Add links between online manpages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5228 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-01-14 22:34:51 +00:00
parent 6deeb544fd
commit 84cd88e93d
18 changed files with 302 additions and 211 deletions

View File

@ -298,9 +298,10 @@
the command produces. They consist of a sequence of the letters <emphasis
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in shorewall.conf(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
the VERBOSITY parameter in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5). Each
<emphasis role="bold">v</emphasis> adds one to the effective verbosity and
each <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY.</para>
</refsect1>
@ -318,8 +319,9 @@
with VPN's.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the shorewall-interfaces(5) file. A
<emphasis>host-list</emphasis> is comma-separated list whose
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are:</para>
<programlisting> A host or network address
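Review bot: the phrase "is comma-separated list" on the new line is missing the article and should read "is a comma-separated list"; the same wording is carried over unchanged in the next hunk of this file, so both occurrences should be fixed while the lines are being touched.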
@ -359,8 +361,9 @@
role="bold">add</emphasis> command.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the shorewall-interfaces(5) file. A
<emphasis>host-list</emphasis> is comma-separated list whose
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are:</para>
<programlisting> A host or network address
@ -400,7 +403,9 @@
<para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
and /var/lib/shorewall-lite/save. If no
<emphasis>filename</emphasis> is given then the file specified by
RESTOREFILE in shorewall.conf(5) is assumed.</para>
RESTOREFILE in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
assumed.</para>
</listitem>
</varlistentry>
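Review bot: the unchanged context line at the top of this hunk has the emphasis element closed one character early, `/var/lib/shorewall-lite/<emphasis>filenam</emphasis>e`, so the rendered manpage shows "filenam" in italics followed by a plain "e"; since the paragraph is already being edited, move the closing tag after the full word: `<emphasis>filename</emphasis>`.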
@ -453,11 +458,12 @@
<term><emphasis role="bold">logwatch</emphasis></term>
<listitem>
<para>Monitors the log file specified by theLOGFILE option in
shorewall.conf(5) and produces an audible alarm when new Shorewall
Lite messages are logged. The <emphasis role="bold">-m</emphasis>
option causes the MAC address of each packet source to be displayed
if that information is available.</para>
<para>Monitors the log file specified by theLOGFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
produces an audible alarm when new Shorewall Lite messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that
information is available.</para>
</listitem>
</varlistentry>
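Review bot: "theLOGFILE" is missing a space in the replacement paragraph (it was already wrong in the removed lines); it should read "the LOGFILE option in".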
@ -499,8 +505,8 @@
a restore file in /var/lib/shorewall-lite created using <emphasis
role="bold">shorewall-lite save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall Lite will be
restored from the file specified by the RESTOREFILE option in
shorewall.conf(5).</para>
restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -514,8 +520,8 @@
<emphasis role="bold">shorewall-lite restore</emphasis> and
<emphasis role="bold">shorewall-lite -f start</emphasis> commands.
If <emphasis>filename</emphasis> is not given then the state is
saved in the file specified by the RESTOREFILE option in
shorewall.conf(5).</para>
saved in the file specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -660,10 +666,10 @@
shorewall-lite managed interfaces are untouched. New connections
will be allowed only if they are allowed by the firewall rules or
policies. If <emphasis role="bold">-f</emphasis> is specified, the
saved configuration specified by the RESTOREFILE option in
shorewall.conf(5) will be restored if that saved configuration
exists and has been modified more recently than the files in
/etc/shorewall.</para>
saved configuration specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
be restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall.</para>
</listitem>
</varlistentry>
@ -672,11 +678,13 @@
<listitem>
<para>Stops the firewall. All existing connections, except those
listed in shorewall-routestopped(5) or permitted by the
ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The
only new traffic permitted through the firewall is from systems
listed in shorewall-routestopped(5) or by
ADMINISABSENTMINDED.</para>
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
are taken down. The only new traffic permitted through the firewall
is from systems listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
</listitem>
</varlistentry>
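Review bot: the reference to "the ADMINISABSENTMINDED option in shorewall.conf(5)" is left as plain text here, while every other hunk in this shorewall-lite manpage both links the file and renames it to shorewall-lite.conf; for consistency it should become `<ulink url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5)`.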

View File

@ -22,8 +22,9 @@
<title>Description</title>
<para>This file allows you to define new ACTIONS for use in rules (see
shorewall-rules(5)). You define the iptables rules to be performed in an
ACTION in /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
the iptables rules to be performed in an ACTION in
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
<para>ACTION names should begin with an upper-case letter to distinguish
them from Shorewall-generated chain names and they must meet the
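Review bot: the "(5)" section suffix is placed inside the link text here, `<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>`, whereas all the other hunks in this commit keep it outside the element, `<ulink url="shorewall-rules.html">shorewall-rules</ulink>(5)`; pick one convention so the rendered links look the same across the manpages.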

View File

@ -73,12 +73,14 @@
</variablelist>
<para>When a packet arrives on an interface that has the <emphasis
role="bold">blacklist</emphasis> option specified in
shorewall-interfaces(5), its source IP address and MAC address is checked
against this file and disposed of according to the <emphasis
role="bold">blacklist</emphasis> option specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its
source IP address and MAC address is checked against this file and
disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in shorewall.conf(5).
If <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis
role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
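Review bot: subject/verb agreement is off in the rewrapped sentence, "its source IP address and MAC address is checked against this file and disposed of"; it should read "are checked ... and disposed of" (the defect was already in the removed lines, but the text is being rewritten here anyway).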

View File

@ -26,9 +26,9 @@
place anything in this file.</para>
<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are defined in
shorewall-zones(5) determines the order in which the records in this file
are interpreted.</para>
zone composition. Rather, the order that the zones are defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
in which the records in this file are interpreted.</para>
<warning>
<para>The only time that you need this file is when you have more than
@ -36,9 +36,10 @@
</warning>
<warning>
<para>If you have an entry for a zone and interface in
shorewall-interfaces(5) then do not include any entries in this file for
that same (zone, interface) pair.</para>
<para>If you have an entry for a zone and interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
not include any entries in this file for that same (zone, interface)
pair.</para>
</warning>
<para>The columns in the file are as follows.</para>
@ -49,7 +50,8 @@
<emphasis>zone-name</emphasis></term>
<listitem>
<para>The name of a zone defined in shorewall-zones(5). You may not
<para>The name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not
list the firewall zone in this column.</para>
</listitem>
</varlistentry>
@ -61,9 +63,10 @@
role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>The name of an interface defined in the
shorewall-interfaces(5) file followed by a colon (":") and a
comma-separated list whose elements are either:</para>
<para>The name of an interface defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
followed by a colon (":") and a comma-separated list whose elements
are either:</para>
<orderedlist numeration="loweralpha">
<listitem>
@ -84,12 +87,14 @@
<para>A physical <emphasis>bridge-port</emphasis> name; only
allowed when the interface names a bridge created by the
<command>brctl(8) addbr</command> command. This port must not be
defined in shorewall-interfaces(5) and may be optionally
followed by a colon (":") and a host or network IP or a range.
See <ulink
defined in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
and may be optionally followed by a colon (":") and a host or
network IP or a range. See <ulink
url="http://www.shorewall.net/bridge.html">http://www.shorewall.net/bridge.html</ulink>
for details. Specifying a physical port name requires that you
have BRIDGING=Yes in shorewall.conf(5).</para>
have BRIDGING=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
<listitem>
@ -99,7 +104,8 @@
<blockquote>
<para>You may also exclude certain hosts through use of an
<emphasis>exclusion</emphasis> (see shorewall-exclusion(5).</para>
<emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
</blockquote>
</listitem>
</varlistentry>
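Review bot: the parenthesis opened by "(see" is never closed; the new line ends `</ulink>(5).</para>` and should end `</ulink>(5)).</para>`, as the equivalent exclusion references elsewhere in this commit do.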
@ -119,9 +125,11 @@
<listitem>
<para>Connection requests from these hosts are compared
against the contents of shorewall-maclist(5). If this option
is specified, the interface must be an ethernet NIC or
equivalent and must be up before Shorewall is started.</para>
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC or equivalent and must be up before Shorewall is
started.</para>
</listitem>
</varlistentry>
@ -145,8 +153,9 @@
<para>This option only makes sense for ports on a
bridge.</para>
<para>Check packets arriving on this port against the
shorewall-blacklist(5) file.</para>
<para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -173,8 +182,9 @@
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
packets are dropped.</para>
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
@ -184,8 +194,10 @@
<listitem>
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the shorewall-zones(5) file then you do NOT need
to specify the 'ipsec' option here.</para>
IPSEC zone in the <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) file
then you do NOT need to specify the 'ipsec' option
here.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -153,7 +153,9 @@ loc eth2 -</programlisting>
<listitem>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure). This option can also be enabled
globally in the shorewall.conf(5) file.</para>
globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -166,7 +168,9 @@ loc eth2 -</programlisting>
<emphasis role="bold">routefilter</emphasis> on an interface
that you also set <emphasis
role="bold">logmartians</emphasis>. This option may also be
enabled globally in the shorewall.conf(5) file.</para>
enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -175,7 +179,9 @@ loc eth2 -</programlisting>
<listitem>
<para>Check packets arriving on this interface against the
shorewall-blacklist(5) file.</para>
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -184,9 +190,10 @@ loc eth2 -</programlisting>
<listitem>
<para>Connection requests from this interface are compared
against the contents of shorewall-maclist(5). If this option
is specified, the interface must be an ethernet NIC and must
be up before Shorewall is started.</para>
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
@ -209,8 +216,10 @@ loc eth2 -</programlisting>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in shorewall-proxyarp(5). This option is intended
solely for use with Proxy ARP sub-networking as described at:
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at:
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet</para>
</listitem>
</varlistentry>
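Review bot: the trailing URL http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet is still plain text in the reflowed paragraph; since the point of this commit is to make cross-references clickable, it should be wrapped in a `<ulink url="...">` like the bridge.html reference in the hosts manpage.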
@ -277,8 +286,9 @@ loc eth2 -</programlisting>
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
packets are dropped.</para>
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>

View File

@ -24,7 +24,9 @@
<para>This file is used to define the MAC addresses and optionally their
associated IP addresses to be allowed to use the specified interface. The
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration
option in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
file.</para>
<para>The columns in the file are as follows.</para>
@ -38,8 +40,9 @@
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in
shorewall.conf(5), then REJECT is also allowed). If specified, the
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>

View File

@ -32,7 +32,9 @@
<warning>
<para>If you have more than one ISP, adding entries to this file will
*not* force connections to go out through a particular ISP. You must use
PREROUTING entries in /etc/shorewall-tcrules(5) to do that.</para>
PREROUTING entries in <ulink
url="shorewall-tcrules.tcml">shorewall-tcrules</ulink>(5) to do
that.</para>
</warning>
<para>The columns in the file are as follows.</para>
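Review bot: the link target has a typo, `url="shorewall-tcrules.tcml"`; every other tcrules reference in this commit uses `shorewall-tcrules.html`, and as written this link will 404 on the online manpages.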
@ -47,19 +49,20 @@
<listitem>
<para>Outgoing <emphasis>interface</emphasis>. This is usually your
internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5),
you may add ":" and a <emphasis>digit</emphasis> to indicate that
you want the alias added with that name (e.g., eth0:0). This will
allow the alias to be displayed with ifconfig. <emphasis
role="bold">That is the only use for the alias name; it may not
appear in any other place in your Shorewall
configuratio</emphasis>n.</para>
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
and a <emphasis>digit</emphasis> to indicate that you want the alias
added with that name (e.g., eth0:0). This will allow the alias to be
displayed with ifconfig. <emphasis role="bold">That is the only use
for the alias name; it may not appear in any other place in your
Shorewall configuratio</emphasis>n.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see shorewall-exclusion(5)).</para>
Exclusion is allowed (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para>
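Review bot: the bold emphasis is closed one character early in the rewrapped text, `Shorewall configuratio</emphasis>n.`, leaving the final "n" outside the element; it should be `Shorewall configuration</emphasis>.`.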
@ -68,16 +71,18 @@
eth2::192.0.2.32/27</programlisting>
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in shorewall-nat(5)). If you want the rule
to be applied before one-to-one NAT rules, prefix the interface name
with "+":</para>
one-to-one NAT (defined in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
rule to be applied before one-to-one NAT rules, prefix the interface
name with "+":</para>
<programlisting> +eth0
+eth0:192.0.2.32/27
+eth0:2</programlisting>
<para>This feature should only be required if you need to insert
rules in this file that preempt entries in shorewall/nat(5).</para>
rules in this file that preempt entries in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
</listitem>
</varlistentry>
@ -98,7 +103,8 @@
<para>In order to exclude a address of the specified SOURCE, you may
append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
list of IP addresses (host or net) that you wish to exclude (see
shorewall-exclusion(5))).</para>
<ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).</para>
<para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
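Review bot: two small defects in this paragraph: "exclude a address" should be "exclude an address" (unchanged context line), and the replacement line closes one parenthesis too many, `</ulink>(5))).</para>`, since only the "("!" and the "(see" groups are open at that point; it should be `</ulink>(5)).</para>`.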
@ -118,8 +124,9 @@
<listitem>
<para>If you specify an address here, SNAT will be used and this
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
in shorewall.conf(5) then Shorewall will automatically add this
address to the INTERFACE named in the first column.</para>
in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) then
Shorewall will automatically add this address to the INTERFACE named
in the first column.</para>
<para>You may also specify a range of up to 256 IP addresses if you
want the SNAT address to be assigned from that range in a

View File

@ -60,13 +60,14 @@
<listitem>
<para>Interface that has the <emphasis
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
shorewall.conf(5), Shorewall will automatically add the EXTERNAL
address to this interface. Also if ADD_IP_ALIASES=Yes, you may
follow the interface name with ":" and a <emphasis>digit</emphasis>
to indicate that you want Shorewall to add the alias with this name
(e.g., "eth0:0"). That allows you to see the alias with ifconfig.
<emphasis role="bold">That is the only thing that this name is good
for -- you cannot use it anwhere else in your Shorewall
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
Shorewall will automatically add the EXTERNAL address to this
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
name with ":" and a <emphasis>digit</emphasis> to indicate that you
want Shorewall to add the alias with this name (e.g., "eth0:0").
That allows you to see the alias with ifconfig. <emphasis
role="bold">That is the only thing that this name is good for -- you
cannot use it anwhere else in your Shorewall
configuration.</emphasis></para>
<para>If you want to override ADD_IP_ALIASES=Yes for a particular
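Review bot: "anwhere" in the rewrapped bold sentence should be "anywhere" (the typo was already present in the removed lines).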

View File

@ -65,7 +65,8 @@
<listitem>
<para>The name of a network interface. The interface must be defined
in /etc/shorewall-interfaces(5).</para>
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>

View File

@ -33,7 +33,9 @@
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918</programlisting>
<para>Example shorewall-interfaces(5) file.</para>
<para>Example <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file.</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
net $NET_IF $NET_BCAST $NET_OPTIONS</programlisting>

View File

@ -71,10 +71,12 @@
<emphasis>value</emphasis></term>
<listitem>
<para>A FWMARK <emphasis>value</emphasis> used in your
shorewall-tcrules(5) file to direct packets to this provider.</para>
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) file to
direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), then the value
must be a multiple of 256 between 256 and 65280 or their hexadecimal
equivalents (0x0100 and 0xff00 with the low-order byte of the value
being zero). Otherwise, the value must be between 1 and 255. Each
@ -100,7 +102,8 @@
<listitem>
<para>The name of the network interface to the provider. Must be
listed in shorewall-interfaces(5).</para>
listed in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>

View File

@ -22,7 +22,8 @@
<title>Description</title>
<para>Entries in this file cause traffic to be routed to one of the
providers listed in shorewall-providers(5).</para>
providers listed in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>The columns in the file are as follows.</para>

View File

@ -134,7 +134,8 @@
<note>
<para>The <emphasis role="bold">source</emphasis> and <emphasis
role="bold">dest</emphasis> options work best when used in conjunction
with ADMINISABSENTMINDED=Yes in shorewall.conf(5).</para>
with ADMINISABSENTMINDED=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</note>
</refsect1>

View File

@ -98,8 +98,9 @@
</note>
<warning>
<para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
<emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
<para>If you specify FASTACCEPT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para>
</warning>
@ -263,9 +264,10 @@
<para>Do not process any of the following rules for this
(source zone,destination zone). If the source and/or
destination IP address falls into a zone defined later in
shorewall-zones(5) or in a parent zone of the source or
destination zones, then this connection request will be passed
to the rules defined for that (those) zone(s).</para>
<ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
or in a parent zone of the source or destination zones, then
this connection request will be passed to the rules defined
for that (those) zone(s).</para>
</listitem>
</varlistentry>
@ -305,9 +307,10 @@
<term><emphasis>action</emphasis></term>
<listitem>
<para>The name of an <emphasis>action</emphasis> defined in
shorewall-actions(5) or in
/usr/share/shorewall/actions.std.</para>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
in /usr/share/shorewall/actions.std.</para>
</listitem>
</varlistentry>
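Review bot: this hunk changes "defined in" to "declared in" as well as adding the link, but the next hunk in the same file keeps "an action defined in shorewall-actions(5)"; either leave the wording alone in a link-only commit or change both places so the two sentences agree.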
@ -344,7 +347,8 @@
rewritten.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> defined in shorewall-actions(5) or in
<emphasis>action</emphasis> defined in <ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall/actions.std then:</para>
<itemizedlist>
@ -373,7 +377,8 @@
<para>Actions specifying logging may be followed by a log tag (a
string of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in shorewall.conf(5)).</para>
generated by the LOGPREFIX (in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
the log prefix generated by the LOGPREFIX setting.</para>
@ -432,8 +437,8 @@
bindings to be matched.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see
shorewall-exclusion(5)).</para>
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para>Examples:</para>
@ -521,11 +526,11 @@
role="bold">+</emphasis><emphasis>ipset</emphasis>}]</term>
<listitem>
<para>Location of Server. May be a zone defined in
shorewall-zones(5), $<emphasis role="bold">FW</emphasis> to indicate
the firewall itself, <emphasis role="bold">all</emphasis>. <emphasis
role="bold">all+</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Location of Server. May be a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
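Review bot: the list of allowed values reads "all. all+ or none" with a period after `<emphasis role="bold">all</emphasis>`; it should be a comma, `all</emphasis>, <emphasis role="bold">all+</emphasis> or`, since the sentence enumerates alternatives.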
@ -544,8 +549,8 @@
role="bold">SOURCE</emphasis> above.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see
shorewall-exclusion(5)).</para>
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para>Restrictions:</para>

View File

@ -25,9 +25,11 @@
classifying them for traffic control or policy routing.</para>
<important>
<para>Unlike rules in the shorewall-rules(5) file, evaluation of rules
in this file will continue after a match. So the final mark for each
packet will be the one assigned by the LAST tcrule that matches.</para>
<para>Unlike rules in the <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at
@ -99,7 +101,8 @@
<listitem>
<para>Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf(5).</para>
MARK_IN_FORWARD_CHAIN in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
@ -168,12 +171,15 @@
<para>When using Shorewall's built-in traffic tool, the
<emphasis>major</emphasis> class is the device number (the first
device in shorewall-tcdevices(5) is major class 1, the second
device is major class 2, and so on) and the
<emphasis>minor</emphasis> class is the class's MARK value in
shorewall-tcclasses(5) preceded by the number 1 (MARK 1
corresponds to minor class 11, MARK 5 corresponds to minor class
15, MARK 22 corresponds to minor class 122, etc.).</para>
device in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
major class 1, the second device is major class 2, and so on)
and the <emphasis>minor</emphasis> class is the class's MARK
value in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
preceded by the number 1 (MARK 1 corresponds to minor class 11,
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
minor class 122, etc.).</para>
</listitem>
<listitem>
@ -254,8 +260,8 @@
<para>Example: ~00-A0-C9-15-39-78</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see
shorewall-exclusion(5)).</para>
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
@ -275,8 +281,8 @@
this column may also contain an interface name.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see
shorewall-exclusion(5)).</para>
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>

View File

@ -34,7 +34,8 @@
role="bold">$FW</emphasis>}</term>
<listitem>
<para>Name of a zone declared in shorewall-zones(5), <emphasis
<para>Name of a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
role="bold">all</emphasis> or <emphasis
role="bold">$FW</emphasis>.</para>
@ -59,7 +60,8 @@
role="bold">all</emphasis>}</term>
<listitem>
<para>Name of a zone declared in shorewall-zones(5) or <emphasis
<para>Name of a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
role="bold">all</emphasis>.</para>
<para>If not <emphasis role="bold">all</emphasis>, may optionally be

View File

@ -151,7 +151,8 @@
<para>If you set the value of either option to "None" then no
default action will be used and the default action or macro must be
specified in shorewall-policy(5).</para>
specified in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
</listitem>
</varlistentry>
@ -161,8 +162,9 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the external address(es) in shorewall.nat(5). If the variable is set
to <emphasis role="bold">Yes</emphasis> or <emphasis
the external address(es) in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these aliases
@ -186,8 +188,9 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis
the SNAT ADDRESS in <ulink
url="shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
addresses. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these addresses
@ -212,12 +215,14 @@
<listitem>
<para>The value of this variable affects Shorewall's stopped state.
When ADMINISABSENTMINDES=No, only traffic to/from those addresses
listed in shorewall-routestopped(5) is accepted when Shorewall is
stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic
to/from addresses in shorewall-routestopped(5), connections that
were active when Shorewall stopped continue to work and all new
connections from the firewall system itself are allowed. If this
variable is not set or is given the empty value then
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
in addition to traffic to/from addresses in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
connections that were active when Shorewall stopped continue to work
and all new connections from the firewall system itself are allowed.
If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para>
</listitem>
</varlistentry>
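Review bot: the unchanged context line "When ADMINISABSENTMINDES=No, only traffic to/from those addresses" still misspells the option name; since this hunk rewrites the rest of the paragraph anyway, change it to "ADMINISABSENTMINDED=No" so the two spellings in one sentence stop disagreeing. The new lines are otherwise consistent with the paragraph they replace, and the link targets match the shorewall-routestopped.html convention used elsewhere in the patch.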
@ -301,8 +306,9 @@
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
/etc/shorewall/tcstart file. That way, your traffic shaping rules
can still use the “fwmark” classifier based on packet marking
defined in shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is
assumed.</para>
defined in <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
specified, CLEAR_TC=Yes is assumed.</para>
</listitem>
</varlistentry>
@ -345,8 +351,9 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Users with a large static black list (shorewall-blacklist(5))
may want to set the DELAYBLACKLISTLOAD option to <emphasis
<para>Users with a large static black list (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)) may
want to set the DELAYBLACKLISTLOAD option to <emphasis
role="bold">Yes</emphasis>. When DELAYBLACKLISTLOAD=Yes, Shorewall
will enable new connections before loading the blacklist rules.
While this may allow connections from blacklisted hosts to slip by
@ -400,7 +407,8 @@
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of shorewall-rules(5).</para>
or RELATED sections of <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
</listitem>
</varlistentry>
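Review bot: the context line "If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets" carries a typo that this hunk could have picked up while it was touching the paragraph; "RELEATED" should read "RELATED", matching the section names ("ESTABLISHED or RELATED sections") two lines below.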
@ -410,8 +418,9 @@
<listitem>
<para>Prior to version 3.2.0, it was not possible to use connection
marking in /etc/shorewall/tcrules if you have a multi-ISP
configuration that uses the track option.</para>
marking in <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you
have a multi-ISP configuration that uses the track option.</para>
<para>Beginning with release 3.2.0, you may now set
HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and
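Review bot: the trailing context line "HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and" has a stray "in"; it should read "you may now set HIGH_ROUTE_MARKS=Yes to effectively divide the packet mark". The link to shorewall-tcrules.html added above is fine and matches the CLEAR_TC hunk.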
@ -457,10 +466,11 @@
differently with respect to policies.</para>
<para>Subzones are defined by following their name with ":" and a
list of parent zones (in /etc/shorewall/zones). Normally, you want
to have a set of special rules for the subzone and if a connection
doesn't match any of those subzone-specific rules then you want the
parent zone rules and policies to be applied. With
list of parent zones (in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
you want to have a set of special rules for the subzone and if a
connection doesn't match any of those subzone-specific rules then
you want the parent zone rules and policies to be applied. With
IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -553,8 +563,8 @@
<emphasis role="bold">No</emphasis> which sets both of the above to
zero. If you do not enable martian logging for all interfaces, you
may still enable it for individual interfaces using the <emphasis
role="bold">logmartians</emphasis> interface option in
shorewall-interfaces(5).</para>
role="bold">logmartians</emphasis> interface option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>
@ -726,8 +736,10 @@
<listitem>
<para>The performance of configurations with a large numbers of
entries in /etc/shorewall/maclist can be improved by setting the
MACLIST_TTL variable in shorewall.conf(5).</para>
entries in <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
improved by setting the MACLIST_TTL variable in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>If your iptables and kernel support the "Recent Match" (see
the output of "shorewall check" near the top), you can cache the
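Review bot: the new line "improved by setting the MACLIST_TTL variable in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)" links the shorewall.conf manpage to itself, since this hunk is inside shorewall.conf(5); plain "shorewall.conf(5)" text (or simply "this file") would avoid a self-referencing link. While here, the context line "a large numbers of entries" should be "a large number of entries".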
@ -736,13 +748,14 @@
<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
shorewall-maclist(5). If there is a match then the source IP address
is added to the 'Recent' set for that interface. Subsequent
connection attempts from that IP address occurring within
$MACLIST_TTL seconds will be accepted without having to scan all of
the entries. After $MACLIST_TTL from the first accepted connection
request from an IP address, the next connection request from that IP
address will be checked against the entire list.</para>
<ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
there is a match then the source IP address is added to the 'Recent'
set for that interface. Subsequent connection attempts from that IP
address occurring within $MACLIST_TTL seconds will be accepted
without having to scan all of the entries. After $MACLIST_TTL from
the first accepted connection request from an IP address, the next
connection request from that IP address will be checked against the
entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
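Review bot: two pre-existing defects survive in this hunk's context lines: "packet passes through then list of entries" should be "the list of entries", and the trailing line "(e.g, MACLIST_TTL="" or is specified as zero then" opens a parenthesis that is never closed (the close belongs after MACLIST_TTL=""). Both are in lines the hunk already surrounds, so fixing them here would keep the paragraph consistent with the rewritten sentences.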
@ -913,16 +926,18 @@
<listitem>
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and
shorewall-masq(5) are processed then are re-added later. This is
done to help ensure that the addresses can be added with the
specified labels but can have the undesirable side effect of causing
routes to be quietly deleted. When RETAIN_ALIASES is set to Yes,
existing addresses will not be deleted. Regardless of the setting of
RETAIN_ALIASES, addresses added during <emphasis
role="bold">shorewall start</emphasis> are still deleted at a
subsequent <emphasis role="bold">shorewall stop</emphasis> or
<emphasis role="bold">shorewall restart</emphasis>.</para>
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
then are re-added later. This is done to help ensure that the
addresses can be added with the specified labels but can have the
undesirable side effect of causing routes to be quietly deleted.
When RETAIN_ALIASES is set to Yes, existing addresses will not be
deleted. Regardless of the setting of RETAIN_ALIASES, addresses
added during <emphasis role="bold">shorewall start</emphasis> are
still deleted at a subsequent <emphasis role="bold">shorewall
stop</emphasis> or <emphasis role="bold">shorewall
restart</emphasis>.</para>
</listitem>
</varlistentry>
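Review bot: the context line "<emphasis role="bold">shorewall star</emphasis>t, IP" closes the emphasis element one character early, so the rendered manpage shows "shorewall star" in bold followed by a plain "t"; move the closing tag after "start" so it matches the "shorewall start" markup used in the new lines of this same hunk.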
@ -1018,8 +1033,10 @@
<listitem>
<para>Specifies the logging level for smurf packets (see the
nosmurfs option in /etc/shorewall/interfaces). If set to the empty
value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged.</para>
nosmurfs option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.</para>
</listitem>
</varlistentry>
@ -1081,8 +1098,8 @@
<listitem>
<para>Normally, Shorewall tries to protect users from themselves by
preventing PREROUTING and OUTPUT tcrules from being applied to
packets that have been marked by the 'track' option in
shorewall-providers(5).</para>
packets that have been marked by the 'track' option in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
Shorewall will not include these cautionary checks.</para>
@ -1099,11 +1116,12 @@
<listitem>
<para>Determines the disposition of TCP packets that fail the checks
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
option (see shorewall-interfaces(5)) and must have a value of ACCEPT
(accept the packet), REJECT (send an RST response) or DROP (ignore
the packet). If not set or if set to the empty value (e.g.,
TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is
assumed.</para>
option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
must have a value of ACCEPT (accept the packet), REJECT (send an RST
response) or DROP (ignore the packet). If not set or if set to the
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
</listitem>
</varlistentry>


@ -443,7 +443,8 @@
the command produces. They consist of a sequence of the letters <emphasis
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in shorewall.conf(5). Each <emphasis
the VERBOSITY parameter in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY.</para>
@ -463,8 +464,9 @@
with VPN's.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the shorewall-interfaces(5) file. A
<emphasis>host-list</emphasis> is comma-separated list whose
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are:</para>
<programlisting> A host or network address
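Review bot: the new line "file. A <emphasis>host-list</emphasis> is comma-separated list whose" copies the missing article from the old text; it should read "is a comma-separated list whose". The same sentence appears in the delete command hunk below, so both copies should be fixed together.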
@ -541,8 +543,9 @@
role="bold">add</emphasis> command.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the shorewall-interfaces(5) file. A
<emphasis>host-list</emphasis> is comma-separated list whose
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are:</para>
<programlisting> A host or network address
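Review bot: same wording problem as in the add command hunk above: the new line "file. A <emphasis>host-list</emphasis> is comma-separated list whose" needs "is a comma-separated list". Since this hunk is otherwise identical to the one for add, consider making the two paragraphs an entity or shared fragment so they cannot drift apart.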
@ -605,7 +608,8 @@
<listitem>
<para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
given then the file specified by RESTOREFILE in shorewall.conf(5) is
given then the file specified by RESTOREFILE in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) is
assumed.</para>
</listitem>
</varlistentry>
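Review bot: the context line "Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and" misplaces the closing emphasis tag, so "filenam" is rendered in italics and "e" in plain text; it should be "<emphasis>filename</emphasis>". The same markup error is visible in the shorewall-lite version of this paragraph, so it is worth fixing in both files.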
@ -703,11 +707,12 @@
<term><emphasis role="bold">logwatch</emphasis></term>
<listitem>
<para>Monitors the log file specified by theLOGFILE option in
shorewall.conf(5) and produces an audible alarm when new Shorewall
messages are logged. The <emphasis role="bold">-m</emphasis> option
causes the MAC address of each packet source to be displayed if that
information is available.</para>
<para>Monitors the log file specified by theLOGFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and produces an
audible alarm when new Shorewall messages are logged. The <emphasis
role="bold">-m</emphasis> option causes the MAC address of each
packet source to be displayed if that information is
available.</para>
</listitem>
</varlistentry>
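Review bot: the new line "<para>Monitors the log file specified by theLOGFILE option in <ulink" carries the old text's missing space; it should read "the LOGFILE option". The rewrapped lines that follow are otherwise faithful to the original sentence.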
@ -806,8 +811,8 @@
file in /var/lib/shorewall created using <emphasis
role="bold">shorewall save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall will be
restored from the file specified by the RESTOREFILE option in
shorewall.conf(5).</para>
restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -852,8 +857,8 @@
<emphasis role="bold">shorewall restore</emphasis> and <emphasis
role="bold">shorewall -f start</emphasis> commands. If
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in
shorewall.conf(5).</para>
in the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -998,9 +1003,9 @@
will look in that <emphasis>directory</emphasis> first for
configuration files.If <emphasis role="bold">-f</emphasis> is
specified, the saved configuration specified by the RESTOREFILE
option in shorewall.conf(5) will be restored if that saved
configuration exists and has been modified more recently than the
files in /etc/shorewall.</para>
option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)
will be restored if that saved configuration exists and has been
modified more recently than the files in /etc/shorewall.</para>
</listitem>
</varlistentry>
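Review bot: the context line "configuration files.If <emphasis role="bold">-f</emphasis> is" is missing the space after the period ("configuration files. If"). The replacement lines correctly preserve the condition that the saved configuration is only restored when it is newer than the files in /etc/shorewall, which is the behaviour a reader of -f needs to see.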
@ -1009,11 +1014,14 @@
<listitem>
<para>Stops the firewall. All existing connections, except those
listed in shorewall-routestopped(5) or permitted by the
ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The
only new traffic permitted through the firewall is from systems
listed in shorewall-routestopped(5) or by
ADMINISABSENTMINDED.</para>
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
The only new traffic permitted through the firewall is from systems
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
</listitem>
</varlistentry>