mirror of
https://gitlab.com/shorewall/code.git
synced 2025-04-02 20:06:49 +02:00
More formatting fixes for manpages
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7311 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
428f4aabf1
commit
a06ad0e518
@ -137,6 +137,8 @@ loc eth2 -</programlisting>
|
|||||||
will be the value specified (if any) or 1 if no value is
|
will be the value specified (if any) or 1 if no value is
|
||||||
given.</para>
|
given.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option does not work with a wild-card
|
<para>This option does not work with a wild-card
|
||||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||||
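Review bot: the `<para></para>` inserted between `given.</para>` and `<note>` is an empty paragraph whose only purpose is to force vertical space in the manpage rendering; an empty `para` is a presentational hack that every other output format also has to carry. Suggest fixing the spacing in the manpage stylesheet instead, which would also avoid repeating the same insertion before each `<note>` and `<warning>` in this commit.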
@ -168,12 +170,16 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>8 - do not reply for all local addresses</para>
|
<para>8 - do not reply for all local addresses</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option does not work with a wild-card
|
<para>This option does not work with a wild-card
|
||||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||||
the INTERFACE column.</para>
|
the INTERFACE column.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Do not specify <emphasis
|
<para>Do not specify <emphasis
|
||||||
role="bold">arp_ignore</emphasis> for any interface involved
|
role="bold">arp_ignore</emphasis> for any interface involved
|
||||||
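Review bot: the note text "This option does not work with a wild-card `<replaceable>interface</replaceable>` name (e.g., eth0.+) in the INTERFACE column" appears verbatim under several options in this file (this hunk, the hunks at -137, -281, -438 and -472). Suggest defining it once as an entity or shared fragment so a future wording change (or a change in what wild-card names support) only has to be made in one place.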
@ -210,6 +216,8 @@ loc eth2 -</programlisting>
|
|||||||
to include only those hosts routed through the
|
to include only those hosts routed through the
|
||||||
interface.</para>
|
interface.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Do not set the <emphasis
|
<para>Do not set the <emphasis
|
||||||
role="bold">detectnets</emphasis> option on your internet
|
role="bold">detectnets</emphasis> option on your internet
|
||||||
@ -281,6 +289,8 @@ loc eth2 -</programlisting>
|
|||||||
1
|
1
|
||||||
teastep@lists:~$ </programlisting>
|
teastep@lists:~$ </programlisting>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option does not work with a wild-card
|
<para>This option does not work with a wild-card
|
||||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||||
@ -368,20 +378,26 @@ loc eth2 -</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>I specify <option>optional</option> on interfaces to Xen
|
<para></para>
|
||||||
virtual machines that may or may not be running when Shorewall
|
|
||||||
is [re]started.</para>
|
|
||||||
|
|
||||||
<caution>
|
<blockquote>
|
||||||
<para>Use <option>optional</option> at your own risk. If you
|
<para>I specify <option>optional</option> on interfaces to
|
||||||
[re]start Shorewall when an 'optional' interface is not
|
Xen virtual machines that may or may not be running when
|
||||||
available and then do a <command>shorewall save</command>,
|
Shorewall is [re]started.</para>
|
||||||
subsequent <command>shorewall restore</command> and
|
|
||||||
<command>shorewall -f start</command> operations will
|
<para></para>
|
||||||
instantiate a ruleset that does not support that interface,
|
|
||||||
even if it is available at the time of the
|
<caution>
|
||||||
restore/start.</para>
|
<para>Use <option>optional</option> at your own risk. If
|
||||||
</caution>
|
you [re]start Shorewall when an 'optional' interface is
|
||||||
|
not available and then do a <command>shorewall
|
||||||
|
save</command>, subsequent <command>shorewall
|
||||||
|
restore</command> and <command>shorewall -f
|
||||||
|
start</command> operations will instantiate a ruleset that
|
||||||
|
does not support that interface, even if it is available
|
||||||
|
at the time of the restore/start.</para>
|
||||||
|
</caution>
|
||||||
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
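Review bot: the caution's advice "Use `<option>optional</option>` at your own risk" is vague for a reference page; the paragraph already explains the failure (a `shorewall save` taken while the interface is absent is replayed by `shorewall restore` and `shorewall -f start` without that interface), so suggest also stating the remedy, i.e. re-run `shorewall save` once the interface is available. Separately, "I specify `<option>optional</option>` on interfaces to Xen virtual machines" is first-person in a manpage; suggest "`<option>optional</option>` is useful on interfaces to Xen virtual machines that may or may not be running when Shorewall is [re]started." Wrapping both paragraphs in `<blockquote>` for indentation is also a semantic misuse of the element.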
@ -397,12 +413,14 @@ loc eth2 -</programlisting>
|
|||||||
This option is intended solely for use with Proxy ARP
|
This option is intended solely for use with Proxy ARP
|
||||||
sub-networking as described at: <ulink
|
sub-networking as described at: <ulink
|
||||||
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
||||||
</ulink><note>
|
</ulink></para>
|
||||||
<para>This option does not work with a wild-card
|
|
||||||
<replaceable>interface</replaceable> name (e.g., eth0.+)
|
<para><emphasis role="bold">Note</emphasis>: This option does
|
||||||
in the INTERFACE column.</para>
|
not work with a wild-card <replaceable>interface</replaceable>
|
||||||
</note>The option value (0 or 1) may only be specified if
|
name (e.g., eth0.+) in the INTERFACE column.</para>
|
||||||
you are using Shorewall-perl. With Shorewall-perl, only those
|
|
||||||
|
<para>The option value (0 or 1) may only be specified if you
|
||||||
|
are using Shorewall-perl. With Shorewall-perl, only those
|
||||||
interfaces with the <option>proxyarp</option> option will have
|
interfaces with the <option>proxyarp</option> option will have
|
||||||
their setting changes; the value assigned to the setting will
|
their setting changes; the value assigned to the setting will
|
||||||
be the value specified (if any) or 1 if no value is
|
be the value specified (if any) or 1 if no value is
|
||||||
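Review bot: the trailing period is inside the link text (`...index.html.</ulink>`), so it becomes part of the rendered link; move it after `</ulink>`. In the unchanged context below, "only those interfaces with the `<option>proxyarp</option>` option will have their setting changes" should read "their setting changed". The split of the inline `<note>` into a separate "Note:" paragraph is otherwise fine, but see the hunk at -316 for the inconsistent handling of admonitions across this commit.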
@ -438,6 +456,8 @@ loc eth2 -</programlisting>
|
|||||||
will be the value specified (if any) or 1 if no value is
|
will be the value specified (if any) or 1 if no value is
|
||||||
given.</para>
|
given.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option does not work with a wild-card
|
<para>This option does not work with a wild-card
|
||||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||||
@ -472,6 +492,8 @@ loc eth2 -</programlisting>
|
|||||||
will be the value specified (if any) or 1 if no value is
|
will be the value specified (if any) or 1 if no value is
|
||||||
given.</para>
|
given.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option does not work with a wild-card
|
<para>This option does not work with a wild-card
|
||||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||||
|
@ -108,6 +108,8 @@
|
|||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>The Shorewall implementation of Multi-ISP support assumes
|
<para>The Shorewall implementation of Multi-ISP support assumes
|
||||||
that each provider has its own interface.</para>
|
that each provider has its own interface.</para>
|
||||||
|
@ -207,6 +207,8 @@
|
|||||||
<para>This is the default class for that interface where all
|
<para>This is the default class for that interface where all
|
||||||
traffic should go, that is not classified otherwise.</para>
|
traffic should go, that is not classified otherwise.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>You must define <emphasis
|
<para>You must define <emphasis
|
||||||
role="bold">default</emphasis> for exactly one class per
|
role="bold">default</emphasis> for exactly one class per
|
||||||
@ -265,6 +267,8 @@
|
|||||||
limited to 64 bytes because we want only packets WITHOUT
|
limited to 64 bytes because we want only packets WITHOUT
|
||||||
payload to match.</para>
|
payload to match.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option is only valid for ONE class per
|
<para>This option is only valid for ONE class per
|
||||||
interface.</para>
|
interface.</para>
|
||||||
|
@ -140,6 +140,8 @@
|
|||||||
speed you can refer as "full" if you define the tc classes in <ulink
|
speed you can refer as "full" if you define the tc classes in <ulink
|
||||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
||||||
Outgoing traffic above this rate will be dropped.</para>
|
Outgoing traffic above this rate will be dropped.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
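Review bot: the `<para></para>` added immediately before `</listitem>` adds trailing space at the end of the entry and nothing else; suggest dropping it. In the unchanged context, "speed you can refer as "full"" should read "the speed you can refer to as "full"".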
@ -95,20 +95,14 @@
|
|||||||
nor <emphasis role="bold">:T</emphasis> follow the mark value
|
nor <emphasis role="bold">:T</emphasis> follow the mark value
|
||||||
then the chain is determined as follows:</para>
|
then the chain is determined as follows:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<para>- If the SOURCE is <emphasis
|
||||||
<listitem>
|
role="bold">$FW</emphasis>[<emphasis
|
||||||
<para>If the SOURCE is <emphasis
|
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
|
||||||
role="bold">$FW</emphasis>[<emphasis
|
then the rule is inserted into the OUTPUT chain.</para>
|
||||||
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
|
|
||||||
then the rule is inserted into the OUTPUT chain.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
<para>Otherwise, the chain is determined by the setting of
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
MARK_IN_FORWARD_CHAIN in <ulink
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
|
|
||||||
<para>If your kernel and iptables include CONNMARK support then
|
<para>If your kernel and iptables include CONNMARK support then
|
||||||
you can also mark the connection rather than the packet.</para>
|
you can also mark the connection rather than the packet.</para>
|
||||||
|
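Review bot: replacing the `<itemizedlist>` with two `<para>`s that start with a literal "- " discards the list markup to work around the manpage stylesheet; the bullets are now text, so HTML and PDF output lose the list semantics and the two items no longer render as a list anywhere. Suggest keeping `<itemizedlist>` (or `<simplelist>`) and fixing the stylesheet's list rendering for manpages instead.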
@ -295,7 +295,10 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||||
role="bold">yes</emphasis>, enables Shorewall Bridging support.<note>
|
role="bold">yes</emphasis>, enables Shorewall Bridging
|
||||||
|
support.</para>
|
||||||
|
|
||||||
|
<para><note>
|
||||||
<para>BRIDGING=Yes may not work properly with Linux kernel
|
<para>BRIDGING=Yes may not work properly with Linux kernel
|
||||||
2.6.20 or later and is not supported by Shorewall-perl.</para>
|
2.6.20 or later and is not supported by Shorewall-perl.</para>
|
||||||
</note></para>
|
</note></para>
|
||||||
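Review bot: the new text still nests the admonition inside a paragraph (`<para><note>...</note></para>`), which is the construction the hunk at -840 removes in favour of a separate paragraph; pick one convention. Since the note's content is a compatibility restriction (BRIDGING=Yes with kernel 2.6.20 or later and not supported by Shorewall-perl), a standalone `<note>` after the closing `</para>` is the simpler form.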
@ -316,10 +319,8 @@
|
|||||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||||
the feature is not enabled.</para>
|
the feature is not enabled.</para>
|
||||||
|
|
||||||
<note>
|
<para><emphasis role="bold">Important</emphasis>: This option
|
||||||
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
|
requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.</para>
|
||||||
kernel.</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<para>You may also set CLAMPMSS to a numeric
|
<para>You may also set CLAMPMSS to a numeric
|
||||||
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
|
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
|
||||||
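Review bot: downgrading the `<note>` to a paragraph beginning with bold "Important:" drops the admonition markup, while the rest of this commit keeps `<note>`/`<warning>` and pads them with empty paragraphs; the file already uses `<important>` elsewhere (see the LOGALLNEW hunk), so suggest `<important><para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.</para></important>` here.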
@ -370,15 +371,19 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>If CONFIG_PATH is not given or if it is set to the empty value
|
<blockquote>
|
||||||
then the contents of /usr/share/shorewall/configpath are used. As
|
<para></para>
|
||||||
released from shorewall.net, that file sets the CONFIG_PATH to
|
|
||||||
/etc/shorewall:/usr/share/shorewall but your particular distribution
|
|
||||||
may set it differently. See the output of shorewall show config for
|
|
||||||
the default on your system.</para>
|
|
||||||
|
|
||||||
<para>Note that the setting in /usr/share/shorewall/configpath is
|
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||||
always used to locate shorewall.conf.</para>
|
value then the contents of /usr/share/shorewall/configpath are
|
||||||
|
used. As released from shorewall.net, that file sets the
|
||||||
|
CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your
|
||||||
|
particular distribution may set it differently. See the output of
|
||||||
|
shorewall show config for the default on your system.</para>
|
||||||
|
|
||||||
|
<para>Note that the setting in /usr/share/shorewall/configpath is
|
||||||
|
always used to locate shorewall.conf.</para>
|
||||||
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
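Review bot: the `<blockquote>` opens with an empty `<para></para>` before the real CONFIG_PATH paragraph, which is redundant once the content is already indented by the blockquote; drop the empty paragraph. The sentence "Note that the setting in /usr/share/shorewall/configpath is always used to locate shorewall.conf." is the important one for anyone auditing where configuration is read from and would be clearer as a `<note>` rather than a trailing paragraph inside the quote.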
@ -490,6 +495,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
or RELATED sections of <ulink
|
or RELATED sections of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>FASTACCEPT=Yes is incompatible with
|
<para>FASTACCEPT=Yes is incompatible with
|
||||||
BLACKLISTNEWONLY=No.</para>
|
BLACKLISTNEWONLY=No.</para>
|
||||||
@ -608,8 +615,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>If this variable is not set or is given an empty value
|
<para></para>
|
||||||
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
|
||||||
|
<blockquote>
|
||||||
|
<para>If this variable is not set or is given an empty value
|
||||||
|
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
||||||
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
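Review bot: "If this variable is not set or is given an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed." documents a default that silently enables routing; moving it into an indented `<blockquote>` makes it easier to skim past. Suggest leaving it as a normal paragraph or a `<note>` so the default stays visible to readers checking their configuration.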
@ -711,23 +722,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
<para></para>
|
||||||
logging from the nat table's PREROUTING chain is:</para>
|
|
||||||
|
|
||||||
<programlisting> Shorewall:nat:PREROUTING
|
<blockquote>
|
||||||
|
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||||
|
logging from the nat table's PREROUTING chain is:</para>
|
||||||
|
|
||||||
|
<programlisting> Shorewall:nat:PREROUTING
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>There is no rate limiting on these logging rules so use
|
<para>There is no rate limiting on these logging rules so use
|
||||||
LOGALLNEW at your own risk; it may cause high CPU and disk
|
LOGALLNEW at your own risk; it may cause high CPU and disk
|
||||||
utilization and you may not be able to control your firewall after
|
utilization and you may not be able to control your firewall
|
||||||
you enable this option.</para>
|
after you enable this option.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<caution>
|
<para></para>
|
||||||
<para>Do not use this option if the resulting log messages will be
|
|
||||||
sent to another system.</para>
|
<caution>
|
||||||
</caution>
|
<para>Do not use this option if the resulting log messages will
|
||||||
|
be sent to another system.</para>
|
||||||
|
</caution>
|
||||||
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
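Review bot: the caution "Do not use this option if the resulting log messages will be sent to another system." gives no reason; the `<important>` block directly above states that these rules are not rate limited and can saturate CPU and disk, so suggest saying that the same unbounded volume will also flood the network and the receiving log host. The `<important>` and `<caution>` blocks placed inside the `<blockquote>` should also be checked against the DocBook content model for `blockquote` before relying on it for spacing.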
@ -910,6 +927,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
|
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
|
||||||
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
|
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
|
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
|
||||||
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
|
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
|
||||||
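Review bot: the unchanged context has the typo "ampty" ("if MAPOLDACTIONS is not set or is set to the ampty"); since this commit is touching the surrounding lines for formatting, fix it to "empty" at the same time.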
@ -1040,10 +1059,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>If you are experiencing either of these problems, setting
|
<para></para>
|
||||||
PKTTYPE=No will prevent Shorewall from trying to use the packet type
|
|
||||||
match extension and to use IP address matching to determine which
|
<blockquote>
|
||||||
packets are broadcasts or multicasts.</para>
|
<para>If you are experiencing either of these problems, setting
|
||||||
|
PKTTYPE=No will prevent Shorewall from trying to use the packet
|
||||||
|
type match extension and to use IP address matching to determine
|
||||||
|
which packets are broadcasts or multicasts.</para>
|
||||||
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1177,6 +1200,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<para>If not specified or specified as empty (e.g.,
|
<para>If not specified or specified as empty (e.g.,
|
||||||
RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.</para>
|
RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.</para>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
|
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
|
||||||
support 'Connection Tracking' match.</para>
|
support 'Connection Tracking' match.</para>
|
||||||
|
@ -840,11 +840,11 @@
|
|||||||
the command while <command>restart</command> recreates the entire
|
the command while <command>restart</command> recreates the entire
|
||||||
Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
|
Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
|
||||||
the static blacklisting chain <emphasis
|
the static blacklisting chain <emphasis
|
||||||
role="bold">blacklst</emphasis> is assumed.<note>
|
role="bold">blacklst</emphasis> is assumed.</para>
|
||||||
<para>Specifying chains in the command requires Shorewall-perl
|
|
||||||
4.0.3 or later. Earlier versions only refresh the <emphasis
|
<para><emphasis role="bold">Note</emphasis>: Specifying chains in
|
||||||
role="bold">blacklst</emphasis> chain.</para>
|
the command requires Shorewall-perl 4.0.3 or later. Earlier versions
|
||||||
</note></para>
|
only refresh the blacklst chain</para>
|
||||||
|
|
||||||
<para>The listed chains are assumed to be in the filter table. You
|
<para>The listed chains are assumed to be in the filter table. You
|
||||||
can refresh chains in other tables by prefixing the chain name with
|
can refresh chains in other tables by prefixing the chain name with
|
||||||
|
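Review bot: the rewritten sentence "Earlier versions only refresh the blacklst chain</para>" lost both the trailing period and the `<emphasis role="bold">` around `blacklst` that the old inline note had; restore "`<emphasis role="bold">blacklst</emphasis>` chain." so the chain name is marked up consistently with "the static blacklisting chain `<emphasis role="bold">blacklst</emphasis>`" two lines earlier.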