diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 25af3688c..400b2c35e 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -30,7 +30,7 @@
2006
- Thomas M. Eastep
+ 2009 Thomas M. Eastep
@@ -62,22 +62,19 @@
have IPSEC end-points on the same system where Shorewall is used.
-
- To use the features described in this article, your kernel must be
- 2.6.16 or later or your kernel and
- iptables must include the Netfilter+ipsec patches and policy match
- support. The Netfilter patches are available from Netfilter
- Patch-O-Matic-NG and are also included in some commercial distributions
- (most notably SUSE 9.1 through 10.0).
-
+
+ While this article shows configuration of IPSEC using ipsec-tools,
+ Shorewall configuration is exactly the same when using OpenSwan or
+ FreeSwan.
+
- As of this writing, the Netfilter+ipsec and policy match support are
- broken when used with a bridge device. The problem has been reported to
- the responsible Netfilter developer who has confirmed the problem. The
- problem was presumably corrected in Kernel 2.6.20 as a result of the
- removal of deferred FORWARD/OUTPUT processing of traffic destined for a
- bridge. See the When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
+ policy match support are broken when used with a bridge device. The
+ problem has been reported to the responsible Netfilter developer who has
+ confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
+ result of the removal of deferred FORWARD/OUTPUT processing of traffic
+ destined for a bridge. See the "Shorewall-perl and Bridged
Firewalls" article.
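Review bot: the replacement drops the only statement of the minimum kernel and iptables requirements (the removed 2.6.16 / policy match paragraph), yet the new bridge paragraph still reasons in terms of kernels prior to 2.6.20; keep a one-line statement of what kernel and policy match support the rest of the article depends on. Two wording points in the added text: "presumably corrected" has become "was corrected", which is fine only if the 2.6.20 fix was actually verified, otherwise keep the hedge; and "Shorewall configuration is exactly the same when using OpenSwan or FreeSwan" is a strong claim for an article that only shows ipsec-tools, so "the same" or "unchanged" reads more defensibly.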
@@ -247,7 +244,7 @@
Open the firewall so that the IPSEC tunnel can be established
- (allow the ESP and AH protocols and UDP Port 500).
+ (allow the ESP protocol and UDP Port 500).
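Review bot: AH is removed from "allow the ESP and AH protocols and UDP Port 500" without saying why; this is consistent with the tunnels example later in the patch (which drops the noah qualifier) only if the plain ipsec tunnel type no longer opens AH by default. Say so in a sentence here, and state that tunnels which do use AH need the AH-enabling variant of the tunnel type, since a reader following the old text would otherwise expect protocol 51 to be permitted.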
@@ -895,7 +892,7 @@ net eth0 detect routefilter,dhcp,tcpflags
#TYPE ZONE GATEWAY GATEWAY
# ZONE
-ipsec:noah net 192.168.20.0/24 loc
+ipsec net 192.168.20.0/24 loc
/etc/shorewall/zones:
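Review bot: the noah qualifier is dropped from the tunnel type with no explanation; this is only equivalent to the old entry if plain ipsec now omits the AH rule, which is also what makes the earlier "ESP protocol and UDP Port 500" change correct. State that explicitly above the example, because readers upgrading existing tunnels files that rely on AH will find protocol 51 no longer opened and need to know which type to use instead.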
diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index ef5c2326c..85ff1491a 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -40,11 +40,10 @@
What are Ipsets?Ipsets are an extension to Netfilter/iptables that are currently
- available in Patch-O-Matic-ng (http://www.netfilter.org). Using
- ipsets requires that you patch your kernel and iptables and that you build
- and install the ipset utility from http://ipset.netfilter.org/.
+ available in xtables-addons.
+ Instructions for installing xtables-addons may be found in the Dynamic Zones article.
Ipset allows you to create one or more named sets of addresses then
use those sets to define Netfilter/iptables rules. Possible uses of ipsets
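Review bot: the new sentence points at the Dynamic Zones article for installing xtables-addons but drops the removed text's mention of the ipset userspace utility and its source (http://ipset.netfilter.org/); unless the Dynamic Zones article covers the utility as well, keep one clause here saying the ipset utility must also be installed, and name the minimum xtables-addons version the ipset match requires.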
@@ -59,9 +58,9 @@
Zone definition. Using the /etc/shorewall/hosts file, you can
- define a zone based on the (dynamic) contents of an ipset. Again, you
- can then add or delete addresses to the ipset without restarting
- Shorewall.
+ define a zone based on the (dynamic)
+ contents of an ipset. Again, you can then add or delete
+ addresses to the ipset without restarting Shorewall.
@@ -103,7 +102,7 @@
Example 2: Allow SSH from all hosts in an ipset named "sshok:/etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT +sshok $FW tcp 22
+ACCEPT net:+sshok $FW tcp 22
Shorewall is not in the ipset load/reload business because the
Netfilter rule set is never cleared. That means that there is no
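Review bot: the example's description still reads "Allow SSH from all hosts in an ipset named sshok", but the rule now reads net:+sshok, which matches set members only when they arrive from the net zone; update the sentence to say so, or add a short note that a SOURCE in the rules file must carry a zone, which is why the bare +sshok form was wrong. The "#ACTION SOURCE DEST PROTO DEST PORT(S)" header is also fused onto the heading line and should sit on its own line inside the example.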
@@ -150,34 +149,4 @@ fi
ignore /etc/shorewall/ipsets and will issue a warning
if you set SAVE_IPSETS=Yes in shorewall.conf
-
-
- Defining Dynamic Zones using Ipsets
-
- The use of ipsets provides a much better way to define dynamic zones
- than is provided by the native Shorewall implementation. To define a
- dynamic zone of hosts dyn that is a
- sub-zone of zone loc and that interfaces
- through interface eth3, use:
-
- /etc/shorewall/zones:
-
- #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
-loc ipv4
-dyn:loc ipv4
-
- /etc/shorewall/interfaces:
-
- #ZONE INTERFACE OPTIONS
-loc eth3 …
-
- /etc/shorewall/hosts:
-
- #ZONE HOSTS OPTIONS
-dyn eth3:+Dyn
-
- Now create an ipmap named Dyn and
- you're all set. You can add and delete addresses from Dyn without having
- to touch Shorewall.
-
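Review bot: the whole "Defining Dynamic Zones using Ipsets" section (zones, interfaces and hosts example for the dyn sub-zone) is deleted, but the "Zone definition" paragraph earlier in this file still tells readers they can define a zone from an ipset via /etc/shorewall/hosts; add a cross-reference there to the Dynamic Zones article where this example now presumably lives, as the installation paragraph already does. The deleted text also said "create an ipmap named Dyn" where "ipset" was meant; make sure the moved copy carries the correction.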
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 52e543ab7..b05322357 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -254,7 +254,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
- provider as the connection over which that ‒‒last packet was
+ provider as the connection over which that last packet was
sent.
When used in the OUTPUT chain, it causes all matching
@@ -336,7 +336,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
shift = 0
- and specify
+ and specify
whether the mark is to be based on the source or destination
address respectively. The selected address is first shifted
right by shift, then LANDed with
@@ -348,7 +348,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
Example:
- IPMARK(src,0xff,0x10100)
+ IPMARK(src,0xff,0x10100)Suppose that the source IP address is 192.168.4.3 =
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index f0b894e69..4a5120e14 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -231,6 +231,37 @@
ip6tables/Netfilter provides the necessary support.
+
+ SAME (Added in Shorewall
+ 4.3.5) -- Some websites run applications that require multiple
+ connections from a client browser. Where multiple 'balanced'
+ providers are configured, this can lead to problems when some of
+ the connections are routed through one provider and some through
+ another. The SAME target allows you to work around that problem.
+ SAME may be used in the PREROUTING and OUTPUT chains. When used
+ in PREROUTING, it causes matching connections from an individual
+ local system to all use the same provider. For example:
+ #MARK/ SOURCE DEST PROTO DEST
+#CLASSIFY PORT(S)
+SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
+ If a host in 192.168.1.0/24 attempts a connection on TCP port 80
+ or 443 and it has sent a packet on either of those ports in the
+ last five minutes then the new connection will use the same
+ provider as the connection over which that last packet was
+ sent.
+
+ When used in the OUTPUT chain, it causes all matching
+ connections to an individual remote system to all use the same
+ provider. For example:#MARK/ SOURCE DEST PROTO DEST
+#CLASSIFY PORT(S)
+SAME $FW 0.0.0.0/0 tcp 80,443
+ If the firewall attempts a connection on TCP port 80 or 443 and
+ it has sent a packet on either of those ports in the last five
+ minutes to the same remote system then the new connection will
+ use the same provider as the connection over which that last
+ packet was sent.
+
+
COMMENT -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
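Review bot: the SAME section added to the IPv6 manpage copies the IPv4 examples verbatim, so both rules use 192.168.1.0/24 and 0.0.0.0/0; for shorewall6-tcrules the SOURCE and DEST should be IPv6 forms (an IPv6 prefix and ::/0), otherwise the example cannot be pasted into an IPv6 configuration. Two smaller points: in the OUTPUT paragraph "all matching connections to an individual remote system to all use the same provider" doubles "all", and the "#MARK/ SOURCE DEST PROTO DEST" header of the second example is fused onto "For example:" rather than starting the listing on its own line.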