Clarify zone definition with wildcards

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8042 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-17 02:00:57 +01:00 · 2008-01-10 23:53:13 +00:00 · 2008-01-10 23:53:13 +00:00 · 93e0f6cb51
commit 93e0f6cb51
parent 8a22a4e05a
2 changed files with 34 additions and 2 deletions
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@ -193,6 +193,29 @@
    </variablelist>
  </refsect1>

+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1</term>
+
+        <listitem>
+          <para>The firewall runs a PPTP server which creates a ppp interface
+          for each remote client. The clients are assigned IP addresses in the
+          network 192.168.3.0/24 and in a zone named 'vpn'.<programlisting>#ZONE       HOST(S)               OPTIONS
+vpn         ppp+:192.168.3.0/24</programlisting></para>
+
+          <para>It is especially recommended to define such a zone using this
+          file rather than <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8) if
+          there is another zone that uses a fixed PPP interface (for example,
+          if the 'net' zone always interfaces through ppp0).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@ -68,8 +68,17 @@ loc     eth2            -</programlisting>

          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
-          applies to all PPP interfaces, use 'ppp+'; that would match ppp1,
-          ppp2, …</para>
+          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
+          ppp1, ppp2, …</para>
+
+          <para>Care must be exercised when using wildcards where there is
+          another zone that uses a matching specific interface. In that case,
+          it is probably better to place a '-' in the ZONE column of the
+          wildcard entry and define the zone(s) associated with the wildcard
+          in <ulink
+          url="../../branches/4.0/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(8).
+          This is particularly true if you use DNAT or REDIRECT rules; see
+          <ulink url="shorewall-rules.xml">shorewall-rules</ulink>(8).</para>

          <para>There is no need to define the loopback interface (lo) in this
          file.</para>