mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
Corrections in the shorewall[6].conf manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
31d35e0cbd
commit
a05b957498
@ -307,6 +307,9 @@
|
|||||||
that were active when Shorewall stopped continue to work and
|
that were active when Shorewall stopped continue to work and
|
||||||
all new connections from the firewall system itself are
|
all new connections from the firewall system itself are
|
||||||
allowed.</para>
|
allowed.</para>
|
||||||
|
|
||||||
|
<para>Note that the routestopped file is not supported in
|
||||||
|
Shorewall 5.0 and later versions.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
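Review bot: the added paragraph states that the routestopped file is not supported in Shorewall 5.0 and later, but not what a 5.x reader should use instead, so the note leaves them without a pointer; suggest adding a cross-reference in the form this page already uses (`<ulink url="/manpages/...">...</ulink>(5)`) to the manpage of the replacement file, right after "Shorewall 5.0 and later versions."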
@ -481,8 +484,8 @@
|
|||||||
|
|
||||||
<para>ALL sends all packets through the blacklist chains.</para>
|
<para>ALL sends all packets through the blacklist chains.</para>
|
||||||
|
|
||||||
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
<para>Note: The ESTABLISHED state may not be specified if
|
||||||
is specified.</para>
|
FASTACCEPT=Yes is specified.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -577,13 +580,14 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||||
then Shorewall won't clear the current traffic control rules during
|
then Shorewall won't clear the current traffic control rules during
|
||||||
[re]start. This setting is intended for use by people who prefer to
|
[<command>re</command>]<command>start</command> or
|
||||||
configure traffic shaping when the network interfaces come up rather
|
<command>reload</command>. This setting is intended for use by
|
||||||
than when the firewall is started. If that is what you want to do,
|
people who prefer to configure traffic shaping when the network
|
||||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
interfaces come up rather than when the firewall is started. If that
|
||||||
/etc/shorewall/tcstart file. That way, your traffic shaping rules
|
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
|
||||||
can still use the “fwmark” classifier based on packet marking
|
not supply an /etc/shorewall/tcstart file. That way, your traffic
|
||||||
defined in <ulink
|
shaping rules can still use the “fwmark” classifier based on packet
|
||||||
|
marking defined in <ulink
|
||||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
||||||
If not specified, CLEAR_TC=Yes is assumed.</para>
|
If not specified, CLEAR_TC=Yes is assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -677,8 +681,8 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If set to Yes (the default value), entries in the
|
<para>If set to Yes (the default value), entries in the
|
||||||
/etc/shorewall/route_stopped files cause an 'ip rule del' command to
|
/etc/shorewall/rtrules files cause an 'ip rule del' command to be
|
||||||
be generated in addition to an 'ip rule add' command. Setting this
|
generated in addition to an 'ip rule add' command. Setting this
|
||||||
option to No, causes the 'ip rule del' command to be omitted.</para>
|
option to No, causes the 'ip rule del' command to be omitted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
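Review bot: "/etc/shorewall/rtrules files" keeps the plural from the old "route_stopped files" while naming a single file, and the corresponding shorewall6 hunk in this same commit says "rtrules file"; make the two manpages agree (singular). While the sentence is being rewrapped, the comma in the unchanged context "Setting this option to No, causes" separates subject from verb and should be dropped.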
@ -829,7 +833,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
helpers file from the administrative system into the script. When
|
helpers file from the administrative system into the script. When
|
||||||
set to No or not specified, the compiler will not copy the modules
|
set to No or not specified, the compiler will not copy the modules
|
||||||
or helpers file from <filename>/usr/share/shorewall</filename> but
|
or helpers file from <filename>/usr/share/shorewall</filename> but
|
||||||
will copy the found in another location on the CONFIG_PATH.</para>
|
will copy those found in another location on the CONFIG_PATH.</para>
|
||||||
|
|
||||||
<para>When compiling for direct use by Shorewall, causes the
|
<para>When compiling for direct use by Shorewall, causes the
|
||||||
contents of the local module or helpers file to be copied into the
|
contents of the local module or helpers file to be copied into the
|
||||||
@ -863,7 +867,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
|
<para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
|
||||||
cleared the packet mark in the first rule in the mangle FORWARD
|
cleared the packet mark in the first rule in the mangle FORWARD
|
||||||
chain. This behavior is maintained with the default setting of this
|
chain. This behavior is maintained with the default setting of this
|
||||||
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
||||||
@ -2194,18 +2198,18 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
#TARGET SOURCE DEST PROTO
|
#TARGET SOURCE DEST PROTO
|
||||||
Broadcast(DROP) - - -
|
Broadcast(DROP) - - -
|
||||||
DROP - - 2
|
DROP - - 2
|
||||||
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
|
INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
|
||||||
?if __ENHANCED_REJECT
|
?if __ENHANCED_REJECT
|
||||||
INLINE - - 17 ; -j REJECT
|
INLINE - - 17 ;; -j REJECT
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
|
INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
|
||||||
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
|
INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
|
||||||
?else
|
?else
|
||||||
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
|
INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
|
||||||
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
|
INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
|
||||||
?endif
|
?endif
|
||||||
?else
|
?else
|
||||||
INLINE - - - ; -j REJECT
|
INLINE - - - ;; -j REJECT
|
||||||
?endif</programlisting>
|
?endif</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
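Review bot: every INLINE line in the example changes its separator from `;` to `;;` (e.g. `INLINE - - 6 ;; -j REJECT --reject-with tcp-reset`), but no context line in the hunk explains what distinguishes the two separators or why the double form is required in this listing; without a sentence before the `<programlisting>` saying which separator INLINE expects and what follows it, a reader will take `;;` for a typo and "correct" it back.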
@ -2275,7 +2279,7 @@ INLINE - - - ; -j REJECT
|
|||||||
restored unconditionally at the top of the mangle OUTPUT and
|
restored unconditionally at the top of the mangle OUTPUT and
|
||||||
PREROUTING chains, even if the saved mark is zero. When this option
|
PREROUTING chains, even if the saved mark is zero. When this option
|
||||||
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
||||||
even when it is zero. If you have problems with IPSEC ESP packets
|
only if it is non-zero. If you have problems with IPSEC ESP packets
|
||||||
not being routed correctly on output, try setting this option to
|
not being routed correctly on output, try setting this option to
|
||||||
<emphasis role="bold">No</emphasis>.</para>
|
<emphasis role="bold">No</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2451,10 +2455,9 @@ INLINE - - - ; -j REJECT
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This option is used to specify the shell program to be used to
|
<para>This option is used to specify the shell program to be used to
|
||||||
run the Shorewall compiler and to interpret the compiled script. If
|
interpret the compiled script. If not specified or specified as a
|
||||||
not specified or specified as a null value, /bin/sh is assumed.
|
null value, /bin/sh is assumed. Using a light-weight shell such as
|
||||||
Using a light-weight shell such as ash or dash can significantly
|
ash or dash can significantly improve performance.</para>
|
||||||
improve performance.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
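Review bot: removing "run the Shorewall compiler and to" narrows what this option is documented to control to interpreting the compiled script only; if that is the intent, an explicit clause that the setting has no effect on how the compiler itself is run would stop readers of the older manpage from carrying over the previous meaning. The rewrapped sentence about ash/dash improving performance is consistent with the narrower scope.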
@ -239,6 +239,9 @@
|
|||||||
that were active when Shorewall stopped continue to work and
|
that were active when Shorewall stopped continue to work and
|
||||||
all new connections from the firewall system itself are
|
all new connections from the firewall system itself are
|
||||||
allowed.</para>
|
allowed.</para>
|
||||||
|
|
||||||
|
<para>Note that the routestopped file is not supported in
|
||||||
|
Shorewall 5.0 and later versions.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -497,13 +500,14 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||||
then Shorewall6 won't clear the current traffic control rules during
|
then Shorewall6 won't clear the current traffic control rules during
|
||||||
[re]start. This setting is intended for use by people that prefer to
|
[<command>re</command>]<command>start</command> or
|
||||||
configure traffic shaping when the network interfaces come up rather
|
<command>reload</command>. This setting is intended for use by
|
||||||
than when the firewall is started. If that is what you want to do,
|
people that prefer to configure traffic shaping when the network
|
||||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
interfaces come up rather than when the firewall is started. If that
|
||||||
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
|
||||||
can still use the “fwmark” classifier based on packet marking
|
not supply an /etc/shorewall6/tcstart file. That way, your traffic
|
||||||
defined in <ulink
|
shaping rules can still use the “fwmark” classifier based on packet
|
||||||
|
marking defined in <ulink
|
||||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||||
If not specified, CLEAR_TC=No is assumed.</para>
|
If not specified, CLEAR_TC=No is assumed.</para>
|
||||||
|
|
||||||
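Review bot: the rewrapped text keeps "people that prefer" whereas the identical paragraph in the shorewall.conf hunk of this commit reads "people who prefer"; align the wording. Also the unchanged context line "If not specified, CLEAR_TC=No is assumed." contradicts the shorewall.conf counterpart, which says "CLEAR_TC=Yes is assumed"; confirm that the IPv6 default really differs, and if not, fix it while this paragraph is being edited.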
@ -604,10 +608,9 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If set to Yes (the default value), entries in the
|
<para>If set to Yes (the default value), entries in the
|
||||||
/etc/shorewall6/route_stopped files cause an 'ip rule del' command
|
/etc/shorewall6/rtrules file cause an 'ip rule del' command to be
|
||||||
to be generated in addition to an 'ip rule add' command. Setting
|
generated in addition to an 'ip rule add' command. Setting this
|
||||||
this option to No, causes the 'ip rule del' command to be
|
option to No, causes the 'ip rule del' command to be omitted.</para>
|
||||||
omitted.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -691,7 +694,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
helpers file from the administrative system into the script. When
|
helpers file from the administrative system into the script. When
|
||||||
set to No or not specified, the compiler will not copy the modules
|
set to No or not specified, the compiler will not copy the modules
|
||||||
or helpers file from <filename>/usr/share/shorewall6</filename> but
|
or helpers file from <filename>/usr/share/shorewall6</filename> but
|
||||||
will copy the found in another location on the CONFIG_PATH.</para>
|
will copy those found in another location on the CONFIG_PATH.</para>
|
||||||
|
|
||||||
<para>When compiling for direct use by Shorewall6, causes the
|
<para>When compiling for direct use by Shorewall6, causes the
|
||||||
contents of the local module or helpers file to be copied into the
|
contents of the local module or helpers file to be copied into the
|
||||||
@ -725,7 +728,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
|
<para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
|
||||||
cleared the packet mark in the first rule in the mangle FORWARD
|
cleared the packet mark in the first rule in the mangle FORWARD
|
||||||
chain. This behavior is maintained with the default setting of this
|
chain. This behavior is maintained with the default setting of this
|
||||||
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
||||||
@ -1922,18 +1925,18 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
#TARGET SOURCE DEST PROTO
|
#TARGET SOURCE DEST PROTO
|
||||||
Broadcast(DROP) - - -
|
Broadcast(DROP) - - -
|
||||||
DROP - - 2
|
DROP - - 2
|
||||||
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
|
INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
|
||||||
?if __ENHANCED_REJECT
|
?if __ENHANCED_REJECT
|
||||||
INLINE - - 17 ; -j REJECT
|
INLINE - - 17 ;; -j REJECT
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
|
INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
|
||||||
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
|
INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
|
||||||
?else
|
?else
|
||||||
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
|
INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
|
||||||
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
|
INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
|
||||||
?endif
|
?endif
|
||||||
?else
|
?else
|
||||||
INLINE - - - ; -j REJECT
|
INLINE - - - ;; -j REJECT
|
||||||
?endif</programlisting>
|
?endif</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
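Review bot: as in the shorewall.conf hunk, the `;` to `;;` separator change in every INLINE line has no accompanying explanation in the context lines. In addition, this example in the IPv6 manpage still contains an `?if __IPV4` branch with `icmp-host-unreachable` and `icmp-host-prohibited`; if the listing is meant as a generic action template shared by both products, a sentence saying so would help, otherwise the shorewall6 version should show only the `?else` (ICMPv6) branch.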
@ -1982,7 +1985,7 @@ INLINE - - - ; -j REJECT
|
|||||||
restored unconditionally at the top of the mangle OUTPUT and
|
restored unconditionally at the top of the mangle OUTPUT and
|
||||||
PREROUTING chains, even if the saved mark is zero. When this option
|
PREROUTING chains, even if the saved mark is zero. When this option
|
||||||
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
||||||
even when it is zero. If you have problems with IPSEC ESP packets
|
only if it is non-zero. If you have problems with IPSEC ESP packets
|
||||||
not being routed correctly on output, try setting this option to
|
not being routed correctly on output, try setting this option to
|
||||||
<emphasis role="bold">No</emphasis>.</para>
|
<emphasis role="bold">No</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||