Updated Comments For 1.4.6 Shorewall Distrubution Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@669 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -19,6 +19,10 @@
 #			once in this file. You may NOT specify the name of
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
+#			
+#			You may specify wildcards here. For example, if you 
+#			want to make a entry that applies to all PPP
+#			interfaces, use 'ppp+'
 #
 #			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
@@ -94,6 +98,14 @@
 #					intended soley for use with Proxy ARP
 #					sub-networking as described at:
 #					http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#			newnotsyn
+#					TCP packets that don't have the SYN flag set and 
+#					which are not part of an established connection
+#					will be accepted from this interface, even if
+#					NEWNOTSYN=No has been specified in 
+#					/etc/shorewall/shorewall.conf.
+#
+#					This option has no effect if NEWNOTSYN=Yes
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white

Samples/one-interface/rules

@@ -16,7 +16,7 @@
 #
 #
 #	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-#				CONTINUE or LOG.
+#				REDIRECT-, CONTINUE or LOG.
 #
 #				ACCEPT
 #						Allow the connection request
@@ -121,6 +121,12 @@
 #			3.	You may not specify both an interface and
 #				an address
 #
+#			Unlike in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to addresses in the
+#			range in a round-robin fashion.
+#
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
@@ -136,7 +142,7 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number or
 #			"all".
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
@@ -147,11 +153,11 @@
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following ields are supplied.
+#			entered if any of the following fields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
@@ -168,7 +174,7 @@
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			If your kernel contains multiport match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
@@ -183,6 +189,16 @@
 #			that address will be forwarded to the IP and port
 #			specified in the DEST column.
 #
+#			A comma-separated list of addresses may also be used.
+#			This is usually most useful with the REDIRECT target
+#			where you want to redirect traffic destined for
+#			a particular set of hosts.
+#			
+#			Finally, if the list of addresses begins with "!" then
+#			the rule will be followed only if the original
+#			destination address in the connection request does not
+#			match any of the addresses listed.
+#
 #			The address may optionally be followed by
 #			a colon (":") and a second IP address. This causes
 #			Shorewall to use the second IP address as the source

Samples/one-interface/zones

@@ -4,7 +4,7 @@
 #
 #	This file determines your network zones. Columns are:
 #
-#	ZONE		Short name of the zone
+#	ZONE		Short name of the zone (5 Characters or less in length).
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #

Samples/three-interfaces/interfaces

@@ -98,6 +98,14 @@
 #				intended soley for use with Proxy ARP
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#		netnotsyn	
+#				TCP packets that don't have the SYN flag set and
+#				which are not part of an established connection
+#				will be accepted from this interface, even if
+#				NEWNOTSYN=No has been specified in 
+#				/etc/shorewall/shorewall.conf.
+#
+#				This option has no effect if NEWNOTSYN=Yes.
 #
 #		The order in which you list the options is not
 #		significant but the list should have no embedded white

Samples/three-interfaces/masq

@@ -45,12 +45,14 @@
 #			will automatically add this address to the
 #			INTERFACE named in the first column.
 #
-#			WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+#			You may also specify a range of up to 256 IP addresses
-#			the address given in this column is the primary
+#			if you want the SNAT address to be assigned from that
-#			IP address for the interface in the INTERFACE
+#			range in a round-robin range by connection. The range is
-#			column.
+#			specified by <first ip in range>-<last ip in range>.
 #
-#			This column may not contain a DNS Name.
+#			Example: 206.124.146.177-206.124.146.180
+#
+#			This column may not contain a DNS Names.
 #
 #		Example 1:
 #

Samples/three-interfaces/rules

@@ -16,7 +16,7 @@
 #
 #
 #	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-#				CONTINUE or LOG.
+#				REDIRECT-, CONTINUE or LOG.
 #
 #				ACCEPT
 #						Allow the connection request
@@ -121,6 +121,12 @@
 #			3.	You may not specify both an interface and
 #				an address.
 #
+#			Unlike in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to addresses in the
+#			range in a round-robin fashion.
+#
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
@@ -147,11 +153,11 @@
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following ields are supplied.
+#			entered if any of the following fields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
@@ -168,7 +174,7 @@
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
@@ -183,6 +189,16 @@
 #			that address will be forwarded to the IP and port
 #			specified in the DEST column.
 #
+#			A comma separated list of addresses may also be used.
+#			This is usually most useful with the REDIRECT target
+#			where you want to redirect traffic destined for
+#			a particular set of hosts.
+#
+#			Finally, if the list of addresses begines with "!" then
+#			the rule will be followed only if the original
+#			destination address in the connection request does not
+#			match any of the addresses listed.
+#
 #			The address may optionally be followed by
 #			a colon (":") and a second IP address. This causes
 #			Shorewall to use the second IP address as the source
@@ -247,7 +263,7 @@ ACCEPT		loc		dmz		tcp	22
 ACCEPT		dmz		net		tcp	53
 ACCEPT		dmz		net		udp	53
 #
-#	Make ping work bi-directionally between the dmz, net, Firewall and local zone 
+#	Make ping work bi-directionally between the dmz, net, Firewall and local zone
 #	(assumes that the loc-> net policy is ACCEPT).
 #
 ACCEPT		net		fw		icmp	8

Samples/three-interfaces/zones

@@ -4,7 +4,7 @@
 #
 # This file determines your network zones. Columns are:
 #
-#	ZONE		Short name of the zone
+#	ZONE		Short name of the zone (5 Characters or less in length).
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #

Samples/two-interfaces/interfaces

@@ -22,6 +22,10 @@
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
+#			You may specify wildcards here. For example, if you
+#			want to make a entry that applies to all PPP
+#			interfaces, use 'ppp+'.
+#
 #			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 #	BROADCAST
@@ -98,6 +102,14 @@
 #				intended soley for use with Proxy ARP
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#		newnotsyn
+#				TCP packets that don't have the SYN flag set and
+#				which are not part of an established connection
+#				will be accepted from this interface, even if
+#				NEWNOTSYN=No has been specified in
+#				/etc/shorewall/shorewall.conf.
+#
+#				This option has no effect if NEWNOTSYN=Yes.
 #
 #		The order in which you list the options is not
 #		significant but the list should have no embedded white

Samples/two-interfaces/masq

@@ -44,13 +44,16 @@
 #			/etc/shorewall/shorewall.conf then Shorewall
 #			will automatically add this address to the
 #			INTERFACE named in the first column.
+#			
+#			You may also specify a range of up to 256 IP
+#			addresses if you want the SNAT address to be
+#			assigned from that range in a round robin range
+#			by connection. The range is specified by
+#			<first ip in range>-<last ip in range>.
+#			
+#			Example: 206.124.146.177-206.124.146.180
 #
-#			WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+#			This column may not contain DNS names.
-#			the address given in this column is the primary
-#			IP address for the interface in the INTERFACE
-#			column.
-#
-#			This column may not contain a DNS Name.
 #
 #		Example 1:
 #

Samples/two-interfaces/rules

@@ -16,7 +16,7 @@
 #
 #
 #	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-#				CONTINUE or LOG.
+#				REDIRECT-, CONTINUE or LOG.
 #
 #				ACCEPT
 #						Allow the connection request
@@ -121,6 +121,12 @@
 #			3	You may not specify both an interface and 
 #				an address.
 #
+#			Unlike in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to the addresses in the
+#			range in a round-robin fashion.
+#
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
@@ -136,7 +142,7 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number or
 #			"all".
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
@@ -147,11 +153,11 @@
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following ields are supplied.
+#			entered if any of the following fields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
@@ -168,7 +174,7 @@
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
@@ -183,6 +189,16 @@
 #			that address will be forwarded to the IP and port
 #			specified in the DEST column.
 #
+#			A comma-separated list of addresses may also be used.
+#			This is usually most useful with the REDIRECT target
+#			where you want to redirect traffic destined for
+#			a particular set of hosts.
+#
+#			Finally, if the list of addresses begins with "!" then
+#			the rule will be followed only if the original
+#			destination address in the connection request does not
+#			match any of the addresses listed.
+#
 #			The address may optionally be followed by
 #			a colon (":") and a second IP address. This causes
 #			Shorewall to use the second IP address as the source

Samples/two-interfaces/zones

@@ -4,7 +4,7 @@
 #
 # This file determines your network zones. Columns are:
 #
-#	ZONE		Short name of the zone
+#	ZONE		Short name of the zone (5 Characters or less in length).
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #