From aac55dbac407f731111a25f1e24ef139bfda4494 Mon Sep 17 00:00:00 2001 From: el_cubano Date: Fri, 15 Aug 2008 01:26:15 +0000 Subject: [PATCH] Spell check pass through first half of docs. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/6to4.xml | 2 +- docs/Accounting.xml | 2 +- docs/Actions.xml | 4 +-- docs/Anatomy.xml | 4 +-- docs/CompiledPrograms.xml | 2 +- docs/ECN.xml | 2 +- docs/FAQ.xml | 74 +++++++++++++++++++-------------------- docs/FTP.xml | 4 +-- docs/GenericTunnels.xml | 2 +- docs/IPIP.xml | 2 +- docs/IPP2P.xml | 4 +-- docs/IPSEC-2.6.xml | 22 ++++++------ docs/IPSEC.xml | 12 +++---- docs/Install.xml | 14 ++++---- docs/Introduction.xml | 22 ++++++------ docs/KVM.xml | 4 +-- docs/MAC_Validation.xml | 6 ++-- docs/Manpages.xml | 2 +- docs/Modularization.xml | 2 +- docs/MultiISP.xml | 26 +++++++------- docs/Multiple_Zones.xml | 10 +++--- 21 files changed, 111 insertions(+), 111 deletions(-) diff --git a/docs/6to4.xml b/docs/6to4.xml index 11e7c9c84..d4b994860 100644 --- a/docs/6to4.xml +++ b/docs/6to4.xml @@ -26,7 +26,7 @@ 2003-2004 - Eric de Thoars and Tom Eastep + Eric de Thouars and Tom Eastep diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 240ea46a0..44938d519 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -202,7 +202,7 @@ on outbound ones. Accounting rules are not stateful -- each rule only handles traffic - in one direction. For example, if eth0 is your internet interface, and you + in one direction. For example, if eth0 is your Internet interface, and you have a web server in your DMZ connected to eth1, then to count HTTP traffic in both directions requires two rules: diff --git a/docs/Actions.xml b/docs/Actions.xml index eb98a94d0..c13fc58a5 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -144,9 +144,9 @@ ACCEPT - - tcp 135,139,445 Ensure correct operation. Default actions can also avoid common pitfalls like dropping connection requests on port TCP port 113. If these connections are dropped (rather than rejected) then you may - encounter problems connecting to internet services that utilize the + encounter problems connecting to Internet services that utilize the AUTH protocol of client authentication - AUTH is actually pretty silly on today's internet but it's + AUTH is actually pretty silly on today's Internet but it's amazing how many servers still employ it. diff --git a/docs/Anatomy.xml b/docs/Anatomy.xml index ea653ffe0..b116fbc13 100644 --- a/docs/Anatomy.xml +++ b/docs/Anatomy.xml @@ -81,7 +81,7 @@ class="directory">/usr/share/shorewall, /etc/shorewall, /etc/init.d and /var/lilb/shorewall/. These are described in + class="directory">/var/lib/shorewall/. These are described in the sub-sections that follow.
@@ -363,7 +363,7 @@ class="directory">/usr/share/shorewall-lite, /etc/shorewall-lite, /etc/init.d and /var/lilb/shorewall/. These are described in + class="directory">/var/lib/shorewall/. These are described in the sub-sections that follow.
diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index cd6316cba..00cc44ba1 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -226,7 +226,7 @@ The firewall systems do NOT need to have the full Shorewall product installed but rather only - the Shorewall Lite product. Shorewall and Shorewall LIte may be + the Shorewall Lite product. Shorewall and Shorewall Lite may be installed on the same system but that isn't encouraged. diff --git a/docs/ECN.xml b/docs/ECN.xml index d45b5af19..9b3c2f656 100644 --- a/docs/ECN.xml +++ b/docs/ECN.xml @@ -50,7 +50,7 @@ Explicit Congestion Notification (ECN) Explicit Congestion Notification (ECN) is described in RFC 3168 and - is a proposed internet standard. Unfortunately, not all sites support ECN + is a proposed Internet standard. Unfortunately, not all sites support ECN and when a TCP connection offering ECN is sent to sites that don't support it, the result is often that the connection request is ignored. diff --git a/docs/FAQ.xml b/docs/FAQ.xml index fe52582d2..1f68b2a83 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -135,7 +135,7 @@
(FAQ 76) I just upgraded my Debian system and now masquerading - doesn work? What happened? + doesn't work? What happened? Answer: This happens to people who ignore our advice and @@ -149,7 +149,7 @@
(FAQ 76a) I just upgraded my Ubuntu system and now masquerading - doesn work? What happened? + doesn't work? What happened? Answer: See above. @@ -157,7 +157,7 @@
(FAQ 76b) I just upgraded my Kubuntu system and now - masquerading doesn work? What happened? + masquerading doesn't work? What happened? Answer: See above. @@ -193,7 +193,7 @@ DNAT net loc:192.168.1.5 udp 7777 # PORT DEST. DNAT net loc:local-IP-address>[:local-port] protocol port-number - external-IP - If you want to forward requests from a particular internet address + If you want to forward requests from a particular Internet address ( address ): #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL @@ -253,7 +253,7 @@ DNAT net:address loc:local-IP-address As root, type shorewall reset ("shorewall-lite reset", if you are - running Shorewall Lite). This clears all NetFilter + running Shorewall Lite). This clears all Netfilter counters. @@ -315,7 +315,7 @@ DNAT net:address loc:local-IP-addressshorewall show zones" + root prompt, type "shorewall show zones" ("shorewall-lite show zones") then be sure that in the DEST column you have specified the first zone in the list that matches @@ -335,7 +335,7 @@ DNAT net:address loc:local-IP-address
- (FAQ 1c) From the internet, I want to connect to port 1022 on + <title>(FAQ 1c) From the Internet, I want to connect to port 1022 on my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that? @@ -462,7 +462,7 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21 (FAQ 1g) I would like to redirect port 80 on my public IP - address (206.124.146.176) to port 993 on internet host + address (206.124.146.176) to port 993 on Internet host 66.249.93.111 Answer: This requires a vile @@ -497,8 +497,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993 appropriate for your setup; the guides cover this topic in a tutorial fashion. DNAT rules should be used for connections that need to go the opposite direction from SNAT/MASQUERADE. So if you masquerade - or use SNAT from your local network to the internet then you will need - to use DNAT rules to allow connections from the internet to your local + or use SNAT from your local network to the Internet then you will need + to use DNAT rules to allow connections from the Internet to your local network. You also want to use DNAT rules when you intentionally want to rewrite the destination IP address or port number. In all other cases, you use ACCEPT unless you need to hijack connections as they go through @@ -537,7 +537,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993 - Having an internet-accessible server in your local network is + Having an Internet-accessible server in your local network is like raising foxes in the corner of your hen house. If the server is compromised, there's nothing between that server and your other internal systems. For the cost of another NIC and a cross-over @@ -559,7 +559,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993 So the best and most secure way to solve this problem is to move - your internet-accessible server(s) to a separate LAN segment with it's + your Internet-accessible server(s) to a separate LAN segment with it's own interface to your firewall and follow FAQ 2b. That way, your local systems are still safe if your server gets hacked and you don't have to run a split DNS configuration @@ -643,7 +643,7 @@ DNAT loc loc:192.168.1.5 tcp www - If the ALL INTERFACES column in /etc/shorewall/nat is empty or contains Yes, you will also see log messages like the following when trying to access a host in Z from another host in Z - using the destination hosts's public address: + using the destination host's public address: Oct 4 10:26:40 netgw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200 @@ -685,7 +685,7 @@ DNAT loc loc:192.168.1.5 tcp www - #ZONE INTERFACE BROADCAST OPTIONS dmz eth2 192.168.2.255 routeback - In /etc/shorewall/nat, be sure that you + In /etc/shorewall/nat, be sure that you have Yes in the ALL INTERFACES column. In /etc/shorewall/masq: @@ -802,7 +802,7 @@ DNAT loc dmz:192.168.2.4 tcp 80 - > I know PoM -ng is going to address this issue, but till it is ready, and > all the extras are ported to it, is there any way to use the h.323 -> contrack module kernel patch with a 2.6 kernel? +> conntrack module kernel patch with a 2.6 kernel? > Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not > an option... The module is not ported yet to 2.6, sorry. > Do I have any options besides a gatekeeper app (does not work in my @@ -831,7 +831,7 @@ to debug/develop the newnat interface. url="shorewall_quickstart_guide.htm">Quick Start Guides should have to ask this question. - Regardless of which guide you used, all outbound communcation is + Regardless of which guide you used, all outbound communication is open by default. So you do not need to 'open ports' for output. For input: @@ -877,7 +877,7 @@ to debug/develop the newnat interface. Answer: The default Shorewall setup invokes the Drop action prior to enforcing a DROP policy and the default policy to all zones from the - internet is DROP. The Drop action is defined in + Internet is DROP. The Drop action is defined in /usr/share/shorewall/action.Drop which in turn invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth) specifying the @@ -916,7 +916,7 @@ to debug/develop the newnat interface. establishment of new connections. Once a connection is established through the firewall it will be usable until disconnected (tcp) or until it times out (other protocols). If you stop telnet and try to - establish a new session your firerwall will block that attempt. + establish a new session your firewall will block that attempt.
@@ -973,7 +973,7 @@ to debug/develop the newnat interface. The DNS settings on the local systems are wrong or the user is running a DNS server on the firewall and hasn't enabled UDP and TCP port 53 from the local net to the firewall or from the firewall to - the internet. + the Internet. @@ -1042,7 +1042,7 @@ to debug/develop the newnat interface. may no longer be defined in terms of bridge ports. See the new Shorewall-shell bridging documentation for information about configuring a - bridge/firewall under kernel 2.6.20 and later with Shoreawall shell or + bridge/firewall under kernel 2.6.20 and later with Shorewall shell or the Shorewall-perl bridging documentation if you use Shorewall-perl (highly-recommended). @@ -1167,7 +1167,7 @@ DROP net fw udp 10619 - the ethernet frame type (2 bytes) + the Ethernet frame type (2 bytes) @@ -1216,7 +1216,7 @@ teastep@ursa:~$ The first number determines the maximum log less than this number are sent to the console. On the system shown in the example above, priorities 0-5 are sent to the console. Since Shorewall defaults to using 'info' (6), the - Shorewall-generated Netfilter ruleset will generate log messages that + Shorewall-generated Netfilter rule set will generate log messages that will not appear on the console. The second number is the default log level for kernel printk() @@ -1252,7 +1252,7 @@ teastep@ursa:~$ The first number determines the maximum log messages or the content of the messages. The actual log file where Netfilter messages are written is not - standardized and will vary by distribution and distribusion version. + standardized and will vary by distribution and distribution version. But anytime you see no logging, it's time to look outside the Shorewall configuration for the cause. As an example, recent SuSE releases use syslog-ng by default and @@ -1376,7 +1376,7 @@ teastep@ursa:~$ The first number determines the maximum log - blacklst + blacklist The packet is being logged because the source IP is @@ -1634,7 +1634,7 @@ modprobe: Can't locate module iptable_raw Routing
- (FAQ 32) My firewall has two connections to the internet from two + <title>(FAQ 32) My firewall has two connections to the Internet from two different ISPs. How do I set this up in Shorewall? Answer: See /sbin/shorewall (and /sbin/shorewall-lite). For more information on the - tradeoffs involved when deciding whether to use the Debian package, see + factors involved when deciding whether to use the Debian package, see this article.
@@ -2004,7 +2004,7 @@ iptables: Invalid argument Traffic Shaping
- (FAQ 67) I just configured Shorewall's builtin traffic shaping + <title>(FAQ 67) I just configured Shorewall's built in traffic shaping and now Shorewall fails to Start. The error I receive is as follows:RTNETLINK answers: No such file or directory @@ -2086,7 +2086,7 @@ We have an error talking to the kernel
(FAQ 25a) How do I tell which version of Shorewall-perl and - Shorewall-shell that I have intalled? + Shorewall-shell that I have installed? Answer: At the shell prompt, type: @@ -2174,7 +2174,7 @@ We have an error talking to the kernel
(FAQ 14) I'm connected via a cable modem and it has an internal web server that allows me to configure/monitor it but as expected if I - enable rfc1918 blocking for my eth0 interface (the internet one), it + enable rfc1918 blocking for my eth0 interface (the Internet one), it also blocks the cable modems web server. Is there any way it can add a rule before the rfc1918 blocking @@ -2217,7 +2217,7 @@ We have an error talking to the kernel
- (FAQ 14b) I connect to the internet with PPPoE. When I try to + <title>(FAQ 14b) I connect to the Internet with PPPoE. When I try to access the built-in web server in my DSL Modem, I get connection Refused. @@ -2285,7 +2285,7 @@ eth0 eth1 # eth1 = interface to local netwo
(FAQ 18) Is there any way to use aliased ip addresses with - Shorewall, and maintain separate rulesets for different IPs? + Shorewall, and maintain separate rule sets for different IPs? Answer: Yes. See Shorewall and Aliased @@ -2369,7 +2369,7 @@ eth0 eth1 # eth1 = interface to local netwo iptables-restore to instantiate the Netfilter configuration. So it runs much faster than the script generated by the Shorewall-shell compiler and doesn't disable new connections - during ruleset installation. + during rule set installation. @@ -2432,7 +2432,7 @@ rmmod nf_conntrack_sipThen change the DONT_LOAD specification
(FAQ 20) I have just set up a server. Do I have to change - Shorewall to allow access to my server from the internet? + Shorewall to allow access to my server from the Internet? Answer: Yes. Consult the QuickStart guide that you @@ -2441,8 +2441,8 @@ rmmod nf_conntrack_sipThen change the DONT_LOAD specification
- (FAQ 24) How can I allow conections to let's say the ssh port - only from specific IP Addresses on the internet? + (FAQ 24) How can I allow connections to let's say the ssh port + only from specific IP Addresses on the Internet? Answer: In the SOURCE column of the rule, follow net by a colon and a list of the @@ -2540,14 +2540,14 @@ REJECT fw net:pagead2.googlesyndication.com all When you specify a domain name in a Shorewall rule, the iptables program resolves that name to one - or more IP addresses and the actual netfilter rules that are created are + or more IP addresses and the actual Netfilter rules that are created are expressed in terms of those IP addresses. So the rule that you entered was equivalent to: diff --git a/docs/FTP.xml b/docs/FTP.xml index 7b10e3be2..41f732b86 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -319,7 +319,7 @@ xt_tcpudp 3328 0 if you run an FTP server that listens on port 49 or you need to - access a server on the internet that listens on that port then you would + access a server on the Internet that listens on that port then you would have: loadmodule nf_conntrack_ftp ports=21,49 @@ -414,7 +414,7 @@ FTP/ACCEPT dmz net Note that the FTP connection tracking in the kernel cannot handle cases where a PORT command (or PASV reply) is broken across two packets or - is misssing the ending <cr>/<lf>. When such cases occur, you + is missing the ending <cr>/<lf>. When such cases occur, you will see a console message similar to this one: Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1 diff --git a/docs/GenericTunnels.xml b/docs/GenericTunnels.xml index 5fe5837d2..425c3b95f 100644 --- a/docs/GenericTunnels.xml +++ b/docs/GenericTunnels.xml @@ -54,7 +54,7 @@ We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is - accomplished through use of the /etc/shorwall/tunnels file, the + accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall. diff --git a/docs/IPIP.xml b/docs/IPIP.xml index 8f06edcfc..607615903 100644 --- a/docs/IPIP.xml +++ b/docs/IPIP.xml @@ -43,7 +43,7 @@ - GRE and IPIP Tunnels are insecure when used over the internet; use + GRE and IPIP Tunnels are insecure when used over the Internet; use them at your own risk diff --git a/docs/IPP2P.xml b/docs/IPP2P.xml index 464b5bd6b..64483d887 100644 --- a/docs/IPP2P.xml +++ b/docs/IPP2P.xml @@ -48,9 +48,9 @@
Introduction - Shorewall verions 2.2.0 and later include support for the ipp2p + Shorewall versions 2.2.0 and later include support for the ipp2p match facility. This is a departure from my usual policy in that the ipp2p - match facility is included in Patch-O-Matic-NG and is unlikely to ever be + match facility is included in Patch-O-Matic-ENG and is unlikely to ever be included in the kernel.org source tree. Questions about how to install the patch or how to build your kernel and/or iptables should not be posted on the Shorewall mailing lists but should rather be referred to the Netfilter diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index a105ab942..0e614bcf8 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml @@ -76,7 +76,7 @@ broken when used with a bridge device. The problem has been reported to the responsible Netfilter developer who has confirmed the problem. The problem was presumably corrected in Kernel 2.6.20 as a result of the - removal of defered FORWARD/OUTPUT processing of traffic destined for a + removal of deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See the "Shorewall-perl and Bridged Firewalls" article. @@ -134,7 +134,7 @@ by normal rules and policies. Under the 2.4 Linux Kernel, the association of unencrypted traffic - and zones was made easy by the presense of IPSEC pseudo-interfaces with + and zones was made easy by the presence of IPSEC pseudo-interfaces with names of the form ipsecn (e.g. ipsec0). Outgoing unencrypted traffic (case 1.) was send through an For simple zones such as are shown in the following examples, the - two techniques are equivalent and are used interchangably. + two techniques are equivalent and are used interchangeably. - It is redundent to have ipsec in + It is redundant to have ipsec in the TYPE column of the /etc/shorewall/zones entry for a zone and to also have the ipsec option in /etc/shorewall/hosts entries for that @@ -234,13 +234,13 @@
IPSec Gateway on the Firewall System - Suppose that we have the following sutuation: + Suppose that we have the following situation: We want systems in the 192.168.1.0/24 sub-network to be able to communicate with systems in the 10.0.0.0/8 network. We assume that on both - systems A and B, eth0 is the internet interface. + systems A and B, eth0 is the Internet interface. To make this work, we need to do two things: @@ -301,7 +301,7 @@ net ipv4 Remember the assumption that both systems A and B have eth0 as their - internet interface. + Internet interface. You must define the vpn zone using the /etc/shorewall/hosts file. The hosts file entries @@ -448,11 +448,11 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any } - If you have hosts that access the internet through an IPSEC + If you have hosts that access the Internet through an IPSEC tunnel, then it is a good idea to set the MSS value for traffic from those hosts explicitly in the /etc/shorewall/zones file. For example, if hosts - in the sec zone access the internet + in the sec zone access the Internet through an ESP tunnel then the following entry would be appropriate: @@ -605,7 +605,7 @@ spdflush; On the mobile system (system B), it is not possible to create a static IPSEC configuration because the IP address of the laptop's - internet connection isn't static. I have created an 'ipsecvpn' script + Internet connection isn't static. I have created an 'ipsecvpn' script and included in the tarball and in the RPM's documentation directory; this script can be used to start and stop the connection. @@ -726,7 +726,7 @@ loc ipv4 Since the L2TP will require the use of pppd, you will end up with one or more ppp interfaces (each representing an individual road warrior connection) for which you will need to account. This can be done by - modifying the inerfaces file. (Modify with additional options as + modifying the interfaces file. (Modify with additional options as needed.)
diff --git a/docs/IPSEC.xml b/docs/IPSEC.xml index 5600ea637..c50c0f792 100644 --- a/docs/IPSEC.xml +++ b/docs/IPSEC.xml @@ -105,13 +105,13 @@ conn packetdefault
IPSec Gateway on the Firewall System - Suppose that we have the following sutuation: + Suppose that we have the following situation: We want systems in the 192.168.1.0/24 sub-network to be able to communicate with systems in the 10.0.0.0/8 network. We assume that on both - systems A and B, eth0 is the internet interface. + systems A and B, eth0 is the Internet interface. To make this work, we need to do two things: @@ -177,7 +177,7 @@ vpn ipsec0 /etc/shorewall/zones. Remember the assumption that both systems A and B have eth0 as - their internet interface. + their Internet interface. You must define the vpn zone using the /etc/shorewall/hosts file. @@ -193,7 +193,7 @@ vpn eth0:10.0.0.0/8 vpn eth0:192.168.1.0/24 In addition, if you are using Masquerading - or SNAT on your firewalls, you need to elmiinate the remote + or SNAT on your firewalls, you need to eliminate the remote network from Masquerade/SNAT. These entries replace your current masquerade/SNAT entries for the local networks. @@ -229,7 +229,7 @@ vpn loc ACCEPT Shorewall can be used in a VPN Hub environment where multiple remote networks are connected to a gateway running Shorewall. This environment is - shown in this diatram. + shown in this diagram. @@ -425,7 +425,7 @@ ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 Shorewall will issue warnings to that effect. These warnings may be safely ignored. FreeS/Wan may now be configured to have three different Road Warrior connections with the choice of connection being based on X-509 - certificates or some other means. Each of these connectioins will utilize + certificates or some other means. Each of these connections will utilize a different updown script that adds the remote station to the appropriate zone when the connection comes up and that deletes the remote station when the connection comes down. For example, when 134.28.54.2 connects for the diff --git a/docs/Install.xml b/docs/Install.xml index e53191248..1f984a7ba 100644 --- a/docs/Install.xml +++ b/docs/Install.xml @@ -38,7 +38,7 @@ This article applies to Shorewall 3.0 and - later. If you are installing or upgradeing to a version of Shorewall + later. If you are installing or upgrading to a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release. @@ -490,12 +490,12 @@ tar -jxf shorewall-shell-4.0.0.tar.bz2 (if you use this compiler) It's *VERY* simple...just put in a new CD and reboot!  :-) Actually, I'm only slightly kidding...that's exactly how I upgrade my - prodution firewalls.  The partial backup feature I added to Dachstein - allows configuration data to be stored seperately from the rest of the + production firewalls.  The partial backup feature I added to Dachstein + allows configuration data to be stored separately from the rest of the package. - Once the config data is seperated from the rest of the package, - it's an easy matter to upgrade the pacakge while keeping your current + Once the config data is separated from the rest of the package, + it's an easy matter to upgrade the package while keeping your current configuration (in my case, just inserting a new CD and re-booting). @@ -521,7 +521,7 @@ tar -jxf shorewall-shell-4.0.0.tar.bz2 (if you use this compiler) Make sure you have a working copy of your existing firewall - ('OLD') in a safe place, that you *DO NOT* use durring this process. + ('OLD') in a safe place, that you *DO NOT* use during this process. That way, if anything goes wrong you can simply reboot off the OLD disk to get back to a working configuration. @@ -593,7 +593,7 @@ tar -xzvf /mnt/package2.lrp <package>.list file that resides in /etc or /var/lib/lrpkg is part of the configuration data and is used to create the partial backup.  If shorewall puts anything in /etc that isn't a user modified - configuration file, a proper shorwall.local file should be created + configuration file, a proper shorewall.local file should be created prior to making the partial backup [Editor's note: Shorewall places only user-modifiable files in /etc]. diff --git a/docs/Introduction.xml b/docs/Introduction.xml index f5ad190f1..2e20aa1d0 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -65,8 +65,8 @@ iptables-restore - a program included with iptables that allows for atomic installation of a set of Netfilter rules. This is - a much more efficient way to install a ruleset than running the - iptables utility once for each rule in the ruleset. + a much more efficient way to install a rule set than running the + iptables utility once for each rule in the rule set. @@ -269,17 +269,17 @@ loc net ACCEPT net all DROP info all all REJECT infoIn the three-interface sample, the line below is included but commented out. If you want your - firewall system to have full access to servers on the internet, uncomment + firewall system to have full access to servers on the Internet, uncomment that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST $FW net ACCEPT The above policy will: Allow all connection requests from your local network to the - internet + Internet - Drop (ignore) all connection requests from the internet to + Drop (ignore) all connection requests from the Internet to your firewall or local networks; these ignored connection requests will be logged using the info syslog priority (log level). @@ -287,7 +287,7 @@ $FW net ACCEPT The above policy will: Optionally accept all connection requests from the firewall to - the internet (if you uncomment the additional policy) + the Internet (if you uncomment the additional policy) @@ -298,8 +298,8 @@ $FW net ACCEPT The above policy will: To illustrate how rules provide exceptions to policies, suppose that - you have the polcies listed above but you want to be able to connect to - your firewall from the internet using Secure Shell (SSH). Recall that SSH + you have the polices listed above but you want to be able to connect to + your firewall from the Internet using Secure Shell (SSH). Recall that SSH connects uses TCP port 22. #ACTION SOURCE DEST PROTO DEST @@ -307,7 +307,7 @@ $FW net ACCEPT The above policy will: ACCEPT net $FW tcp 22 So although you have a policy of ignoring all connection attempts - from the net zone (from the internet), the above exception to that policy + from the net zone (from the Internet), the above exception to that policy allows you to connect to the SSH server running on your firewall. Because Shorewall makes no assumptions about what traffic you want @@ -317,7 +317,7 @@ ACCEPT net $FW tcp 22 The QuickStart - guildes point to pre-populated files for use in common setups + guides point to pre-populated files for use in common setups and the Shorewall Setup Guide shows you examples for use with other more complex setups. @@ -377,7 +377,7 @@ ACCEPT net $FW tcp 22 highly portable to those Unix-like platforms that support Perl (including Cygwin) and is the compiler of choice for new Shorewall installations. Scripts created using Shorewall-perl use - iptables-restore to install the generated Netfilter ruleset. + iptables-restore to install the generated Netfilter rule set. diff --git a/docs/KVM.xml b/docs/KVM.xml index a096f8258..8aa3620dd 100644 --- a/docs/KVM.xml +++ b/docs/KVM.xml @@ -53,10 +53,10 @@ My personal laptop (Ursa) hosts the virtual machines. As shown in - the diagram, Ursa has routes to the internet through both the + the diagram, Ursa has routes to the Internet through both the Linksys WRT300N and through my Shorewall firewall. This allows me to test the Shorewall Multi-ISP - feature, even though I only have a single internet + feature, even though I only have a single Internet connection The Linux Bridges shown in the diagram are, of course, actually diff --git a/docs/MAC_Validation.xml b/docs/MAC_Validation.xml index d8054ecfe..b0a2ffe1c 100644 --- a/docs/MAC_Validation.xml +++ b/docs/MAC_Validation.xml @@ -41,7 +41,7 @@ MAC addresses are only visible within an - ethernet segment so all MAC addresses used in verification must belong to + Ethernet segment so all MAC addresses used in verification must belong to devices physically connected to one of the LANs to which your firewall is connected. @@ -175,7 +175,7 @@ INTERFACE - The name of an ethernet interface on the Shorewall + The name of an Ethernet interface on the Shorewall system. @@ -184,7 +184,7 @@ MAC - The MAC address of a device on the ethernet segment connected + The MAC address of a device on the Ethernet segment connected by INTERFACE. It is not necessary to use the Shorewall MAC format in this column although you may use that format if you so choose. Beginning with Shorewall 3.1, you may specify "-" here if you enter diff --git a/docs/Manpages.xml b/docs/Manpages.xml index a935ee98b..82a1e6e24 100644 --- a/docs/Manpages.xml +++ b/docs/Manpages.xml @@ -105,7 +105,7 @@ providers - Define - routing tables, usually for mutliple internet links. + routing tables, usually for multiple Internet links. proxyarp - Define Proxy ARP. diff --git a/docs/Modularization.xml b/docs/Modularization.xml index 6d20e14b9..52ca063a1 100644 --- a/docs/Modularization.xml +++ b/docs/Modularization.xml @@ -90,7 +90,7 @@ Optional libraries are loaded upon demand based on the user's configuration. - In Shorewall 3.4, the optional librares are as follows. + In Shorewall 3.4, the optional libraries are as follows. diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index b5992b29e..d685bcb5b 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -75,7 +75,7 @@ Multiple Internet Connection Support Beginning with Shorewall 2.3.2, limited support is included for - multiple internet connections. Limitations of this support are as + multiple Internet connections. Limitations of this support are as follows: @@ -110,7 +110,7 @@ Overview Let's assume that a firewall is connected via two separate - ethernet interfaces to two different ISPs as in the following + Ethernet interfaces to two different ISPs as in the following diagram. @@ -148,7 +148,7 @@ When you use the track option in /etc/shorewall/providers, connections from the - internet are automatically routed back out of the correct interface and + Internet are automatically routed back out of the correct interface and through the correct ISP gateway. This works whether the connection is handled by the firewall itself or if it is routed or port-forwarded to a system behind the firewall. @@ -304,7 +304,7 @@ be tracked so that responses may be routed back out this same interface. - You want to specify 'track' if internet hosts will be + You want to specify 'track' if Internet hosts will be connecting to local servers through this provider. Any time that you specify 'track', you will also want to specify 'balance' (see below). @@ -338,7 +338,7 @@ If you are using /etc/shorewall/providers because you - have multiple internet connections, we recommend that you + have multiple Internet connections, we recommend that you specify 'track' even if you don't need it. It helps maintain long-term connections in which there are significant periods with no traffic. @@ -367,7 +367,7 @@ If you are using /etc/shorewall/providers because you - have multiple internet connections, we recommend that you + have multiple Internet connections, we recommend that you specify 'balance' even if you don't need it. You can still use entries in /etc/shorewall/tcrules to force all traffic to one provider or another. @@ -464,7 +464,7 @@ - For those of you who are termnally confused betweenFor those of you who are terminally confused between track and balance: @@ -494,7 +494,7 @@ Shorewall copies all routes through the interface specified in the INTERFACE column plus the interfaces listed in this column. Normally, you will list all interfaces on your firewall in this - column except those internet interfaces specified in the INTERFACE + column except those Internet interfaces specified in the INTERFACE column of entries in this file. @@ -532,7 +532,7 @@ and any interfaces that do not have an IPv4 configuration. You should also omit interfaces like tun interfaces that are created dynamically. Traffic to networks handled by - those intefaces should be routed through the main table using entries in + those interfaces should be routed through the main table using entries in /etc/shorewall/route_rules (see Example 2 below). @@ -608,7 +608,7 @@ Martians One problem that often arises with Multi-ISP configuration is - 'Martians'. If your internet interfaces are configured with the + 'Martians'. If your Internet interfaces are configured with the routefilter option in /etc/shorewall/interfaces (remember that if you set that option, you should also select Note that because we used a priority of 1000, the OpenVPN (routed setup w/tunX) in combination with multiple providers. In this case you have to set up a rule to ensure that the OpenVPN traffic is routed back through the tunX interface(s) rather than - through any of the providers. 10.8.0.0/24 is the subnet choosen in + through any of the providers. 10.8.0.0/24 is the subnet chosen in your OpenVPN configuration (server 10.8.0.0 255.255.255.0). #SOURCE DEST PROVIDER PRIORITY @@ -981,7 +981,7 @@ gateway:~ #Note that because we used a priority of 1000, the - Only ethernet (or ethernet-like) interfaces can be used. For + Only Ethernet (or Ethernet-like) interfaces can be used. For inbound traffic, the MAC addresses of the gateway routers are used to determine which provider a packet was received through. Note that only routed traffic can be categorized using this technique. @@ -1129,4 +1129,4 @@ linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional/etc/shorewall/rules:#SOURCE DEST PROVIDER PRIORITY - - shorewall 11999
- \ No newline at end of file + diff --git a/docs/Multiple_Zones.xml b/docs/Multiple_Zones.xml index aad71012e..b3b6c79d6 100644 --- a/docs/Multiple_Zones.xml +++ b/docs/Multiple_Zones.xml @@ -90,7 +90,7 @@ The order of entries in /etc/shorewall/hosts is immaterial as - far as the generated ruleset is concerned. + far as the generated rule set is concerned. @@ -125,7 +125,7 @@ - The firewall requirements to/from the internet are the same + The firewall requirements to/from the Internet are the same for 192.168.1.0/24 and 192.168.2.0/24. @@ -180,7 +180,7 @@ Nested Zones You can define one zone (called it loc) as being - all hosts connectied to eth1 and a second zone loc1 + all hosts connected to eth1 and a second zone loc1 (192.168.2.0/24) as a sub-zone. @@ -190,7 +190,7 @@ connection request doesn't match a loc1 rule, it will be matched against the loc rules. For example, if your loc1->net policy is CONTINUE then if a connection request from loc1 - to the internet doesn't match any rules for loc1->net then it will + to the Internet doesn't match any rules for loc1->net then it will be checked against the loc->net rules. /etc/shorewall/zones @@ -302,7 +302,7 @@ loc1 loc NONE Nested zones may also be used to configure a one-armed router (I don't call it a firewall - because it is very insecure. For example, if you connect to the internet + because it is very insecure. For example, if you connect to the Internet via cable modem, your next door neighbor has full access to your local systems as does everyone else connected to the same cable modem head-end controller). Here eth0 is configured with both a public IP address and an