More 3.0 changes for the config file basics doc

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2756 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-30 14:01:04 +00:00
parent b25040c8d1
commit 9b293f5ed6


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-09-12</pubdate> <pubdate>2005-09-29</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -207,16 +207,6 @@
</itemizedlist></para> </itemizedlist></para>
</section> </section>
<section>
<title>Special Note about /etc/shorewall/shorewall.conf</title>
<para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
even if you just add a comment that says "I modified this file". That way,
your package manager won't overwrite the file with future updated
versions. Such overwrites can cause unwanted changes in the behavior of
Shorewall.</para>
</section>
<section id="Comments"> <section id="Comments">
<title>Comments</title> <title>Comments</title>
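Review bot: The "Special Note about /etc/shorewall/shorewall.conf" section is deleted with no replacement text, and the commit message ("More 3.0 changes") does not say why the advice no longer applies. The removed paragraph warned that a package upgrade can overwrite an unmodified shorewall.conf and change firewall behavior. If that can no longer happen in 3.0, state the reason in the commit message or in the document; if it still can, keep a shortened form of the note.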
@ -530,9 +520,8 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
comma-separated list of ports or port ranges may also be entered. comma-separated list of ports or port ranges may also be entered.
Shorewall will use the Netfilter <emphasis Shorewall will use the Netfilter <emphasis
role="bold">multiport</emphasis> match capability if it is available (see role="bold">multiport</emphasis> match capability if it is available (see
the output of "<emphasis role="bold">shorewall check</emphasis>" under the the output of "<emphasis role="bold">shorewall show
heading "Shorewall has detected the following iptables/netfilter capabilities</emphasis>") and if its use is appropriate.</para>
capabilities:") and if its use is appropriate.</para>
<para>Shorewall can use multiport match if:</para> <para>Shorewall can use multiport match if:</para>
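Review bot: The markup for the command name is inconsistent with the rest of this patch. The new text here wraps "shorewall show capabilities" in <emphasis role="bold">, while the list item changed in the next hunk and the new caution both use <command>. Suggest <command>shorewall show capabilities</command> here as well, so the same command renders the same way in both references.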
@ -544,9 +533,10 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<listitem> <listitem>
<para>There are no port ranges listed OR your iptables/kernel support <para>There are no port ranges listed OR your iptables/kernel support
the Extended <emphasis role="bold">multiport</emphasis> match (again the Extended <emphasis role="bold">multiport</emphasis> match (again
see the output of "shorewall check"). Where the Extended <emphasis see the output of "<command>shorewall show capabilities</command>").
role="bold">multiport</emphasis> match is available, each port range Where the Extended <emphasis role="bold">multiport</emphasis> match is
counts as two ports toward the maximum of 15.</para> available, each port range counts as two ports toward the maximum of
15.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
@ -644,6 +634,15 @@ wookie:~ #</programlisting>
<programlisting>EXT_IF=$(getcfg-interface bus-pci-0000:00:05.0) <programlisting>EXT_IF=$(getcfg-interface bus-pci-0000:00:05.0)
INT_IF=$(getcfg-interface bus-pci-0000:00:03.0)</programlisting> INT_IF=$(getcfg-interface bus-pci-0000:00:03.0)</programlisting>
</example> </example>
<caution>
<para>The <command>shorewall save</command> and <command>shorewall
restore</command> commands should be used carefully if you use the above
workaround for unstable interface names. In particular, you should set
OPTIONS="" in <filename>/etc/default/shorewall</filename> or
<filename>/etc/sysconfig/shorewall</filename> so that the "-f" option
will not be specified on startup at boot time. </para>
</caution>
</section> </section>
<section id="MAC"> <section id="MAC">
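Review bot: The new caution tells the reader to set OPTIONS="" so that "-f" is not passed at boot, but it never says what "-f" does or why a saved configuration conflicts with the interface-name workaround above. A reader cannot judge whether "shorewall save" and "shorewall restore" are safe in their own setup without that reason, so add one sentence stating it. Two smaller points: OPTIONS="" and "-f" are plain text while the commands and file names are marked up, so consider <varname> and <option> for them, and there is a stray space before the closing </para> after "at boot time.".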