diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 62c4cfedf..e87c09dd4 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -186,8 +186,8 @@
configuring Shorewall on the firewall system itself).
It's a good idea to include the IP address of the administrative
system in the routestopped
- file.
+ url="manpages/shorewall-stoppedrules.html">stoppedrules
+ file.
It is important to understand that with Shorewall Lite,
the firewall's export directory on the administrative system
@@ -493,7 +493,7 @@ clean:
Be sure that the IP address of the administrative system is
included in the firewall's export directory
- routestopped file.
+ stoppedrules file.
shorewall stop
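Review bot: "included in the firewall's export directory stoppedrules file" should say what kind of entry is required; the starting_and_stopping_shorewall.xml hunk of this patch states that only traffic allowed by ACCEPT entries is passed when stopped, so suggest "has an ACCEPT entry in the firewall's export directory stoppedrules file" immediately before the "shorewall stop" that follows.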
@@ -514,7 +514,7 @@ clean:
It's a good idea to include the IP address of the
administrative system in the firewall system's routestopped
+ url="manpages/shorewall-stoppedrules.html">stoppedrules
file.
Also, edit the shorewall.conf file in
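Review bot: as in the first hunk of this file, the context line ending "firewall system's routestopped" is followed by the added "stoppedrules" link text, and no removal of the old link text is visible; make sure the old line is deleted here too, otherwise both names appear in the rendered sentence.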
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 2538b1496..605176903 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -247,7 +247,7 @@ DNAT net:address loc:local-IP-address
You are trying to test from inside your firewall (no, that
- won't work -- see ).
+ won't work -- see ).
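Review bot: the removed and added lines are identical in their visible text, so the change is confined to the cross-reference target; please name the new linkend in the commit message or confirm it resolves, because nothing in this hunk shows where "see" now points.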
@@ -2029,7 +2029,7 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times
ADMINISABSENTMINDED in shorewall.conf (5) and the
contents of shorewall-routestopped
+ url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules
(5). To totally open the firewall, use the clear
command.
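Review bot: the context line "contents of shorewall-routestopped" directly precedes the added "shorewall-stoppedrules" link text, and no removed line is visible; confirm the old link text line is dropped so the sentence reads "the contents of shorewall-stoppedrules(5)" once, not both names in a row.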
@@ -2138,8 +2138,8 @@ Creating input Chains...
/sbin/shorewall stop places the firewall in a
safe state, the details of which depend on your
- /etc/shorewall/routestopped file (shorewall-routestopped(5))
+ /etc/shorewall/stoppedrules file (shorewall-stoppedrules(5))
and on the setting of ADMINISABSENTMINDED in
/etc/shorewall/shorewall.conf (shorewall.conf(5)).
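Review bot: the rename in "/etc/shorewall/stoppedrules file (shorewall-stoppedrules(5))" is consistent with the manpage section number used elsewhere in this patch; since this FAQ entry explains what "safe state" means, consider adding the qualifier used in the starting_and_stopping_shorewall.xml hunk, namely that only traffic allowed by ACCEPT entries in that file is passed, so readers do not assume any listed host keeps access.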
@@ -3065,7 +3065,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
Persistent SNAT: Available
gateway:~#
-
+
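Review bot: the removed and added lines of this hunk carry no visible content, so this is a whitespace-only change; consider moving it (and the similar hunks in shorewall_setup_guide.xml and standalone.xml) into a separate formatting commit so the routestopped-to-stoppedrules rename stays reviewable on its own.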
diff --git a/docs/Manpages.xml b/docs/Manpages.xml
index 45c1fb040..48a8d7bae 100644
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -37,7 +37,7 @@
These manpages are for Shorewall 5.0 and later only. They describe
features and options not available on earlier releases. The manpages for
- Shorewall 4.4-4.6 are available
+ Shorewall 4.4-4.6 are available
here.
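Review bot: the removed and added lines are identical in visible text, so only the ulink url changed; the Manpages6.xml hunk of this patch uses "/manpages4/Manpages.html" for the same link, so please confirm this one uses the same target and the same (absolute or relative) path form.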
diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml
index d4042fc5f..8dd027b3d 100644
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -38,7 +38,7 @@
These manpages are for Shorewall6 5.0 and later only. They describe
features and options not available on earlier releases.The manpages for
Shorewall 4.4-4.6 are available here.
+ url="/manpages4/Manpages.html">here.
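Review bot: the added link uses an absolute path ("/manpages4/Manpages.html") while the other links added by this patch use relative paths ("manpages/shorewall-stoppedrules.html"); pick one form so the pages work when the docs are served from a subdirectory. Since this sentence is being edited anyway, also insert the missing space in the context line "earlier releases.The manpages", and confirm the old "here." link line is removed, as only the added line is visible.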
diff --git a/docs/Shorewall-Lite.xml b/docs/Shorewall-Lite.xml
index b6ffb6411..4ab0995c4 100644
--- a/docs/Shorewall-Lite.xml
+++ b/docs/Shorewall-Lite.xml
@@ -191,7 +191,7 @@
configuring Shorewall on the firewall system itself).
It's a good idea to include the IP address of the administrative
system in the routestopped
+ url="manpages/shorewall-stoppedrules.html">stoppedrules
file.
It is important to understand that with Shorewall Lite,
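Review bot: this text duplicates the CompiledPrograms.xml paragraph and has the same issue: the context line "system in the routestopped" is immediately followed by the added "stoppedrules" link text with no removed line visible. Confirm the old link text is deleted, and say "add an ACCEPT entry for the IP address of the administrative system" rather than "include the IP address", matching the ACCEPT wording used in the shorewall_setup_guide.xml hunk of this patch.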
@@ -412,7 +412,7 @@
Be sure that the IP address of the administrative system is
included in the firewall's export directory
- routestopped file.
+ stoppedrules file.
shorewall stop
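Review bot: "included in the firewall's export directory stoppedrules file" should specify an ACCEPT entry, as the starting_and_stopping_shorewall.xml hunk does ("Only traffic allowed by ACCEPT entries"); this is the sentence a reader checks before running the "shorewall stop" shown next.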
@@ -433,7 +433,7 @@
It's a good idea to include the IP address of the
administrative system in the firewall system's routestopped
+ url="manpages/shorewall-stoppedrules.html">stoppedrules
file.
Also, edit the shorewall.conf file in
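Review bot: the context line "administrative system in the firewall system's routestopped" precedes the added "stoppedrules" link text and no removal is visible; make sure the old link text line is deleted so the rendered sentence names the file once.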
diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index 4640fc04f..468761d07 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -146,8 +146,10 @@ ACCEPT net:+sshok $FW tcp 22
You cannot use an ipset in shorewall-stoppedrules
+ (5) (shorewall-routestopped
- (5).
+ (5)).
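Review bot: keeping "(shorewall-routestopped(5))" in parentheses after "shorewall-stoppedrules(5)" reads as two distinct files that both reject ipsets; if the intent is to help readers who know the old name, write "(formerly shorewall-routestopped(5))", otherwise drop the parenthetical as the other hunks in this patch do.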
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index dae67b5b1..7ffbe4620 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -174,8 +174,8 @@ esac
indeterminate. So if you have ADMINISABSENTMINDED=No in shorewall.conf(8) and
output on an interface is not allowed by routestopped(8) then
- the isuasable script must blow it's own holes in the firewall
+ url="manpages/shorewall-stoppedrules.html">stoppedrules(8)
+ then the isuasable script must blow it's own holes in the firewall
before probing.
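Review bot: the added line cites "stoppedrules(8)", but every other hunk in this patch cites the file as shorewall-stoppedrules(5), and the context line "shorewall.conf(8)" likewise disagrees with the "shorewall.conf(5)" used in the FAQ.xml hunks; make the section numbers consistent. On the added line "then the isuasable script must blow it's own holes", "isuasable" looks like a typo for "isusable" and "it's" should be "its". The context line "not allowed by routestopped(8)" is also still present before the added "stoppedrules(8)" link, so confirm the old line is removed.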
diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml
index a83bc3b1f..de44d7869 100644
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -67,7 +67,7 @@
yourself with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with .
+ fileref="images/BD21298_.gif"/>.
@@ -96,7 +96,7 @@
Shorewall Concepts
-
+
The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for most setups,
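Review bot: the removed and added lines here carry no visible content, and the same pattern repeats in most of the remaining hunks of this file; these whitespace-only changes would be easier to review as a separate commit from the routestopped-to-stoppedrules rename.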
@@ -195,7 +195,7 @@ dmz ipv4
the Internet zone or because that is the
DMZ
.
-
+
Edit the /etc/shorewall/zones file and make any changes
necessary.
@@ -304,7 +304,7 @@ all all REJECT info
-
+
At this point, edit your /etc/shorewall/policy
and make any changes that you wish.
@@ -338,7 +338,7 @@ all all REJECT info
-
+
The simplest way to define zones is to associate the zone name
(previously defined in /etc/shorewall/zones) with a network interface.
@@ -357,7 +357,7 @@ all all REJECT info
external interface will be ippp0.
-
+
If your external interface is ppp0 or
Note that the $FW zone has no entry
in the /etc/shorewall/interfaces file.
-
+
Edit the /etc/shorewall/interfaces file and
define the network interfaces on your firewall and associate each
@@ -441,7 +441,7 @@ loc eth1 detect
loc eth2 detect
-
+
You may define more complicated zones using the /etc/shorewall/hosts
@@ -1231,7 +1231,7 @@ tcpdump: listening on eth2
Before we begin, there is one thing for you to check:
-
+
If you are using the Debian package, please check your
shorewall.conf file to ensure that the following are set correctly; if
@@ -1254,7 +1254,7 @@ tcpdump: listening on eth2
this many IP addresses, you are able to subnet your /28 into two /29's
and set up your network as shown in the following diagram.
-
+
Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
@@ -1362,19 +1362,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
address and the source IP address of Internet requests sent from that
zone.
-
+
The local zone has been subnetted as 192.168.201.0/29 (netmask
255.255.255.248).
-
+
The systems in the local zone would be configured with a
default gateway of 192.168.201.1 (the IP address of the firewall's
local interface).
-
+
SNAT is configured in Shorewall using the /etc/shorewall/masq
@@ -1401,7 +1401,7 @@ eth0 192.168.201.0/29 192.0.2.176
systems do not have a public IP address. DNAT provides a way to allow
selected connections from the Internet.
-
+
Suppose that your daughter wants to run a web server on her
system Local 3
. You could allow connections to the
@@ -1475,7 +1475,7 @@ DNAT net loc:192.168.201.4 tcp www
Let us suppose that we decide to use Proxy ARP on the DMZ in our
example network.
-
+
Here, we've assigned the IP addresses 192.0.2.177 to system DMZ
1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an
@@ -1483,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www
the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.
-
+
The Shorewall configuration of Proxy ARP is done using the/etc/shorewall/proxyarp
@@ -1591,7 +1591,7 @@ DNAT net loc:192.168.201.4 tcp www
example involving your daughter's web server running on system Local
3.
-
+
Recall that in this setup, the local network is using SNAT and
is sharing the firewall external IP (192.0.2.176) for outbound
@@ -1601,7 +1601,7 @@ DNAT net loc:192.168.201.4 tcp www
#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176
-
+
Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections.
@@ -1615,7 +1615,7 @@ eth0 192.168.201.0/29 192.0.2.176
and the other two local systems share the firewall's IP
address.
-
+
Once the relationship between 192.0.2.179 and 192.168.201.4 is
established by the nat file entry above, it is no longer appropriate
@@ -1708,7 +1708,7 @@ ACCEPT net loc:192.168.201.4 tcp www
not use those macros but rather defines the rules directly.
-
+
With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the Internet and the
@@ -1799,7 +1799,7 @@ ACCEPT net $FW tcp ssh #SSH to the
prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have its own public IP.
-
+
If you haven't already, it would be a good idea to browse through
The firewall is started using the shorewall start
command and stopped using shorewall stop
. When the firewall
- is stopped, routing is enabled on those hosts that have an entry in
+ is stopped, routing is enabled on those hosts that have an ACCEPT entry in
/etc/shorewall/routestopped.
+ url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules.
A running firewall may be restarted using the shorewall
restart
command. If you want to totally remove any trace of
Shorewall from your Netfilter configuration, use shorewall
clear
.
-
+
Edit the /etc/shorewall/routestopped
- file and configure those systems that you want to be able to access the
- firewall when it is stopped.
+ url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules
+ file and add ACCEPT rules for those systems that you want to be able to
+ access the firewall when it is stopped.
If you are connected to your firewall from the Internet, do not
issue a shorewall stop
command unless you have added an
- entry for the IP address that you are connected from to /etc/shorewall/routestopped.
+ ACCEPT entry for the IP address that you are connected from to
+ /etc/shorewall/stoppedrules.
Also, I don't recommend using shorewall restart
; it is
better to create an an alternate
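Review bot: the added line "is stopped, routing is enabled on those hosts that have an ACCEPT entry in" keeps the word "routing", whereas the standalone.xml hunk of this patch changes the equivalent sentence to "traffic is enabled"; use "traffic" here as well, since stoppedrules entries decide which traffic is accepted while stopped, not whether routing is on. The context line "/etc/shorewall/routestopped." is still visible right after the added "/etc/shorewall/stoppedrules." link, so confirm the old path line is removed. Making the ACCEPT requirement explicit in "add ACCEPT rules for those systems" and "ACCEPT entry for the IP address that you are connected from" is the right call and should be mirrored in the CompiledPrograms.xml and Shorewall-Lite.xml hunks. Minor: the context line "better to create an an alternate" has a duplicated "an".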
diff --git a/docs/standalone.xml b/docs/standalone.xml
index 96dd2aa8c..d47e46754 100644
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -119,19 +119,18 @@
Conventions
Points at which configuration changes are recommended are flagged
- with .
+ with .
Configuration notes that are unique to Debian and it's derivatives
are marked with .
+ format="GIF"/>.
PPTP/ADSL
-
+
If you have an ADSL Modem and you use
PPTP to communicate with a server in that modem, you
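Review bot: the visible change adds format="GIF" to the image element; while this sentence is being touched, fix the context line "Debian and it's derivatives" to "its derivatives". The hunk header (-19 +18) indicates one net line removed, but no removed content line is visible, so please confirm nothing other than whitespace was dropped.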
@@ -144,7 +143,7 @@
Shorewall Concepts
-
+
The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple
@@ -177,7 +176,7 @@
-
If
+
If
you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/one-interface..
@@ -352,7 +351,7 @@ root@lists:~#
the external interface.
-
+
The Shorewall one-interface sample configuration assumes that the
external interface is eth0. If
@@ -460,7 +459,7 @@ root@lists:~#
-
+
If you are running a distribution that logs Netfilter messages to a
log other than /var/log/messages, then modify the
@@ -500,7 +499,7 @@ root@lists:~#
/usr/share/shorewall/modules then copy the file to
/etc/shorewall and modify the copy.
-
+
Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -571,7 +570,7 @@ ACCEPT net $FW tcp 143
SSH(ACCEPT) net $FW
-
+
At this point, edit /etc/shorewall/rules to add
other connections as desired.
@@ -580,7 +579,7 @@ SSH(ACCEPT) net $FW
Starting and Stopping Your Firewall
-
+
The installation procedure
configures your system to start Shorewall at system boot but startup is
@@ -588,7 +587,7 @@ SSH(ACCEPT) net $FW
configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.
+ fileref="images/openlogo-nd-25.png"/>
Users of the .deb package must edit
@@ -610,7 +609,7 @@ SSH(ACCEPT) net $FW
The firewall is started using the shorewall
start
command and stopped using
shorewall stop
. When the firewall is
- stopped, routing is enabled on those hosts that have an entry in
+ stopped, traffic is enabled on those hosts that have an entry in
/etc/shorewall/stoppedrules
(
systemctl disable iptables.service
-
+
At this point, disable your existing firewall service.
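Review bot: the added line "stopped, traffic is enabled on those hosts that have an entry in /etc/shorewall/stoppedrules" should read "an ACCEPT entry", matching the shorewall_setup_guide.xml and starting_and_stopping_shorewall.xml hunks of this patch, which state that only traffic allowed by ACCEPT entries is passed; the "traffic is enabled" wording itself is the better one and should be applied to the setup guide sentence that still says "routing is enabled".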
diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml
index 317db0f03..dc514a74e 100644
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@@ -151,7 +151,7 @@
all Netfilter rules and open your firewall for all traffic to pass.
It rather places your firewall in a safe state defined by the
contents of your /etc/shorewall/routestopped
+ url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules
file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf.
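Review bot: the context line "contents of your /etc/shorewall/routestopped" directly precedes the added "/etc/shorewall/stoppedrules" link text and no removed line is visible; confirm the old path line is deleted so the sentence names the file once.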
@@ -638,8 +638,8 @@
firewall stop
- Only traffic to/from hosts listed in
- /etc/shorewall/routestopped is passed to/from/through the
+ Only traffic allowed by ACCEPT entries in
+ /etc/shorewall/stoppedrules is passed to/from/through the
firewall. If ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf then in addition, all existing
connections are retained and all connection requests from the
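Review bot: "Only traffic allowed by ACCEPT entries in /etc/shorewall/stoppedrules is passed" is the most precise description of the stopped state in this patch and should be the reference wording; several other hunks (CompiledPrograms.xml, Shorewall-Lite.xml, standalone.xml) still say a host merely needs to be "included" or to "have an entry", which would mislead an administrator who adds a non-ACCEPT rule and expects to keep access after "shorewall stop".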