Updates for routestopped -> stoppedrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-10-05 07:51:43 -07:00
parent 0385b2cd37
commit 89122c0d55
10 changed files with 65 additions and 63 deletions

View File

@ -186,8 +186,8 @@
configuring Shorewall on the firewall system itself</emphasis>). configuring Shorewall on the firewall system itself</emphasis>).
It's a good idea to include the IP address of the administrative It's a good idea to include the IP address of the administrative
system in the <ulink system in the <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules
file</ulink>.</para> </filename> file</ulink>.</para>
<para>It is important to understand that with Shorewall Lite, <para>It is important to understand that with Shorewall Lite,
the firewall's export directory on the administrative system the firewall's export directory on the administrative system
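Review bot: The reworded sentence still tells the reader only to "include the IP address of the administrative system" in the stoppedrules file, while the Shorewall setup-guide hunks later in this same change were deliberately altered from "an entry" to "an ACCEPT entry". Suggest the same wording here, e.g. "include an ACCEPT entry for the IP address of the administrative system in the stoppedrules file", so the Lite guide does not imply that a bare address is enough; the same applies to the two following hunks in this file ("included in the firewall's export directory stoppedrules file").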
@ -493,7 +493,7 @@ clean:
<para>Be sure that the IP address of the administrative system is <para>Be sure that the IP address of the administrative system is
included in the firewall's export directory included in the firewall's export directory
<filename>routestopped</filename> file.</para> <filename>stoppedrules</filename> file.</para>
<programlisting><command>shorewall stop</command></programlisting> <programlisting><command>shorewall stop</command></programlisting>
@ -514,7 +514,7 @@ clean:
<para>It's a good idea to include the IP address of the <para>It's a good idea to include the IP address of the
administrative system in the firewall system's <ulink administrative system in the firewall system's <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
file</ulink>.</para> file</ulink>.</para>
<para>Also, edit the <filename>shorewall.conf</filename> file in <para>Also, edit the <filename>shorewall.conf</filename> file in

View File

@ -247,7 +247,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>You are trying to test from inside your firewall (no, that <para>You are trying to test from inside your firewall (no, that
won't work -- see <xref linkend="faq2" />).</para> won't work -- see <xref linkend="faq2"/>).</para>
</listitem> </listitem>
<listitem> <listitem>
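Review bot: This hunk only changes `<xref linkend="faq2" />` to `<xref linkend="faq2"/>`, a whitespace-only reserialisation with no effect on the rendered output. It is unrelated to the routestopped -> stoppedrules rename named in the commit message and adds noise to the review; suggest leaving such lines untouched or committing editor reformatting separately.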
@ -2029,7 +2029,7 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times</programlisting>
ADMINISABSENTMINDED in <ulink ADMINISABSENTMINDED in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and the url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and the
contents of <ulink contents of <ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink> url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>
(5). To totally open the firewall, use the <command>clear</command> (5). To totally open the firewall, use the <command>clear</command>
command.</para> command.</para>
</section> </section>
@ -2138,8 +2138,8 @@ Creating input Chains...
<para><command>/sbin/shorewall stop</command> places the firewall in a <para><command>/sbin/shorewall stop</command> places the firewall in a
<firstterm>safe state</firstterm>, the details of which depend on your <firstterm>safe state</firstterm>, the details of which depend on your
<filename>/etc/shorewall/routestopped</filename> file (<ulink <filename>/etc/shorewall/stoppedrules</filename> file (<ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)) url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5))
and on the setting of ADMINISABSENTMINDED in and on the setting of ADMINISABSENTMINDED in
<filename>/etc/shorewall/shorewall.conf</filename> (<ulink <filename>/etc/shorewall/shorewall.conf</filename> (<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para> url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
@ -3065,7 +3065,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
Persistent SNAT: Available Persistent SNAT: Available
gateway:~# </programlisting> gateway:~# </programlisting>
<para></para> <para/>
</section> </section>
<section id="faq19"> <section id="faq19">

View File

@ -37,7 +37,7 @@
<warning> <warning>
<para>These manpages are for Shorewall 5.0 and later only. They describe <para>These manpages are for Shorewall 5.0 and later only. They describe
features and options not available on earlier releases. The manpages for features and options not available on earlier releases. The manpages for
Shorewall 4.4-4.6 are available<ulink url="/Manpages4/Manpages.html"> Shorewall 4.4-4.6 are available<ulink url="/manpages4/Manpages.html">
here</ulink>.</para> here</ulink>.</para>
</warning> </warning>
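Review bot: The URL change from `/Manpages4/Manpages.html` to `/manpages4/Manpages.html` is a case-only change that the commit message ("routestopped -> stoppedrules") does not mention; please confirm the directory on the web server is really lower-case, since on a case-sensitive server one of the two spellings is a dead link. While this line is being edited, `are available<ulink url="/manpages4/Manpages.html">here</ulink>` has no space before the link and renders as "availablehere"; suggest `are available <ulink ...>here</ulink>`.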

View File

@ -38,7 +38,7 @@
<para>These manpages are for Shorewall6 5.0 and later only. They describe <para>These manpages are for Shorewall6 5.0 and later only. They describe
features and options not available on earlier releases.The manpages for features and options not available on earlier releases.The manpages for
Shorewall 4.4-4.6 are available <ulink Shorewall 4.4-4.6 are available <ulink
url="/Manpages4/Manpages.html">here</ulink>.</para> url="/manpages4/Manpages.html">here</ulink>.</para>
</warning> </warning>
<section id="Section5"> <section id="Section5">
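Review bot: Same undocumented case-only URL change as in the previous file; see the note there. The unchanged context line reads "earlier releases.The manpages" with no space after the full stop; suggest fixing it while this paragraph is being edited.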

View File

@ -191,7 +191,7 @@
configuring Shorewall on the firewall system itself</emphasis>). configuring Shorewall on the firewall system itself</emphasis>).
It's a good idea to include the IP address of the administrative It's a good idea to include the IP address of the administrative
system in the <ulink system in the <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
file</ulink>.</para> file</ulink>.</para>
<para>It is important to understand that with Shorewall Lite, <para>It is important to understand that with Shorewall Lite,
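Review bot: As in the first file, "include the IP address of the administrative system in the stoppedrules file" should say "include an ACCEPT entry for the IP address ...", matching the "an ACCEPT entry" wording adopted in the setup guides later in this change; the same applies to the two following hunks in this file.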
@ -412,7 +412,7 @@
<para>Be sure that the IP address of the administrative system is <para>Be sure that the IP address of the administrative system is
included in the firewall's export directory included in the firewall's export directory
<filename>routestopped</filename> file.</para> <filename>stoppedrules</filename> file.</para>
<programlisting><command>shorewall stop</command></programlisting> <programlisting><command>shorewall stop</command></programlisting>
@ -433,7 +433,7 @@
<para>It's a good idea to include the IP address of the <para>It's a good idea to include the IP address of the
administrative system in the firewall system's <ulink administrative system in the firewall system's <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
file</ulink>.</para> file</ulink>.</para>
<para>Also, edit the <filename>shorewall.conf</filename> file in <para>Also, edit the <filename>shorewall.conf</filename> file in

View File

@ -146,8 +146,10 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<listitem> <listitem>
<para>You cannot use an ipset in <ulink <para>You cannot use an ipset in <ulink
url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink>
(5) (<ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink> url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
(5).</para> (5)).</para>
</listitem> </listitem>
<listitem> <listitem>
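Review bot: The new link target `url="manpages/shorewall-stoppedulres.html"` misspells the manpage name (transposed letters) and will be a dead link; every other hunk in this change uses `manpages/shorewall-stoppedrules.html`, so please use that here. The resulting sentence also reads "shorewall-stoppedrules (5) (shorewall-routestopped (5))"; if the intent is that the restriction applies to both files, "or" would be clearer than nesting the second reference in parentheses.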

View File

@ -174,8 +174,8 @@ esac</programlisting><caution>
indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink output on an interface is not allowed by <ulink
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>(8)
the isuasable script must blow it's own holes in the firewall then the isuasable script must blow it's own holes in the firewall
before probing.</para> before probing.</para>
</caution></para> </caution></para>
</listitem> </listitem>
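Review bot: The manpage section numbers in this hunk are inconsistent with the rest of the change: it renders "shorewall.conf(8)" and "stoppedrules(8)", while the other hunks cite shorewall-stoppedrules(5) and shorewall.conf(5); suggest (5) here as well. Since the line is being touched anyway, "isuasable script" looks like a typo for the script name and "blow it's own holes" should be "blow its own holes".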

View File

@ -67,7 +67,7 @@
yourself with what's involved then go back through it again making your yourself with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are configuration changes. Points at which configuration changes are
recommended are flagged with <inlinegraphic recommended are flagged with <inlinegraphic
fileref="images/BD21298_.gif" />.</para> fileref="images/BD21298_.gif"/>.</para>
</caution> </caution>
<caution> <caution>
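Review bot: This hunk and most of the following hunks in this file (the `<inlinegraphic .../>` and `<graphic .../>` lines) only drop the space before `/>`. They are whitespace-only editor reserialisation with no effect on rendering, unrelated to the routestopped -> stoppedrules rename, and they bury the two substantive hunks in this file; suggest reverting them or committing the reformatting separately.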
@ -96,7 +96,7 @@
<section id="Concepts"> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>The configuration files for Shorewall are contained in the directory <para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for most setups, <filename class="directory">/etc/shorewall</filename> -- for most setups,
@ -195,7 +195,7 @@ dmz ipv4</programlisting>
the Internet zone</quote> or <quote>because that is the the Internet zone</quote> or <quote>because that is the
DMZ</quote>.</para> DMZ</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Edit the /etc/shorewall/zones file and make any changes <para>Edit the /etc/shorewall/zones file and make any changes
necessary.</para> necessary.</para>
@ -304,7 +304,7 @@ all all REJECT info</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, edit your <filename>/etc/shorewall/policy <para>At this point, edit your <filename>/etc/shorewall/policy
</filename>and make any changes that you wish.</para> </filename>and make any changes that you wish.</para>
@ -338,7 +338,7 @@ all all REJECT info</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<graphic align="center" fileref="images/dmz3.png" /> <graphic align="center" fileref="images/dmz3.png"/>
<para>The simplest way to define zones is to associate the zone name <para>The simplest way to define zones is to associate the zone name
(previously defined in /etc/shorewall/zones) with a network interface. (previously defined in /etc/shorewall/zones) with a network interface.
@ -357,7 +357,7 @@ all all REJECT info</programlisting>
external interface will be <filename external interface will be <filename
class="devicefile">ippp0</filename>.</para> class="devicefile">ippp0</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>If your external interface is <filename <para>If your external interface is <filename
class="devicefile">ppp0</filename> or <filename class="devicefile">ppp0</filename> or <filename
@ -424,7 +424,7 @@ dmz eth2 detect</programlisting>
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry <para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para> in the /etc/shorewall/interfaces file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Edit the <filename>/etc/shorewall/interfaces</filename> file and <para>Edit the <filename>/etc/shorewall/interfaces</filename> file and
define the network interfaces on your firewall and associate each define the network interfaces on your firewall and associate each
@ -441,7 +441,7 @@ loc eth1 detect
loc eth2 detect</programlisting> loc eth2 detect</programlisting>
</example> </example>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>You may define more complicated zones using the<filename> <ulink <para>You may define more complicated zones using the<filename> <ulink
url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename> url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename>
@ -1231,7 +1231,7 @@ tcpdump: listening on eth2
<para>Before we begin, there is one thing for you to check:</para> <para>Before we begin, there is one thing for you to check:</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>If you are using the Debian package, please check your <para>If you are using the Debian package, please check your
shorewall.conf file to ensure that the following are set correctly; if shorewall.conf file to ensure that the following are set correctly; if
@ -1254,7 +1254,7 @@ tcpdump: listening on eth2
this many IP addresses, you are able to subnet your /28 into two /29's this many IP addresses, you are able to subnet your /28 into two /29's
and set up your network as shown in the following diagram.</para> and set up your network as shown in the following diagram.</para>
<graphic align="center" fileref="images/dmz4.png" /> <graphic align="center" fileref="images/dmz4.png"/>
<para>Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local <para>Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
@ -1362,19 +1362,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
address and the source IP address of Internet requests sent from that address and the source IP address of Internet requests sent from that
zone.</para> zone.</para>
<graphic align="center" fileref="images/dmz5.png" /> <graphic align="center" fileref="images/dmz5.png"/>
<para>The local zone has been subnetted as 192.168.201.0/29 (netmask <para>The local zone has been subnetted as 192.168.201.0/29 (netmask
255.255.255.248).</para> 255.255.255.248).</para>
<simplelist> <simplelist>
<member><inlinegraphic fileref="images/BD21298_.gif" /></member> <member><inlinegraphic fileref="images/BD21298_.gif"/></member>
<member>The systems in the local zone would be configured with a <member>The systems in the local zone would be configured with a
default gateway of 192.168.201.1 (the IP address of the firewall's default gateway of 192.168.201.1 (the IP address of the firewall's
local interface).</member> local interface).</member>
<member><inlinegraphic fileref="images/BD21298_.gif" /></member> <member><inlinegraphic fileref="images/BD21298_.gif"/></member>
<member>SNAT is configured in Shorewall using the <filename><ulink <member>SNAT is configured in Shorewall using the <filename><ulink
url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename> url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
@ -1401,7 +1401,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
systems do not have a public IP address. DNAT provides a way to allow systems do not have a public IP address. DNAT provides a way to allow
selected connections from the Internet.</para> selected connections from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Suppose that your daughter wants to run a web server on her <para>Suppose that your daughter wants to run a web server on her
system <quote>Local 3</quote>. You could allow connections to the system <quote>Local 3</quote>. You could allow connections to the
@ -1475,7 +1475,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>Let us suppose that we decide to use Proxy ARP on the DMZ in our <para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
example network.</para> example network.</para>
<graphic align="center" fileref="images/dmz6.png" /> <graphic align="center" fileref="images/dmz6.png"/>
<para>Here, we've assigned the IP addresses 192.0.2.177 to system DMZ <para>Here, we've assigned the IP addresses 192.0.2.177 to system DMZ
1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an
@ -1483,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
the firewall. That address and netmask isn't relevant - just be sure the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.</para> it doesn't overlap another subnet that you've defined.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>The Shorewall configuration of Proxy ARP is done using the<ulink <para>The Shorewall configuration of Proxy ARP is done using the<ulink
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink> url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
@ -1591,7 +1591,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
example involving your daughter's web server running on system Local example involving your daughter's web server running on system Local
3.</para> 3.</para>
<graphic align="center" fileref="images/dmz6.png" /> <graphic align="center" fileref="images/dmz6.png"/>
<para>Recall that in this setup, the local network is using SNAT and <para>Recall that in this setup, the local network is using SNAT and
is sharing the firewall external IP (192.0.2.176) for outbound is sharing the firewall external IP (192.0.2.176) for outbound
@ -1601,7 +1601,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting> eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Suppose now that you have decided to give your daughter her own <para>Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections. IP address (192.0.2.179) for both inbound and outbound connections.
@ -1615,7 +1615,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
and the other two local systems share the firewall's IP and the other two local systems share the firewall's IP
address.</para> address.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Once the relationship between 192.0.2.179 and 192.168.201.4 is <para>Once the relationship between 192.0.2.179 and 192.168.201.4 is
established by the nat file entry above, it is no longer appropriate established by the nat file entry above, it is no longer appropriate
@ -1708,7 +1708,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
not use those macros but rather defines the rules directly.</para> not use those macros but rather defines the rules directly.</para>
</note> </note>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>With the default policies described earlier in this document, your <para>With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the Internet and the local systems (Local 1-3) can access any server on the Internet and the
@ -1799,7 +1799,7 @@ ACCEPT net $FW tcp ssh #SSH to the
prefer to use NAT only in cases where a system that is part of an RFC prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have its own public IP.</para> 1918 subnet needs to have its own public IP.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>If you haven't already, it would be a good idea to browse through <para>If you haven't already, it would be a good idea to browse through
<ulink <ulink
@ -2400,26 +2400,27 @@ foobar.net. 86400 IN A 192.0.2.177
<para>The firewall is started using the <quote>shorewall start</quote> <para>The firewall is started using the <quote>shorewall start</quote>
command and stopped using <quote>shorewall stop</quote>. When the firewall command and stopped using <quote>shorewall stop</quote>. When the firewall
is stopped, routing is enabled on those hosts that have an entry in is stopped, routing is enabled on those hosts that have an ACCEPT entry in
<filename><ulink <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>. url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote>shorewall A running firewall may be restarted using the <quote>shorewall
restart</quote> command. If you want to totally remove any trace of restart</quote> command. If you want to totally remove any trace of
Shorewall from your Netfilter configuration, use <quote>shorewall Shorewall from your Netfilter configuration, use <quote>shorewall
clear</quote>.</para> clear</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Edit the <filename><ulink <para>Edit the <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename> url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
file and configure those systems that you want to be able to access the file and add ACCEPT rules for those systems that you want to be able to
firewall when it is stopped.</para> access the firewall when it is stopped.</para>
<caution> <caution>
<para>If you are connected to your firewall from the Internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <quote>shorewall stop</quote> command unless you have added an issue a <quote>shorewall stop</quote> command unless you have added an
entry for the IP address that you are connected from to <filename><ulink ACCEPT entry for the IP address that you are connected from to
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>. <filename><ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
Also, I don't recommend using <quote>shorewall restart</quote>; it is Also, I don't recommend using <quote>shorewall restart</quote>; it is
better to create an <ulink better to create an <ulink
url="starting_and_stopping_shorewall.htm"><emphasis>an alternate url="starting_and_stopping_shorewall.htm"><emphasis>an alternate
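Review bot: "routing is enabled on those hosts that have an ACCEPT entry" keeps the word "routing", while the parallel sentence in the other setup guide in this change was reworded to "traffic is enabled", and the stop-state table later in the change describes stoppedrules entries as traffic "allowed by ACCEPT entries"; suggest "traffic" here too so the two guides agree. While the caution is being edited, `better to create an <ulink ...><emphasis>an alternate` doubles "an".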

View File

@ -119,19 +119,18 @@
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif" with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
format="GIF" />.</para>
<para>Configuration notes that are unique to Debian and it's derivatives <para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png" are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para> format="GIF"/>.</para>
</section> </section>
</section> </section>
<section id="PPTP"> <section id="PPTP">
<title>PPTP/ADSL</title> <title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use <para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you <acronym>PPTP</acronym> to communicate with a server in that modem, you
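Review bot: "Debian and it's derivatives" should be "its derivatives". Also `fileref="images/openlogo-nd-25.png" format="GIF"` declares GIF for a .png file; the format attribute should be PNG, or dropped as the other guide in this change does for its inlinegraphic elements. The remaining hunks in this file that only remove the space before `/>` are whitespace-only changes unrelated to the rename and could be committed separately.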
@ -144,7 +143,7 @@
<section id="Concepts"> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The configuration files for Shorewall are contained in the directory <para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple <filename class="directory">/etc/shorewall</filename> -- for simple
@ -177,7 +176,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If <para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
you installed using a Shorewall 4.x .deb, the samples are in <emphasis you installed using a Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename role="bold"><filename
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis> class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis>
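Review bot: `one-interface</filename>..</emphasis>` ends the sentence with a double full stop; suggest a single one while this line is being edited.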
@ -352,7 +351,7 @@ root@lists:~# </programlisting>
the external interface.</para> the external interface.</para>
</caution> </caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The Shorewall one-interface sample configuration assumes that the <para>The Shorewall one-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename>. If external interface is <filename class="devicefile">eth0</filename>. If
@ -460,7 +459,7 @@ root@lists:~# </programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs Netfilter messages to a <para>If you are running a distribution that logs Netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the log other than <filename>/var/log/messages</filename>, then modify the
@ -500,7 +499,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to <filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para> <filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para> <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section> </section>
@ -571,7 +570,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
SSH(ACCEPT) net $FW </programlisting> SSH(ACCEPT) net $FW </programlisting>
</important> </important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit <filename>/etc/shorewall/rules</filename> to add <para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
other connections as desired.</para> other connections as desired.</para>
@ -580,7 +579,7 @@ SSH(ACCEPT) net $FW </programlisting>
<section id="Starting"> <section id="Starting">
<title>Starting and Stopping Your Firewall</title> <title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink> <para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is configures your system to start Shorewall at system boot but startup is
@ -588,7 +587,7 @@ SSH(ACCEPT) net $FW </programlisting>
configuration is complete. Once you have completed configuration of your configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.<graphic align="left" STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /></para> fileref="images/openlogo-nd-25.png"/></para>
<important> <important>
<para>Users of the .deb package must edit <para>Users of the .deb package must edit
@ -610,7 +609,7 @@ SSH(ACCEPT) net $FW </programlisting>
<para>The firewall is started using the <quote><command>shorewall <para>The firewall is started using the <quote><command>shorewall
start</command></quote> command and stopped using start</command></quote> command and stopped using
<quote><command>shorewall stop</command></quote>. When the firewall is <quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in stopped, traffic is enabled on those hosts that have an entry in
<filename><ulink <filename><ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename> url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
(<filename><ulink (<filename><ulink
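Review bot: This hunk changes "routing" to "traffic" but keeps "have an entry in /etc/shorewall/stoppedrules", whereas the corresponding sentence in the other setup guide was changed to "have an ACCEPT entry" and the stop-state table later in this change says "traffic allowed by ACCEPT entries"; suggest "an ACCEPT entry" here as well so the two guides agree on what a stoppedrules entry must contain.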
@ -713,7 +712,7 @@ SSH(ACCEPT) net $FW </programlisting>
<programlisting><command>systemctl disable iptables.service</command></programlisting> <programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para> <para>At this point, disable your existing firewall service.</para>
</section> </section>

View File

@ -151,7 +151,7 @@
all Netfilter rules and open your firewall for all traffic to pass. all Netfilter rules and open your firewall for all traffic to pass.
It rather places your firewall in a safe state defined by the It rather places your firewall in a safe state defined by the
contents of your <ulink contents of your <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink> url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink>
file and the setting of ADMINISABSENTMINDED in <ulink file and the setting of ADMINISABSENTMINDED in <ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para> url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
</important> </important>
@ -638,8 +638,8 @@
<entry>firewall stop</entry> <entry>firewall stop</entry>
<entry>Only traffic to/from hosts listed in <entry>Only traffic allowed by ACCEPT entries in
/etc/shorewall/routestopped is passed to/from/through the /etc/shorewall/stoppedrules is passed to/from/through the
firewall. If ADMINISABSENTMINDED=Yes in firewall. If ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf then in addition, all existing /etc/shorewall/shorewall.conf then in addition, all existing
connections are retained and all connection requests from the connections are retained and all connection requests from the