extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-16 06:36:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Improvements to interfaces manpages

Browse Source 
- Indicate when 'routefilter' cannot be used.
- Clarify use of 'sfilter'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-06-11 06:42:03 -07:00
parent 6e6be468a9
commit acefd0a75b
2 changed files with 46 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
manpages/shorewall-interfaces.xml
View File

@ -552,6 +552,35 @@ loc eth2 -</programlisting>
<para>This option can also be enabled globally in the <ulink <para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para> file.</para>
<note>
<para>There are certain cases where
<option>routefilter</option> cannot be used on an
interface:</para>
<itemizedlist>
<listitem>
<para>If USE_DEFAULT_RT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
the interface is listed in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>
<listitem>
<para>If there is an entry for the interface in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5)
that doesn't specify the <option>balance</option>
option.</para>
</listitem>
<listitem>
<para>If IPSEC is used to allow a road-warrior to have a
local address, then any interface through which the
road-warrior might connect cannot specify
<option>routefilter</option>.</para>
</listitem>
</itemizedlist>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -559,11 +588,13 @@ loc eth2 -</programlisting>
<term>sfilter=(<emphasis>net</emphasis>[,...])</term> <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. This option should be used on <para>Added in Shorewall 4.4.20. This option provides an
bridges or other interfaces with the anti-spoofing alternative to <option>routefilter</option> on
<option>routeback</option> option. On these interfaces, it interfaces where that option cannot be used, but where the
should list those local networks that are not routed out of <option>routeback</option> option is required (on a bridge,
the bridge or interface.</para> for example). On these interfaces, <option>sfilter</option>
should list those local networks that are connected to the
firewall through other interfaces.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

15
manpages6/shorewall6-interfaces.xml
View File

@ -341,11 +341,16 @@ loc eth2 -</programlisting>
<term>sfilter=(<emphasis>net</emphasis>[,...])</term> <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. This option should be used on <para>Added in Shorewall 4.4.20. At this writing (spring
bridges or other interfaces with the 2011), Linux does not support reverse path filtering (RFC3704)
<option>routeback</option> option. On these interfaces, it for IPv6. In its absense, <option>sfilter</option> may be used
should list those local networks that are not routed out of as an anti-spoofing measure.</para>
the bridge or interface.</para>
<para>This option should be used on bridges or other
interfaces with the <option>routeback</option> option. On
these interfaces, <option>sfilter</option> should list those
local networks that are connected to the firewall through
other interfaces.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>