mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
More formatting fixes for manpages
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7311 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
428f4aabf1
commit
a06ad0e518
@ -137,6 +137,8 @@ loc eth2 -</programlisting>
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
@ -168,12 +170,16 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>8 - do not reply for all local addresses</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<para></para>
|
||||
|
||||
<warning>
|
||||
<para>Do not specify <emphasis
|
||||
role="bold">arp_ignore</emphasis> for any interface involved
|
||||
@ -210,6 +216,8 @@ loc eth2 -</programlisting>
|
||||
to include only those hosts routed through the
|
||||
interface.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<warning>
|
||||
<para>Do not set the <emphasis
|
||||
role="bold">detectnets</emphasis> option on your internet
|
||||
@ -281,6 +289,8 @@ loc eth2 -</programlisting>
|
||||
1
|
||||
teastep@lists:~$ </programlisting>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
@ -368,20 +378,26 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>I specify <option>optional</option> on interfaces to Xen
|
||||
virtual machines that may or may not be running when Shorewall
|
||||
is [re]started.</para>
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Use <option>optional</option> at your own risk. If you
|
||||
[re]start Shorewall when an 'optional' interface is not
|
||||
available and then do a <command>shorewall save</command>,
|
||||
subsequent <command>shorewall restore</command> and
|
||||
<command>shorewall -f start</command> operations will
|
||||
instantiate a ruleset that does not support that interface,
|
||||
even if it is available at the time of the
|
||||
restore/start.</para>
|
||||
</caution>
|
||||
<blockquote>
|
||||
<para>I specify <option>optional</option> on interfaces to
|
||||
Xen virtual machines that may or may not be running when
|
||||
Shorewall is [re]started.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Use <option>optional</option> at your own risk. If
|
||||
you [re]start Shorewall when an 'optional' interface is
|
||||
not available and then do a <command>shorewall
|
||||
save</command>, subsequent <command>shorewall
|
||||
restore</command> and <command>shorewall -f
|
||||
start</command> operations will instantiate a ruleset that
|
||||
does not support that interface, even if it is available
|
||||
at the time of the restore/start.</para>
|
||||
</caution>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -397,12 +413,14 @@ loc eth2 -</programlisting>
|
||||
This option is intended solely for use with Proxy ARP
|
||||
sub-networking as described at: <ulink
|
||||
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
||||
</ulink><note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+)
|
||||
in the INTERFACE column.</para>
|
||||
</note>The option value (0 or 1) may only be specified if
|
||||
you are using Shorewall-perl. With Shorewall-perl, only those
|
||||
</ulink></para>
|
||||
|
||||
<para><emphasis role="bold">Note</emphasis>: This option does
|
||||
not work with a wild-card <replaceable>interface</replaceable>
|
||||
name (e.g., eth0.+) in the INTERFACE column.</para>
|
||||
|
||||
<para>The option value (0 or 1) may only be specified if you
|
||||
are using Shorewall-perl. With Shorewall-perl, only those
|
||||
interfaces with the <option>proxyarp</option> option will have
|
||||
their setting changes; the value assigned to the setting will
|
||||
be the value specified (if any) or 1 if no value is
|
||||
@ -438,6 +456,8 @@ loc eth2 -</programlisting>
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
@ -472,6 +492,8 @@ loc eth2 -</programlisting>
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
|
@ -108,6 +108,8 @@
|
||||
listed in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>The Shorewall implementation of Multi-ISP support assumes
|
||||
that each provider has its own interface.</para>
|
||||
|
@ -207,6 +207,8 @@
|
||||
<para>This is the default class for that interface where all
|
||||
traffic should go, that is not classified otherwise.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>You must define <emphasis
|
||||
role="bold">default</emphasis> for exactly one class per
|
||||
@ -265,6 +267,8 @@
|
||||
limited to 64 bytes because we want only packets WITHOUT
|
||||
payload to match.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>This option is only valid for ONE class per
|
||||
interface.</para>
|
||||
|
@ -140,6 +140,8 @@
|
||||
speed you can refer as "full" if you define the tc classes in <ulink
|
||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
||||
Outgoing traffic above this rate will be dropped.</para>
|
||||
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -95,20 +95,14 @@
|
||||
nor <emphasis role="bold">:T</emphasis> follow the mark value
|
||||
then the chain is determined as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the SOURCE is <emphasis
|
||||
role="bold">$FW</emphasis>[<emphasis
|
||||
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
|
||||
then the rule is inserted into the OUTPUT chain.</para>
|
||||
</listitem>
|
||||
<para>- If the SOURCE is <emphasis
|
||||
role="bold">$FW</emphasis>[<emphasis
|
||||
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
|
||||
then the rule is inserted into the OUTPUT chain.</para>
|
||||
|
||||
<listitem>
|
||||
<para>Otherwise, the chain is determined by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>- Otherwise, the chain is determined by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>If your kernel and iptables include CONNMARK support then
|
||||
you can also mark the connection rather than the packet.</para>
|
||||
|
@ -295,7 +295,10 @@
|
||||
|
||||
<listitem>
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, enables Shorewall Bridging support.<note>
|
||||
role="bold">yes</emphasis>, enables Shorewall Bridging
|
||||
support.</para>
|
||||
|
||||
<para><note>
|
||||
<para>BRIDGING=Yes may not work properly with Linux kernel
|
||||
2.6.20 or later and is not supported by Shorewall-perl.</para>
|
||||
</note></para>
|
||||
@ -316,10 +319,8 @@
|
||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||
the feature is not enabled.</para>
|
||||
|
||||
<note>
|
||||
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
|
||||
kernel.</para>
|
||||
</note>
|
||||
<para><emphasis role="bold">Important</emphasis>: This option
|
||||
requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.</para>
|
||||
|
||||
<para>You may also set CLAMPMSS to a numeric
|
||||
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
|
||||
@ -370,15 +371,19 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>If CONFIG_PATH is not given or if it is set to the empty value
|
||||
then the contents of /usr/share/shorewall/configpath are used. As
|
||||
released from shorewall.net, that file sets the CONFIG_PATH to
|
||||
/etc/shorewall:/usr/share/shorewall but your particular distribution
|
||||
may set it differently. See the output of shorewall show config for
|
||||
the default on your system.</para>
|
||||
<blockquote>
|
||||
<para></para>
|
||||
|
||||
<para>Note that the setting in /usr/share/shorewall/configpath is
|
||||
always used to locate shorewall.conf.</para>
|
||||
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||
value then the contents of /usr/share/shorewall/configpath are
|
||||
used. As released from shorewall.net, that file sets the
|
||||
CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your
|
||||
particular distribution may set it differently. See the output of
|
||||
shorewall show config for the default on your system.</para>
|
||||
|
||||
<para>Note that the setting in /usr/share/shorewall/configpath is
|
||||
always used to locate shorewall.conf.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -490,6 +495,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
or RELATED sections of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>FASTACCEPT=Yes is incompatible with
|
||||
BLACKLISTNEWONLY=No.</para>
|
||||
@ -608,8 +615,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>If this variable is not set or is given an empty value
|
||||
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>If this variable is not set or is given an empty value
|
||||
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -711,23 +722,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
logging from the nat table's PREROUTING chain is:</para>
|
||||
<para></para>
|
||||
|
||||
<programlisting> Shorewall:nat:PREROUTING
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
logging from the nat table's PREROUTING chain is:</para>
|
||||
|
||||
<programlisting> Shorewall:nat:PREROUTING
|
||||
</programlisting>
|
||||
|
||||
<important>
|
||||
<para>There is no rate limiting on these logging rules so use
|
||||
LOGALLNEW at your own risk; it may cause high CPU and disk
|
||||
utilization and you may not be able to control your firewall after
|
||||
you enable this option.</para>
|
||||
</important>
|
||||
<important>
|
||||
<para>There is no rate limiting on these logging rules so use
|
||||
LOGALLNEW at your own risk; it may cause high CPU and disk
|
||||
utilization and you may not be able to control your firewall
|
||||
after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will be
|
||||
sent to another system.</para>
|
||||
</caution>
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
be sent to another system.</para>
|
||||
</caution>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -910,6 +927,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
|
||||
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
|
||||
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
|
||||
@ -1040,10 +1059,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>If you are experiencing either of these problems, setting
|
||||
PKTTYPE=No will prevent Shorewall from trying to use the packet type
|
||||
match extension and to use IP address matching to determine which
|
||||
packets are broadcasts or multicasts.</para>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>If you are experiencing either of these problems, setting
|
||||
PKTTYPE=No will prevent Shorewall from trying to use the packet
|
||||
type match extension and to use IP address matching to determine
|
||||
which packets are broadcasts or multicasts.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1177,6 +1200,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>If not specified or specified as empty (e.g.,
|
||||
RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
<warning>
|
||||
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
|
||||
support 'Connection Tracking' match.</para>
|
||||
|
@ -840,11 +840,11 @@
|
||||
the command while <command>restart</command> recreates the entire
|
||||
Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
|
||||
the static blacklisting chain <emphasis
|
||||
role="bold">blacklst</emphasis> is assumed.<note>
|
||||
<para>Specifying chains in the command requires Shorewall-perl
|
||||
4.0.3 or later. Earlier versions only refresh the <emphasis
|
||||
role="bold">blacklst</emphasis> chain.</para>
|
||||
</note></para>
|
||||
role="bold">blacklst</emphasis> is assumed.</para>
|
||||
|
||||
<para><emphasis role="bold">Note</emphasis>: Specifying chains in
|
||||
the command requires Shorewall-perl 4.0.3 or later. Earlier versions
|
||||
only refresh the blacklst chain</para>
|
||||
|
||||
<para>The listed chains are assumed to be in the filter table. You
|
||||
can refresh chains in other tables by prefixing the chain name with
|
||||
|
Loading…
Reference in New Issue
Block a user