From a82c3f147192f6f778afdd9f6676c90770a9df03 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 11 Jun 2011 06:42:03 -0700
Subject: [PATCH] Improvements to interfaces manpages - Indicate when 'routefilter' cannot be used. - Clarify use of 'sfilter'
Signed-off-by: Tom Eastep
---
manpages/shorewall-interfaces.xml | 41 +++++++++++++++++++++++++----
manpages6/shorewall6-interfaces.xml | 15 +++++++----
2 files changed, 46 insertions(+), 10 deletions(-)
diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml
index 6f977c84c..3acfce9f5 100644
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -552,6 +552,35 @@ loc eth2 - This option can also be enabled globally in the shorewall.conf(5) file. + + + There are certain cases where + cannot be used on an + interface: + + + + If USE_DEFAULT_RT=Yes in shorewall.conf(5) and + the interface is listed in shorewall-providers(5). + + + + If there is an entry for the interface in shorewall-providers(5) + that doesn't specify the + option. + + + + If IPSEC is used to allow a road-warrior to have a + local address, then any interface through which the + road-warrior might connect cannot specify + . + + +
@@ -559,11 +588,13 @@ loc eth2 - sfilter=(net[,...]) - Added in Shorewall 4.4.20. This option should be used on - bridges or other interfaces with the - option. On these interfaces, it - should list those local networks that are not routed out of - the bridge or interface. + Added in Shorewall 4.4.20. This option provides an + anti-spoofing alternative to on + interfaces where that option cannot be used, but where the + option is required (on a bridge, + for example). On these interfaces, + should list those local networks that are connected to the + firewall through other interfaces.
diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml
index 8c58b694f..352bf007a 100644
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@@ -341,11 +341,16 @@ loc eth2 - sfilter=(net[,...]) - Added in Shorewall 4.4.20. This option should be used on - bridges or other interfaces with the - option. On these interfaces, it - should list those local networks that are not routed out of - the bridge or interface. + Added in Shorewall 4.4.20. At this writing (spring + 2011), Linux does not support reverse path filtering (RFC3704) + for IPv6. In its absense, may be used + as an anti-spoofing measure. + + This option should be used on bridges or other + interfaces with the option. On + these interfaces, should list those + local networks that are connected to the firewall through + other interfaces.