mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 08:44:05 +01:00
Merge branch 'master' of ssh://teastep@shorewall.git.sourceforge.net/gitroot/shorewall/shorewall
This commit is contained in:
Tom Eastep
commit
94d039bf56
@ -161,7 +161,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>Only those interfaces with the
|
||||
<option>arp_filter</option> option will have their setting
|
||||
changes; the value assigned to the setting will be the value
|
||||
changed; the value assigned to the setting will be the value
|
||||
specified (if any) or 1 if no value is given.</para>
|
||||
|
||||
<para></para>
|
||||
@ -188,7 +188,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>2 - reply only if the target IP address is local address
|
||||
configured on the incoming interface and the sender's IP
|
||||
address is part from same subnet on this interface</para>
|
||||
address is part from same subnet on this interface's address</para>
|
||||
|
||||
<para>3 - do not reply for local addresses configured with
|
||||
scope host, only resolutions for global and link</para>
|
||||
@ -290,11 +290,11 @@ loc eth2 -</programlisting>
|
||||
role="bold">logmartians</emphasis>. Even if you do not specify
|
||||
the <option>routefilter</option> option, it is a good idea to
|
||||
specify <option>logmartians</option> because your distribution
|
||||
may be enabling route filtering without you knowing it.</para>
|
||||
may have enabled route filtering without you knowing it.</para>
|
||||
|
||||
<para>Only those interfaces with the
|
||||
<option>logmartians</option> option will have their setting
|
||||
changes; the value assigned to the setting will be the value
|
||||
changed; the value assigned to the setting will be the value
|
||||
specified (if any) or 1 if no value is given.</para>
|
||||
|
||||
<para>To find out if route filtering is set on a given
|
||||
@ -510,12 +510,12 @@ loc eth2 -</programlisting>
|
||||
(sets
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
|
||||
to 1). Only set this option if you know what you are doing.
|
||||
This might represent a security risk and is not usually
|
||||
needed.</para>
|
||||
This might represent a security risk and is usually
|
||||
unneeded.</para>
|
||||
|
||||
<para>Only those interfaces with the
|
||||
<option>sourceroute</option> option will have their setting
|
||||
changes; the value assigned to the setting will be the value
|
||||
changed; the value assigned to the setting will be the value
|
||||
specified (if any) or 1 if no value is given.</para>
|
||||
|
||||
<para></para>
|
||||
@ -579,7 +579,7 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Suppose you have eth0 connected to a DSL modem and eth1
|
||||
connected to your local network and that your local subnet is
|
||||
192.168.1.0/24. The interface gets it's IP address via DHCP from
|
||||
192.168.1.0/24. The interface gets its IP address via DHCP from
|
||||
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
|
||||
using eth2.</para>
|
||||
|
||||
|
||||
@ -409,7 +409,7 @@
|
||||
<para>Only locally-generated connections will match if this column
|
||||
is non-empty.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
<para>When this column is non-empty, the rule matches only if the
|
||||
program generating the output is running under the effective
|
||||
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
||||
specified (or is NOT running under that id if "!" is given).</para>
|
||||
|
||||
@ -63,7 +63,7 @@
|
||||
role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Interfacees that have the <emphasis
|
||||
<para>Interfaces that have the <emphasis
|
||||
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
Shorewall will automatically add the EXTERNAL address to this
|
||||
|
||||
@ -43,7 +43,7 @@
|
||||
<para>Must be DNAT or SNAT.</para>
|
||||
|
||||
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
|
||||
it's destination address rewritten to the corresponding address in
|
||||
its destination address rewritten to the corresponding address in
|
||||
NET2.</para>
|
||||
|
||||
<para>If SNAT, traffic leaving INTERFACE with a source address in
|
||||
|
||||
@ -41,7 +41,7 @@
|
||||
|
||||
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
|
||||
the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||
logging or TCP connection rate limiting but may be overridden by an
|
||||
logging or TCP connection rate limiting) but may be overridden by an
|
||||
entry in this file. The overriding entry must be explicit (cannot use
|
||||
"all" in the SOURCE or DEST).</para>
|
||||
|
||||
@ -95,7 +95,7 @@
|
||||
<listitem>
|
||||
<para>Policy if no match from the rules file is found.</para>
|
||||
|
||||
<para>If the policy is other than CONTINUE or NONE then the policy
|
||||
<para>If the policy is neither CONTINUE nor NONE then the policy
|
||||
may be followed by ":" and one of the following:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
|
||||
@ -175,7 +175,7 @@
|
||||
specified will get outbound traffic load-balanced among them.
|
||||
By default, all interfaces with <option>balance</option>
|
||||
specified will have the same weight (1). You can change the
|
||||
weight of an interface by specifiying
|
||||
weight of an interface by specifying
|
||||
<option>balance=</option><replaceable>weight</replaceable>
|
||||
where <replaceable>weight</replaceable> is the weight of the
|
||||
route out of this interface.</para>
|
||||
|
||||
@ -67,8 +67,8 @@
|
||||
or <emphasis role="bold">yes</emphasis> in this column. Otherwise,
|
||||
enter <emphasis role="bold">no</emphasis> or <emphasis
|
||||
role="bold">No</emphasis> or leave the column empty and Shorewall
|
||||
will add the route for you. If Shorewall adds the route,the route
|
||||
will be persistent if the <emphasis
|
||||
will add the route for you. If Shorewall adds the route, its
|
||||
persistence depends on the value of the<emphasis
|
||||
role="bold">PERSISTENT</emphasis> column contains <emphasis
|
||||
role="bold">Yes</emphasis>; otherwise, <emphasis
|
||||
role="bold">shorewall stop</emphasis> or <emphasis
|
||||
|
||||
@ -68,7 +68,7 @@
|
||||
(although it probably isn't installed by default). Ulogd is also available
|
||||
from <ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
|
||||
and can be configured to log all Shorewall message to their own log
|
||||
and can be configured to log all Shorewall messages to their own log
|
||||
file</para>
|
||||
|
||||
<para>The following options may be set in shorewall.conf.</para>
|
||||
@ -262,7 +262,7 @@
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If set, the behavior of the 'start' command is change; if no
|
||||
<para>If set, the behavior of the 'start' command is changed; if no
|
||||
files in /etc/shorewall have been changed since the last successful
|
||||
<command>start</command> or <command>restart</command> command, then
|
||||
the compilation step is skipped and the compiled script that
|
||||
@ -362,7 +362,7 @@
|
||||
<listitem>
|
||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||
then Shorewall won't clear the current traffic control rules during
|
||||
[re]start. This setting is intended for use by people that prefer to
|
||||
[re]start. This setting is intended for use by people who prefer to
|
||||
configure traffic shaping when the network interfaces come up rather
|
||||
than when the firewall is started. If that is what you want to do,
|
||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
||||
|
||||
Loading…
Reference in New Issue
Block a user