extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-02 16:05:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix typos in manpages

Browse Source
This commit is contained in:
Roberto C. Sanchez 2013-05-03 12:19:45 -04:00
parent 1012251957
commit a0228e9d3b
68 changed files with 269 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-lite/manpages/shorewall-lite.conf.xml
View File

@ -141,7 +141,7 @@
stops. Creating and removing this file allows Shorewall to work with stops. Creating and removing this file allows Shorewall to work with
your distribution's initscripts. For RedHat, this should be set to your distribution's initscripts. For RedHat, this should be set to
/var/lock/subsys/shorewall. For Debian, the value is /var/lock/subsys/shorewall. For Debian, the value is
/var/state/shorewall and in LEAF it is /var/run/shorwall.</para> /var/state/shorewall and in LEAF it is /var/run/shorewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

12
Shorewall-lite/manpages/shorewall-lite.xml
View File

@ -492,9 +492,9 @@
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
be no white space between <emphasis role="bold">v</emphasis> and the be no white-space between <emphasis role="bold">v</emphasis> and the
VERBOSITY.</para> VERBOSITY.</para>
<para>The <emphasis>options</emphasis> may also include the letter <para>The <emphasis>options</emphasis> may also include the letter
@ -632,7 +632,7 @@
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget</emphasis></term>
<listitem> <listitem>
<para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
and /var/lib/shorewall-lite/save. If no and /var/lib/shorewall-lite/save. If no
<emphasis>filename</emphasis> is given then the file specified by <emphasis>filename</emphasis> is given then the file specified by
RESTOREFILE in <ulink RESTOREFILE in <ulink
@ -690,7 +690,7 @@
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with <para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from facility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall-lite has no control over where the messages go; consult Shorewall-lite has no control over where the messages go; consult
your logging daemon's documentation.</para> your logging daemon's documentation.</para>
@ -747,7 +747,7 @@
<para>The <replaceable>iptables match expression</replaceable> must <para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being be one given in the <command>iptrace</command> command being
cancelled.</para> canceled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -875,7 +875,7 @@
<term><emphasis role="bold">config</emphasis></term> <term><emphasis role="bold">config</emphasis></term>
<listitem> <listitem>
<para>Dispays distribution-specific defaults.</para> <para>Displays distribution-specific defaults.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

28
Shorewall/manpages/shorewall-accounting.xml
View File

@ -136,7 +136,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">accounout</emphasis> in the <emphasis <para><emphasis role="bold">accountout</emphasis> in the <emphasis
role="bold">OUTPUT</emphasis> section</para> role="bold">OUTPUT</emphasis> section</para>
</listitem> </listitem>
@ -266,8 +266,8 @@
<term><replaceable>network</replaceable></term> <term><replaceable>network</replaceable></term>
<listitem> <listitem>
<para>is an IPv4 networ<emphasis <para>is an IPv4 <emphasis
role="bold">k</emphasis> in CIDR notation (e.g., role="bold">network</emphasis> in CIDR notation (e.g.,
192.168.1.0/24). The network can be as large as a /8 192.168.1.0/24). The network can be as large as a /8
(class A).</para> (class A).</para>
</listitem> </listitem>
@ -300,9 +300,9 @@
<term><emphasis role="bold">INLINE</emphasis></term> <term><emphasis role="bold">INLINE</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.16. Allows freeform iptables <para>Added in Shorewall 4.5.16. Allows free form iptables
matches to be specified following a ';'. In the generated matches to be specified following a ';'. In the generated
iptables rule(s), the freeform matches will follow any matches iptables rule(s), the free form matches will follow any matches
that are generated by the column contents.</para> that are generated by the column contents.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -344,7 +344,7 @@
<listitem> <listitem>
<para>Causes each matching packet to be sent via the currently <para>Causes each matching packet to be sent via the currently
loaded logging backend (usually nfnetlink_log) where it is loaded logging back-end (usually nfnetlink_log) where it is
available to accounting daemons through a netlink available to accounting daemons through a netlink
socket.</para> socket.</para>
</listitem> </listitem>
@ -455,7 +455,7 @@
(136).</para> (136).</para>
<para>You may place a comma-separated list of port names or numbers <para>You may place a comma-separated list of port names or numbers
in this column if your kernel and iptables include multiport match in this column if your kernel and iptables include multi-port match
support.</para> support.</para>
<para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then <para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
@ -478,14 +478,14 @@
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para> UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
<para>You may place a comma-separated list of port numbers in this <para>You may place a comma-separated list of port numbers in this
column if your kernel and iptables include multiport match column if your kernel and iptables include multi-port match
support.</para> support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this <para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -608,7 +608,7 @@
<listitem> <listitem>
<para>The option-list consists of a comma-separated list of options <para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their been decrypted via an SA that matches these options will have their
source address changed.</para> source address changed.</para>
<variablelist> <variablelist>
@ -702,7 +702,7 @@
<listitem> <listitem>
<para>When used by itself, causes all traffic that will be <para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to encrypted/encapsulated or has been decrypted/un-encapsulated to
match the rule.</para> match the rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -713,7 +713,7 @@
<listitem> <listitem>
<para>When used by itself, causes all traffic that will not be <para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to encrypted/encapsulated or has been decrypted/un-encapsulated to
match the rule.</para> match the rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -770,8 +770,8 @@
role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>, role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>,
the values <emphasis role="bold">-</emphasis>, <emphasis the values <emphasis role="bold">-</emphasis>, <emphasis
role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
used as wildcards. Omitted trailing columns are also treated as used as wildcard'gs. Omitted trailing columns are also treated as
wildcard.</para> wildcard'g.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

12
Shorewall/manpages/shorewall-arprules.xml
View File

@ -23,13 +23,13 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file was added in Shorwall 4.5.12 and is used to describe <para>This file was added in Shorewall 4.5.12 and is used to describe
low-level rules managed by arptables (8). These rules only affect Address low-level rules managed by arptables (8). These rules only affect Address
Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
Dynamic Reverse Address Resolution Protocol (DRARP) frames.</para> Dynamic Reverse Address Resolution Protocol (DRARP) frames.</para>
<para>The columns in the file are as shown below. MAC addresses are <para>The columns in the file are as shown below. MAC addresses are
specified normally (6 hexidecimal numbers separated by colons).</para> specified normally (6 hexadecimal numbers separated by colons).</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -186,7 +186,7 @@
<term><replaceable>macmask</replaceable></term> <term><replaceable>macmask</replaceable></term>
<listitem> <listitem>
<para>Mask for MAC address; must be specified as 6 hexidecimal <para>Mask for MAC address; must be specified as 6 hexadecimal
numbers separated by colons.</para> numbers separated by colons.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -249,7 +249,7 @@
<term><replaceable>macmask</replaceable></term> <term><replaceable>macmask</replaceable></term>
<listitem> <listitem>
<para>Mask for MAC address; must be specified as 6 hexidecimal <para>Mask for MAC address; must be specified as 6 hexadecimal
numbers separated by colons.</para> numbers separated by colons.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -352,7 +352,7 @@
</variablelist> </variablelist>
<para>When '!' is specified, the test is inverted and the rule <para>When '!' is specified, the test is inverted and the rule
matches frames which do not match the specifed matches frames which do not match the specified
<replaceable>opcode</replaceable>.</para> <replaceable>opcode</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -362,7 +362,7 @@
<refsect1> <refsect1>
<title>Example</title> <title>Example</title>
<para>The eth1 interface has both a pubiic IP address and a private <para>The eth1 interface has both a public IP address and a private
address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use
the private address as the IP source:</para> the private address as the IP source:</para>

6
Shorewall/manpages/shorewall-blrules.xml
View File

@ -34,7 +34,7 @@
<para>The format of rules in this file is the same as the format of rules <para>The format of rules in this file is the same as the format of rules
in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
differece in the two files lies in the ACTION (first) column.</para> difference in the two files lies in the ACTION (first) column.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -164,7 +164,7 @@
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem> <listitem>
<para>queues matching packets to a backend logging daemon via <para>queues matching packets to a back end logging daemon via
a netlink socket then continues to the next rule. See <ulink a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem> </listitem>
@ -320,7 +320,7 @@
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5), shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),

2
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -389,7 +389,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

4
Shorewall/manpages/shorewall-exclusion.xml
View File

@ -31,14 +31,14 @@
<title>Description</title> <title>Description</title>
<para>The first form of exclusion is used when you wish to exclude one or <para>The first form of exclusion is used when you wish to exclude one or
more addresses from a definition. An exclaimation point is followed by a more addresses from a definition. An exclamation point is followed by a
comma-separated list of addresses. The addresses may be single host comma-separated list of addresses. The addresses may be single host
addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange
support, you may also specify ranges of ip addresses of the form support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para> <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded whitespace is allowed.</para> <para>No embedded white-space is allowed.</para>
<para>Exclusion can appear after a list of addresses and/or address <para>Exclusion can appear after a list of addresses and/or address
ranges. In that case, the final list of address is formed by taking the ranges. In that case, the final list of address is formed by taking the

4
Shorewall/manpages/shorewall-hosts.xml
View File

@ -115,7 +115,7 @@
<listitem> <listitem>
<para>A comma-separated list of options from the following list. The <para>A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list order in which you list the options is not significant but the list
must have no embedded white space.</para> must have no embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -182,7 +182,7 @@
<para>Connection requests from these hosts are compared <para>Connection requests from these hosts are compared
against the contents of <ulink against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet this option is specified, the interface must be an Ethernet
NIC or equivalent and must be up before Shorewall is NIC or equivalent and must be up before Shorewall is
started.</para> started.</para>
</listitem> </listitem>

2
Shorewall/manpages/shorewall-init.xml
View File

@ -143,7 +143,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>On a laptop with both ethernet and wireless interfaces, you will <para>On a laptop with both Ethernet and wireless interfaces, you will
want to make both interfaces optional and set the REQUIRE_INTERFACE option want to make both interfaces optional and set the REQUIRE_INTERFACE option
to Yes in <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5) or to Yes in <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5) or
<ulink url="../Manpages6/shorewall6.conf.html">shorewall6.conf</ulink> <ulink url="../Manpages6/shorewall6.conf.html">shorewall6.conf</ulink>

8
Shorewall/manpages/shorewall-interfaces.xml
View File

@ -187,7 +187,7 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>A comma-separated list of options from the following list. The <para>A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list order in which you list the options is not significant but the list
should have no embedded white space.</para> should have no embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -283,7 +283,7 @@ loc eth2 -</programlisting>
<blockquote> <blockquote>
<para><emphasis role="bold">WARNING: The 'blacklist' <para><emphasis role="bold">WARNING: The 'blacklist'
option is ignored on mult-zone option is ignored on multi-zone
interfaces</emphasis></para> interfaces</emphasis></para>
</blockquote> </blockquote>
</listitem> </listitem>
@ -420,7 +420,7 @@ loc eth2 -</programlisting>
<para>Connection requests from this interface are compared <para>Connection requests from this interface are compared
against the contents of <ulink against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet this option is specified, the interface must be an Ethernet
NIC and must be up before Shorewall is started.</para> NIC and must be up before Shorewall is started.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -792,7 +792,7 @@ dmz eth2</programlisting>
<term>Example 3:</term> <term>Example 3:</term>
<listitem> <listitem>
<para>You have a simple dial-in system with no ethernet <para>You have a simple dial-in system with no Ethernet
connections.</para> connections.</para>
<programlisting>FORMAT 2 <programlisting>FORMAT 2

5
Shorewall/manpages/shorewall-ipsets.xml
View File

@ -42,12 +42,13 @@
<para>Whether the set is matched against the packet source or destination <para>Whether the set is matched against the packet source or destination
is determined by which column the set name appears (SOURCE or DEST). For is determined by which column the set name appears (SOURCE or DEST). For
those set types that specify a tupple, two alternative syntaxes are those set types that specify a tuple, two alternative syntaxes are
available:</para> available:</para>
<simplelist> <simplelist>
<member>[<replaceable>number</replaceable>] - Indicates that 'src' or <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
'dst' should repleated number times. Example: myset[2].</member> 'dst' should be repeated <replaceable>number</replaceable> times.
Example: myset[2].</member>
<member>[<replaceable>flag</replaceable>,...] where <member>[<replaceable>flag</replaceable>,...] where
<replaceable>flag</replaceable> is <option>src</option> or <replaceable>flag</replaceable> is <option>src</option> or

2
Shorewall/manpages/shorewall-maclist.xml
View File

@ -68,7 +68,7 @@
<listitem> <listitem>
<para>MAC <emphasis>address</emphasis> of the host -- you do not <para>MAC <emphasis>address</emphasis> of the host -- you do not
need to use the Shorewall format for MAC addresses here. If need to use the Shorewall format for MAC addresses here. If
<emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then <emphasis role="bold">IP ADDRESSES</emphasis> is supplied then
<emphasis role="bold">MAC</emphasis> can be supplied as a dash <emphasis role="bold">MAC</emphasis> can be supplied as a dash
(<emphasis role="bold">-</emphasis>)</para> (<emphasis role="bold">-</emphasis>)</para>
</listitem> </listitem>

6
Shorewall/manpages/shorewall-masq.xml
View File

@ -60,7 +60,7 @@
added with that name (e.g., eth0:0). This will allow the alias to be added with that name (e.g., eth0:0). This will allow the alias to be
displayed with ifconfig. <emphasis role="bold">That is the only use displayed with ifconfig. <emphasis role="bold">That is the only use
for the alias name; it may not appear in any other place in your for the alias name; it may not appear in any other place in your
Shorewall configuratio</emphasis>n.</para> Shorewall configuration.</emphasis></para>
<para>Each interface must match an entry in <ulink <para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
@ -80,7 +80,7 @@
<programlisting> eth0(Avvanta)</programlisting> <programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interfaces's <para>In that case, you will want to specify the interface's
address for that provider in the ADDRESS column.</para> address for that provider in the ADDRESS column.</para>
<para>The interface may be qualified by adding the character ":" <para>The interface may be qualified by adding the character ":"
@ -506,7 +506,7 @@
<para>Switch settings are retained over <command>shorewall <para>Switch settings are retained over <command>shorewall
restart</command>.</para> restart</command>.</para>
<para>Beginning with Shoreawll 4.5.10, when the <para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is <option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the initialized to off or on respectively by the

2
Shorewall/manpages/shorewall-nat.xml
View File

@ -79,7 +79,7 @@
want Shorewall to add the alias with this name (e.g., "eth0:0"). want Shorewall to add the alias with this name (e.g., "eth0:0").
That allows you to see the alias with ifconfig. <emphasis That allows you to see the alias with ifconfig. <emphasis
role="bold">That is the only thing that this name is good for -- you role="bold">That is the only thing that this name is good for -- you
cannot use it anwhere else in your Shorewall configuration. cannot use it anywhere else in your Shorewall configuration.
</emphasis></para> </emphasis></para>
<para>Each interface must match an entry in <ulink <para>Each interface must match an entry in <ulink

4
Shorewall/manpages/shorewall-netmap.xml
View File

@ -119,7 +119,7 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE. <para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
It specifies a SOURCE network for DNAT rules and a DESTINATON It specifies a SOURCE network for DNAT rules and a DESTINATION
network for SNAT rules.</para> network for SNAT rules.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -145,7 +145,7 @@
range</emphasis>s; if the protocol is <emphasis range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

2
Shorewall/manpages/shorewall-providers.xml
View File

@ -148,7 +148,7 @@
<listitem> <listitem>
<para>A comma-separated list selected from the following. The order <para>A comma-separated list selected from the following. The order
of the options is not significant but the list may contain no of the options is not significant but the list may contain no
embedded whitespace.</para> embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>

6
Shorewall/manpages/shorewall-routestopped.xml
View File

@ -73,7 +73,7 @@
<listitem> <listitem>
<para>Optional. A comma-separated list of options. The order of the <para>Optional. A comma-separated list of options. The order of the
options is not important but the list can contain no embedded options is not important but the list can contain no embedded
whitespace. The currently-supported options are:</para> white-space. The currently-supported options are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -121,7 +121,7 @@
<term>notrack</term> <term>notrack</term>
<listitem> <listitem>
<para>The traffic will be exempted from conntection <para>The traffic will be exempted from connection
tracking.</para> tracking.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -166,7 +166,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

48
Shorewall/manpages/shorewall-rules.xml
View File

@ -24,7 +24,7 @@
<title>Description</title> <title>Description</title>
<para>Entries in this file govern connection establishment by defining <para>Entries in this file govern connection establishment by defining
exceptions to the policies layed out in <ulink exceptions to the policies laid out in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5). By default, url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
subsequent requests and responses are automatically allowed using subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the connection tracking. For any particular (source,dest) pair of zones, the
@ -146,7 +146,7 @@
role="bold">RELATED</emphasis> sections must be empty.</para> role="bold">RELATED</emphasis> sections must be empty.</para>
<para>An except is made if you are running Shorewall 4.4.27 or later and <para>An except is made if you are running Shorewall 4.4.27 or later and
you have specified a non-defualt value for RELATED_DISPOSITION or you have specified a non-default value for RELATED_DISPOSITION or
RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
section of this file.</para> section of this file.</para>
</warning> </warning>
@ -243,7 +243,7 @@
<para>Added in Shorewall 4.4.12. Causes addresses and/or port <para>Added in Shorewall 4.4.12. Causes addresses and/or port
numbers to be added to the named numbers to be added to the named
<replaceable>ipset</replaceable>. The <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tupple <replaceable>flags</replaceable> specify the address or tuple
to be added to the set and must match the type of ipset to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using or DESTINATION address can be added using
@ -360,10 +360,10 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.12. Causes an entry to be deleted <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tupple <replaceable>flags</replaceable> specify the address or tuple
to be deleted from the set and must match the type of ipset to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deletec using or DESTINATION address can be deleted using
<replaceable>flags</replaceable> <emphasis <replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in role="bold">dst</emphasis> respectively (see the -D command in
@ -508,7 +508,7 @@
<listitem> <listitem>
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
backend logging daemon via a netlink socket then continues to back end logging daemon via a netlink socket then continues to
the next rule. See <ulink the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
@ -621,7 +621,7 @@
<listitem> <listitem>
<para>Added in Shorewall 4.5.10. Queues matching packets to a <para>Added in Shorewall 4.5.10. Queues matching packets to a
backend logging daemon via a netlink socket then continues to back end logging daemon via a netlink socket then continues to
the next rule. See <ulink the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
@ -706,7 +706,7 @@
<para>Beginning with Shorewall 4.4.13, you may use a <para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a <replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths url="shorewall-zones.html">shorewall-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by <replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as "+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para> well as inter-zone traffic.</para>
@ -762,8 +762,8 @@
bindings to be matched.</para> bindings to be matched.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a <para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;') firewall interface can be specified by an ampersand ('&amp;')
followed by the logican name of the interface as found in the followed by the logical name of the interface as found in the
INTERFACE column of <ulink INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para> (5).</para>
@ -880,7 +880,7 @@
<para>Beginning with Shorewall 4.4.13, you may use a <para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a <replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths url="shorewall-zones.html">shorewall-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by <replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as "+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para> well as inter-zone traffic.</para>
@ -965,7 +965,7 @@
name.</para> name.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a <para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;') firewall interface can be specified by an ampersand ('&amp;')
followed by the logical name of the interface as found in the followed by the logical name of the interface as found in the
INTERFACE column of <ulink INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
@ -973,7 +973,7 @@
<para>The <replaceable>port</replaceable> that the server is <para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modifiy the address by ":". If omitted, the firewall will not modify the
destination port. A destination port may only be included if the destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis role="bold">DNAT</emphasis> or <emphasis
@ -1043,11 +1043,11 @@
names (from services(5)), port numbers or port ranges; if the names (from services(5)), port numbers or port ranges; if the
protocol is <emphasis role="bold">icmp</emphasis>, this column is protocol is <emphasis role="bold">icmp</emphasis>, this column is
interpreted as the destination icmp-type(s). ICMP types may be interpreted as the destination icmp-type(s). ICMP types may be
specified as a numeric type, a numberic type and code separated by a specified as a numeric type, a numeric type and code separated by a
slash (e.g., 3/4), or a typename. See <ulink slash (e.g., 3/4), or a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>. url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
Note that prior to Shorewall 4.4.19, only a single ICMP type may be Note that prior to Shorewall 4.4.19, only a single ICMP type may be
listsed.</para> listed.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>, <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading this column is interpreted as an ipp2p option without the leading
@ -1071,7 +1071,7 @@
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para> contain extended multi-port match support.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1090,7 +1090,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
<warning> <warning>
@ -1111,7 +1111,7 @@
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para> contain extended multi-port match support.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1139,7 +1139,7 @@
not match any of the addresses listed.</para> not match any of the addresses listed.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a <para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;') firewall interface can be specified by an ampersand ('&amp;')
followed by the logical name of the interface as found in the followed by the logical name of the interface as found in the
INTERFACE column of <ulink INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
@ -1187,7 +1187,7 @@
interval (<emphasis role="bold">sec</emphasis> or <emphasis interval (<emphasis role="bold">sec</emphasis> or <emphasis
role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
largest burst permitted. If no <emphasis>burst</emphasis> is given, largest burst permitted. If no <emphasis>burst</emphasis> is given,
a value of 5 is assumed. There may be no no whitespace embedded in a value of 5 is assumed. There may be no no white-space embedded in
the specification.</para> the specification.</para>
<para>Example: <emphasis role="bold">10/sec:20</emphasis></para> <para>Example: <emphasis role="bold">10/sec:20</emphasis></para>
@ -1338,7 +1338,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">TIME</emphasis> - <term><emphasis role="bold">TIME</emphasis> -
<emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term> <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
<listitem> <listitem>
<para>May be used to limit the rule to a particular time period each <para>May be used to limit the rule to a particular time period each
@ -1482,7 +1482,7 @@
<para>Switch settings are retained over <command>shorewall <para>Switch settings are retained over <command>shorewall
restart</command>.</para> restart</command>.</para>
<para>Beginning with Shoreawll 4.5.10, when the <para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is <option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the initialized to off or on respectively by the
@ -1707,7 +1707,7 @@
<term>Example 10:</term> <term>Example 10:</term>
<listitem> <listitem>
<para>Add the tupple (source IP, dest port, dest IP) of an incoming <para>Add the tuple (source IP, dest port, dest IP) of an incoming
SSH connection to the ipset S:</para> SSH connection to the ipset S:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST <programlisting> #ACTION SOURCE DEST PROTO DEST
@ -1800,7 +1800,7 @@
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para> url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5), shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5),

4
Shorewall/manpages/shorewall-secmarks.xml
View File

@ -100,7 +100,7 @@
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term> {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
<listitem> <listitem>
<para>This column determines the CHAIN where the SElinux context is <para>This column determines the CHAIN where the SELinux context is
to be applied:</para> to be applied:</para>
<simplelist> <simplelist>
@ -249,7 +249,7 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis <emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

6
Shorewall/manpages/shorewall-stoppedrules.xml
View File

@ -64,7 +64,7 @@
IP/subnet addresses. If your kernel and iptables include iprange IP/subnet addresses. If your kernel and iptables include iprange
match support, IP address ranges are also allowed. Ipsets and match support, IP address ranges are also allowed. Ipsets and
exclusion are also supported. When <option>$FW</option> or interface exclusion are also supported. When <option>$FW</option> or interface
are specified, the list must be preceeded by a colon (":").</para> are specified, the list must be preceded by a colon (":").</para>
<para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para> <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
</listitem> </listitem>
@ -84,7 +84,7 @@
IP/subnet addresses. If your kernel and iptables include iprange IP/subnet addresses. If your kernel and iptables include iprange
match support, IP address ranges are also allowed. Ipsets and match support, IP address ranges are also allowed. Ipsets and
exclusion are also supported. When <option>$FW</option> or interface exclusion are also supported. When <option>$FW</option> or interface
are specified, the list must be preceeded by a colon (":").</para> are specified, the list must be preceded by a colon (":").</para>
<para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para> <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
</listitem> </listitem>
@ -130,7 +130,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

14
Shorewall/manpages/shorewall-tcclasses.xml
View File

@ -187,13 +187,13 @@
<replaceable>dmax</replaceable>, the maximum delay in milliseconds <replaceable>dmax</replaceable>, the maximum delay in milliseconds
that the first queued packet for this class should experience. May that the first queued packet for this class should experience. May
be expressed as an integer, optionally followed by 'ms' with no be expressed as an integer, optionally followed by 'ms' with no
intervening white space (e.g., 10ms).</para> intervening white-space (e.g., 10ms).</para>
<para>HFSC leaf classes may also specify <para>HFSC leaf classes may also specify
<replaceable>umax</replaceable>, the largest packet expected in this <replaceable>umax</replaceable>, the largest packet expected in this
class. May be expressed as an integer. The unit of measure is class. May be expressed as an integer. The unit of measure is
<emphasis>bytes</emphasis> and the integer may be optionally <emphasis>bytes</emphasis> and the integer may be optionally
followed by 'b' with no intervening white space (e.g., 800b). followed by 'b' with no intervening white-space (e.g., 800b).
<replaceable>umax</replaceable> may only be given if <replaceable>umax</replaceable> may only be given if
<replaceable>dmax</replaceable> is also given.</para> <replaceable>dmax</replaceable> is also given.</para>
@ -436,7 +436,7 @@
than a system having only a single active connection. The than a system having only a single active connection. The
<option>flow</option> classifier (module cls_flow) works <option>flow</option> classifier (module cls_flow) works
around this by letting you define what a 'flow' is. The around this by letting you define what a 'flow' is. The
clasifier must be used carefully or it can block off all classifier must be used carefully or it can block off all
traffic on an interface! The flow option can be specified for traffic on an interface! The flow option can be specified for
an HTB leaf class (one that has no sub-classes). We recommend an HTB leaf class (one that has no sub-classes). We recommend
that you use the following:</para> that you use the following:</para>
@ -473,7 +473,7 @@
<term>pfifo</term> <term>pfifo</term>
<listitem> <listitem>
<para>When specified for a leaf class, the pfifo queing <para>When specified for a leaf class, the pfifo queuing
discipline is applied to the class rather than the sfq queuing discipline is applied to the class rather than the sfq queuing
discipline.</para> discipline.</para>
</listitem> </listitem>
@ -687,7 +687,7 @@
<listitem> <listitem>
<para>can be used to mark packets instead of dropping <para>can be used to mark packets instead of dropping
them. If ecn has been enabled, noecn can be used to turn them. If ecn has been enabled, noecn can be used to turn
it off and vice-a-versa. By default, ecn is it off and vice-versa. By default, ecn is
enabled.</para> enabled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -719,8 +719,8 @@
minimum of 100kbps and always be serviced first (because of the low minimum of 100kbps and always be serviced first (because of the low
priority number, giving less delay) and will be granted excess priority number, giving less delay) and will be granted excess
bandwidth (up to 180kbps, the class ceiling) first, before any other bandwidth (up to 180kbps, the class ceiling) first, before any other
traffic. A single VOIP stream, depending upon codecs, after traffic. A single VoIP stream, depending upon codecs, after
encapsulation, can take up to 80kbps on a PPOE/DSL link, so we pad a encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
classes EF and AFF3-1 respectively and are often used by VOIP classes EF and AFF3-1 respectively and are often used by VOIP
devices).</para> devices).</para>

2
Shorewall/manpages/shorewall-tcdevices.xml
View File

@ -149,7 +149,7 @@
<para>What is described above creates a rate/burst policing filter. <para>What is described above creates a rate/burst policing filter.
Beginning with Shorewall 4.4.25, a rate-estimated policing filter Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used may be configured instead. Rate-estimated filters should be used
with ethernet adapters that have Generic Receive Offload enabled by with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink default. See <ulink
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para> 97a</ulink>.</para>

2
Shorewall/manpages/shorewall-tcfilters.xml
View File

@ -153,7 +153,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><option>tos-maximuze-throughput</option></para> <para><option>tos-maximize-throughput</option></para>
</listitem> </listitem>
<listitem> <listitem>

2
Shorewall/manpages/shorewall-tcinterfaces.xml
View File

@ -168,7 +168,7 @@
<para>What is described above creates a rate/burst policing filter. <para>What is described above creates a rate/burst policing filter.
Beginning with Shorewall 4.4.25, a rate-estimated policing filter Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used may be configured instead. Rate-estimated filters should be used
with ethernet adapters that have Generic Receive Offload enabled by with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink default. See <ulink
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para> 97a</ulink>.</para>

2
Shorewall/manpages/shorewall-tcpri.xml
View File

@ -131,7 +131,7 @@
[<replaceable>helper</replaceable>]</term> [<replaceable>helper</replaceable>]</term>
<listitem> <listitem>
<para>Optional. Names a Netfiler protocol helper module such as ftp, <para>Optional. Names a Netfilter protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number the helper module name (e.g., ftp-21) to specify the port number

16
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -171,7 +171,7 @@
<term>CT</term> <term>CT</term>
<listitem> <listitem>
<para>Mark the connecdtion in the POSTROUTING chain</para> <para>Mark the connection in the POSTROUTING chain</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -273,7 +273,7 @@
<term>CT</term> <term>CT</term>
<listitem> <listitem>
<para>Mark the connecdtion in the POSTROUTING chain</para> <para>Mark the connection in the POSTROUTING chain</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -388,7 +388,7 @@
<para><emphasis role="bold">DIVERT</emphasis></para> <para><emphasis role="bold">DIVERT</emphasis></para>
<para>Added in Shorewall 4.5.4 and only available when FORMAT is <para>Added in Shorewall 4.5.4 and only available when FORMAT is
2. Two DIVERT rule should preceed the TPROXY rule and should 2. Two DIVERT rule should precede the TPROXY rule and should
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
(assuming that tcp port 80 is being proxied). DIVERT avoids (assuming that tcp port 80 is being proxied). DIVERT avoids
sending packets to the TPROXY target once a socket connection to sending packets to the TPROXY target once a socket connection to
@ -565,7 +565,7 @@
to produce class IDs 1:1 through 1:6. But 1:1 is an invalid to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
class ID since the <replaceable>major</replaceable> and class ID since the <replaceable>major</replaceable> and
<replaceable>minor</replaceable> classes are equal. So you might <replaceable>minor</replaceable> classes are equal. So you might
chose instent to use IPMARK(src,0xFF,0x10100) as in the example choose instead to use IPMARK(src,0xFF,0x10100) as in the example
above so that all of your <replaceable>minor</replaceable> above so that all of your <replaceable>minor</replaceable>
classes will have a value &gt; 256.</para> classes will have a value &gt; 256.</para>
</listitem> </listitem>
@ -903,7 +903,7 @@ Normal-Service =&gt; 0x00</programlisting>
<emphasis>port range</emphasis>s; if the protocol is <emphasis <emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
@ -938,7 +938,7 @@ Normal-Service =&gt; 0x00</programlisting>
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1139,7 +1139,7 @@ Normal-Service =&gt; 0x00</programlisting>
</emphasis><emphasis>helper</emphasis></term> </emphasis><emphasis>helper</emphasis></term>
<listitem> <listitem>
<para>Names a Netfiler protocol <firstterm>helper</firstterm> module <para>Names a Netfilter protocol <firstterm>helper</firstterm> module
such as <option>ftp</option>, <option>sip</option>, such as <option>ftp</option>, <option>sip</option>,
<option>amanda</option>, etc. A packet will match if it was accepted <option>amanda</option>, etc. A packet will match if it was accepted
by the named helper module.</para> by the named helper module.</para>
@ -1233,7 +1233,7 @@ Normal-Service =&gt; 0x00</programlisting>
4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting> SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
<para>If a packet hasn't been classifed (packet mark is 0), copy the <para>If a packet hasn't been classified (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set, we're connection mark to the packet mark. If the packet mark is set, we're
done. If the packet is P2P, set the packet mark to 4. If the packet done. If the packet is P2P, set the packet mark to 4. If the packet
mark has been set, save it to the connection mark.</para> mark has been set, save it to the connection mark.</para>

6
Shorewall/manpages/shorewall-zones.xml
View File

@ -136,7 +136,7 @@ c:a,b ipv4</programlisting>
default if you leave this column empty or if you enter "-" in default if you leave this column empty or if you enter "-" in
the column. Communication with some zone hosts may be the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the encrypted. Encrypted hosts are designated using the
'ipsec'option in <ulink 'ipsec' option in <ulink
url="shorewall-hosts.html">shorewall-hosts</ulink>(5).</para> url="shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -213,8 +213,8 @@ c:a,b ipv4</programlisting>
<para>When specified in the IN_OPTIONS column, causes all <para>When specified in the IN_OPTIONS column, causes all
traffic from this zone to be passed against the <emphasis traffic from this zone to be passed against the <emphasis
role="bold">src</emphasis> entries in s<ulink role="bold">src</emphasis> entries in <ulink
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para> url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5).</para>
<para>When specified in the OUT_OPTIONS column, causes all <para>When specified in the OUT_OPTIONS column, causes all
traffic to this zone to be passed against the <emphasis traffic to this zone to be passed against the <emphasis

30
Shorewall/manpages/shorewall.conf.xml
View File

@ -28,7 +28,7 @@
<para>The file consists of Shell comments (lines beginning with '#'), <para>The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements blank lines and assignment statements
(<emphasis>variable</emphasis>=<emphasis>value</emphasis>). If the (<emphasis>variable</emphasis>=<emphasis>value</emphasis>). If the
<emphasis>value</emphasis> contains shell metacharacters or white-space, <emphasis>value</emphasis> contains shell meta characters or white-space,
then it must be enclosed in quotes. Example: then it must be enclosed in quotes. Example:
MACLIST_LOG_LEVEL="NFLOG(1,0,1)".</para> MACLIST_LOG_LEVEL="NFLOG(1,0,1)".</para>
</refsect1> </refsect1>
@ -455,7 +455,7 @@
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticably if you have large (will slow down your firewall noticeably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para> the empty value then BLACKLISTNEWONLY=No is assumed.</para>
@ -771,7 +771,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
'loc2net' chain.</para> 'loc2net' chain.</para>
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink or RELATED sections of <ulink
@ -1177,7 +1177,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<filename>/etc/shorewall</filename> are compare with that of <filename>/etc/shorewall</filename> are compare with that of
<filename>/var/lib/shorewall/restore)</filename>. If set to No, then <filename>/var/lib/shorewall/restore)</filename>. If set to No, then
the times are compared with that of /var/lib/shorewall/firewall, the times are compared with that of /var/lib/shorewall/firewall,
which is consistant with the way that <command>restart -f</command> which is consistent with the way that <command>restart -f</command>
works.</para> works.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1712,7 +1712,7 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct <para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
utiliity. If not specified, Shorewall will use the PATH settting to utility. If not specified, Shorewall will use the PATH setting to
find the program.</para> find the program.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1780,7 +1780,7 @@ LOG:info:,bar net fw</programlisting>
<para>Optimization category 2 - Added in Shorewall 4.4.7. When <para>Optimization category 2 - Added in Shorewall 4.4.7. When
set, suppresses superfluous ACCEPT rules in a policy chain that set, suppresses superfluous ACCEPT rules in a policy chain that
implements an ACCEPT policy. Any ACCEPT rules that immediately implements an ACCEPT policy. Any ACCEPT rules that immediately
preceed the final blanket ACCEPT rule in the chain are now precede the final blanket ACCEPT rule in the chain are now
omitted.</para> omitted.</para>
</listitem> </listitem>
@ -1875,7 +1875,7 @@ LOG:info:,bar net fw</programlisting>
compatible if they differ only in their destination ports and compatible if they differ only in their destination ports and
comments.</para> comments.</para>
<para>A sequence of combatible rules is often generated when <para>A sequence of compatible rules is often generated when
macros are invoked in sequence.</para> macros are invoked in sequence.</para>
<para>The ability to combine adjacent rules is limited by two <para>The ability to combine adjacent rules is limited by two
@ -1890,12 +1890,12 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Rules may only be combined until the length of their <para>Rules may only be combined until the length of their
concatinated comment reaches 255 characters.</para> concatenated comment reaches 255 characters.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>When either of these limits would be exceeded, the current <para>When either of these limits would be exceeded, the current
combined rule is emitted and the compiler attemts to combine combined rule is emitted and the compiler attempts to combine
rules beginning with the one that would have exceeded the limit. rules beginning with the one that would have exceeded the limit.
Adjacent combined comments are separated by ', '. Empty comments Adjacent combined comments are separated by ', '. Empty comments
at the front of a group of combined comments are replaced by at the front of a group of combined comments are replaced by
@ -1927,7 +1927,7 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Rules with comments &lt;empty&gt;, "FOO" and "BAR" <para>Rules with comments &lt;empty&gt;, "FOO" and "BAR"
would reult in the combined comment "Others and FOO, BAR". would result in the combined comment "Others and FOO, BAR".
Note: Optimize level 16 requires "Extended Multi-port Note: Optimize level 16 requires "Extended Multi-port
Match" in your iptables and kernel.</para> Match" in your iptables and kernel.</para>
</listitem> </listitem>
@ -2018,7 +2018,7 @@ LOG:info:,bar net fw</programlisting>
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para>Eariler generations of Shorewall Lite required that remote <para>Earlier generations of Shorewall Lite required that remote
root login via ssh be enabled in order to use the root login via ssh be enabled in order to use the
<command>load</command> and <command>reload</command> commands. <command>load</command> and <command>reload</command> commands.
Beginning with release 3.9.5, you may define an alternative means Beginning with release 3.9.5, you may define an alternative means
@ -2034,7 +2034,7 @@ LOG:info:,bar net fw</programlisting>
<member>RCP_COMMAND: scp ${files} <member>RCP_COMMAND: scp ${files}
${root}@${system}:${destination}</member> ${root}@${system}:${destination}</member>
</simplelist>Shell variables that will be set when the commands </simplelist>Shell variables that will be set when the commands
are envoked are as follows:<simplelist> are invoked are as follows:<simplelist>
<member><replaceable>root</replaceable> - root user. Normally <member><replaceable>root</replaceable> - root user. Normally
<option>root</option> but may be overridden using the '-r' <option>root</option> but may be overridden using the '-r'
option.</member> option.</member>
@ -2359,7 +2359,7 @@ LOG:info:,bar net fw</programlisting>
stops. Creating and removing this file allows Shorewall to work with stops. Creating and removing this file allows Shorewall to work with
your distribution's initscripts. For RedHat and OpenSuSE, this your distribution's initscripts. For RedHat and OpenSuSE, this
should be set to /var/lock/subsys/shorewall. For Debian, the value should be set to /var/lock/subsys/shorewall. For Debian, the value
is /var/lock/shorewall and in LEAF it is /var/run/shorwall.</para> is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2600,7 +2600,7 @@ LOG:info:,bar net fw</programlisting>
<para><emphasis role="bold">detect</emphasis> may be <para><emphasis role="bold">detect</emphasis> may be
specified for interfaces whose configuration is managed by specified for interfaces whose configuration is managed by
dhcpcd. Shorewall will use dhcpcd's database to find the dhcpcd. Shorewall will use dhcpcd's database to find the
interfaces's gateway.</para> interface's gateway.</para>
</note></para> </note></para>
</listitem> </listitem>
@ -2625,7 +2625,7 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a <para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
Netfilter chain that relates to an interface, it uses the Netfilter chain that relates to an interface, it uses the
interfaces's logical name as the base of the chain name. For interface's logical name as the base of the chain name. For
example, if the logical name for an interface is OAKLAND, then the example, if the logical name for an interface is OAKLAND, then the
input chain for traffic arriving on that interface would be input chain for traffic arriving on that interface would be
'OAKLAND_in'. If this option is set to Yes, then the physical name 'OAKLAND_in'. If this option is set to Yes, then the physical name

18
Shorewall/manpages/shorewall.xml
View File

@ -720,7 +720,7 @@
<emphasis role="bold">q</emphasis> subtracts one from the effective <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY. followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
There may be no white space between <emphasis role="bold">v</emphasis> and There may be no white-space between <emphasis role="bold">v</emphasis> and
the VERBOSITY.</para> the VERBOSITY.</para>
<para>The <emphasis>options</emphasis> may also include the letter <para>The <emphasis>options</emphasis> may also include the letter
@ -782,7 +782,7 @@
<term><emphasis role="bold">check</emphasis></term> <term><emphasis role="bold">check</emphasis></term>
<listitem> <listitem>
<para>Compiles the configuraton in the specified <para>Compiles the configuration in the specified
<emphasis>directory</emphasis> and discards the compiled output <emphasis>directory</emphasis> and discards the compiled output
script. If no <emphasis>directory</emphasis> is given, then script. If no <emphasis>directory</emphasis> is given, then
/etc/shorewall is assumed.</para> /etc/shorewall is assumed.</para>
@ -846,7 +846,7 @@
<para>When -e is specified, the compilation is being performed on a <para>When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option system other than where the compiled script will run. This option
disables certain configuration options that require the script to be disables certain configuration options that require the script to be
compiled where it is to be run. The use of -e requires the presense compiled where it is to be run. The use of -e requires the presence
of a configuration file named <filename>capabilities</filename> of a configuration file named <filename>capabilities</filename>
which may be produced using the command <emphasis which may be produced using the command <emphasis
role="bold">shorewall-lite show -f capabilities &gt; role="bold">shorewall-lite show -f capabilities &gt;
@ -984,7 +984,7 @@
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget</emphasis></term>
<listitem> <listitem>
<para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is /var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
given then the file specified by RESTOREFILE in <ulink given then the file specified by RESTOREFILE in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) is url="shorewall.conf.html">shorewall.conf</ulink>(5) is
@ -1041,7 +1041,7 @@
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with <para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from facility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall has no control over where the messages go; consult your Shorewall has no control over where the messages go; consult your
logging daemon's documentation.</para> logging daemon's documentation.</para>
@ -1145,7 +1145,7 @@
<para>The <replaceable>iptables match expression</replaceable> must <para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being be one given in the <command>iptrace</command> command being
cancelled.</para> canceled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1445,7 +1445,7 @@
<term><emphasis role="bold">config</emphasis></term> <term><emphasis role="bold">config</emphasis></term>
<listitem> <listitem>
<para>Dispays distribution-specific defaults.</para> <para>Displays distribution-specific defaults.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1606,7 +1606,7 @@
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was <para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
added to <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). added to <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).
When LEGACY_FASTSTART=No, the modificaiotn times of files in When LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall are compared with that of /var/lib/shorewall/firewall /etc/shorewall are compared with that of /var/lib/shorewall/firewall
(the compiled script that last started/restarted the (the compiled script that last started/restarted the
firewall).</para> firewall).</para>
@ -1674,7 +1674,7 @@
<replaceable>directory</replaceable>; otherwise, a <emphasis <replaceable>directory</replaceable>; otherwise, a <emphasis
role="bold">start</emphasis> command is performed using the role="bold">start</emphasis> command is performed using the
specified configuration <replaceable>directory</replaceable>. if an specified configuration <replaceable>directory</replaceable>. if an
error occurs during the compliation phase of the <emphasis error occurs during the compilation phase of the <emphasis
role="bold">restart</emphasis> or <emphasis role="bold">restart</emphasis> or <emphasis
role="bold">start</emphasis>, the command terminates without role="bold">start</emphasis>, the command terminates without
changing the Shorewall state. If an error occurs during the changing the Shorewall state. If an error occurs during the

2
Shorewall6-lite/manpages/shorewall6-lite.conf.xml
View File

@ -141,7 +141,7 @@
stops. Creating and removing this file allows Shorewall6 to work stops. Creating and removing this file allows Shorewall6 to work
with your distribution's initscripts. For RedHat, this should be set with your distribution's initscripts. For RedHat, this should be set
to /var/lock/subsys/shorewall6. For Debian, the value is to /var/lock/subsys/shorewall6. For Debian, the value is
/var/state/shorewall6 and in LEAF it is /var/run/shorwall.</para> /var/state/shorewall6 and in LEAF it is /var/run/shorewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

12
Shorewall6-lite/manpages/shorewall6-lite.xml
View File

@ -492,9 +492,9 @@
url="shorewall.conf.html">shorewall6.conf</ulink>(5). Each <emphasis url="shorewall.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
be no white space between <emphasis role="bold">v</emphasis> and the be no white-space between <emphasis role="bold">v</emphasis> and the
VERBOSITY.</para> VERBOSITY.</para>
<para>The <emphasis>options</emphasis> may also include the letter <para>The <emphasis>options</emphasis> may also include the letter
@ -630,7 +630,7 @@
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget</emphasis></term>
<listitem> <listitem>
<para>Deletes /var/lib/shorewall6-lite/<emphasis>filenam</emphasis>e <para>Deletes /var/lib/shorewall6-lite/<emphasis>filename</emphasis>
and /var/lib/shorewall6-lite/save. If no and /var/lib/shorewall6-lite/save. If no
<emphasis>filename</emphasis> is given then the file specified by <emphasis>filename</emphasis> is given then the file specified by
RESTOREFILE in <ulink RESTOREFILE in <ulink
@ -688,7 +688,7 @@
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with <para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from facility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
shorewall6-lite has no control over where the messages go; consult shorewall6-lite has no control over where the messages go; consult
your logging daemon's documentation.</para> your logging daemon's documentation.</para>
@ -745,7 +745,7 @@
<para>The <replaceable>iptables match expression</replaceable> must <para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being be one given in the <command>iptrace</command> command being
cancelled.</para> canceled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -873,7 +873,7 @@
<term><emphasis role="bold">config</emphasis></term> <term><emphasis role="bold">config</emphasis></term>
<listitem> <listitem>
<para>Dispays distribution-specific defaults.</para> <para>Displays distribution-specific defaults.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

22
Shorewall6/manpages/shorewall6-accounting.xml
View File

@ -136,7 +136,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">accounout</emphasis> in the <emphasis <para><emphasis role="bold">accountout</emphasis> in the <emphasis
role="bold">OUTPUT</emphasis> section</para> role="bold">OUTPUT</emphasis> section</para>
</listitem> </listitem>
@ -242,9 +242,9 @@
<term><emphasis role="bold">INLINE</emphasis></term> <term><emphasis role="bold">INLINE</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.16. Allows freeform ip6tables <para>Added in Shorewall 4.5.16. Allows free form ip6tables
matches to be specified following a ';'. In the generated matches to be specified following a ';'. In the generated
ip6tables rule(s), the freeform matches will follow any ip6tables rule(s), the free form matches will follow any
matches that are generated by the column contents.</para> matches that are generated by the column contents.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -286,7 +286,7 @@
<listitem> <listitem>
<para>Causes each matching packet to be sent via the currently <para>Causes each matching packet to be sent via the currently
loaded logging backend (usually nfnetlink_log) where it is loaded logging back end (usually nfnetlink_log) where it is
available to accounting daemons through a netlink available to accounting daemons through a netlink
socket.</para> socket.</para>
</listitem> </listitem>
@ -396,7 +396,7 @@
(136).</para> (136).</para>
<para>You may place a comma-separated list of port names or numbers <para>You may place a comma-separated list of port names or numbers
in this column if your kernel and ip6tables include multiport match in this column if your kernel and ip6tables include multi-port match
support.</para> support.</para>
<para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then <para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
@ -419,14 +419,14 @@
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para> UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
<para>You may place a comma-separated list of port numbers in this <para>You may place a comma-separated list of port numbers in this
column if your kernel and ip6tables include multiport match column if your kernel and ip6tables include multi-port match
support.</para> support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this <para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -549,7 +549,7 @@
<listitem> <listitem>
<para>The option-list consists of a comma-separated list of options <para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their been decrypted via an SA that matches these options will have their
source address changed. May only be specified when sections are source address changed. May only be specified when sections are
used.</para> used.</para>
@ -644,7 +644,7 @@
<listitem> <listitem>
<para>When used by itself, causes all traffic that will be <para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to encrypted/encapsulated or has been decrypted/un-encapsulated to
match the rule.</para> match the rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -655,7 +655,7 @@
<listitem> <listitem>
<para>When used by itself, causes all traffic that will not be <para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to encrypted/encapsulated or has been decrypted/un-encapsulated to
match the rule.</para> match the rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -831,7 +831,7 @@
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-actions.xml
View File

@ -137,7 +137,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-blacklist.xml
View File

@ -204,7 +204,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

6
Shorewall6/manpages/shorewall6-blrules.xml
View File

@ -35,7 +35,7 @@
<para>The format of rules in this file is the same as the format of rules <para>The format of rules in this file is the same as the format of rules
in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The
differece in the two files lies in the ACTION (first) column.</para> difference in the two files lies in the ACTION (first) column.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -165,7 +165,7 @@
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem> <listitem>
<para>queues matching packets to a backend logging daemon via <para>queues matching packets to a back end logging daemon via
a netlink socket then continues to the next rule. See <ulink a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem> </listitem>
@ -321,7 +321,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-conntrack.xml
View File

@ -392,7 +392,7 @@ DROP:PO - 2001:1.2.3::4
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-ipsec(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),

6
Shorewall6/manpages/shorewall6-exclusion.xml
View File

@ -31,14 +31,14 @@
<title>Description</title> <title>Description</title>
<para>Exclusion is used when you wish to exclude one or more addresses <para>Exclusion is used when you wish to exclude one or more addresses
from a definition. An exclaimation point is followed by a comma-separated from a definition. An exclamation point is followed by a comma-separated
list of addresses. The addresses may be single host addresses (e.g., list of addresses. The addresses may be single host addresses (e.g.,
fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
(e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include
iprange support, you may also specify ranges of ip addresses of the form iprange support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para> <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded whitespace is allowed.</para> <para>No embedded white-space is allowed.</para>
<para>Exclusion can appear after a list of addresses and/or address <para>Exclusion can appear after a list of addresses and/or address
ranges. In that case, the final list of address is formed by taking the ranges. In that case, the final list of address is formed by taking the
@ -103,7 +103,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

4
Shorewall6/manpages/shorewall6-hosts.xml
View File

@ -117,7 +117,7 @@
<listitem> <listitem>
<para>An optional comma-separated list of options from the following <para>An optional comma-separated list of options from the following
list. The order in which you list the options is not significant but list. The order in which you list the options is not significant but
the list must have no embedded white space.</para> the list must have no embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -199,7 +199,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

6
Shorewall6/manpages/shorewall6-interfaces.xml
View File

@ -145,7 +145,7 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>A comma-separated list of options from the following list. The <para>A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list order in which you list the options is not significant but the list
should have no embedded white space.</para> should have no embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -214,7 +214,7 @@ loc eth2 -</programlisting>
<blockquote> <blockquote>
<para><emphasis role="bold">WARNING: The 'blacklist' <para><emphasis role="bold">WARNING: The 'blacklist'
option is ignored on mult-zone option is ignored on multi-zone
interfaces</emphasis></para> interfaces</emphasis></para>
</blockquote> </blockquote>
</listitem> </listitem>
@ -568,7 +568,7 @@ dmz eth2 -</programlisting>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

8
Shorewall6/manpages/shorewall6-ipsets.xml
View File

@ -42,12 +42,12 @@
<para>Whether the set is matched against the packet source or destination <para>Whether the set is matched against the packet source or destination
is determined by which column the set name appears (SOURCE or DEST). For is determined by which column the set name appears (SOURCE or DEST). For
those set types that specify a tupple, two alternative syntaxes are those set types that specify a tuple, two alternative syntaxes are
available:</para> available:</para>
<simplelist> <simplelist>
<member>[<replaceable>number</replaceable>] - Indicates that 'src' or <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
'dst' should repleated number times. Example: myset[2].</member> 'dst' should repeated number times. Example: myset[2].</member>
<member>[<replaceable>flag</replaceable>,...] where <member>[<replaceable>flag</replaceable>,...] where
<replaceable>flag</replaceable> is <option>src</option> or <replaceable>flag</replaceable> is <option>src</option> or
@ -62,7 +62,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>In a DEST column, the following paris are equivalent:</para> <para>In a DEST column, the following pairs are equivalent:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -130,7 +130,7 @@
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

4
Shorewall6/manpages/shorewall6-maclist.xml
View File

@ -66,7 +66,7 @@
<listitem> <listitem>
<para>MAC <emphasis>address</emphasis> of the host -- you do not <para>MAC <emphasis>address</emphasis> of the host -- you do not
need to use the shorewall6 format for MAC addresses here. If need to use the shorewall6 format for MAC addresses here. If
<emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then <emphasis role="bold">IP ADDRESSES</emphasis> is supplied then
<emphasis role="bold">MAC</emphasis> can be supplied as a dash <emphasis role="bold">MAC</emphasis> can be supplied as a dash
(<emphasis role="bold">-</emphasis>)</para> (<emphasis role="bold">-</emphasis>)</para>
</listitem> </listitem>
@ -106,7 +106,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

4
Shorewall6/manpages/shorewall6-masq.xml
View File

@ -73,7 +73,7 @@
<programlisting> eth0(Avvanta)</programlisting> <programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interfaces's <para>In that case, you will want to specify the interface's
address for that provider in the ADDRESS column.</para> address for that provider in the ADDRESS column.</para>
<para>The interface may be qualified by adding the character ":" <para>The interface may be qualified by adding the character ":"
@ -457,7 +457,7 @@
<para>Switch settings are retained over <command>shorewall <para>Switch settings are retained over <command>shorewall
restart</command>.</para> restart</command>.</para>
<para>Beginning with Shoreawll 4.5.10, when the <para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is <option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the initialized to off or on respectively by the

2
Shorewall6/manpages/shorewall6-modules.xml
View File

@ -86,7 +86,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-nesting.xml
View File

@ -109,7 +109,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

6
Shorewall6/manpages/shorewall6-netmap.xml
View File

@ -24,7 +24,7 @@
<title>Description</title> <title>Description</title>
<para>This file is used to map addresses in one network to corresponding <para>This file is used to map addresses in one network to corresponding
addresses in a second network. It was added in Shorewall6 iin addresses in a second network. It was added in Shorewall6
4.4.23.3.</para> 4.4.23.3.</para>
<warning> <warning>
@ -121,7 +121,7 @@
<listitem> <listitem>
<para>Optional - added in Shorewall 4.4.11. If specified, qualifies <para>Optional - added in Shorewall 4.4.11. If specified, qualifies
INTERFACE. It specifies a SOURCE network for DNAT rules and a INTERFACE. It specifies a SOURCE network for DNAT rules and a
DESTINATON network for SNAT rules.</para> DESTINATION network for SNAT rules.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -145,7 +145,7 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis <emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

2
Shorewall6/manpages/shorewall6-params.xml
View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shoewall6-netmap(5),shorewall6-params</refentrytitle> <refentrytitle>shorewall6-netmap(5),shorewall6-params</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>

2
Shorewall6/manpages/shorewall6-policy.xml
View File

@ -316,7 +316,7 @@
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-nat(5), shorewall6-netmap(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

4
Shorewall6/manpages/shorewall6-providers.xml
View File

@ -137,7 +137,7 @@
<listitem> <listitem>
<para>A comma-separated list selected from the following. The order <para>A comma-separated list selected from the following. The order
of the options is not significant but the list may contain no of the options is not significant but the list may contain no
embedded whitespace.</para> embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -333,7 +333,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-policy(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

4
Shorewall6/manpages/shorewall6-proxyndp.xml
View File

@ -23,7 +23,7 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file was added in Shoreall 4.4.16 and is used to define Proxy <para>This file was added in Shorewall 4.4.16 and is used to define Proxy
NDP. There is one entry in this file for each IPv6 address to be NDP. There is one entry in this file for each IPv6 address to be
proxied.</para> proxied.</para>
@ -138,7 +138,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-routes.xml
View File

@ -96,7 +96,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

4
Shorewall6/manpages/shorewall6-routestopped.xml
View File

@ -69,7 +69,7 @@
<listitem> <listitem>
<para>An optional comma-separated list of options. The order of the <para>An optional comma-separated list of options. The order of the
options is not important but the list can contain no embedded options is not important but the list can contain no embedded
whitespace. The currently-supported options are:</para> white-space. The currently-supported options are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -188,7 +188,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

2
Shorewall6/manpages/shorewall6-rtrules.xml
View File

@ -168,7 +168,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

42
Shorewall6/manpages/shorewall6-rules.xml
View File

@ -24,7 +24,7 @@
<title>Description</title> <title>Description</title>
<para>Entries in this file govern connection establishment by defining <para>Entries in this file govern connection establishment by defining
exceptions to the policies layed out in <ulink exceptions to the policies laid out in <ulink
url="shorewall6-policy.html">shorewall6-policy</ulink>(5). By default, url="shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
subsequent requests and responses are automatically allowed using subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the connection tracking. For any particular (source,dest) pair of zones, the
@ -138,7 +138,7 @@
role="bold">RELATED</emphasis> sections must be empty.</para> role="bold">RELATED</emphasis> sections must be empty.</para>
<para>An except is made if you are running Shorewall 4.4.27 or later and <para>An except is made if you are running Shorewall 4.4.27 or later and
you have specified a non-defualt value for RELATED_DISPOSITION or you have specified a non-default value for RELATED_DISPOSITION or
RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
section of this file.</para> section of this file.</para>
</warning> </warning>
@ -216,7 +216,7 @@
<para>Added in Shorewall 4.4.12. Causes addresses and/or port <para>Added in Shorewall 4.4.12. Causes addresses and/or port
numbers to be added to the named numbers to be added to the named
<replaceable>ipset</replaceable>. The <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tupple <replaceable>flags</replaceable> specify the address or tuple
to be added to the set and must match the type of ipset to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using or DESTINATION address can be added using
@ -333,10 +333,10 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.12. Causes an entry to be deleted <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tupple <replaceable>flags</replaceable> specify the address or tuple
to be deleted from the set and must match the type of ipset to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deletec using or DESTINATION address can be deleted using
<replaceable>flags</replaceable> <emphasis <replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in role="bold">dst</emphasis> respectively (see the -D command in
@ -482,7 +482,7 @@
<listitem> <listitem>
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
backend logging daemon via a netlink socket then continues to back end logging daemon via a netlink socket then continues to
the next rule. See <ulink the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
@ -662,7 +662,7 @@
<para>Beginning with Shorewall 4.4.13, you may use a <para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a <replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths url="shorewall-zones.html">shorewall-zones</ulink> (5). This
<replaceable>zone-list</replaceable> may be optionally followed by <replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as "+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para> well as inter-zone traffic.</para>
@ -711,8 +711,8 @@
bindings to be matched.</para> bindings to be matched.</para>
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;') firewall interface can be specified by an ampersand ('&amp;')
followed by the logican name of the interface as found in the followed by the logical name of the interface as found in the
INTERFACE column of <ulink INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall6-interfaces</ulink> url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
(5).</para> (5).</para>
@ -846,8 +846,8 @@
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para> url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a <para>Beginning with Shorewall6 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;') firewall interface can be specified by an ampersand ('&amp;')
followed by the logican name of the interface as found in the followed by the logical name of the interface as found in the
INTERFACE column of <ulink INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall6-interfaces</ulink> url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
(5).</para> (5).</para>
@ -915,7 +915,7 @@
<para>The <replaceable>port</replaceable> that the server is <para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modifiy the address by ":". If omitted, the firewall will not modify the
destination port. A destination port may only be included if the destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis role="bold">DNAT</emphasis> or <emphasis
@ -996,11 +996,11 @@
names (from services(5)), port numbers or port ranges; if the names (from services(5)), port numbers or port ranges; if the
protocol is <emphasis role="bold">icmp</emphasis>, this column is protocol is <emphasis role="bold">icmp</emphasis>, this column is
interpreted as the destination icmp-type(s). ICMP types may be interpreted as the destination icmp-type(s). ICMP types may be
specified as a numeric type, a numberic type and code separated by a specified as a numeric type, a numeric type and code separated by a
slash (e.g., 3/4), or a typename. See <ulink slash (e.g., 3/4), or a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>. url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
listsed.</para> listed.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>, <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading this column is interpreted as an ipp2p option without the leading
@ -1024,7 +1024,7 @@
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and ip6tables <para>2. No port ranges are included or your kernel and ip6tables
contain extended multiport match support.</para> contain extended multi-port match support.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1043,7 +1043,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
<warning> <warning>
@ -1063,7 +1063,7 @@
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and ip6tables <para>2. No port ranges are included or your kernel and ip6tables
contain extended multiport match support.</para> contain extended multi-port match support.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1095,7 +1095,7 @@
interval (<emphasis role="bold">sec</emphasis> or <emphasis interval (<emphasis role="bold">sec</emphasis> or <emphasis
role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
largest burst permitted. If no <emphasis>burst</emphasis> is given, largest burst permitted. If no <emphasis>burst</emphasis> is given,
a value of 5 is assumed. There may be no no whitespace embedded in a value of 5 is assumed. There may be no no white-space embedded in
the specification.</para> the specification.</para>
<para>Example: <emphasis role="bold">10/sec:20</emphasis></para> <para>Example: <emphasis role="bold">10/sec:20</emphasis></para>
@ -1244,7 +1244,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">TIME</emphasis> - <term><emphasis role="bold">TIME</emphasis> -
<emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term> <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>
<listitem> <listitem>
<para>May be used to limit the rule to a particular time period each <para>May be used to limit the rule to a particular time period each
@ -1472,7 +1472,7 @@
<para>Switch settings are retained over <command>shorewall6 <para>Switch settings are retained over <command>shorewall6
restart</command>.</para> restart</command>.</para>
<para>Beginning with Shoreawll 4.5.10, when the <para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is <option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the initialized to off or on respectively by the
@ -1645,7 +1645,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5), shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5),
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

8
Shorewall6/manpages/shorewall6-secmarks.xml
View File

@ -100,7 +100,7 @@
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term> {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
<listitem> <listitem>
<para>This column determines the CHAIN where the SElinux context is <para>This column determines the CHAIN where the SELinux context is
to be applied:</para> to be applied:</para>
<simplelist> <simplelist>
@ -243,7 +243,7 @@
<emphasis>port range</emphasis>s; if the protocol is <emphasis <emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
@ -274,7 +274,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -416,7 +416,7 @@ RESTORE I:ER</programlisting>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

6
Shorewall6/manpages/shorewall6-stoppedrules.xml
View File

@ -64,7 +64,7 @@
IP/subnet addresses. If your kernel and iptables include iprange IP/subnet addresses. If your kernel and iptables include iprange
match support, IP address ranges are also allowed. Ipsets and match support, IP address ranges are also allowed. Ipsets and
exclusion are also supported. When <option>$FW</option> or interface exclusion are also supported. When <option>$FW</option> or interface
are specified, the list must be preceeded by a colon (":").</para> are specified, the list must be preceded by a colon (":").</para>
<para>If left empty or supplied as "-", ::/0 is assumed.</para> <para>If left empty or supplied as "-", ::/0 is assumed.</para>
</listitem> </listitem>
@ -84,7 +84,7 @@
IP/subnet addresses. If your kernel and iptables include iprange IP/subnet addresses. If your kernel and iptables include iprange
match support, IP address ranges are also allowed. Ipsets and match support, IP address ranges are also allowed. Ipsets and
exclusion are also supported. When <option>$FW</option> or interface exclusion are also supported. When <option>$FW</option> or interface
are specified, the list must be preceeded by a colon (":").</para> are specified, the list must be preceded by a colon (":").</para>
<para>If left empty or supplied as "-", ::/0 is assumed.</para> <para>If left empty or supplied as "-", ::/0 is assumed.</para>
</listitem> </listitem>
@ -130,7 +130,7 @@
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

14
Shorewall6/manpages/shorewall6-tcclasses.xml
View File

@ -184,13 +184,13 @@
<replaceable>dmax</replaceable>, the maximum delay in milliseconds <replaceable>dmax</replaceable>, the maximum delay in milliseconds
that the first queued packet for this class should experience. May that the first queued packet for this class should experience. May
be expressed as an integer, optionally followed by 'ms' with no be expressed as an integer, optionally followed by 'ms' with no
intervening white space (e.g., 10ms).</para> intervening white-space (e.g., 10ms).</para>
<para>HFSC leaf classes may also specify <para>HFSC leaf classes may also specify
<replaceable>umax</replaceable>, the largest packet expected in this <replaceable>umax</replaceable>, the largest packet expected in this
class. May be expressed as an integer. The unit of measure is class. May be expressed as an integer. The unit of measure is
<emphasis>bytes</emphasis> and the integer may be optionally <emphasis>bytes</emphasis> and the integer may be optionally
followed by 'b' with no intervening white space (e.g., 800b). followed by 'b' with no intervening white-space (e.g., 800b).
<replaceable>umax</replaceable> may only be given if <replaceable>umax</replaceable> may only be given if
<replaceable>dmax</replaceable> is also given.</para> <replaceable>dmax</replaceable> is also given.</para>
@ -388,7 +388,7 @@
than a system having only a single active connection. The than a system having only a single active connection. The
<option>flow</option> classifier (module cls_flow) works <option>flow</option> classifier (module cls_flow) works
around this by letting you define what a 'flow' is. The around this by letting you define what a 'flow' is. The
clasifier must be used carefully or it can block off all classifier must be used carefully or it can block off all
traffic on an interface! The flow option can be specified for traffic on an interface! The flow option can be specified for
an HTB leaf class (one that has no sub-classes). We recommend an HTB leaf class (one that has no sub-classes). We recommend
that you use the following:</para> that you use the following:</para>
@ -425,7 +425,7 @@
<term>pfifo</term> <term>pfifo</term>
<listitem> <listitem>
<para>When specified for a leaf class, the pfifo queing <para>When specified for a leaf class, the pfifo queuing
discipline is applied to the class rather than the sfq queuing discipline is applied to the class rather than the sfq queuing
discipline.</para> discipline.</para>
</listitem> </listitem>
@ -671,8 +671,8 @@
minimum of 100kbps and always be serviced first (because of the low minimum of 100kbps and always be serviced first (because of the low
priority number, giving less delay) and will be granted excess priority number, giving less delay) and will be granted excess
bandwidth (up to 180kbps, the class ceiling) first, before any other bandwidth (up to 180kbps, the class ceiling) first, before any other
traffic. A single VOIP stream, depending upon codecs, after traffic. A single VoIP stream, depending upon codecs, after
encapsulation, can take up to 80kbps on a PPOE/DSL link, so we pad a encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
classes EF and AFF3-1 respectively and are often used by VOIP classes EF and AFF3-1 respectively and are often used by VOIP
devices).</para> devices).</para>
@ -725,7 +725,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

4
Shorewall6/manpages/shorewall6-tcdevices.xml
View File

@ -150,7 +150,7 @@
<para>What is described above creates a rate/burst policing filter. <para>What is described above creates a rate/burst policing filter.
Beginning with Shorewall 4.4.25, a rate-estimated policing filter Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used may be configured instead. Rate-estimated filters should be used
with ethernet adapters that have Generic Receive Offload enabled by with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink default. See <ulink
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para> 97a</ulink>.</para>
@ -292,7 +292,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5),

2
Shorewall6/manpages/shorewall6-tcfilters.xml
View File

@ -149,7 +149,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><option>tos-maximuze-throughput</option></para> <para><option>tos-maximize-throughput</option></para>
</listitem> </listitem>
<listitem> <listitem>

6
Shorewall6/manpages/shorewall6-tcinterfaces.xml
View File

@ -155,7 +155,7 @@
<para>If you don't want any traffic to be dropped, set this to a <para>If you don't want any traffic to be dropped, set this to a
value to zero in which case Shorewall will not create an ingress value to zero in which case Shorewall will not create an ingress
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is qdisc. Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para> non-empty.</para>
<para>The optional burst option was added in Shorewall 4.4.18. The <para>The optional burst option was added in Shorewall 4.4.18. The
@ -168,7 +168,7 @@
<para>What is described above creates a rate/burst policing filter. <para>What is described above creates a rate/burst policing filter.
Beginning with Shorewall 4.4.25, a rate-estimated policing filter Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used may be configured instead. Rate-estimated filters should be used
with ethernet adapters that have Generic Receive Offload enabled by with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink default. See <ulink
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para> 97a</ulink>.</para>
@ -221,7 +221,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5), shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5),

4
Shorewall6/manpages/shorewall6-tcpri.xml
View File

@ -131,7 +131,7 @@
[<replaceable>helper</replaceable>]</term> [<replaceable>helper</replaceable>]</term>
<listitem> <listitem>
<para>Optional. Names a Netfiler protocol helper module such as ftp, <para>Optional. Names a Netfilter protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number the helper module name (e.g., ftp-21) to specify the port number
@ -152,7 +152,7 @@
<para>PRIO(8), shorewall6(8), shorewall6-accounting(5), <para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5),

16
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -279,7 +279,7 @@
<term>CT</term> <term>CT</term>
<listitem> <listitem>
<para>Mark the connecdtion in the POSTROUTING chain</para> <para>Mark the connection in the POSTROUTING chain</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -393,7 +393,7 @@
<listitem> <listitem>
<para><emphasis role="bold">DIVERT</emphasis></para> <para><emphasis role="bold">DIVERT</emphasis></para>
<para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed <para>Added in Shorewall 4.5.3. Two DIVERT rule should precede
the TPROXY rule and should select DEST PORT tcp 80 and SOURCE the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
PORT tcp 80 respectively (assuming that tcp port 80 is being PORT tcp 80 respectively (assuming that tcp port 80 is being
proxied). DIVERT avoids sending packets to the TPROXY target proxied). DIVERT avoids sending packets to the TPROXY target
@ -731,7 +731,7 @@ Normal-Service =&gt; 0x00</programlisting>
iprange match support, IP address ranges are also allowed. List iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
<emphasis role="bold">ACTION</emphasis> column specificies a <emphasis role="bold">ACTION</emphasis> column specifies a
classification of the form classification of the form
<emphasis>major</emphasis>:<emphasis>minor</emphasis> then this <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
column may also contain an interface name.</para> column may also contain an interface name.</para>
@ -779,7 +779,7 @@ Normal-Service =&gt; 0x00</programlisting>
<emphasis>port range</emphasis>s; if the protocol is <emphasis <emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">ipv6-icmp</emphasis>, this column is interpreted as the role="bold">ipv6-icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or type, a numeric type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
@ -814,7 +814,7 @@ Normal-Service =&gt; 0x00</programlisting>
column, provided that the DEST PORT(S) column is non-empty. This column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multiport match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1001,7 +1001,7 @@ Normal-Service =&gt; 0x00</programlisting>
</emphasis><emphasis>helper</emphasis></term> </emphasis><emphasis>helper</emphasis></term>
<listitem> <listitem>
<para>Optional. Names a Netfiler protocol <para>Optional. Names a Netfilter protocol
<firstterm>helper</firstterm> module such as <option>ftp</option>, <firstterm>helper</firstterm> module such as <option>ftp</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will <option>sip</option>, <option>amanda</option>, etc. A packet will
match if it was accepted by the named helper module.</para> match if it was accepted by the named helper module.</para>
@ -1151,7 +1151,7 @@ Normal-Service =&gt; 0x00</programlisting>
4 ::/0 ::/0 ipp2p:all 4 ::/0 ::/0 ipp2p:all
SAVE ::/0 ::/0 all - - - !0</programlisting> SAVE ::/0 ::/0 all - - - !0</programlisting>
<para>If a packet hasn't been classifed (packet mark is 0), copy the <para>If a packet hasn't been classified (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set, we're connection mark to the packet mark. If the packet mark is set, we're
done. If the packet is P2P, set the packet mark to 4. If the packet done. If the packet is P2P, set the packet mark to 4. If the packet
mark has been set, save it to the connection mark.</para> mark has been set, save it to the connection mark.</para>
@ -1184,7 +1184,7 @@ Normal-Service =&gt; 0x00</programlisting>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-template.xml
View File

@ -54,7 +54,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),

2
Shorewall6/manpages/shorewall6-tos.xml
View File

@ -170,7 +170,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-tunnels.xml
View File

@ -244,7 +244,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

2
Shorewall6/manpages/shorewall6-vardir.xml
View File

@ -55,7 +55,7 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

8
Shorewall6/manpages/shorewall6-zones.xml
View File

@ -134,7 +134,7 @@ c:a,b ipv6</programlisting>
default if you leave this column empty or if you enter "-" in default if you leave this column empty or if you enter "-" in
the column. Communication with some zone hosts may be the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the encrypted. Encrypted hosts are designated using the
'ipsec'option in <ulink 'ipsec' option in <ulink
url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para> url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -211,8 +211,8 @@ c:a,b ipv6</programlisting>
<para>When specified in the IN_OPTIONS column, causes all <para>When specified in the IN_OPTIONS column, causes all
traffic from this zone to be passed against the <emphasis traffic from this zone to be passed against the <emphasis
role="bold">src</emphasis> entries in s<ulink role="bold">src</emphasis> entries in <ulink
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para> url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5).</para>
<para>When specified in the OUT_OPTIONS column, causes all <para>When specified in the OUT_OPTIONS column, causes all
traffic to this zone to be passed against the <emphasis traffic to this zone to be passed against the <emphasis
@ -358,7 +358,7 @@ c:a,b ipv6</programlisting>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-maclist(5), shorewall6-nesting(8),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

32
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -28,7 +28,7 @@
<para>The file consists of Shell comments (lines beginning with '#'), <para>The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements blank lines and assignment statements
(<emphasis>variable</emphasis>=<emphasis>value</emphasis>). If the (<emphasis>variable</emphasis>=<emphasis>value</emphasis>). If the
<emphasis>value</emphasis> contains shell metacharacters or white-space, <emphasis>value</emphasis> contains shell meta characters or white-space,
then it must be enclosed in quotes. Example: then it must be enclosed in quotes. Example:
LOG_LEVEL="NFLOG(1,0,1)".</para> LOG_LEVEL="NFLOG(1,0,1)".</para>
</refsect1> </refsect1>
@ -59,7 +59,7 @@
<para>For most Shorewall6 logging, a level of 6 (info) is appropriate. <para>For most Shorewall6 logging, a level of 6 (info) is appropriate.
Shorewall6 log messages are generated by NetFilter and are logged using Shorewall6 log messages are generated by NetFilter and are logged using
facility 'kern' and the level that you specifify. If you are unsure of the facility 'kern' and the level that you specify. If you are unsure of the
level to choose, 6 (info) is a safe bet. You may specify levels by name or level to choose, 6 (info) is a safe bet. You may specify levels by name or
by number.</para> by number.</para>
@ -385,7 +385,7 @@
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticably if you have large (will slow down your firewall noticeably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para> the empty value then BLACKLISTNEWONLY=No is assumed.</para>
@ -660,7 +660,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
'loc2net' chain.</para> 'loc2net' chain.</para>
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink or RELATED sections of <ulink
@ -1033,7 +1033,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<filename>/etc/shorewall6</filename> are compare with that of <filename>/etc/shorewall6</filename> are compare with that of
<filename>/var/lib/shorewall6/restore</filename>). If set to No, <filename>/var/lib/shorewall6/restore</filename>). If set to No,
then the times are compared with that of then the times are compared with that of
/var/lib/shorewall6/firewall, which is consistant with the way that /var/lib/shorewall6/firewall, which is consistent with the way that
<command>restart -f</command> works.</para> <command>restart -f</command> works.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1501,7 +1501,7 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct <para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
utiliity. If not specified, Shorewall will use the PATH settting to utility. If not specified, Shorewall will use the PATH setting to
find the program.</para> find the program.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1541,7 +1541,7 @@ LOG:info:,bar net fw</programlisting>
<para>Optimization category 2 - Added in Shorewall 4.4.7. When <para>Optimization category 2 - Added in Shorewall 4.4.7. When
set, suppresses superfluous ACCEPT rules in a policy chain that set, suppresses superfluous ACCEPT rules in a policy chain that
implements an ACCEPT policy. Any ACCEPT rules that immediately implements an ACCEPT policy. Any ACCEPT rules that immediately
preceed the final blanket ACCEPT rule in the chain are now precede the final blanket ACCEPT rule in the chain are now
omitted.</para> omitted.</para>
</listitem> </listitem>
@ -1628,7 +1628,7 @@ LOG:info:,bar net fw</programlisting>
compatible if they differ only in their destination ports and compatible if they differ only in their destination ports and
comments.</para> comments.</para>
<para>A sequence of combatible rules is often generated when <para>A sequence of compatible rules is often generated when
macros are invoked in sequence.</para> macros are invoked in sequence.</para>
<para>The ability to combine adjacent rules is limited by two <para>The ability to combine adjacent rules is limited by two
@ -1643,12 +1643,12 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Rules may only be combined until the length of their <para>Rules may only be combined until the length of their
concatinated comment reaches 255 characters.</para> concatenated comment reaches 255 characters.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>When either of these limits would be exceeded, the current <para>When either of these limits would be exceeded, the current
combined rule is emitted and the compiler attemts to combine combined rule is emitted and the compiler attempts to combine
rules beginning with the one that would have exceeded the limit. rules beginning with the one that would have exceeded the limit.
Adjacent combined comments are separated by ', '. Empty comments Adjacent combined comments are separated by ', '. Empty comments
at the front of a group of combined comments are replaced by at the front of a group of combined comments are replaced by
@ -1680,7 +1680,7 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Rules with comments &lt;empty&gt;, "FOO" and "BAR" <para>Rules with comments &lt;empty&gt;, "FOO" and "BAR"
would reult in the combined comment "Others and FOO, BAR". would result in the combined comment "Others and FOO, BAR".
Note: Optimize level 16 requires "Extended Multi-port Note: Optimize level 16 requires "Extended Multi-port
Match" in your iptables and kernel.</para> Match" in your iptables and kernel.</para>
</listitem> </listitem>
@ -1771,7 +1771,7 @@ LOG:info:,bar net fw</programlisting>
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para>Eariler generations of Shorewall6 Lite required that remote <para>Earlier generations of Shorewall6 Lite required that remote
root login via ssh be enabled in order to use the root login via ssh be enabled in order to use the
<command>load</command> and <command>reload</command> commands. <command>load</command> and <command>reload</command> commands.
Beginning with release 3.9.5, you may define an alternative means Beginning with release 3.9.5, you may define an alternative means
@ -1787,7 +1787,7 @@ LOG:info:,bar net fw</programlisting>
<member>RCP_COMMAND: scp ${files} <member>RCP_COMMAND: scp ${files}
${root}@${system}:${destination}</member> ${root}@${system}:${destination}</member>
</simplelist>Shell variables that will be set when the commands </simplelist>Shell variables that will be set when the commands
are envoked are as follows:<simplelist> are invoked are as follows:<simplelist>
<member><replaceable>root</replaceable> - root user. Normally <member><replaceable>root</replaceable> - root user. Normally
<option>root</option> but may be overridden using the '-r' <option>root</option> but may be overridden using the '-r'
option.</member> option.</member>
@ -2020,7 +2020,7 @@ LOG:info:,bar net fw</programlisting>
stops. Creating and removing this file allows Shorewall6 to work stops. Creating and removing this file allows Shorewall6 to work
with your distribution's initscripts. For RedHat, this should be set with your distribution's initscripts. For RedHat, this should be set
to /var/lock/subsys/shorewall6. For Debian, the value is to /var/lock/subsys/shorewall6. For Debian, the value is
/var/lock/shorewall6 and in LEAF it is /var/run/shorwall.</para> /var/lock/shorewall6 and in LEAF it is /var/run/shorewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2281,7 +2281,7 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a <para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
Netfilter chain that relates to an interface, it uses the Netfilter chain that relates to an interface, it uses the
interfaces's logical name as the base of the chain name. For interface's logical name as the base of the chain name. For
example, if the logical name for an interface is OAKLAND, then the example, if the logical name for an interface is OAKLAND, then the
input chain for traffic arriving on that interface would be input chain for traffic arriving on that interface would be
'OAKLAND_in'. If this option is set to Yes, then the physical name 'OAKLAND_in'. If this option is set to Yes, then the physical name
@ -2415,7 +2415,7 @@ LOG:info:,bar net fw</programlisting>
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-nat(5), shorewall6-netmap(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),

20
Shorewall6/manpages/shorewall6.xml
View File

@ -637,7 +637,7 @@
<emphasis role="bold">q</emphasis> subtracts one from the effective <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY. followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
There may be no white space between <emphasis role="bold">v</emphasis> and There may be no white-space between <emphasis role="bold">v</emphasis> and
the VERBOSITY.</para> the VERBOSITY.</para>
<para>The <emphasis>options</emphasis> may also include the letter <para>The <emphasis>options</emphasis> may also include the letter
@ -699,7 +699,7 @@
<term><emphasis role="bold">check</emphasis></term> <term><emphasis role="bold">check</emphasis></term>
<listitem> <listitem>
<para>Compiles the configuraton in the specified <para>Compiles the configuration in the specified
<emphasis>directory</emphasis> and discards the compiled output <emphasis>directory</emphasis> and discards the compiled output
script. If no <emphasis>directory</emphasis> is given, then script. If no <emphasis>directory</emphasis> is given, then
/etc/shorewall6 is assumed.</para> /etc/shorewall6 is assumed.</para>
@ -757,7 +757,7 @@
<para>When -e is specified, the compilation is being performed on a <para>When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option system other than where the compiled script will run. This option
disables certain configuration options that require the script to be disables certain configuration options that require the script to be
compiled where it is to be run. The use of -e requires the presense compiled where it is to be run. The use of -e requires the presence
of a configuration file named <filename>capabilities</filename> of a configuration file named <filename>capabilities</filename>
which may be produced using the command <emphasis which may be produced using the command <emphasis
role="bold">shorewall6-lite show -f capabilities &gt; role="bold">shorewall6-lite show -f capabilities &gt;
@ -897,7 +897,7 @@
<term><emphasis role="bold">forget</emphasis></term> <term><emphasis role="bold">forget</emphasis></term>
<listitem> <listitem>
<para>Deletes /var/lib/shorewall6/<emphasis>filenam</emphasis>e and <para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
/var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is /var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
given then the file specified by RESTOREFILE in <ulink given then the file specified by RESTOREFILE in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) is url="shorewall6.conf.html">shorewall6.conf</ulink>(5) is
@ -926,7 +926,7 @@
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with <para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from facility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall has no control over where the messages go; consult your Shorewall has no control over where the messages go; consult your
logging daemon's documentation.</para> logging daemon's documentation.</para>
@ -1030,7 +1030,7 @@
<para>The <replaceable>iptables match expression</replaceable> must <para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being be one given in the <command>iptrace</command> command being
cancelled.</para> canceled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1327,7 +1327,7 @@
<term><emphasis role="bold">config</emphasis></term> <term><emphasis role="bold">config</emphasis></term>
<listitem> <listitem>
<para>Dispays distribution-specific defaults.</para> <para>Displays distribution-specific defaults.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1455,7 +1455,7 @@
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option <para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
was added to <ulink was added to <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When
LEGACY_FASTSTART=No, the modificaiotn times of files in LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall6 are compared with that of /etc/shorewall6 are compared with that of
/var/lib/shorewall6/firewall (the compiled script that last /var/lib/shorewall6/firewall (the compiled script that last
started/restarted the firewall).</para> started/restarted the firewall).</para>
@ -1513,7 +1513,7 @@
<replaceable>directory</replaceable>; otherwise, a <emphasis <replaceable>directory</replaceable>; otherwise, a <emphasis
role="bold">start</emphasis> command is performed using the role="bold">start</emphasis> command is performed using the
specified configuration <replaceable>directory</replaceable>. if an specified configuration <replaceable>directory</replaceable>. if an
error occurs during the compliation phase of the <emphasis error occurs during the compilation phase of the <emphasis
role="bold">restart</emphasis> or <emphasis role="bold">restart</emphasis> or <emphasis
role="bold">start</emphasis>, the command terminates without role="bold">start</emphasis>, the command terminates without
changing the Shorewall6 state. If an error occurs during the changing the Shorewall6 state. If an error occurs during the
@ -1602,7 +1602,7 @@
<para>shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),