extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-03 03:59:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updates for routestopped -> stoppedrules

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-10-05 07:51:43 -07:00
parent 0385b2cd37
commit 89122c0d55
10 changed files with 65 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/CompiledPrograms.xml
View File

@ -186,8 +186,8 @@
configuring Shorewall on the firewall system itself</emphasis>).
It's a good idea to include the IP address of the administrative
system in the <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
file</ulink>.</para>
url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules
</filename> file</ulink>.</para>
<para>It is important to understand that with Shorewall Lite,
the firewall's export directory on the administrative system
@ -493,7 +493,7 @@ clean:
<para>Be sure that the IP address of the administrative system is
included in the firewall's export directory
<filename>routestopped</filename> file.</para>
<filename>stoppedrules</filename> file.</para>
<programlisting><command>shorewall stop</command></programlisting>
@ -514,7 +514,7 @@ clean:
<para>It's a good idea to include the IP address of the
administrative system in the firewall system's <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
file</ulink>.</para>
<para>Also, edit the <filename>shorewall.conf</filename> file in

10
docs/FAQ.xml
View File

@ -247,7 +247,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
<itemizedlist>
<listitem>
<para>You are trying to test from inside your firewall (no, that
won't work -- see <xref linkend="faq2" />).</para>
won't work -- see <xref linkend="faq2"/>).</para>
</listitem>
<listitem>
@ -2029,7 +2029,7 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times</programlisting>
ADMINISABSENTMINDED in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and the
contents of <ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>
(5). To totally open the firewall, use the <command>clear</command>
command.</para>
</section>
@ -2138,8 +2138,8 @@ Creating input Chains...
<para><command>/sbin/shorewall stop</command> places the firewall in a
<firstterm>safe state</firstterm>, the details of which depend on your
<filename>/etc/shorewall/routestopped</filename> file (<ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5))
<filename>/etc/shorewall/stoppedrules</filename> file (<ulink
url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5))
and on the setting of ADMINISABSENTMINDED in
<filename>/etc/shorewall/shorewall.conf</filename> (<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
@ -3065,7 +3065,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
Persistent SNAT: Available
gateway:~# </programlisting>
<para></para>
<para/>
</section>
<section id="faq19">

2
docs/Manpages.xml
View File

@ -37,7 +37,7 @@
<warning>
<para>These manpages are for Shorewall 5.0 and later only. They describe
features and options not available on earlier releases. The manpages for
Shorewall 4.4-4.6 are available<ulink url="/Manpages4/Manpages.html">
Shorewall 4.4-4.6 are available<ulink url="/manpages4/Manpages.html">
here</ulink>.</para>
</warning>

2
docs/Manpages6.xml
View File

@ -38,7 +38,7 @@
<para>These manpages are for Shorewall6 5.0 and later only. They describe
features and options not available on earlier releases.The manpages for
Shorewall 4.4-4.6 are available <ulink
url="/Manpages4/Manpages.html">here</ulink>.</para>
url="/manpages4/Manpages.html">here</ulink>.</para>
</warning>
<section id="Section5">

6
docs/Shorewall-Lite.xml
View File

@ -191,7 +191,7 @@
configuring Shorewall on the firewall system itself</emphasis>).
It's a good idea to include the IP address of the administrative
system in the <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
file</ulink>.</para>
<para>It is important to understand that with Shorewall Lite,
@ -412,7 +412,7 @@
<para>Be sure that the IP address of the administrative system is
included in the firewall's export directory
<filename>routestopped</filename> file.</para>
<filename>stoppedrules</filename> file.</para>
<programlisting><command>shorewall stop</command></programlisting>
@ -433,7 +433,7 @@
<para>It's a good idea to include the IP address of the
administrative system in the firewall system's <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</filename>
file</ulink>.</para>
<para>Also, edit the <filename>shorewall.conf</filename> file in

4
docs/ipsets.xml
View File

@ -146,8 +146,10 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<listitem>
<para>You cannot use an ipset in <ulink
url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink>
(5) (<ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
(5).</para>
(5)).</para>
</listitem>
<listitem>

4
docs/shorewall_extension_scripts.xml
View File

@ -174,8 +174,8 @@ esac</programlisting><caution>
indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
the isuasable script must blow it's own holes in the firewall
url="manpages/shorewall-stoppedrules.html">stoppedrules</ulink>(8)
then the isuasable script must blow it's own holes in the firewall
before probing.</para>
</caution></para>
</listitem>

59
docs/shorewall_setup_guide.xml
View File

@ -67,7 +67,7 @@
yourself with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <inlinegraphic
fileref="images/BD21298_.gif" />.</para>
fileref="images/BD21298_.gif"/>.</para>
</caution>
<caution>
@ -96,7 +96,7 @@
<section id="Concepts">
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for most setups,
@ -195,7 +195,7 @@ dmz ipv4</programlisting>
the Internet zone</quote> or <quote>because that is the
DMZ</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Edit the /etc/shorewall/zones file and make any changes
necessary.</para>
@ -304,7 +304,7 @@ all all REJECT info</programlisting>
</listitem>
</orderedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, edit your <filename>/etc/shorewall/policy
</filename>and make any changes that you wish.</para>
@ -338,7 +338,7 @@ all all REJECT info</programlisting>
</listitem>
</itemizedlist>
<graphic align="center" fileref="images/dmz3.png" />
<graphic align="center" fileref="images/dmz3.png"/>
<para>The simplest way to define zones is to associate the zone name
(previously defined in /etc/shorewall/zones) with a network interface.
@ -357,7 +357,7 @@ all all REJECT info</programlisting>
external interface will be <filename
class="devicefile">ippp0</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>If your external interface is <filename
class="devicefile">ppp0</filename> or <filename
@ -424,7 +424,7 @@ dmz eth2 detect</programlisting>
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Edit the <filename>/etc/shorewall/interfaces</filename> file and
define the network interfaces on your firewall and associate each
@ -441,7 +441,7 @@ loc eth1 detect
loc eth2 detect</programlisting>
</example>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>You may define more complicated zones using the<filename> <ulink
url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename>
@ -1231,7 +1231,7 @@ tcpdump: listening on eth2
<para>Before we begin, there is one thing for you to check:</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>If you are using the Debian package, please check your
shorewall.conf file to ensure that the following are set correctly; if
@ -1254,7 +1254,7 @@ tcpdump: listening on eth2
this many IP addresses, you are able to subnet your /28 into two /29's
and set up your network as shown in the following diagram.</para>
<graphic align="center" fileref="images/dmz4.png" />
<graphic align="center" fileref="images/dmz4.png"/>
<para>Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
@ -1362,19 +1362,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
address and the source IP address of Internet requests sent from that
zone.</para>
<graphic align="center" fileref="images/dmz5.png" />
<graphic align="center" fileref="images/dmz5.png"/>
<para>The local zone has been subnetted as 192.168.201.0/29 (netmask
255.255.255.248).</para>
<simplelist>
<member><inlinegraphic fileref="images/BD21298_.gif" /></member>
<member><inlinegraphic fileref="images/BD21298_.gif"/></member>
<member>The systems in the local zone would be configured with a
default gateway of 192.168.201.1 (the IP address of the firewall's
local interface).</member>
<member><inlinegraphic fileref="images/BD21298_.gif" /></member>
<member><inlinegraphic fileref="images/BD21298_.gif"/></member>
<member>SNAT is configured in Shorewall using the <filename><ulink
url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
@ -1401,7 +1401,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
systems do not have a public IP address. DNAT provides a way to allow
selected connections from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Suppose that your daughter wants to run a web server on her
system <quote>Local 3</quote>. You could allow connections to the
@ -1475,7 +1475,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
example network.</para>
<graphic align="center" fileref="images/dmz6.png" />
<graphic align="center" fileref="images/dmz6.png"/>
<para>Here, we've assigned the IP addresses 192.0.2.177 to system DMZ
1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an
@ -1483,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>The Shorewall configuration of Proxy ARP is done using the<ulink
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
@ -1591,7 +1591,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
example involving your daughter's web server running on system Local
3.</para>
<graphic align="center" fileref="images/dmz6.png" />
<graphic align="center" fileref="images/dmz6.png"/>
<para>Recall that in this setup, the local network is using SNAT and
is sharing the firewall external IP (192.0.2.176) for outbound
@ -1601,7 +1601,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections.
@ -1615,7 +1615,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
and the other two local systems share the firewall's IP
address.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Once the relationship between 192.0.2.179 and 192.168.201.4 is
established by the nat file entry above, it is no longer appropriate
@ -1708,7 +1708,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
not use those macros but rather defines the rules directly.</para>
</note>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the Internet and the
@ -1799,7 +1799,7 @@ ACCEPT net $FW tcp ssh #SSH to the
prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have its own public IP.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>If you haven't already, it would be a good idea to browse through
<ulink
@ -2400,26 +2400,27 @@ foobar.net. 86400 IN A 192.0.2.177
<para>The firewall is started using the <quote>shorewall start</quote>
command and stopped using <quote>shorewall stop</quote>. When the firewall
is stopped, routing is enabled on those hosts that have an entry in
is stopped, routing is enabled on those hosts that have an ACCEPT entry in
<filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote>shorewall
restart</quote> command. If you want to totally remove any trace of
Shorewall from your Netfilter configuration, use <quote>shorewall
clear</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Edit the <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
file and configure those systems that you want to be able to access the
firewall when it is stopped.</para>
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
file and add ACCEPT rules for those systems that you want to be able to
access the firewall when it is stopped.</para>
<caution>
<para>If you are connected to your firewall from the Internet, do not
issue a <quote>shorewall stop</quote> command unless you have added an
entry for the IP address that you are connected from to <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
ACCEPT entry for the IP address that you are connected from to
<filename><ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
Also, I don't recommend using <quote>shorewall restart</quote>; it is
better to create an <ulink
url="starting_and_stopping_shorewall.htm"><emphasis>an alternate

27
docs/standalone.xml
View File

@ -119,19 +119,18 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
<para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para>
format="GIF"/>.</para>
</section>
</section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you
@ -144,7 +143,7 @@
<section id="Concepts">
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
@ -177,7 +176,7 @@
</listitem>
<listitem>
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis>
@ -352,7 +351,7 @@ root@lists:~# </programlisting>
the external interface.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The Shorewall one-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename>. If
@ -460,7 +459,7 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs Netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
@ -500,7 +499,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section>
@ -571,7 +570,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
SSH(ACCEPT) net $FW </programlisting>
</important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
other connections as desired.</para>
@ -580,7 +579,7 @@ SSH(ACCEPT) net $FW </programlisting>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is
@ -588,7 +587,7 @@ SSH(ACCEPT) net $FW </programlisting>
configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /></para>
fileref="images/openlogo-nd-25.png"/></para>
<important>
<para>Users of the .deb package must edit
@ -610,7 +609,7 @@ SSH(ACCEPT) net $FW </programlisting>
<para>The firewall is started using the <quote><command>shorewall
start</command></quote> command and stopped using
<quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in
stopped, traffic is enabled on those hosts that have an entry in
<filename><ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
(<filename><ulink
@ -713,7 +712,7 @@ SSH(ACCEPT) net $FW </programlisting>
<programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para>
</section>

6
docs/starting_and_stopping_shorewall.xml
View File

@ -151,7 +151,7 @@
all Netfilter rules and open your firewall for all traffic to pass.
It rather places your firewall in a safe state defined by the
contents of your <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink>
file and the setting of ADMINISABSENTMINDED in <ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
</important>
@ -638,8 +638,8 @@
<entry>firewall stop</entry>
<entry>Only traffic to/from hosts listed in
/etc/shorewall/routestopped is passed to/from/through the
<entry>Only traffic allowed by ACCEPT entries in
/etc/shorewall/stoppedrules is passed to/from/through the
firewall. If ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf then in addition, all existing
connections are retained and all connection requests from the