..6c617f159 100644 --- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml @@ -71,10 +71,12 @@ value - A FWMARK value used in your - shorewall-tcrules(5) file to direct packets to this provider. + A FWMARK value used in your shorewall-tcrules(5) file to + direct packets to this provider. - If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value + If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte of the value being zero). Otherwise, the value must be between 1 and 255. Each @@ -100,7 +102,8 @@ The name of the network interface to the provider. Must be - listed in shorewall-interfaces(5). + listed in shorewall-interfaces(5). diff --git a/manpages/shorewall-route_rules.xml b/manpages/shorewall-route_rules.xml index 9a0d43dc0..e0170ffe1 100644 --- a/manpages/shorewall-route_rules.xml +++ b/manpages/shorewall-route_rules.xml 
@@ -22,7 +22,8 @@ Description Entries in this file cause traffic to be routed to one of the - providers listed in shorewall-providers(5). + providers listed in shorewall-providers(5). The columns in the file are as follows. diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml index 5a4657d71..3c70d3667 100644 --- a/manpages/shorewall-routestopped.xml +++ b/manpages/shorewall-routestopped.xml @@ -134,7 +134,8 @@ The source and dest options work best when used in conjunction - with ADMINISABSENTMINDED=Yes in shorewall.conf(5). + with ADMINISABSENTMINDED=Yes in shorewall.conf(5). diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index a5696688d..7b0880750 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -98,8 +98,9 @@ - If you specify FASTACCEPT=Yes in shorewall.conf(5) then the - ESTABLISHED and If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ESTABLISHED and RELATED sections must be empty. @@ -263,9 +264,10 @@ Do not process any of the following rules for this (source zone,destination zone). If the source and/or destination IP address falls into a zone defined later in - shorewall-zones(5) or in a parent zone of the source or - destination zones, then this connection request will be passed - to the rules defined for that (those) zone(s). + shorewall-zones(5) + or in a parent zone of the source or destination zones, then + this connection request will be passed to the rules defined + for that (those) zone(s). @@ -305,9 +307,10 @@ action - The name of an action defined in - shorewall-actions(5) or in - /usr/share/shorewall/actions.std. + The name of an action declared in + shorewall-actions(5) or + in /usr/share/shorewall/actions.std. @@ -344,7 +347,8 @@ rewritten. If the ACTION names an - action defined in shorewall-actions(5) or in + action defined in shorewall-actions(5) or in /usr/share/shorewall/actions.std then: 
@@ -373,7 +377,8 @@ Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string - generated by the LOGPREFIX (in shorewall.conf(5)). + generated by the LOGPREFIX (in shorewall.conf(5)). Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix generated by the LOGPREFIX setting. @@ -432,8 +437,8 @@ bindings to be matched. You may exclude certain hosts from the set already defined - through use of an exclusion (see - shorewall-exclusion(5)). + through use of an exclusion (see shorewall-exclusion(5)). Examples: @@ -521,11 +526,11 @@ role="bold">+ipset}] - Location of Server. May be a zone defined in - shorewall-zones(5), $FW to indicate - the firewall itself, all. all+ or none. + Location of Server. May be a zone defined in shorewall-zones(5), $FW to indicate the firewall itself, all. all+ or + none. When none is used either in the SOURCE or SOURCE above. You may exclude certain hosts from the set already defined - through use of an exclusion (see - shorewall-exclusion(5)). + through use of an exclusion (see shorewall-exclusion(5)). Restrictions: diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index 5b199bb9b..8509ea8fd 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -25,9 +25,11 @@ classifying them for traffic control or policy routing. - Unlike rules in the shorewall-rules(5) file, evaluation of rules - in this file will continue after a match. So the final mark for each - packet will be the one assigned by the LAST tcrule that matches. + Unlike rules in the shorewall-rules(5) file, evaluation + of rules in this file will continue after a match. So the final mark for + each packet will be the one assigned by the LAST tcrule that + matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at 
@@ -99,7 +101,8 @@ Otherwise, the chain is determined by the setting of - MARK_IN_FORWARD_CHAIN in shorewall.conf(5). + MARK_IN_FORWARD_CHAIN in shorewall.conf(5). @@ -168,12 +171,15 @@ When using Shorewall's built-in traffic tool, the major class is the device number (the first - device in shorewall-tcdevices(5) is major class 1, the second - device is major class 2, and so on) and the - minor class is the class's MARK value in - shorewall-tcclasses(5) preceded by the number 1 (MARK 1 - corresponds to minor class 11, MARK 5 corresponds to minor class - 15, MARK 22 corresponds to minor class 122, etc.). + device in shorewall-tcdevices(5) is + major class 1, the second device is major class 2, and so on) + and the minor class is the class's MARK + value in shorewall-tcclasses(5) + preceded by the number 1 (MARK 1 corresponds to minor class 11, + MARK 5 corresponds to minor class 15, MARK 22 corresponds to + minor class 122, etc.). @@ -254,8 +260,8 @@ Example: ~00-A0-C9-15-39-78 You may exclude certain hosts from the set already defined - through use of an exclusion (see - shorewall-exclusion(5)). + through use of an exclusion (see shorewall-exclusion(5)). @@ -275,8 +281,8 @@ this column may also contain an interface name. You may exclude certain hosts from the set already defined - through use of an exclusion (see - shorewall-exclusion(5)). + through use of an exclusion (see shorewall-exclusion(5)). diff --git a/manpages/shorewall-tos.xml b/manpages/shorewall-tos.xml index 2b5bbd90a..bb86015c6 100644 --- a/manpages/shorewall-tos.xml +++ b/manpages/shorewall-tos.xml @@ -34,7 +34,8 @@ role="bold">$FW} - Name of a zone declared in shorewall-zones(5), Name of a zone declared in shorewall-zones(5), all or $FW. @@ -59,7 +60,8 @@ role="bold">all} - Name of a zone declared in shorewall-zones(5) or Name of a zone declared in shorewall-zones(5) or all. If not all, may optionally be 
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 1a828db35..0c479977a 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -151,7 +151,8 @@ If you set the value of either option to "None" then no default action will be used and the default action or macro must be - specified in shorewall-policy(5). + specified in shorewall-policy(5). @@ -161,8 +162,9 @@ This parameter determines whether Shorewall automatically adds - the external address(es) in shorewall.nat(5). If the variable is set - to Yes or shorewall-nat(5). If the variable + is set to Yes or yes then Shorewall automatically adds these aliases. If it is set to No or no, you must add these aliases @@ -186,8 +188,9 @@ This parameter determines whether Shorewall automatically adds - the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to - Yes or shorewall-masq(5). If the variable + is set to Yes or yes then Shorewall automatically adds these addresses. If it is set to No or no, you must add these addresses @@ -212,12 +215,14 @@ The value of this variable affects Shorewall's stopped state. When ADMINISABSENTMINDES=No, only traffic to/from those addresses - listed in shorewall-routestopped(5) is accepted when Shorewall is - stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic - to/from addresses in shorewall-routestopped(5), connections that - were active when Shorewall stopped continue to work and all new - connections from the firewall system itself are allowed. If this - variable is not set or is given the empty value then + listed in shorewall-routestopped(5) + is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, + in addition to traffic to/from addresses in shorewall-routestopped(5), + connections that were active when Shorewall stopped continue to work + and all new connections from the firewall system itself are allowed. + If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed. 
@@ -301,8 +306,9 @@ set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, your traffic shaping rules can still use the “fwmark” classifier based on packet marking - defined in shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is - assumed. + defined in shorewall-tcrules(5). If not + specified, CLEAR_TC=Yes is assumed. @@ -345,8 +351,9 @@ role="bold">Yes|No} - Users with a large static black list (shorewall-blacklist(5)) - may want to set the DELAYBLACKLISTLOAD option to Users with a large static black list (shorewall-blacklist(5)) may + want to set the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before loading the blacklist rules. While this may allow connections from blacklisted hosts to slip by @@ -400,7 +407,8 @@ If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED - or RELATED sections of shorewall-rules(5). + or RELATED sections of shorewall-rules(5). @@ -410,8 +418,9 @@ Prior to version 3.2.0, it was not possible to use connection - marking in /etc/shorewall/tcrules if you have a multi-ISP - configuration that uses the track option. + marking in shorewall-tcrules(5) if you + have a multi-ISP configuration that uses the track option. Beginning with release 3.2.0, you may now set HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and 
@@ -457,10 +466,11 @@ differently with respect to policies. Subzones are defined by following their name with ":" and a - list of parent zones (in /etc/shorewall/zones). Normally, you want - to have a set of special rules for the subzone and if a connection - doesn't match any of those subzone-specific rules then you want the - parent zone rules and policies to be applied. With + list of parent zones (in shorewall-zones(5)). Normally, + you want to have a set of special rules for the subzone and if a + connection doesn't match any of those subzone-specific rules then + you want the parent zone rules and policies to be applied. With IMPLICIT_CONTINUE=Yes, that happens automatically. If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, @@ -553,8 +563,8 @@ No which sets both of the above to zero. If you do not enable martian logging for all interfaces, you may still enable it for individual interfaces using the logmartians interface option in - shorewall-interfaces(5). + role="bold">logmartians interface option in shorewall-interfaces(5). @@ -726,8 +736,10 @@ The performance of configurations with a large numbers of - entries in /etc/shorewall/maclist can be improved by setting the - MACLIST_TTL variable in shorewall.conf(5). + entries in shorewall-maclist(5) can be + improved by setting the MACLIST_TTL variable in shorewall.conf(5). If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the 
@@ -736,13 +748,14 @@ When a new connection arrives from a 'maclist' interface, the packet passes through then list of entries for that interface in - shorewall-maclist(5). If there is a match then the source IP address - is added to the 'Recent' set for that interface. Subsequent - connection attempts from that IP address occurring within - $MACLIST_TTL seconds will be accepted without having to scan all of - the entries. After $MACLIST_TTL from the first accepted connection - request from an IP address, the next connection request from that IP - address will be checked against the entire list. + shorewall-maclist(5). If + there is a match then the source IP address is added to the 'Recent' + set for that interface. Subsequent connection attempts from that IP + address occurring within $MACLIST_TTL seconds will be accepted + without having to scan all of the entries. After $MACLIST_TTL from + the first accepted connection request from an IP address, the next + connection request from that IP address will be checked against the + entire list. If MACLIST_TTL is not specified or is specified as empty (e.g, MACLIST_TTL="" or is specified as zero then 'maclist' lookups will 
@@ -913,16 +926,18 @@ During shorewall start, IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and - ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and - shorewall-masq(5) are processed then are re-added later. This is - done to help ensure that the addresses can be added with the - specified labels but can have the undesirable side effect of causing - routes to be quietly deleted. When RETAIN_ALIASES is set to Yes, - existing addresses will not be deleted. Regardless of the setting of - RETAIN_ALIASES, addresses added during shorewall start are still deleted at a - subsequent shorewall stop or - shorewall restart. + ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and shorewall-masq(5) are processed + then are re-added later. This is done to help ensure that the + addresses can be added with the specified labels but can have the + undesirable side effect of causing routes to be quietly deleted. + When RETAIN_ALIASES is set to Yes, existing addresses will not be + deleted. Regardless of the setting of RETAIN_ALIASES, addresses + added during shorewall start are + still deleted at a subsequent shorewall + stop or shorewall + restart. @@ -1018,8 +1033,10 @@ Specifies the logging level for smurf packets (see the - nosmurfs option in /etc/shorewall/interfaces). If set to the empty - value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged. + nosmurfs option in shorewall-interfaces(5)). If + set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not + logged. @@ -1081,8 +1098,8 @@ Normally, Shorewall tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to - packets that have been marked by the 'track' option in - shorewall-providers(5). + packets that have been marked by the 'track' option in shorewall-providers(5). If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall will not include these cautionary checks. 
@@ -1099,11 +1116,12 @@ Determines the disposition of TCP packets that fail the checks enabled by the tcpflags interface - option (see shorewall-interfaces(5)) and must have a value of ACCEPT - (accept the packet), REJECT (send an RST response) or DROP (ignore - the packet). If not set or if set to the empty value (e.g., - TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is - assumed. + option (see shorewall-interfaces(5)) and + must have a value of ACCEPT (accept the packet), REJECT (send an RST + response) or DROP (ignore the packet). If not set or if set to the + empty value (e.g., TCP_FLAGS_DISPOSITION="") then + TCP_FLAGS_DISPOSITION=DROP is assumed. diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index c163e40f1..b644dd054 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -443,7 +443,8 @@ the command produces. They consist of a sequence of the letters v and q. If the options are omitted, the amount of output is determined by the setting of - the VERBOSITY parameter in shorewall.conf(5). Each shorewall.conf(5). Each v adds one to the effective verbosity and each q subtracts one from the effective VERBOSITY. @@ -463,8 +464,9 @@ with VPN's. The interface argument names an interface - defined in the shorewall-interfaces(5) file. A - host-list is comma-separated list whose + defined in the shorewall-interfaces(5) + file. A host-list is comma-separated list whose elements are: A host or network address @@ -541,8 +543,9 @@ role="bold">add command. The interface argument names an interface - defined in the shorewall-interfaces(5) file. A - host-list is comma-separated list whose + defined in the shorewall-interfaces(5) + file. A host-list is comma-separated list whose elements are: A host or network address 
@@ -605,7 +608,8 @@ Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If no filename is - given then the file specified by RESTOREFILE in shorewall.conf(5) is + given then the file specified by RESTOREFILE in shorewall.conf(5) is assumed. @@ -703,11 +707,12 @@ logwatch - Monitors the log file specified by theLOGFILE option in - shorewall.conf(5) and produces an audible alarm when new Shorewall - messages are logged. The -m option - causes the MAC address of each packet source to be displayed if that - information is available. + Monitors the log file specified by theLOGFILE option in shorewall.conf(5) and produces an + audible alarm when new Shorewall messages are logged. The -m option causes the MAC address of each + packet source to be displayed if that information is + available. @@ -806,8 +811,8 @@ file in /var/lib/shorewall created using shorewall save; if no filename is given then Shorewall will be - restored from the file specified by the RESTOREFILE option in - shorewall.conf(5). + restored from the file specified by the RESTOREFILE option in shorewall.conf(5). @@ -852,8 +857,8 @@ shorewall restore and shorewall -f start commands. If filename is not given then the state is saved - in the file specified by the RESTOREFILE option in - shorewall.conf(5). + in the file specified by the RESTOREFILE option in shorewall.conf(5). @@ -998,9 +1003,9 @@ will look in that directory first for configuration files.If -f is specified, the saved configuration specified by the RESTOREFILE - option in shorewall.conf(5) will be restored if that saved - configuration exists and has been modified more recently than the - files in /etc/shorewall. + option in shorewall.conf(5) + will be restored if that saved configuration exists and has been + modified more recently than the files in /etc/shorewall. 
@@ -1009,11 +1014,14 @@ Stops the firewall. All existing connections, except those - listed in shorewall-routestopped(5) or permitted by the - ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The - only new traffic permitted through the firewall is from systems - listed in shorewall-routestopped(5) or by - ADMINISABSENTMINDED. + listed in shorewall-routestopped(5) + or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. + The only new traffic permitted through the firewall is from systems + listed in shorewall-routestopped(5) + or by ADMINISABSENTMINDED.
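Review bot: In the MACLIST_TTL hunk of shorewall.conf.xml (@@ -736,13 +748,14 @@), the reflowed paragraph carries two pre-existing slips in the lines around it: "the packet passes through then list of entries" should read "the list of entries", and the trailing sentence "If MACLIST_TTL is not specified or is specified as empty (e.g, MACLIST_TTL="" or is specified as zero then 'maclist' lookups will" never closes its parenthesis and drops the period in "e.g.". Since the paragraph is being rewritten anyway, suggest fixing both in this change, e.g. "(e.g., MACLIST_TTL="") or is specified as zero".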
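Review bot: The verbosity hunk of shorewall.xml (@@ -443,7 +443,8 @@) as rendered here reads "the VERBOSITY parameter in shorewall.conf(5). Each shorewall.conf(5). Each v adds one to the effective verbosity", with "shorewall.conf(5). Each" appearing twice in a row. The hunk header says one line was replaced by two, so please confirm the committed text does not duplicate that phrase once the manpage link is wrapped around it.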
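Review bot: Both host-list hunks of shorewall.xml (@@ -463,8 +464,9 @@ and @@ -541,8 +543,9 @@) reword the added line "file. A host-list is comma-separated list whose" but keep the missing article; suggest "A host-list is a comma-separated list whose" in each. The two hunks describe the same add/delete syntax, so they should stay word-for-word identical.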
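Review bot: In the logwatch hunk of shorewall.xml (@@ -703,11 +707,12 @@) the added line still reads "specified by theLOGFILE option in shorewall.conf(5)", carrying the missing space between "the" and "LOGFILE" over from the removed line; suggest "specified by the LOGFILE option in shorewall.conf(5)".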
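Review bot: In the start hunk of shorewall.xml (@@ -998,9 +1003,9 @@) the context line "will look in that directory first for configuration files.If -f is specified" is missing the space after the period; since the sentence continues into the reflowed added lines, suggest "configuration files. If -f is specified" as part of this change.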