diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index a2114a968..a7a35f4ec 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml @@ -50,7 +50,7 @@ The new structure is enabled by sectioning the accounting file in a - manner similar to the rules + manner similar to the rules file. The sections are INPUT, OUTPUT and FORWARD and must appear in that order (although any @@ -295,7 +295,7 @@ the iptaccount utility are only available when xtables-addons is installed. See http://www.shorewall.net/Accounting.html#perIP + url="/Accounting.html#perIP">http://www.shorewall.net/Accounting.html#perIP for additional information. @@ -788,14 +788,14 @@ See ALSO http://shorewall.net/Accounting.html + url="/Accounting.html">http://www.shorewall.net/Accounting.html http://shorewall.net/shorewall_logging.html + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml index f6313aa28..a8c586a45 100644 --- a/Shorewall/manpages/shorewall-actions.xml +++ b/Shorewall/manpages/shorewall-actions.xml @@ -24,7 +24,7 @@ Description This file allows you to define new ACTIONS for use in rules (see - shorewall-rules(5)). You define + shorewall-rules(5)). You define the iptables rules to be performed in an ACTION in /etc/shorewall/action.action-name. 
@@ -58,7 +58,7 @@ target that is supported by your iptables but is not directly supported by Shorewall. The action may be used as the rule target in an INLINE rule in shorewall-rules(5). + url="/manpages/shorewall-rules.html">shorewall-rules(5). Beginning with Shorewall 4.6.0, the Netfilter table(s) in which the builtin can be @@ -147,7 +147,7 @@ See ALSO http://shorewall.net/Actions.html + url="/Actions.html">http://www.shorewall.net/Actions.html shorewall(8), shorewall-accounting(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), diff --git a/Shorewall/manpages/shorewall-blacklist.xml b/Shorewall/manpages/shorewall-blacklist.xml index 5b17feb7d..95393785f 100644 --- a/Shorewall/manpages/shorewall-blacklist.xml +++ b/Shorewall/manpages/shorewall-blacklist.xml @@ -44,7 +44,7 @@ (if your kernel and iptables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). Exclusion (shorewall-exclusion(5)) is + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)) is supported. MAC addresses must be prefixed with "~" and use "-" as a @@ -98,7 +98,7 @@ interface that has the 'blacklist' option set. So to block traffic from your local network to an internet host, you had to specify on your internal interface in shorewall-interfaces + url="/manpages/shorewall-interfaces.html">shorewall-interfaces (5). @@ -106,7 +106,7 @@ Beginning with Shorewall 4.4.13, entries are applied based on the blacklist setting in shorewall-zones(5): + url="/manpages/shorewall-zones.html">shorewall-zones(5): 
@@ -182,10 +182,10 @@ See ALSO http://shorewall.net/blacklisting_support.htm + url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), diff --git a/Shorewall/manpages/shorewall-blrules.xml b/Shorewall/manpages/shorewall-blrules.xml index 58d50f98d..05960fbff 100644 --- a/Shorewall/manpages/shorewall-blrules.xml +++ b/Shorewall/manpages/shorewall-blrules.xml @@ -27,13 +27,13 @@ Rules in this file are applied depending on the setting of BLACKLISTNEWONLY in shorewall.conf(5). If + url="/manpages/shorewall.conf.html">shorewall.conf(5). If BLACKLISTNEWONLY=No, then they are applied regardless of the connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to connections in the NEW and INVALID states. The format of rules in this file is the same as the format of rules - in shorewall-rules (5). The + in shorewall-rules (5). The difference in the two files lies in the ACTION (first) column. @@ -69,7 +69,7 @@ If BLACKLIST_LOGLEVEL is specified in shorewall.conf(5), then + url="/manpages/shorewall.conf.html">shorewall.conf(5), then the macro expands to blacklog. @@ -77,7 +77,7 @@ Otherwise it expands to the action specified for BLACKLIST_DISPOSITION in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -88,10 +88,10 @@ May only be used if BLACKLIST_LOGLEVEL is specified in - shorewall.conf (5). + shorewall.conf (5). Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in shorewall.conf (5). + url="/manpages/shorewall.conf.html">shorewall.conf (5). 
@@ -166,7 +166,7 @@ queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html. @@ -205,7 +205,7 @@ The name of an action declared in shorewall-actions(5) or + url="/manpages/shorewall-actions.html">shorewall-actions(5) or in /usr/share/shorewall/actions.std. @@ -237,7 +237,7 @@ If the ACTION names an action declared in shorewall-actions(5) or in + url="/manpages/shorewall-actions.html">shorewall-actions(5) or in /usr/share/shorewall/actions.std then: @@ -267,13 +267,13 @@ Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). For the remaining columns, see shorewall-rules (5). + url="/manpages/shorewall-rules.html">shorewall-rules (5). @@ -313,10 +313,10 @@ See ALSO http://shorewall.net/blacklisting_support.htm + url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5), diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index 4c5aa6d8c..76d281fb7 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -266,7 +266,7 @@ This error message may be eliminated by adding target as a builtin action in shorewall-actions(5). + url="/manpages/shorewall-actions.html">shorewall-actions(5). 
@@ -344,7 +344,7 @@ interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see shorewall-exclusion + url="/manpages/shorewall-exclusion.html">shorewall-exclusion (5)). Beginning with Shorewall 4.5.7, can be @@ -365,7 +365,7 @@ Where interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall-exclusion + shorewall-exclusion (5)). COMMENT is only allowed in format 1; the remainder of the line @@ -381,7 +381,7 @@ where address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall6-exclusion + shorewall-exclusion (5)). @@ -532,7 +532,7 @@ DROP:PO - 1.2.3.4 See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-exclusion.xml b/Shorewall/manpages/shorewall-exclusion.xml index e607e4cc2..3dba2c739 100644 --- a/Shorewall/manpages/shorewall-exclusion.xml +++ b/Shorewall/manpages/shorewall-exclusion.xml @@ -88,7 +88,7 @@ ACCEPT all!z2 net tcp 22 In most contexts, ipset names can be used as an address-or-range. Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may also be included (see shorewall-ipsets (5)). The semantics + url="/manpages/shorewall-ipsets.html">shorewall-ipsets (5)). The semantics of these lists when used in an exclusion are as follows: diff --git a/Shorewall/manpages/shorewall-hosts.xml b/Shorewall/manpages/shorewall-hosts.xml index 9153a76ec..902184627 100644 --- a/Shorewall/manpages/shorewall-hosts.xml +++ b/Shorewall/manpages/shorewall-hosts.xml 
@@ -29,7 +29,7 @@ The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall-zones(5) determines the order + url="/manpages/shorewall-zones.html">shorewall-zones(5) determines the order in which the records in this file are interpreted. @@ -39,7 +39,7 @@ If you have an entry for a zone and interface in shorewall-interfaces(5) then do + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) then do not include any entries in this file for that same (zone, interface) pair. @@ -53,7 +53,7 @@ The name of a zone declared in shorewall-zones(5). You may not + url="/manpages/shorewall-zones.html">shorewall-zones(5). You may not list the firewall zone in this column. @@ -67,7 +67,7 @@ The name of an interface defined in the shorewall-interfaces(5) file + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) file followed by a colon (":") and a comma-separated list whose elements are either: @@ -102,7 +102,7 @@
You may also exclude certain hosts through use of an exclusion (see shorewall-exclusion(5). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5).
@@ -123,7 +123,7 @@ Check packets arriving on this port against the shorewall-blacklist(5) + url="/manpages/shorewall-blacklist.html">shorewall-blacklist(5) file. @@ -145,7 +145,7 @@ The zone does not have an entry for this interface in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5).
@@ -169,7 +169,7 @@ The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall-zones(5) file + url="/manpages/shorewall-zones.html">shorewall-zones(5) file then you do NOT need to specify the 'ipsec' option here. @@ -181,7 +181,7 @@ Connection requests from these hosts are compared against the contents of shorewall-maclist(5). If + url="/manpages/shorewall-maclist.html">shorewall-maclist(5). If this option is specified, the interface must be an Ethernet NIC or equivalent and must be up before Shorewall is started. @@ -212,7 +212,7 @@ Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in shorewall.conf(5). After + url="/manpages/shorewall.conf.html">shorewall.conf(5). After logging, the packets are dropped. @@ -274,7 +274,7 @@ vpn ppp+:192.168.3.0/24 See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), diff --git a/Shorewall/manpages/shorewall-init.xml b/Shorewall/manpages/shorewall-init.xml index f8ad07914..20c5db07c 100644 --- a/Shorewall/manpages/shorewall-init.xml +++ b/Shorewall/manpages/shorewall-init.xml @@ -145,8 +145,8 @@ On a laptop with both Ethernet and wireless interfaces, you will want to make both interfaces optional and set the REQUIRE_INTERFACE option - to Yes in shorewall.conf (5) or - shorewall6.conf + to Yes in shorewall.conf (5) or + shorewall6.conf (5). This causes the firewall to remain stopped until at least one of the interfaces comes up. diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index 67784e0f2..e9988d7dd 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml 
@@ -71,7 +71,7 @@ in this column. If the interface serves multiple zones that will be defined in - the shorewall-hosts(5) + the shorewall-hosts(5) file, you should place "-" in this column. If there are multiple interfaces to the same zone, you must @@ -97,7 +97,7 @@ loc eth2 - Logical name of interface. Each interface may be listed only once in this file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18. + url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18. If the option is not specified, then the logical name is also the name of the actual interface. @@ -111,7 +111,7 @@ loc eth2 - When using Shorewall versions before 4.1.4, care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See shorewall-nesting(5) for a + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) for a discussion of this problem. Shorewall allows '+' as an interface name. @@ -154,7 +154,7 @@ loc eth2 - Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' interface, then that zone must be defined as type in shorewall6-zones(5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5). @@ -268,7 +268,7 @@ loc eth2 - Checks packets arriving on this interface against the shorewall-blacklist(5) + url="/manpages/shorewall-blacklist.html">shorewall-blacklist(5) file. Beginning with Shorewall 4.4.13: @@ -279,7 +279,7 @@ loc eth2 - ZONES column, then the behavior is as if blacklist had been specified in the IN_OPTIONS column of shorewall-zones(5). + url="/manpages/shorewall-zones.html">shorewall-zones(5). @@ -348,7 +348,7 @@ loc eth2 - url="../bridge-Shorewall-perl.html">Shorewall-perl for firewall/bridging, then you need to include DHCP-specific rules in shorewall-rules(8). + url="/manpages/shorewall-rules.html">shorewall-rules(8). DHCP uses UDP ports 67 and 68. @@ -421,7 +421,7 @@ loc eth2 -
This option may also be enabled globally in the shorewall.conf(5) + url="/manpages/shorewall.conf.html">shorewall.conf(5) file.
@@ -433,7 +433,7 @@ loc eth2 - Connection requests from this interface are compared against the contents of shorewall-maclist(5). If + url="/manpages/shorewall-maclist.html">shorewall-maclist(5). If this option is specified, the interface must be an Ethernet NIC and must be up before Shorewall is started. @@ -472,7 +472,7 @@ loc eth2 - Defines the zone as dynamic. Requires ipset match support in your iptables and kernel. See http://www.shorewall.net/Dynamic.html + url="/Dynamic.html">http://www.shorewall.net/Dynamic.html for further information. @@ -486,7 +486,7 @@ loc eth2 - Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in shorewall.conf(5). After + url="/manpages/shorewall.conf.html">shorewall.conf(5). After logging, the packets are dropped. @@ -527,7 +527,7 @@ loc eth2 - refers to the name given in this option. It is useful when you want to specify the same wildcard port name on two or more bridges. See http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple. + url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple. If the interface name is a wildcard name (ends with '+'), then the physical @@ -547,7 +547,7 @@ loc eth2 - /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use this option if you are employing Proxy ARP through entries in shorewall-proxyarp(5). + url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp(5). This option is intended solely for use with Proxy ARP sub-networking as described at: http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. @@ -626,12 +626,12 @@ loc eth2 - This option can also be enabled globally via the ROUTE_FILTER option in the shorewall.conf(5) + url="/manpages/shorewall.conf.html">shorewall.conf(5) file. If ROUTE_FILTER=Yes in shorewall.conf(5), or if + url="/manpages/shorewall.conf.html">shorewall.conf(5), or if your distribution sets net.ipv4.conf.all.rp_filter=1 in /etc/sysctl.conf, then setting routefilter=0 in an 
@@ -653,14 +653,14 @@ loc eth2 - If USE_DEFAULT_RT=Yes in shorewall.conf(5) and + url="/manpages/shorewall.conf.html">shorewall.conf(5) and the interface is listed in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). If there is an entry for the interface in shorewall-providers(5) + url="/manpages/shorewall-providers.html">shorewall-providers(5) that doesn't specify the option. @@ -797,7 +797,7 @@ loc eth2 - Incoming requests from this interface may be remapped via UPNP (upnpd). See http://www.shorewall.net/UPnP.html. + url="/UPnP.html">http://www.shorewall.net/UPnP.html. @@ -912,7 +912,7 @@ net ppp0 - See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5), diff --git a/Shorewall/manpages/shorewall-ipsets.xml b/Shorewall/manpages/shorewall-ipsets.xml index 59a071a13..71ffbb7ee 100644 --- a/Shorewall/manpages/shorewall-ipsets.xml +++ b/Shorewall/manpages/shorewall-ipsets.xml @@ -77,7 +77,7 @@ specified, matching packets must match all of the listed sets. For information about set lists and exclusion, see shorewall-exclusion (5). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion (5). Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a packet matches an ipset. You do that by listing diff --git a/Shorewall/manpages/shorewall-maclist.xml b/Shorewall/manpages/shorewall-maclist.xml index 2b82684aa..fe4c45be3 100644 --- a/Shorewall/manpages/shorewall-maclist.xml +++ b/Shorewall/manpages/shorewall-maclist.xml 
@@ -27,8 +27,8 @@ associated IP addresses to be allowed to use the specified interface. The feature is enabled by using the maclist option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) or shorewall-hosts(5) configuration file. The columns in the file are as follows (where the column name is @@ -45,7 +45,7 @@ ACCEPT or DROP (if MACLIST_TABLE=filter in shorewall.conf(5), then REJECT is + url="/manpages/shorewall.conf.html">shorewall.conf(5), then REJECT is also allowed). If specified, the log-level causes packets matching the rule to be logged at that level. @@ -101,10 +101,10 @@ See ALSO http://shorewall.net/MAC_Validation.html + url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index e88b3db75..6cbf7be40 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -24,13 +24,13 @@ Description This file was introduced in Shorewall 4.6.0 and is intended to - replace shorewall-rules(5). + replace shorewall-rules(5). This file is only processed by the compiler if: No file named 'tcrules' exists on the current CONFIG_PATH (see - shorewall.conf(5)); or + shorewall.conf(5)); or 
@@ -44,14 +44,14 @@ Unlike rules in the shorewall-rules(5) file, evaluation + url="/manpages/shorewall-rules.html">shorewall-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html. The columns in the file are as follows (where the column name is @@ -104,7 +104,7 @@ Unless otherwise specified for the particular command, the default chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5), and FORWARD + url="/manpages/shorewall.conf.html">shorewall.conf(5), and FORWARD when MARK_IN_FORWARD_CHAIN=Yes. A chain-designator may not be specified if the SOURCE or DEST @@ -159,11 +159,11 @@ When using Shorewall's built-in traffic shaping tool, the major class is the device number (the first device in shorewall-tcdevices(5) + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5) is major class 1, the second device is major class 2, and so on) and the minor class is the class's MARK value in shorewall-tcclasses(5) + url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.). @@ -297,7 +297,7 @@ specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in shorewall-actions + url="/manpages/shorewall-actions.html">shorewall-actions (5). The following rules are equivalent: 
@@ -310,7 +310,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark If INLINE_MATCHES=Yes in shorewall6.conf(5) then the + url="/manpages/shorewall.conf.html">shorewall6.conf(5) then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp @@ -443,7 +443,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark This error message may be eliminated by adding the target as a builtin action in shorewall-actions(5). + url="/manpages/shorewall-actions.html">shorewall-actions(5). @@ -485,7 +485,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark then the assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified, then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). @@ -586,7 +586,7 @@ Normal-Service => 0x00 Transparently redirects a packet without altering the IP header. Requires a tproxy provider to be defined in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). There are three parameters to TPROXY - neither is required: @@ -712,7 +712,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). @@ -749,7 +749,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). @@ -784,7 +784,7 @@ Normal-Service => 0x00 destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading 
@@ -1167,16 +1167,16 @@ Normal-Service => 0x00 See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/PacketMarking.html + url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index 7c4812018..3ed306846 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml @@ -35,9 +35,9 @@ If you have more than one ISP link, adding entries to this file will not force connections to go out through a particular link. You must use entries in shorewall-rtrules(5) or PREROUTING + url="/manpages/shorewall-rtrules.html">shorewall-rtrules(5) or PREROUTING entries in shorewall-mangle(5) to do + url="/manpages/shorewall-mangle.html">shorewall-mangle(5) to do that. @@ -55,7 +55,7 @@ Outgoing interfacelist. This may be a comma-separated list of interface names. This is usually your internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you may add ":" + url="/manpages/shorewall.conf.html">shorewall.conf(5), you may add ":" and a digit to indicate that you want the alias added with that name (e.g., eth0:0). This will allow the alias to be displayed with ifconfig. That is the only use 
@@ -63,17 +63,17 @@ Shorewall configuration. Each interface must match an entry in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). For example, ppp0 in this file will match a shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) entry that defines ppp+. Where more that + url="/4.4/MultiISP.html#Shared">more that one internet provider share a single interface, the provider is specified by including the provider name or number in parentheses: @@ -88,7 +88,7 @@ addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations. Exclusion is allowed (see shorewall-exclusion(5)) as + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)) as are ipset names preceded by a plus sign '+'; If you wish to inhibit the action of ADD_SNAT_ALIASES for this @@ -99,7 +99,7 @@ Normally Masq/SNAT rules are evaluated after those for one-to-one NAT (defined in shorewall-nat(5)). If you want the + url="/manpages/shorewall-nat.html">shorewall-nat(5)). If you want the rule to be applied before one-to-one NAT rules, prefix the interface name with "+": @@ -109,7 +109,7 @@ This feature should only be required if you need to insert rules in this file that preempt entries in shorewall-nat(5). + url="/manpages/shorewall-nat.html">shorewall-nat(5). Comments may be attached to Netfilter rules generated from entries in this file through the use of COMMENT lines. These lines @@ -174,7 +174,7 @@ If you specify an address here, SNAT will be used and this will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes - in shorewall.conf(5) then + in shorewall.conf(5) then Shorewall will automatically add this address to the INTERFACE named in the first column. 
@@ -679,7 +679,7 @@ If INLINE_MATCHES=Yes in shorewall.conf(5), then these + url="/manpages/shorewall.conf.html">shorewall.conf(5), then these rules may be specified as follows: /etc/shorewall/masq: @@ -703,7 +703,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5), diff --git a/Shorewall/manpages/shorewall-modules.xml b/Shorewall/manpages/shorewall-modules.xml index cc5fcbbf8..19144c6ab 100644 --- a/Shorewall/manpages/shorewall-modules.xml +++ b/Shorewall/manpages/shorewall-modules.xml @@ -32,7 +32,7 @@ The modules file is used when LOAD_HELPERS_ONLY=No in shorewall.conf(8); the + url="/manpages/shorewall.conf.html">shorewall.conf(8); the helpers file is used when LOAD_HELPERS_ONLY=Yes @@ -50,7 +50,7 @@ The modulename names a kernel module (without suffix). Shorewall will search for modules based on your MODULESDIR and MODULE_SUFFIX settings in shorewall.conf(8). The + url="/manpages/shorewall.conf.html">shorewall.conf(8). The moduleoptions are passed to modprobe (if installed) or to insmod. diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml index 18a81ed80..0b1795ddf 100644 --- a/Shorewall/manpages/shorewall-nat.xml +++ b/Shorewall/manpages/shorewall-nat.xml @@ -29,9 +29,9 @@ If all you want to do is simple port forwarding, do NOT use this file. See http://www.shorewall.net/FAQ.htm#faq1. + url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1. Also, in many cases, Proxy ARP (shorewall-proxyarp(5)) is a better + url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp(5)) is a better solution that one-to-one NAT. 
@@ -72,7 +72,7 @@ Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in - shorewall.conf(5), + shorewall.conf(5), Shorewall will automatically add the EXTERNAL address to this interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface name with ":" and a digit to indicate that you @@ -83,12 +83,12 @@ Each interface must match an entry in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). For example, ppp0 in this file will match a shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) entry that defines ppp+. @@ -143,10 +143,10 @@ See ALSO http://shorewall.net/NAT.htm + url="/NAT.htm">http://www.shorewall.net/NAT.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-nesting.xml b/Shorewall/manpages/shorewall-nesting.xml index e626df678..435bcfedd 100644 --- a/Shorewall/manpages/shorewall-nesting.xml +++ b/Shorewall/manpages/shorewall-nesting.xml @@ -24,7 +24,7 @@ Description - In shorewall-zones(5), a + In shorewall-zones(5), a zone may be declared to be a sub-zone of one or more other zones using the above syntax. The child-zone may be neither the firewall zone nor a vserver zone. The firewall zone may not appear as a @@ -32,7 +32,7 @@ firewall zone. Where zones are nested, the CONTINUE policy in shorewall-policy(5) allows hosts that + url="/manpages/shorewall-policy.html">shorewall-policy(5) allows hosts that are within multiple zones to be managed under the rules of all of these zones. 
@@ -74,7 +74,7 @@ under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in - shorewall.conf(5). + shorewall.conf(5). Partial /etc/shorewall/rules: diff --git a/Shorewall/manpages/shorewall-netmap.xml b/Shorewall/manpages/shorewall-netmap.xml index 798f34a2c..9fa517638 100644 --- a/Shorewall/manpages/shorewall-netmap.xml +++ b/Shorewall/manpages/shorewall-netmap.xml @@ -81,7 +81,7 @@ Network in CIDR format (e.g., 192.168.1.0/24). Beginning with Shorewall 4.4.24, exclusion is + url="/manpages/shorewall-exclusion.html">exclusion is supported. @@ -93,12 +93,12 @@ The name of a network interface. The interface must be defined in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). For example, ppp0 in this file will match a shorewall-interfaces(8) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(8) entry that defines ppp+. @@ -147,7 +147,7 @@ destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading 
@@ -189,10 +189,10 @@ See ALSO http://shorewall.net/netmap.html + url="/netmap.html">http://www.shorewall.net/netmap.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-params.xml b/Shorewall/manpages/shorewall-params.xml index b71484f15..024c23515 100644 --- a/Shorewall/manpages/shorewall-params.xml +++ b/Shorewall/manpages/shorewall-params.xml @@ -26,7 +26,7 @@ Assign any shell variables that you need in this file. The file is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in shorewall.conf (5) so the full range of + url="/manpages/shorewall.conf.html">shorewall.conf (5) so the full range of shell capabilities may be used. It is suggested that variable names begin with an upper case letter @@ -40,7 +40,7 @@ Any option from shorewall.conf (5) + url="/manpages/shorewall.conf.html">shorewall.conf (5) COMMAND @@ -107,7 +107,7 @@ NET_BCAST=130.252.100.255 NET_OPTIONS=routefilter,norfc1918 Example shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) file. ZONE INTERFACE BROADCAST OPTIONS @@ -129,7 +129,7 @@ net eth0 130.252.100.255 routefilter,norfc1918 See ALSO http://www.shorewall.net/configuration_file_basics.htm#Variables + url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index 6d4d7a67c..dac200fce 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml 
@@ -25,7 +25,7 @@ This file defines the high-level policy for connections between zones defined in shorewall-zones(5). + url="/manpages/shorewall-zones.html">shorewall-zones(5). The order of entries in this file is important @@ -66,7 +66,7 @@ Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, "all" or + url="/manpages/shorewall-zones.html">shorewall-zones(5), $FW, "all" or "all+". Support for "all+" was added in Shorewall 4.5.17. "all" does @@ -84,7 +84,7 @@ Destination zone. Must be the name of a zone defined in shorewall-zones(5), $FW, "all" or + url="/manpages/shorewall-zones.html">shorewall-zones(5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same @@ -118,7 +118,7 @@ The word "None" or "none". This causes any default action defined in shorewall.conf(5) to be + url="/manpages/shorewall.conf.html">shorewall.conf(5) to be omitted for this policy. @@ -191,7 +191,7 @@ might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this policy). See shorewall-nesting(5) for + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) for additional information. @@ -231,7 +231,7 @@ url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html). For a description of log levels, see http://www.shorewall.net/shorewall_logging.html. + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html. If you don't want to log but need to specify the following column, place "-" here. 
@@ -327,7 +327,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml index 22e8f4a17..8e050afae 100644 --- a/Shorewall/manpages/shorewall-providers.xml +++ b/Shorewall/manpages/shorewall-providers.xml @@ -77,11 +77,11 @@ A FWMARK value used in your shorewall-mangle(5) file to + url="/manpages/shorewall-mangle.html">shorewall-mangle(5) file to direct packets to this provider. If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value + url="/manpages/shorewall.conf.html">shorewall.conf(5), then the value must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte of the value being zero). Otherwise, the value must be between 1 and 255. Each @@ -101,7 +101,7 @@ previously listed provider. You may select only certain entries from the table to copy by using the COPY column below. This column should contain a dash ("-') when USE_DEFAULT_RT=Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -112,7 +112,7 @@ The name of the network interface to the provider. Must be listed in shorewall-interfaces(5). In + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). In general, that interface should not have the option specified unless is given in the OPTIONS column of this @@ -177,7 +177,7 @@ Beginning with Shorewall 4.4.3, defaults to the setting of the TRACK_PROVIDERS option in - shorewall.conf (5). + shorewall.conf (5). If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify (see below). 
@@ -241,7 +241,7 @@ and configured with an IPv4 address then ignore this provider. If not specified, the value of the option for the INTERFACE in shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) is assumed. Use of that option is preferred to this one, unless an address is provider in the INTERFACE column. @@ -300,7 +300,7 @@ Added in Shorewall 4.5.4. Used for supporting the TPROXY action in shorewall-mangle(5). See http://www.shorewall.net/Shorewall_Squid_Usage.html. + url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html. When specified, the MARK, DUPLICATE and GATEWAY columns should be empty, INTERFACE should be set to 'lo' and should be the only OPTION. Only one @@ -416,10 +416,10 @@ See ALSO http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-proxyarp.xml b/Shorewall/manpages/shorewall-proxyarp.xml index 9eef0ea76..d11aa607e 100644 --- a/Shorewall/manpages/shorewall-proxyarp.xml +++ b/Shorewall/manpages/shorewall-proxyarp.xml @@ -132,10 +132,10 @@ See ALSO http://shorewall.net/ProxyARP.htm + url="/ProxyARP.htm">http://www.shorewall.net/ProxyARP.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-routes.xml b/Shorewall/manpages/shorewall-routes.xml index 0cfaa95e8..c1d7cf993 100644 --- a/Shorewall/manpages/shorewall-routes.xml 
+++ b/Shorewall/manpages/shorewall-routes.xml @@ -34,7 +34,7 @@ The name or number of a provider defined in shorewall-providers (5). + url="/manpages/shorewall-providers.html">shorewall-providers (5). Beginning with Shorewall 4.5.14, you may also enter in this column to add routes to the main routing table. @@ -73,7 +73,7 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall-providers (5). This + url="/manpages/shorewall-providers.html">shorewall-providers (5). This column must be omitted if , or is specified in the GATEWAY column. @@ -92,7 +92,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml index afc3392d4..3aca6d8bf 100644 --- a/Shorewall/manpages/shorewall-routestopped.xml +++ b/Shorewall/manpages/shorewall-routestopped.xml @@ -25,7 +25,7 @@ Description This file is deprecated in favor of the shorewall-stoppedrules(5) + url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules(5) file. This file is used to define the hosts that are accessible when the @@ -84,7 +84,7 @@ themselves. Beginning with Shorewall 4.4.9, this option is automatically set if routeback is specified in shorewall-interfaces + url="/manpages/shorewall-interfaces.html">shorewall-interfaces (5) or if the rules compiler detects that the interface is a bridge. @@ -176,7 +176,7 @@ The source and dest options work best when used in conjunction with ADMINISABSENTMINDED=Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). 
@@ -210,10 +210,10 @@ See ALSO http://shorewall.net/starting_and_stopping_shorewall.htm + url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-rtrules.xml b/Shorewall/manpages/shorewall-rtrules.xml index f6e02e1d0..797a7a922 100644 --- a/Shorewall/manpages/shorewall-rtrules.xml +++ b/Shorewall/manpages/shorewall-rtrules.xml @@ -25,7 +25,7 @@ Entries in this file cause traffic to be routed to one of the providers listed in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). The columns in the file are as follows. @@ -181,10 +181,10 @@ See ALSO http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 88b4df638..ed4aa491e 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml 
@@ -25,7 +25,7 @@ Entries in this file govern connection establishment by defining exceptions to the policies laid out in shorewall-policy(5). By default, + url="/manpages/shorewall-policy.html">shorewall-policy(5). By default, subsequent requests and responses are automatically allowed using connection tracking. For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the @@ -87,7 +87,7 @@ There is an implicit rule added at the end of this section that invokes the RELATED_DISPOSITION (shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). @@ -103,7 +103,7 @@ There is an implicit rule added at the end of this section that invokes the INVALID_DISPOSITION (shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). @@ -119,7 +119,7 @@ There is an implicit rule added at the end of this section that invokes the UNTRACKED_DISPOSITION (shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). @@ -145,7 +145,7 @@ If you specify FASTACCEPT=Yes in shorewall.conf(5) then the shorewall.conf(5) then the ALL, ESTABLISHED and RELATED sections must be empty. @@ -224,7 +224,7 @@ like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -234,7 +234,7 @@ The name of an action declared in shorewall-actions(5) or + url="/manpages/shorewall-actions.html">shorewall-actions(5) or in /usr/share/shorewall/actions.std. 
@@ -329,11 +329,11 @@ Do not process any of the following rules for this (source zone,destination zone). If the source and/or destination IP address falls into a zone defined later in - shorewall-zones(5) + shorewall-zones(5) or in a parent zone of the source or destination zones, then this connection request will be passed to the rules defined for that (those) zone(s). See shorewall-nesting(5) for + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) for additional information. @@ -344,7 +344,7 @@ like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -414,7 +414,7 @@ like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -445,7 +445,7 @@ INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In this case, you must declare the target as a builtin action in shorewall-actions(5). + url="/manpages/shorewall-actions.html">shorewall-actions(5). Some considerations when using INLINE: @@ -490,7 +490,7 @@ This error message may be eliminated by adding the target as a builtin action in shorewall-actions(5). + url="/manpages/shorewall-actions.html">shorewall-actions(5). @@ -536,7 +536,7 @@ Added in Shorewall 4.5.9.3. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html. Similar to LOG:NFLOG[(nflog-parameters)], @@ -565,7 +565,7 @@ like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -596,7 +596,7 @@ like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). 
@@ -615,7 +615,7 @@ like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -649,7 +649,7 @@ Added in Shorewall 4.5.10. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html. Similar to LOG:ULOG[(ulog-parameters)], @@ -671,7 +671,7 @@ If the ACTION names an action declared in shorewall-actions(5) or in + url="/manpages/shorewall-actions.html">shorewall-actions(5) or in /usr/share/shorewall/actions.std then: @@ -702,7 +702,7 @@ Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix generated by the LOGPREFIX setting. @@ -732,7 +732,7 @@ Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall-zones (5). This + url="/manpages/shorewall-zones.html">shorewall-zones (5). This zone-list may be optionally followed by "+" to indicate that the rule is to apply to intra-zone traffic as well as inter-zone traffic. @@ -751,7 +751,7 @@ role="bold">-] is "used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13, exclusion is supported -- see see shorewall-exclusion(5). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5). Except when all[+][-] or @@ -791,7 +791,7 @@ firewall interface can be specified by an ampersand ('&') followed by the logical name of the interface as found in the INTERFACE column of shorewall-interfaces + url="/manpages/shorewall-interfaces.html">shorewall-interfaces (5). Beginning with Shorewall 4.5.4, A 
@@ -801,14 +801,14 @@ preceded by a caret ('^'). When a single country code is given, the square brackets may be omitted. A list of country codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html. + url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list requires GeoIP Match support in your iptables and Kernel. You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). Examples: @@ -906,7 +906,7 @@ Location of Server. May be a zone declared in shorewall-zones(5), $shorewall-zones(5), $FW to indicate the firewall itself, all. all+ or none. @@ -914,7 +914,7 @@ Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall-zones (5). This + url="/manpages/shorewall-zones.html">shorewall-zones (5). This zone-list may be optionally followed by "+" to indicate that the rule is to apply to intra-zone traffic as well as inter-zone traffic. @@ -926,7 +926,7 @@ preceded by a caret ('^'). When a single country code is given, the square brackets may be omitted. A list of country codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html. + url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list requires GeoIP Match support in your iptables and Kernel. @@ -941,7 +941,7 @@ affected. When all+ is used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13, exclusion is supported -- see see shorewall-exclusion(5). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5). any is equivalent to all when there are no nested zones. 
@@ -976,7 +976,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). Restriction: MAC addresses are not allowed (this is a Netfilter restriction). @@ -1002,7 +1002,7 @@ firewall interface can be specified by an ampersand ('&') followed by the logical name of the interface as found in the INTERFACE column of shorewall-interfaces + url="/manpages/shorewall-interfaces.html">shorewall-interfaces (5). The port that the server is @@ -1079,7 +1079,7 @@ interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. Note that prior to Shorewall 4.4.19, only a single ICMP type may be listed. @@ -1176,7 +1176,7 @@ firewall interface can be specified by an ampersand ('&') followed by the logical name of the interface as found in the INTERFACE column of shorewall-interfaces + url="/manpages/shorewall-interfaces.html">shorewall-interfaces (5). For other actions, this column may be included and may contain @@ -1194,10 +1194,10 @@ role="bold">192.168.1.0/24!192.168.1.16/28 specifies the addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255. See shorewall-exclusion(5). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5). See http://shorewall.net/PortKnocking.html + url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html for an example of using an entry in this column with a user-defined action rule. @@ -1567,7 +1567,7 @@ If the HELPERS option is specified in shorewall.conf(5), then any module + url="/manpages/shorewall.conf.html">shorewall.conf(5), then any module specified in this column must be listed in the HELPERS setting. 
@@ -1696,21 +1696,21 @@ example: shorewall-zones(8): #ZONE TYPE OPTIONS + url="/manpages/shorewall-zones.html">shorewall-zones(5): #ZONE TYPE OPTIONS fw firewall net ipv4 dmz ipv4 loc ipv4 shorewall-interfaces(8): #ZONE INTERFACE BROADCAST OPTIONS + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5): #ZONE INTERFACE BROADCAST OPTIONS net ppp0 loc eth1 detect dmz eth2 detect - ppp+ # Addresses are assigned from 192.168.3.0/24 shorewall-host(8): #ZONE HOST(S) OPTIONS + url="/manpages/shorewall-hosts.html">shorewall-host(5): #ZONE HOST(S) OPTIONS loc ppp+:192.168.3.0/24 rules: @@ -1806,7 +1806,7 @@ -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 Note that SECCTX must be defined as a builtin action in shorewall-actions(5): + url="/manpages/shorewall-actions.html">shorewall-actions(5): #ACTION OPTIONS SECCTX builtin @@ -1825,13 +1825,13 @@ See ALSO http://www.shorewall.net/ipsets.html + url="/ipsets.html">http://www.shorewall.net/ipsets.html http://www.shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs http://www.shorewall.net/shorewall_logging.html + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5), diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml index a54fa3c41..ec171807c 100644 --- a/Shorewall/manpages/shorewall-secmarks.xml +++ b/Shorewall/manpages/shorewall-secmarks.xml @@ -25,7 +25,7 @@ Unlike rules in the shorewall-rules(5) file, evaluation + url="/manpages/shorewall-rules.html">shorewall-rules(5) file, evaluation of rules in this file will continue after a match. So the final secmark for each packet will be the one assigned by the LAST rule that matches. 
@@ -182,7 +182,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). Addresses may be specified using an ipset name preceded by '+'. @@ -213,7 +213,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). Addresses may be specified using an ipset name preceded by '+'. @@ -251,7 +251,7 @@ destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading @@ -411,7 +411,7 @@ RESTORE I:ER url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml index b5581d3ac..219f22462 100644 --- a/Shorewall/manpages/shorewall-stoppedrules.xml +++ b/Shorewall/manpages/shorewall-stoppedrules.xml 
@@ -147,10 +147,10 @@ See ALSO http://shorewall.net/starting_and_stopping_shorewall.htm + url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-tcclasses.xml b/Shorewall/manpages/shorewall-tcclasses.xml index b20ea3dc6..963abb188 100644 --- a/Shorewall/manpages/shorewall-tcclasses.xml +++ b/Shorewall/manpages/shorewall-tcclasses.xml @@ -125,7 +125,7 @@ You may specify the interface number rather than the interface name. If the classify option is given for the interface in shorewall-tcdevices(5), then + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5), then you must also specify an interface class (an integer that must be unique within classes associated with this interface). If the classify option is not given, you may still specify a @@ -139,12 +139,12 @@ Please note that you can only use interface names in here that have a bandwidth defined in the shorewall-tcdevices(5) + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5) file. Normally, all classes defined here are sub-classes of a root class that is implicitly defined from the entry in shorewall-tcdevices(5). You + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5). You can establish a class hierarchy by specifying a parent class -- the number of a class that you have previously defined. The sub-class may borrow unused bandwidth 
@@ -159,11 +159,11 @@ The mark value which is an integer in the range 1-255. You set mark values in the shorewall-mangle(5) file, + url="/manpages/shorewall-mangle.html">shorewall-mangle(5) file, marking the traffic you want to fit in the classes defined in here. Must be specified as '-' if the classify option is given for the interface in - shorewall-tcdevices(5) + shorewall-tcdevices(5) and you are running Shorewall 4.5.5 or earlier. You can use the same marks for different interfaces. @@ -417,7 +417,7 @@ of the class. So the total RATE represented by an entry with 'occurs' will be the listed RATE multiplied by number. For additional information, see - tcrules + shorewall-tcrules (5). @@ -762,10 +762,10 @@ See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs tc-hfsc(7) diff --git a/Shorewall/manpages/shorewall-tcdevices.xml b/Shorewall/manpages/shorewall-tcdevices.xml index d8240aa73..5ff9b3411 100644 --- a/Shorewall/manpages/shorewall-tcdevices.xml +++ b/Shorewall/manpages/shorewall-tcdevices.xml @@ -104,7 +104,7 @@ Name of interface. Each interface may be listed only once in this file. You may NOT specify the name of an alias (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18 + url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18 You may NOT specify wildcards here, e.g. if you have multiple ppp interfaces, you need to put them all in here! @@ -151,7 +151,7 @@ may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by default. See Shorewall FAQ + url="/FAQ.htm#faq97a">Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with 
@@ -171,7 +171,7 @@ The outgoing bandwidth of that interface. This is the maximum speed your connection can handle. It is also the speed you can refer as "full" if you define the tc classes in shorewall-tcclasses(5). + url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses(5). Outgoing traffic above this rate will be dropped. @@ -195,7 +195,7 @@ ― When specified, Shorewall will not generate tc or Netfilter rules to classify traffic based on packet marks. You must do all classification using CLASSIFY rules in shorewall-mangle(5). + url="/manpages/shorewall-mangle.html">shorewall-mangle(5). - Use the Hierarchical Token Bucket queuing discipline. This is the default. @@ -283,10 +283,10 @@ tc-hfsc (7) http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml index ba9c5d53e..2b79ce009 100644 --- a/Shorewall/manpages/shorewall-tcfilters.xml +++ b/Shorewall/manpages/shorewall-tcfilters.xml @@ -70,10 +70,10 @@ The name or number of an interface defined in shorewall-tcdevices(5) + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5) followed by a class number defined for that interface in shorewall-tcclasses(5). + url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses(5). @@ -99,7 +99,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). 
@@ -318,16 +318,16 @@ See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/PacketMarking.html + url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), diff --git a/Shorewall/manpages/shorewall-tcinterfaces.xml b/Shorewall/manpages/shorewall-tcinterfaces.xml index af1b9bded..87d045a3b 100644 --- a/Shorewall/manpages/shorewall-tcinterfaces.xml +++ b/Shorewall/manpages/shorewall-tcinterfaces.xml @@ -25,7 +25,7 @@ This file lists the interfaces that are subject to simple traffic shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in - shorewall.conf(5). + shorewall.conf(5). A note on the bandwidth definition used in this file: @@ -162,7 +162,7 @@ may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by default. See Shorewall FAQ + url="/FAQ.htm#faq97a">Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with diff --git a/Shorewall/manpages/shorewall-tcpri.xml b/Shorewall/manpages/shorewall-tcpri.xml index 7eb820ab7..908bfd812 100644 --- a/Shorewall/manpages/shorewall-tcpri.xml +++ b/Shorewall/manpages/shorewall-tcpri.xml 
@@ -25,12 +25,12 @@ This file is used to specify the priority of traffic for simple traffic shaping (TC_ENABLED=Simple in shorewall.conf(5)). The priority band of + url="/manpages/shorewall.conf.html">shorewall.conf(5)). The priority band of each packet is determined by the last entry that the packet matches. If a packet doesn't match any entry in this file, then its priority will be determined by its TOS field. The default mapping is as follows but can be changed by setting the TC_PRIOMAP option - in shorewall.conf(5). + in shorewall.conf(5). TOS Bits Means Linux Priority BAND ------------------------------------------------------------ @@ -63,7 +63,7 @@ Classifies matching traffic as High Priority (1), Medium Priority (2) or Low Priority (3). For those interfaces listed in shorewall-tcinterfaces(5), + url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces(5), Priority 2 traffic will be deferred so long and there is Priority 1 traffic queued and Priority 3 traffic will be deferred so long as there is Priority 1 or Priority 2 traffic to send. @@ -151,7 +151,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs prio(8), shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index 22e4a7c39..4e443a08a 100644 --- a/Shorewall/manpages/shorewall-tcrules.xml +++ b/Shorewall/manpages/shorewall-tcrules.xml 
@@ -28,14 +28,14 @@ Unlike rules in the shorewall-rules(5) file, evaluation + url="/manpages/shorewall-rules.html">shorewall-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html. Beginning with Shorewall 4.5.4, the tcrules file supports two @@ -123,7 +123,7 @@ - Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). Please note that :I is included for completeness and affects neither traffic shaping @@ -203,7 +203,7 @@ then the assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified, then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall.conf(5)). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). May optionally be followed by :P, - Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). Please note that :I is included for completeness and affects neither traffic shaping @@ -311,11 +311,11 @@ When using Shorewall's built-in traffic shaping tool, the major class is the device number (the first device in shorewall-tcdevices(5) is + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5) is major class 1, the second device is major class 2, and so on) and the minor class is the class's MARK value in shorewall-tcclasses(5) + url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.). 
@@ -487,7 +487,7 @@ [option] ...") after any matches specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in - shorewall-actions + shorewall-actions (5). The following rules are equivalent: @@ -500,7 +500,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark If INLINE_MATCHES=Yes in shorewall6.conf(5) then the + url="/manpages/shorewall.conf.html">shorewall.conf(5) then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp @@ -724,7 +724,7 @@ Normal-Service => 0x00 Transparently redirects a packet without altering the IP header. Requires a local provider to be defined in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). There are three parameters to TPROXY - only the first (mark) is required: @@ -733,7 +733,7 @@ Normal-Service => 0x00 mark - the MARK value corresponding to the local provider in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). @@ -758,7 +758,7 @@ Normal-Service => 0x00 Transparently redirects a packet without altering the IP header. Requires a tproxy provider to be defined in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). There are three parameters to TPROXY - neither is required: @@ -862,7 +862,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). @@ -879,7 +879,7 @@ Normal-Service => 0x00 An interface name. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The + url="/manpages/shorewall.conf">shorewall.conf (5)). The interface name may be optionally followed by a colon (":") and an IP address list. 
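Review bot: The added link in the hunk at @@ -879,7 +879,7 @@ of shorewall-tcrules.xml is missing its extension: url="/manpages/shorewall.conf" should read url="/manpages/shorewall.conf.html", matching the other shorewall.conf(5) links added in this file (for example the one in the hunk at @@ -123,7 +123,7 @@). As written, this one link points at a different path from the rest.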
@@ -899,7 +899,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)). @@ -934,7 +934,7 @@ Normal-Service => 0x00 destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading @@ -1317,16 +1317,16 @@ Normal-Service => 0x00 See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/PacketMarking.html + url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), diff --git a/Shorewall/manpages/shorewall-tos.xml b/Shorewall/manpages/shorewall-tos.xml index da3107d5f..76c39cca4 100644 --- a/Shorewall/manpages/shorewall-tos.xml +++ b/Shorewall/manpages/shorewall-tos.xml @@ -25,7 +25,7 @@ This file defines rules for setting Type Of Service (TOS). Its use is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in - shorewall-mangle (5). + shorewall-mangle (5). The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in 
@@ -167,7 +167,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml index 375c68d8a..c252ab310 100644 --- a/Shorewall/manpages/shorewall-tunnels.xml +++ b/Shorewall/manpages/shorewall-tunnels.xml @@ -27,7 +27,7 @@ encrypted) traffic to pass between the Shorewall system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See http://www.shorewall.net/VPNBasics.html + url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html for details. The columns in the file are as follows. @@ -143,7 +143,7 @@ Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall-exclusion (5) ) is + url="/manpages/shorewall-exclusion.html">shorewall-exclusion (5) ) is not supported. @@ -281,7 +281,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall-zones.xml b/Shorewall/manpages/shorewall-zones.xml index 3620beb18..4215b7a81 100644 --- a/Shorewall/manpages/shorewall-zones.xml +++ b/Shorewall/manpages/shorewall-zones.xml 
@@ -45,14 +45,14 @@ "none", "any", "SOURCE" and "DEST" are reserved and may not be used as zone names. The maximum length of a zone name is determined by the setting of the LOGFORMAT option in shorewall.conf(5). With the + url="/manpages/shorewall.conf.html">shorewall.conf(5). With the default LOGFORMAT, zone names can be at most 5 characters long.
The maximum length of an iptables log prefix is 29 bytes. As explained in shorewall.conf (5), the default + url="/manpages/shorewall.conf.html">shorewall.conf (5), the default LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first %s is replaced by the chain name and the second is replaced by the disposition. @@ -97,7 +97,7 @@ (sub)zone name by ":" and a comma-separated list of the parent zones. The parent zones must have been declared in earlier records in this file. See shorewall-nesting(5) for + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) for additional information. Example: @@ -110,7 +110,7 @@ c:a,b ipv4 Currently, Shorewall uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall.conf(5) can also create + url="/manpages/shorewall.conf.html">shorewall.conf(5) can also create implicit CONTINUE policies to/from the subzone. Where an ipsec zone is @@ -137,7 +137,7 @@ c:a,b ipv4 the column. Communication with some zone hosts may be encrypted. Encrypted hosts are designated using the 'ipsec' option in shorewall-hosts(5). + url="/manpages/shorewall-hosts.html">shorewall-hosts(5). @@ -180,7 +180,7 @@ c:a,b ipv4 Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver guests. The zone contents must be defined in - shorewall-hosts + shorewall-hosts (5). Vserver zones are implicitly handled as subzones of the @@ -208,7 +208,7 @@ c:a,b ipv4 $FW rules are defined, they are placed in a chain named ${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). 
@@ -290,12 +290,12 @@ c:a,b ipv4 When specified in the IN_OPTIONS column, causes all traffic from this zone to be passed against the src entries in shorewall-blacklist(5). + url="/manpages/shorewall-blacklist.html">shorewall-blacklist(5). When specified in the OUT_OPTIONS column, causes all traffic to this zone to be passed against the dst entries in shorewall-blacklist(5). + url="/manpages/shorewall-blacklist.html">horewall-blacklist(5). Specifying this option in the OPTIONS column is equivalent to entering it in both of the IN_OPTIONS and @@ -310,7 +310,7 @@ c:a,b ipv4 Added in Shorewall 4.5.9. May only be specified in the OPTIONS column and indicates that only a single ipset should be created for this zone if it has multiple dynamic entries in - shorewall-hosts(5). + shorewall-hosts(5). Without this option, a separate ipset is created for each interface. @@ -354,7 +354,7 @@ c:a,b ipv4 sets the MSS field in TCP packets. If you supply this option, you should also set FASTACCEPT=No in shorewall.conf(5) to insure + url="/manpages/shorewall.conf.html">shorewall.conf(5) to insure that both the SYN and SYN,ACK packets have their MSS field adjusted. @@ -427,10 +427,10 @@ c:a,b ipv4 See ALSO http://www.shorewall.net/Multiple_Zones.html. + url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html. http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 5e34f839e..4ad18bb77 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml 
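Review bot: The second added line in the hunk at @@ -290,12 +290,12 @@ of shorewall-zones.xml drops the first letter of the link text: url="/manpages/shorewall-blacklist.html">horewall-blacklist(5). should end in >shorewall-blacklist(5)., as in the IN_OPTIONS line added just above it. The target is correct; only the visible text is wrong.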
@@ -183,7 +183,7 @@ If you set the value of either option to "None" then no default action will be used and the default action or macro must be specified in shorewall-policy(5). + url="/manpages/shorewall-policy.html">shorewall-policy(5). You can pass parameters to the specified action (e.g., @@ -204,7 +204,7 @@ Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting is enabled (see shorewall-accounting(5)). If + url="/manpages/shorewall-accounting.html">shorewall-accounting(5)). If not specified or set to the empty value, ACCOUNTING=Yes is assumed. @@ -219,7 +219,7 @@ Added in Shorewall 4.4.20. This setting determines which Netfilter table the accounting rules are added in. By default, ACCOUNTING_TABLE=filter is assumed. See also shorewall-accounting(5). + url="/manpages/shorewall-accounting.html">shorewall-accounting(5). @@ -230,7 +230,7 @@ This parameter determines whether Shorewall automatically adds the external address(es) in shorewall-nat(5). If the variable + url="/manpages/shorewall-nat.html">shorewall-nat(5). If the variable is set to Yes or yes then Shorewall automatically adds these aliases. If it is set to No or @@ -256,7 +256,7 @@ This parameter determines whether Shorewall automatically adds the SNAT ADDRESS in shorewall-masq(5). If the variable + url="/manpages/shorewall-masq.html">shorewall-masq(5). If the variable is set to Yes or yes then Shorewall automatically adds these addresses. If it is set to No or 
@@ -283,10 +283,10 @@ The value of this variable affects Shorewall's stopped state. When ADMINISABSENTMINDED=No, only traffic to/from those addresses listed in shorewall-routestopped(5) + url="/manpages/shorewall-routestopped.html">shorewall-routestopped(5) is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in shorewall-routestopped(5), + url="/manpages/shorewall-routestopped.html">shorewall-routestopped(5), connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed. If this variable is not set or is given the empty value then @@ -350,13 +350,13 @@ Modify shorewall-conntrack + url="/manpages/shorewall-conntrack.html">shorewall-conntrack (5) to only apply helpers where they are required; or Specify the appropriate helper in the HELPER column in - shorewall-rules + shorewall-rules (5). @@ -427,10 +427,10 @@ The BLACKLIST_DISPOSITION setting has no effect on entries in the BLACKLIST section of shorewall-rules (5). It + url="/manpages/shorewall-rules.html">shorewall-rules (5). It determines the disposition of packets sent to the blacklog target of shorewall-blrules (5). + url="/manpages/shorewall-blrules.html">shorewall-blrules (5). @@ -447,7 +447,7 @@ hosts are not logged. The setting determines the log level of packets sent to the blacklog target of shorewall-blrules(5). + url="/manpages/shorewall-blrules.html">shorewall-blrules(5). @@ -463,9 +463,9 @@ role="bold">yes, blacklists are only consulted for new connections and for packets in the INVALID connection state (such as TCP SYN,ACK when there has been no corresponding SYN). That includes - entries in the shorewall-blrules (5) file + entries in the shorewall-blrules (5) file and in the BLACKLIST section of shorewall-rules (5). + url="/manpages/shorewall-rules.html">shorewall-rules (5). When set to No or no, blacklists are consulted for every packet 
@@ -534,7 +534,7 @@ /etc/shorewall/tcstart file. That way, your traffic shaping rules can still use the “fwmark” classifier based on packet marking defined in shorewall-tcrules(5). If not + url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed. @@ -669,7 +669,7 @@ Install, configure and start Shorewall6. + url="/IPv6Support.html">Shorewall6. @@ -789,7 +789,7 @@ net all DROP infothen the chain name is 'net2all' are accepted early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of shorewall-rules(5). + url="/manpages/shorewall-rules.html">shorewall-rules(5). FASTACCEPT=Yes is incompatible with @@ -820,7 +820,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.4. Specifies the pathname of the directory containing the GeoIP Match database. See http://www.shorewall.net/ISO-3661.html. + url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/LE which is the default location of the little-endian database. @@ -907,7 +907,7 @@ net all DROP infothen the chain name is 'net2all' Prior to version 3.2.0, it was not possible to use connection marking in shorewall-tcrules(5) if you had + url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5) if you had a multi-ISP configuration that uses the track option. You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the 
@@ -990,11 +990,11 @@ net all DROP infothen the chain name is 'net2all' Subzones are defined by following their name with ":" and a list of parent zones (in shorewall-zones(5)). Normally, + url="/manpages/shorewall-zones.html">shorewall-zones(5)). Normally, you want to have a set of special rules for the subzone and if a connection doesn't match any of those subzone-specific rules then you want the parent zone rules and policies to be applied; see - shorewall-nesting(5). + shorewall-nesting(5). With IMPLICIT_CONTINUE=Yes, that happens automatically. If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, @@ -1011,9 +1011,9 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.6.0. Traditionally in shorewall-rules(5), a semicolon + url="/manpages/shorewall-rules.html">shorewall-rules(5), a semicolon separates column-oriented specifications on the left from alternative + url="/configuration_file_basics.htm#Pairs">alternative specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the specifications on the right are interpreted as if INLINE had been specified in the ACTION column. If not specified or @@ -1029,7 +1029,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID packets through the NEW section of shorewall-rules (5). When a + url="/manpages/shorewall-rules.html">shorewall-rules (5). When a packet in INVALID state fails to match any rule in the INVALID section, the packet is disposed of based on this setting. The default value is CONTINUE for compatibility with earlier @@ -1044,7 +1044,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Packets in the INVALID state that do not match any rule in the INVALID section of shorewall-rules (5) are + url="/manpages/shorewall-rules.html">shorewall-rules (5) are logged at this level. The default value is empty which means no logging is performed. 
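Review bot: The hunk at @@ -1011,9 +1011,9 @@ of shorewall.conf.xml rewrites the link inside the INLINE_MATCHES sentence but leaves the typo next to it in place: "specificaitons on the right.." should be "specifications on the right." with a single period. Since the sentence is already being touched, fix it in the same change.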
@@ -1117,7 +1117,7 @@ net all DROP infothen the chain name is 'net2all' This option indicates that zone-related ipsec information is found in the zones file (shorewall-zones(5)). The option + url="/manpages/shorewall-zones.html">shorewall-zones(5)). The option indicates to the compiler that this is not a legacy configuration where the ipsec information was contained in a separate file. The value of this option must not be changed and the option must not be @@ -1255,7 +1255,7 @@ net all DROP infothen the chain name is 'net2all' you do not enable martian logging for all interfaces, you may still enable it for individual interfaces using the logmartians interface option in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). The value Keep causes Shorewall to ignore the option. If the option is set to then the chain name is 'net2all' interfaces. If the option is set to No, then martian logging is disabled on all interfaces except those specified in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). @@ -1351,7 +1351,7 @@ net all DROP infothen the chain name is 'net2all' log, and hits commands. If not assigned or if assigned an empty value, /var/log/messages is assumed. For further information, see http://www.shorewall.net/shorewall_logging.html. + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html. @@ -1378,7 +1378,7 @@ net all DROP infothen the chain name is 'net2all' The setting of LOGFORMAT has an effect of the permitted length of zone names. See shorewall-zones (5). + url="/manpages/shorewall-zones.html">shorewall-zones (5). 
@@ -1546,9 +1546,9 @@ LOG:info:,bar net fw The performance of configurations with a large numbers of entries in shorewall-maclist(5) can be + url="/manpages/shorewall-maclist.html">shorewall-maclist(5) can be improved by setting the MACLIST_TTL variable in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the @@ -1557,7 +1557,7 @@ LOG:info:,bar net fw When a new connection arrives from a 'maclist' interface, the packet passes through then list of entries for that interface in - shorewall-maclist(5). If + shorewall-maclist(5). If there is a match then the source IP address is added to the 'Recent' set for that interface. Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted @@ -1763,7 +1763,7 @@ LOG:info:,bar net fw When combined with route filtering (ROUTE_FILTER=Yes or in shorewall-interfaces(5)), + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses. @@ -1772,7 +1772,7 @@ LOG:info:,bar net fw , or to set the type of route to be created. See http://www.shorewall.net/MultiISP.html#null_routing. + url="/MultiISP.html#null_routing">http://www.shorewall.net/MultiISP.html#null_routing. @@ -1794,7 +1794,7 @@ LOG:info:,bar net fw Optimization category 1 - Traditionally, Shorewall has created rules for the complete matrix of + url="/ScalabilityAndPerformance.html">the complete matrix of host groups defined by the zones, interfaces and hosts files. Any traffic that didn't correspond to an element of that matrix was rejected in one of the built-in chains. When 
@@ -2104,7 +2104,7 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED packets that don't match any rule in the RELATED - section of shorewall-rules + section of shorewall-rules (5). Concern about the safety of this practice resulted in the addition of this option. When a packet in RELATED state fails to match any rule in the RELATED section, the packet is disposed of @@ -2120,7 +2120,7 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Packets in the related state that do not match any rule in the RELATED section of shorewall-rules (5) are logged at + url="/manpages/shorewall-rules.html">shorewall-rules (5) are logged at this level. The default value is empty which means no logging is performed. @@ -2203,7 +2203,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one optional interface must be up in order for the firewall to be in the started state. Intended to be used with the Shorewall Init Package. + url="/manpages/shorewall-init.html">Shorewall Init Package. @@ -2266,8 +2266,8 @@ INLINE - - - ; -j REJECT During shorewall start, IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and shorewall-masq(5) are processed + url="/manpages/shorewall-nat.html">shorewall-nat(5) and shorewall-masq(5) are processed then are re-added later. This is done to help ensure that the addresses can be added with the specified labels but can have the undesirable side effect of causing routes to be quietly deleted. 
@@ -2299,14 +2299,14 @@ INLINE - - - ; -j REJECT interfaces. If the option is set to No, then route filtering is disabled on all interfaces except those specified in shorewall-interfaces(5). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). If you need to disable route filtering on any interface, then you must set ROUTE_FILTER=No then set routefilter=1 or routefilter=2 on those interfaces where you want route filtering. See shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) for additional details. @@ -2321,7 +2321,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.7. Determines the disposition of packets entering from interfaces the option (see shorewall-interfaces(5)). + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)). Packets disposed of by this option are those whose response packets would not be sent through the same interface receiving the packet. @@ -2374,7 +2374,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. Determines the disposition of packets matching the option (see shorewall-interfaces(5)) and + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) and of hairpin packets on interfaces without the option. Hairpin packets are packets that are routed out of the @@ -2390,7 +2390,7 @@ INLINE - - - ; -j REJECT Added on Shorewall 4.4.20. Determines the logging of packets matching the option (see shorewall-interfaces(5)) and + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) and of hairpin packets on interfaces without the option. Hairpin packets are packets that are routed out of the 
@@ -2421,7 +2421,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. The default setting is DROP which causes smurf packets (see the nosmurfs option in shorewall-interfaces(5)) to + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) to be dropped. A_DROP causes the packets to be audited prior to being dropped and requires AUDIT_TARGET support in the kernel and iptables. @@ -2435,7 +2435,7 @@ INLINE - - - ; -j REJECT Specifies the logging level for smurf packets (see the nosmurfs option in shorewall-interfaces(5)). If + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)). If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged. @@ -2524,8 +2524,8 @@ INLINE - - - ; -j REJECT If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), simple traffic shaping using shorewall-tcinterfaces(5) - and shorewall-tcpri(5) is + url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces(5) + and shorewall-tcpri(5) is enabled. If you set TC_ENABLED=Internal or internal or leave the option @@ -2552,7 +2552,7 @@ INLINE - - - ; -j REJECT Normally, Shorewall tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to packets that have been marked by the 'track' option in shorewall-providers(5). + url="/manpages/shorewall-providers.html">shorewall-providers(5). If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall will not include these cautionary checks. @@ -2566,7 +2566,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to priority bands. See shorewall-tcpri(5). The + url="/manpages/shorewall-tcpri.html">shorewall-tcpri(5). The map consists of 16 space-separated digits with values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2. The first entry gives 
@@ -2589,7 +2589,7 @@ INLINE - - - ; -j REJECT Determines the disposition of TCP packets that fail the checks enabled by the tcpflags interface option (see shorewall-interfaces(5)) and + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet). If not set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then @@ -2621,13 +2621,13 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.3. When set to Yes, causes the option to be assumed on all providers defined in shorewall-providers(5). May + url="/manpages/shorewall-providers.html">shorewall-providers(5). May be overridden on an individual provider through use of the option. The default value is 'No'. Beginning in Shorewall 4.4.6, setting this option to 'Yes' also simplifies PREROUTING rules in shorewall-tcrules(5). + url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5). Previously, when TC_EXPERT=No, packets arriving through 'tracked' provider interfaces were unconditionally passed to the PREROUTING tcrules. This was done so that tcrules could reset the packet mark @@ -2669,7 +2669,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED packets through the NEW section of shorewall-rules (5). When a + url="/manpages/shorewall-rules.html">shorewall-rules (5). When a packet in UNTRACKED state fails to match any rule in the UNTRACKED section, the packet is disposed of based on this setting. The default value is CONTINUE for compatibility with earlier @@ -2684,7 +2684,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match any rule in the UNTRACKED section of shorewall-rules (5) are logged at + url="/manpages/shorewall-rules.html">shorewall-rules (5) are logged at this level. The default value is empty which means no logging is performed. 
@@ -2708,7 +2708,7 @@ INLINE - - - ; -j REJECT Both the DUPLICATE and the COPY columns in providers(5) file must + url="/manpages/shorewall-providers.html">providers(5) file must remain empty (or contain "-"). @@ -2725,7 +2725,7 @@ INLINE - - - ; -j REJECT Packets are sent through the main routing table by a rule with priority 999. In routing_rules(5), the + url="/manpages/shorewall-routing_rules.html">routing_rules(5), the range 1-998 may be used for inserting rules that bypass the main table. diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index a6193d054..92ebd4d1f 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -730,7 +730,7 @@ The and options are used for debugging. See http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. + url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. The nolock prevents the command from attempting to acquire the Shorewall lockfile. It is useful if you need to @@ -742,7 +742,7 @@ role="bold">v and q. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in shorewall.conf(5). Each shorewall.conf(5). Each v adds one to the effective verbosity and each q subtracts one from the effective VERBOSITY. Alternatively, v may be @@ -770,7 +770,7 @@ The interface argument names an interface defined in the shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) file. A host-list is comma-separated list whose elements are host or network addresses. The add command is not very robust. If @@ -784,7 +784,7 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5)) allows a + url="/manpages/shorewall-zones.html">shorewall-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the add command has the alternative syntax in which the 
@@ -839,7 +839,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). @@ -912,7 +912,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). @@ -925,13 +925,13 @@ The interface argument names an interface defined in the shorewall-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) file. A host-list is comma-separated list whose elements are a host or network address. Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5)) allows a + url="/manpages/shorewall-zones.html">shorewall-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the delete command has the alternative syntax in which the @@ -954,7 +954,7 @@ any optional network interface. interface may be either the logical or physical name of the interface. The command removes any routes added from shorewall-routes(5) and any + url="/manpages/shorewall-routes.html">shorewall-routes(5) and any traffic shaping configuration for the interface. @@ -1001,7 +1001,7 @@ may be either the logical or physical name of the interface. The command sets /proc entries for the interface, adds any route specified in shorewall-routes(5) and installs + url="/manpages/shorewall-routes.html">shorewall-routes(5) and installs the interface's traffic shaping configuration, if any. @@ -1037,7 +1037,7 @@ Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If no filename is given then the file specified by RESTOREFILE in shorewall.conf(5) is + url="/manpages/shorewall.conf.html">shorewall.conf(5) is assumed. 
@@ -1148,7 +1148,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). @@ -1159,7 +1159,7 @@ Causes traffic from the listed addresses to be logged then discarded. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5). + url="/manpages/shorewall.conf.html">shorewall.conf (5). @@ -1168,7 +1168,7 @@ Monitors the log file specified by the LOGFILE option in - shorewall.conf(5) and + shorewall.conf(5) and produces an audible alarm when new Shorewall messages are logged. The -m option causes the MAC address of each packet source to be displayed if that information is @@ -1188,7 +1188,7 @@ Causes traffic from the listed addresses to be logged then rejected. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5). + url="/manpages/shorewall.conf.html">shorewall.conf (5). @@ -1238,7 +1238,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). The - option was added in Shorewall 4.5.3 and causes Shorewall to look in the given @@ -1306,7 +1306,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). @@ -1348,7 +1348,7 @@ The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall.conf(5). When both + url="/manpages/shorewall.conf.html">shorewall.conf(5). When both and are present, the result is determined by the option that appears last. 
@@ -1360,7 +1360,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). @@ -1375,7 +1375,7 @@ role="bold">shorewall save; if no filename is given then Shorewall will be restored from the file specified by the RESTOREFILE option in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -1437,7 +1437,7 @@ role="bold">shorewall -f start commands. If filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5). @@ -1564,7 +1564,7 @@ Added in Shorewall 4.4.17. Displays the per-IP accounting counters (shorewall-accounting + url="/manpages/shorewall-accounting.html">shorewall-accounting (5)). @@ -1575,7 +1575,7 @@ Displays the last 20 Shorewall messages from the log file specified by the LOGFILE option in shorewall.conf(5). The + url="/manpages/shorewall.conf.html">shorewall.conf(5). The -m option causes the MAC address of each packet source to be displayed if that information is available. @@ -1690,14 +1690,14 @@ Shorewall will look in that directory first for configuration files. If -f is specified, the saved configuration specified by the RESTOREFILE - option in shorewall.conf(5) + option in shorewall.conf(5) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall. When -f is given, a directory may not be specified. Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was - added to shorewall.conf(5). + added to shorewall.conf(5). When LEGACY_FASTSTART=No, the modification times of files in /etc/shorewall are compared with that of /var/lib/shorewall/firewall (the compiled script that last started/restarted the 
@@ -1713,7 +1713,7 @@ The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall.conf(5). When both + url="/manpages/shorewall.conf.html">shorewall.conf(5). When both and are present, the result is determined by the option that appears last. @@ -1725,7 +1725,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). @@ -1735,12 +1735,12 @@ Stops the firewall. All existing connections, except those listed in shorewall-routestopped(5) + url="/manpages/shorewall-routestopped.html">shorewall-routestopped(5) or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. + url="/manpages/shorewall.conf.html">shorewall.conf(5), are taken down. The only new traffic permitted through the firewall is from systems listed in shorewall-routestopped(5) + url="/manpages/shorewall-routestopped.html">shorewall-routestopped(5) or by ADMINISABSENTMINDED. If is given, the command will be processed @@ -1814,13 +1814,13 @@ The option was added in Shorewall 4.4.26 and causes legacy blacklisting rules (shorewall-blacklist (5) ) to + url="/manpages/shorewall-blacklist.html">shorewall-blacklist (5) ) to be converted to entries in the blrules file (shorewall-blrules (5) ). The + url="/manpages/shorewall-blrules.html">shorewall-blrules (5) ). The blacklist keyword is removed from shorewall-zones (5), shorewall-interfaces (5) and - shorewall-hosts (5). The + url="/manpages/shorewall-zones.html">shorewall-zones (5), shorewall-interfaces (5) and + shorewall-hosts (5). The unmodified files are saved with a .bak suffix. The option was added in Shorewall 4.5.11. 
@@ -1834,7 +1834,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + shorewall.conf(5). For a description of the other options, see the check command above. @@ -1880,7 +1880,7 @@ See ALSO http://www.shorewall.net/starting_and_stopping_shorewall.htm + url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index cd84a7326..baacd4a05 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -50,7 +50,7 @@ The new structure is enabled by sectioning the accounting file in a - manner similar to the rules + manner similar to the rules file. The sections are INPUT, OUTPUT and FORWARD and must appear in that order (although any @@ -824,14 +824,14 @@ See ALSO http://shorewall.net/Accounting.html + url="/Accounting.html">http://www.shorewall.net/Accounting.html http://shorewall.net/shorewall_logging.html + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-actions.xml b/Shorewall6/manpages/shorewall6-actions.xml index 792e80bca..92058cc8c 100644 --- a/Shorewall6/manpages/shorewall6-actions.xml +++ b/Shorewall6/manpages/shorewall6-actions.xml 
@@ -24,7 +24,7 @@ Description This file allows you to define new ACTIONS for use in rules (see - shorewall6-rules(5)). You define + shorewall6-rules(5)). You define the ip6tables rules to be performed in an ACTION in /etc/shorewall6/action.action-name. @@ -58,7 +58,7 @@ target that is supported by your ip6tables but is not directly supported by Shorewall. The action may be used as the rule target in an INLINE rule in shorewall6-rules(5). + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5). Beginning with Shorewall 4.6.0, the Netfilter table(s) in which the builtin can be @@ -146,7 +146,7 @@ See ALSO http://shorewall.net/Actions.html + url="/Actions.html">http://www.shorewall.net/Actions.html shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-blacklist.xml b/Shorewall6/manpages/shorewall6-blacklist.xml index 5ae79a06f..24815e662 100644 --- a/Shorewall6/manpages/shorewall6-blacklist.xml +++ b/Shorewall6/manpages/shorewall6-blacklist.xml @@ -26,7 +26,7 @@ The blacklist file is used to perform static blacklisting by source address (IP or MAC), or by application. The use of this file is deprecated in favor of shorewall6-blrules(5), and beginning + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules(5), and beginning with Shorewall 4.5.7, the blacklist file is no longer installed. Existing blacklist files can be converted to a corresponding blrules file using the shorewall6 update -b command. @@ -47,7 +47,7 @@ (if your kernel and ip6tables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). Exclusion (shorewall6-exclusion(5)) is + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)) is supported. MAC addresses must be prefixed with "~" and use "-" as a 
@@ -101,7 +101,7 @@ interface that has the 'blacklist' option set. So to block traffic from your local network to an internet host, you had to specify on your internal interface in shorewall6-interfaces + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces (5). @@ -109,7 +109,7 @@ Beginning with Shorewall 4.4.13, entries are applied based on the blacklist setting in shorewall6-zones(5): + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5): @@ -145,12 +145,12 @@ When a packet arrives on an interface that has the blacklist option specified in shorewall6-interfaces(5), its + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5), its source IP address and MAC address is checked against this file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall6.conf(5). If shorewall6.conf(5). If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching the protocol (and one of the ports if @@ -197,10 +197,10 @@ See ALSO http://shorewall.net/blacklisting_support.htm + url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-blrules.xml b/Shorewall6/manpages/shorewall6-blrules.xml index c70ca8685..bfe977e5c 100644 --- a/Shorewall6/manpages/shorewall6-blrules.xml +++ b/Shorewall6/manpages/shorewall6-blrules.xml 
@@ -28,13 +28,13 @@ Rules in this file are applied depending on the setting of BLACKLISTNEWONLY in shorewall6.conf(5). If + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). If BLACKLISTNEWONLY=No, then they are applied regardless of the connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to connections in the NEW and INVALID states. The format of rules in this file is the same as the format of rules - in shorewall6-rules (5). The + in shorewall6-rules(5). The difference in the two files lies in the ACTION (first) column. @@ -70,7 +70,7 @@ If BLACKLIST_LOGLEVEL is specified in shorewall6.conf(5), + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), then the macro expands to blacklog. @@ -78,7 +78,7 @@ Otherwise it expands to the action specified for BLACKLIST_DISPOSITION in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -89,10 +89,10 @@ May only be used if BLACKLIST_LOGLEVEL is specified in - shorewall6.conf (5). + shorewall6.conf (5). Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in shorewall6.conf (5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5). @@ -167,7 +167,7 @@ queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html. @@ -206,7 +206,7 @@ The name of an action declared in shorewall6-actions(5) or + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5) or in /usr/share/shorewall6/actions.std. @@ -238,7 +238,7 @@ If the ACTION names an action declared in shorewall6-actions(5) or in + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5) or in /usr/share/shorewall6/actions.std then: 
@@ -268,13 +268,13 @@ Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall6.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). For the remaining columns, see shorewall6-rules (5). + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5). @@ -314,10 +314,10 @@ See ALSO http://shorewall.net/blacklisting_support.htm + url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 12184f741..c09d349da 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -266,7 +266,7 @@ This error message may be eliminated by adding target as a builtin action in shorewall6-actions(5). + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5). @@ -336,7 +336,7 @@ interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see shorewall6-exclusion + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion (5)). Beginning with Shorewall 4.5.7, can be @@ -357,7 +357,7 @@ Where interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall-exclusion + shorewall6-exclusion (5)). COMMENT is only allowed in format 1; the remainder of the line @@ -373,7 +373,7 @@ where address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall6-exclusion + shorewall6-exclusion (5)). 
@@ -524,7 +524,7 @@ DROP:PO - 2001:1.2.3::4 See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-hosts.xml b/Shorewall6/manpages/shorewall6-hosts.xml index 578376fe9..a4665f8bd 100644 --- a/Shorewall6/manpages/shorewall6-hosts.xml +++ b/Shorewall6/manpages/shorewall6-hosts.xml @@ -29,7 +29,7 @@ The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall6-zones(5) determines the + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5) determines the order in which the records in this file are interpreted. @@ -39,7 +39,7 @@ If you have an entry for a zone and interface in shorewall6-interfaces(5) then do + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) then do not include any entries in this file for that same (zone, interface) pair. @@ -55,7 +55,7 @@ The name of a zone declared in shorewall6-zones(5). You may not + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5). You may not list the firewall zone in this column. @@ -68,7 +68,7 @@ The name of an interface defined in the shorewall6-interfaces(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) file followed by a colon (":") and a comma-separated list whose elements are either: @@ -105,7 +105,7 @@
You may also exclude certain hosts through use of an exclusion (see shorewall6-exclusion(5). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5).
@@ -125,7 +125,7 @@ Check packets arriving on this port against the shorewall6-blacklist(5) + url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist(5) file. @@ -137,7 +137,7 @@ The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall6-zones(5) file + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5) file then you do NOT need to specify the 'ipsec' option here.
@@ -195,7 +195,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index a9940a0c1..0ce318bc0 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -71,7 +71,7 @@ zone in this column. If the interface serves multiple zones that will be defined in - the shorewall6-hosts(5) + the shorewall6-hosts(5) file, you should place "-" in this column. If there are multiple interfaces to the same zone, you must @@ -88,7 +88,7 @@ loc eth2 - Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' interface, then that zone must be defined as type in shorewall6-zones(5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5). @@ -102,7 +102,7 @@ loc eth2 - Logical name of interface. Each interface may be listed only once in this file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18. + url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18. If the option is not specified, then the logical name is also the name of the actual interface. @@ -115,7 +115,7 @@ loc eth2 - Care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See shorewall6-nesting(5) for a + url="/manpages6/shorewall6-nesting.html">shorewall6-nesting(5) for a discussion of this problem. Shorewall6 allows '+' as an interface name. @@ -199,7 +199,7 @@ loc eth2 - Check packets arriving on this interface against the shorewall6-blacklist(5) + url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist(5) file. Beginning with Shorewall 4.4.13: 
@@ -210,7 +210,7 @@ loc eth2 - ZONES column, then the behavior is as if blacklist had been specified in the IN_OPTIONS column of shorewall6-zones(5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5). @@ -270,16 +270,16 @@ loc eth2 - the interface is a simple bridge with a + url="/SimpleBridge.html">simple bridge with a DHCP server on one port and DHCP clients on another port. If you use Shorewall-perl for + url="/bridge-Shorewall-perl.html">Shorewall-perl for firewall/bridging, then you need to include DHCP-specific rules in shorewall-rules(8). + url="/manpages/shorewall-rules.html">shorewall-rules(8). DHCP uses UDP ports 546 and 547. @@ -349,7 +349,7 @@ loc eth2 - Added in Shorewall 4.4.21. Defines the zone as dynamic. Requires ipset match support in your iptables and kernel. See http://www.shorewall.net/Dynamic.html + url="/Dynamic.html">http://www.shorewall.net/Dynamic.html for further information. @@ -389,7 +389,7 @@ loc eth2 - refers to the name given in this option. It is useful when you want to specify the same wildcard port name on two or more bridges. See http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple. + url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple. If the interface name is a wildcard name (ends with '+'), then the physical @@ -627,7 +627,7 @@ dmz eth2 - See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-ipsets.xml b/Shorewall6/manpages/shorewall6-ipsets.xml index e17c00173..b8e8ecedc 100644 --- a/Shorewall6/manpages/shorewall6-ipsets.xml +++ b/Shorewall6/manpages/shorewall6-ipsets.xml 
@@ -76,7 +76,7 @@ specified, matching packets must match all of the listed sets. For information about set lists and exclusion, see shorewall-exclusion (5). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion (5). Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a packet matches an ipset. You do that by listing diff --git a/Shorewall6/manpages/shorewall6-maclist.xml b/Shorewall6/manpages/shorewall6-maclist.xml index 0b54fd63e..bb0ba5c93 100644 --- a/Shorewall6/manpages/shorewall6-maclist.xml +++ b/Shorewall6/manpages/shorewall6-maclist.xml @@ -27,8 +27,8 @@ associated IPv6 addresses to be allowed to use the specified interface. The feature is enabled by using the maclist option in the shorewall6-interfaces(5) or - shorewall6-hosts(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) or + shorewall6-hosts(5) configuration file. The columns in the file are as follows. @@ -43,7 +43,7 @@ ACCEPT or DROP (if MACLIST_TABLE=filter in shorewall6.conf(5), then REJECT + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), then REJECT is also allowed). If specified, the log-level causes packets matching the rule to be logged at that level. @@ -99,10 +99,10 @@ See ALSO http://shorewall.net/MAC_Validation.html + url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index efc027a12..d5398f42d 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml 
@@ -25,13 +25,13 @@ This file was introduced in Shorewall 4.6.0 and is intended to replace shorewall6-tcrules(5). This file is + url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5). This file is only processed by the compiler if: No file named 'tcrules' exists on the current CONFIG_PATH (see - shorewall6.conf(5)); + shorewall6.conf(5)); or @@ -46,14 +46,14 @@ Unlike rules in the shorewall6-rules(5) file, evaluation + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html. The columns in the file are as follows (where the column name is @@ -106,7 +106,7 @@ Unless otherwise specified for the particular command, the default chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in shorewall6.conf(5), and FORWARD + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), and FORWARD when MARK_IN_FORWARD_CHAIN=Yes. A chain-designator may not be specified if the SOURCE or DEST @@ -161,11 +161,11 @@ When using Shorewall's built-in traffic shaping tool, the major class is the device number (the first device in shorewall6-tcdevices(5) + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5) is major class 1, the second device is major class 2, and so on) and the minor class is the class's MARK value in shorewall6-tcclasses(5) + url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.). 
@@ -299,7 +299,7 @@ specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in shorewall6-actions + url="/manpages6/shorewall6-actions.html">shorewall6-actions (5). The following rules are equivalent: @@ -312,7 +312,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark If INLINE_MATCHES=Yes in shorewall6.conf(5) then the + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp @@ -445,7 +445,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark This error message may be eliminated by adding the target as a builtin action in shorewall6-actions(5). + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5). @@ -487,7 +487,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark then the assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified, then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall6.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). @@ -588,7 +588,7 @@ Normal-Service => 0x00 Transparently redirects a packet without altering the IP header. Requires a tproxy provider to be defined in shorewall6-providers(5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). There are three parameters to TPROXY - neither is required: @@ -714,7 +714,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). @@ -731,7 +731,7 @@ Normal-Service => 0x00 An interface name. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall6.conf (5)). The + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5)). The interface name may be optionally followed by a colon (":") and an IP address list. 
@@ -751,7 +751,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). @@ -786,7 +786,7 @@ Normal-Service => 0x00 destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading @@ -1146,16 +1146,16 @@ Normal-Service => 0x00 See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/PacketMarking.html + url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml index d9152b9fd..0f1b8fdde 100644 --- a/Shorewall6/manpages/shorewall6-masq.xml +++ b/Shorewall6/manpages/shorewall6-masq.xml @@ -35,9 +35,9 @@ If you have more than one ISP link, adding entries to this file will not force connections to go out through a particular link. You must use entries in shorewall6-rtrules(5) or + url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules(5) or PREROUTING entries in shorewall-tcrules(5) to do + url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules(5) to do that. 
@@ -56,17 +56,17 @@ internet interface. Each interface must match an entry in shorewall6-interfaces(5). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall6-interfaces(5). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5). For example, ppp0 in this file will match a shorewall6-interfaces(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) entry that defines ppp+. Where more that + url="/4.4/MultiISP.html#Shared">more that one internet provider share a single interface, the provider is specified by including the provider name or number in parentheses: @@ -81,7 +81,7 @@ addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations. Exclusion is allowed (see shorewall6-exclusion(5)) as + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)) as are ipset names preceded by a plus sign '+'. Comments may be attached to Netfilter rules generated from @@ -535,7 +535,7 @@ If INLINE_MATCHES=Yes in shorewall6.conf(5), then these + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), then these rules may be specified as follows: /etc/shorewall/masq: diff --git a/Shorewall6/manpages/shorewall6-modules.xml b/Shorewall6/manpages/shorewall6-modules.xml index 4094da063..ef22b24f8 100644 --- a/Shorewall6/manpages/shorewall6-modules.xml +++ b/Shorewall6/manpages/shorewall6-modules.xml @@ -30,7 +30,7 @@ These files specify which kernel modules shorewall6 will load before trying to determine your ip6tables/kernel's capabilities. The modules file is used when LOAD_HELPERS_ONLY=No in - shorewall6.conf(8); the + shorewall6.conf(5); the helpers file is used when LOAD_HELPERS_ONLY=Yes. 
@@ -48,7 +48,7 @@ The modulename names a kernel module (without suffix). shorewall6 will search for modules based on your MODULESDIR and MODULE_SUFFIX settings in shorewall6.conf(8). The + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). The moduleoptions are passed to modprobe (if installed) or to insmod. diff --git a/Shorewall6/manpages/shorewall6-nesting.xml b/Shorewall6/manpages/shorewall6-nesting.xml index d67aa2880..000872419 100644 --- a/Shorewall6/manpages/shorewall6-nesting.xml +++ b/Shorewall6/manpages/shorewall6-nesting.xml @@ -24,7 +24,7 @@ Description - In shorewall6-zones(5), a + In shorewall6-zones(5), a zone may be declared to be a sub-zone of one or more other zones using the above syntax. The child-zone may be neither the firewall zone nor a vserver zone. The firewall zone may not appear as a @@ -32,7 +32,7 @@ firewall zone. Where zones are nested, the CONTINUE policy in shorewall6-policy(5) allows hosts + url="/manpages6/shorewall6-policy.html">shorewall6-policy(5) allows hosts that are within multiple zones to be managed under the rules of all of these zones. @@ -74,7 +74,7 @@ under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in - shorewall6.conf(5). + shorewall6.conf(5). Partial /etc/shorewall6/rules: diff --git a/Shorewall6/manpages/shorewall6-netmap.xml b/Shorewall6/manpages/shorewall6-netmap.xml index e2a63620a..09f1d11c9 100644 --- a/Shorewall6/manpages/shorewall6-netmap.xml +++ b/Shorewall6/manpages/shorewall6-netmap.xml @@ -82,7 +82,7 @@ Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in Shorewall6 4.4.24, exclusion is + url="/manpages6/shorewall6-exclusion.html">exclusion is supported. 
@@ -94,12 +94,12 @@ The name of a network interface. The interface must be defined in shorewall6-interfaces(5). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall6-interfaces(5). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5). For example, ppp0 in this file will match a shorewall6-interfaces(8) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) entry that defines ppp+. @@ -147,7 +147,7 @@ destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading @@ -188,9 +188,9 @@ See ALSO http://shorewall.net/netmap.html + url="/netmap.html">http://www.shorewall.net/netmap.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs
diff --git a/Shorewall6/manpages/shorewall6-params.xml b/Shorewall6/manpages/shorewall6-params.xml index 9d48b0281..d8db1a49e 100644 --- a/Shorewall6/manpages/shorewall6-params.xml +++ b/Shorewall6/manpages/shorewall6-params.xml @@ -26,7 +26,7 @@ Assign any shell variables that you need in this file. The file is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in shorewall6.conf (5) so the full range + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5) so the full range of shell capabilities may be used. It is suggested that variable names begin with an upper case letter @@ -40,7 +40,7 @@ Any option from shorewall6.conf + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5) COMMAND @@ -107,7 +107,7 @@ NET_OPTIONS=dhcp,nosmurfs Example shorewall6-interfaces(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) file. ZONE INTERFACE BROADCAST OPTIONS @@ -129,7 +129,7 @@ net eth0 - dhcp,nosmurfs See ALSO http://www.shorewall.net/configuration_file_basics.htm#Variables + url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml index c9961bfd5..f2f0a3f6c 100644 --- a/Shorewall6/manpages/shorewall6-policy.xml +++ b/Shorewall6/manpages/shorewall6-policy.xml @@ -25,7 +25,7 @@ This file defines the high-level policy for connections between zones defined in shorewall6-zones(5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5). The order of entries in this file is important @@ -66,7 +66,7 @@ Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, "all" or + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5), $FW, "all" or "all+". Support for "all+" was added in Shorewall 4.5.17. "all" does 
@@ -84,7 +84,7 @@ Destination zone. Must be the name of a zone defined in shorewall-zones(5), $FW, "all" or + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same @@ -118,7 +118,7 @@ The word "None" or "none". This causes any default action defined in shorewall.conf(5) to be + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) to be omitted for this policy. @@ -191,7 +191,7 @@ might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this policy). See shorewall6-nesting(5) + url="/manpages6/shorewall6-nesting.html">shorewall6-nesting(5) for additional information. @@ -231,7 +231,7 @@ url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html). For a description of log levels, see http://www.shorewall.net/shorewall_logging.html. + url="/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html. If you don't want to log but need to specify the following column, place "-" here. @@ -327,7 +327,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-providers.xml b/Shorewall6/manpages/shorewall6-providers.xml index c73644875..b0dfe185b 100644 --- a/Shorewall6/manpages/shorewall6-providers.xml +++ b/Shorewall6/manpages/shorewall6-providers.xml 
@@ -77,11 +77,11 @@ A FWMARK value used in your shorewall6-mangle(5) file to + url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5) file to direct packets to this provider. If HIGH_ROUTE_MARKS=Yes in shorewall6.conf(5), then the + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), then the value must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte of the value being zero). Otherwise, the value must be between 1 and @@ -110,7 +110,7 @@ The name of the network interface to the provider. Must be listed in shorewall6-interfaces(5). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5). @@ -190,7 +190,7 @@ Beginning with Shorewall 4.4.3, defaults to the setting of the TRACK_PROVIDERS option in - shorewall6.conf + shorewall6.conf (5). If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify (see below). @@ -238,7 +238,7 @@ and configured with an IPv4 address then ignore this provider. If not specified, the value of the option for the INTERFACE in shorewall6-interfaces(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) is assumed. Use of that option is preferred to this one, unless an address is provider in the INTERFACE column. @@ -275,7 +275,7 @@ Added in Shorewall 4.5.4. Used for supporting the TPROXY action in shorewall-tcrules(5). See http://www.shorewall.net/Shorewall_Squid_Usage.html. + url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html. When specified, the MARK, DUPLICATE and GATEWAY columns should be empty, INTERFACE should be set to 'lo' and should be the only OPTION. Only one 
@@ -389,10 +389,10 @@ See ALSO http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-proxyndp.xml b/Shorewall6/manpages/shorewall6-proxyndp.xml index 9a75425b7..7bdc8a16e 100644 --- a/Shorewall6/manpages/shorewall6-proxyndp.xml +++ b/Shorewall6/manpages/shorewall6-proxyndp.xml @@ -133,7 +133,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5), diff --git a/Shorewall6/manpages/shorewall6-routes.xml b/Shorewall6/manpages/shorewall6-routes.xml index 83e9467d7..27527a05e 100644 --- a/Shorewall6/manpages/shorewall6-routes.xml +++ b/Shorewall6/manpages/shorewall6-routes.xml @@ -34,7 +34,7 @@ The name or number of a provider defined in shorewall6-providers (5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers (5). Beginning with Shorewall 4.5.14, you may also enter in this column to add routes to the main routing table. @@ -73,7 +73,7 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall6-providers + url="/manpages6/shorewall6-providers.html">shorewall6-providers (5).This column must be omitted if , or is specified in the GATEWAY column. 
@@ -92,7 +92,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-routestopped.xml b/Shorewall6/manpages/shorewall6-routestopped.xml index 3bb524884..d7d02ac46 100644 --- a/Shorewall6/manpages/shorewall6-routestopped.xml +++ b/Shorewall6/manpages/shorewall6-routestopped.xml @@ -25,7 +25,7 @@ Description This file is deprecated in favor of the shorewall6-stoppedrules(5) + url="/manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules(5) file. This file is used to define the hosts that are accessible when the @@ -80,7 +80,7 @@ themselves. Beginning with Shorewall 4.4.9, this option is automatically set if routeback is specified in shorewall6-interfaces + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces (5) or if the rules compiler detects that the interface is a bridge. @@ -149,7 +149,7 @@ The source and dest options work best when used in conjunction with ADMINISABSENTMINDED=Yes in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -181,10 +181,10 @@ See ALSO http://shorewall.net/starting_and_stopping_shorewall.htm + url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-rtrules.xml b/Shorewall6/manpages/shorewall6-rtrules.xml index c4fc04182..dbbb6b04c 100644 --- a/Shorewall6/manpages/shorewall6-rtrules.xml 
+++ b/Shorewall6/manpages/shorewall6-rtrules.xml @@ -25,7 +25,7 @@ Entries in this file cause traffic to be routed to one of the providers listed in shorewall6-providers(5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). The columns in the file are as follows. @@ -164,7 +164,7 @@ See ALSO http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index a3f57c01e..cf4552265 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -25,7 +25,7 @@ Entries in this file govern connection establishment by defining exceptions to the policies laid out in shorewall6-policy(5). By default, + url="/manpages6/shorewall6-policy.html">shorewall6-policy(5). By default, subsequent requests and responses are automatically allowed using connection tracking. For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the @@ -80,7 +80,7 @@ There is an implicit rule added at the end of this section that invokes the RELATED_DISPOSITION (shorewall6.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). @@ -96,7 +96,7 @@ There is an implicit rule added at the end of this section that invokes the INVALID_DISPOSITION (shorewall6.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). @@ -112,7 +112,7 @@ There is an implicit rule added at the end of this section that invokes the UNTRACKED_DISPOSITION (shorewall6.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). @@ -137,7 +137,7 @@ If you specify FASTACCEPT=Yes in shorewall6.conf(5) then the shorewall6.conf(5) then the ESTABLISHED and RELATED sections must be empty. 
@@ -197,7 +197,7 @@ like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -207,7 +207,7 @@ The name of an action declared in shorewall6-actions(5) or + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5) or in /usr/share/shorewall/actions.std. @@ -302,11 +302,11 @@ Do not process any of the following rules for this (source zone,destination zone). If the source and/or destination IP address falls into a zone defined later in - shorewall6-zones(5) + shorewall6-zones(5) or in a parent zone of the source or destination zones, then this connection request will be passed to the rules defined for that (those) zone(s). See shorewall6-nesting(5) + url="/manpages6/shorewall6-nesting.html">shorewall6-nesting(5) for additional information. @@ -317,7 +317,7 @@ like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -388,7 +388,7 @@ like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -419,7 +419,7 @@ INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In this case, you must declare the target as a builtin action in shorewall6-actions(5). + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5). Some considerations when using INLINE: @@ -464,7 +464,7 @@ This error message may be eliminated by adding the target as a builtin action in shorewall6-actions(5). + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5). @@ -510,7 +510,7 @@ Added in Shorewall 4.5.9.3. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html. Similar to LOG:NFLOG[(nflog-parameters)], 
@@ -539,7 +539,7 @@ like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -571,7 +571,7 @@ like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -613,7 +613,7 @@ like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -629,7 +629,7 @@ If the ACTION names an action declared in shorewall-actions(5) or in + url="/manpages/shorewall-actions.html">shorewall-actions(5) or in /usr/share/shorewall/actions.std then: @@ -660,7 +660,7 @@ Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix generated by the LOGPREFIX setting. @@ -688,7 +688,7 @@ Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall-zones (5). This + url="/manpages6/shorewall6-zones.html">shorewall6-zones (5). This zone-list may be optionally followed by "+" to indicate that the rule is to apply to intra-zone traffic as well as inter-zone traffic. @@ -707,7 +707,7 @@ role="bold">-] is "used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13, exclusion is supported -- see see shorewall6-exclusion(5). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5). Except when all[+][-] or 
@@ -740,7 +740,7 @@ firewall interface can be specified by an ampersand ('&') followed by the logical name of the interface as found in the INTERFACE column of shorewall6-interfaces + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces (5). Beginning with Shorewall 4.5.4, A @@ -750,7 +750,7 @@ preceded by a caret ('^'). When a single country code is given, the square brackets may be omitted. A list of country codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html. + url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list requires GeoIP Match support in your ip6tables and Kernel. @@ -761,7 +761,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). Examples: @@ -856,7 +856,7 @@ Location of Server. May be a zone declared in shorewall6-zones(5), $shorewall6-zones(5), $FW to indicate the firewall itself, all. all+ or none. @@ -864,18 +864,18 @@ Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall-zones (5). Ths + url="/manpages6/shorewall6-zones.html">shorewall6-zones (5). Ths zone-list may be optionally followed by "+" to indicate that the rule is to apply to intra-zone traffic as well as inter-zone traffic. Beginning with Shorewall-4.4.13, exclusion is supported -- see see shorewall6-exclusion(5). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5). Beginning with Shorewall6 4.4.17, the primary IP address of a firewall interface can be specified by an ampersand ('&') followed by the logical name of the interface as found in the INTERFACE column of shorewall6-interfaces + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces (5). Beginning with Shorewall 4.5.4, A 
@@ -885,7 +885,7 @@ preceded by a caret ('^'). When a single country code is given, the square brackets may be omitted. A list of country codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html. + url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list requires GeoIP Match support in your ip6tables and Kernel. @@ -925,7 +925,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). Restriction: MAC addresses are not allowed (this is a Netfilter restriction). @@ -1024,7 +1024,7 @@ interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. Note that prior to Shorewall6 4.4.19, only a single ICMP type may be listed. @@ -1549,7 +1549,7 @@ If the HELPERS option is specified in shorewall.conf(5), then any module + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), then any module specified in this column must be listed in the HELPERS setting. @@ -1644,7 +1644,7 @@ -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 Note that SECCTX must be defined as a builtin action in shorewall6-actions(5): + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5): #ACTION OPTIONS SECCTX builtin 
@@ -1663,10 +1663,10 @@ See ALSO http://www.shorewall.net/shorewall_logging.html + url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5), diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index 2d4674c39..b0c2d7777 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml @@ -25,7 +25,7 @@ Unlike rules in the shorewall6-rules(5) file, evaluation + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5) file, evaluation of rules in this file will continue after a match. So the final secmark for each packet will be the one assigned by the LAST rule that matches. @@ -182,7 +182,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). @@ -210,7 +210,7 @@ You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). @@ -245,7 +245,7 @@ destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading 
@@ -412,7 +412,7 @@ RESTORE I:ER url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml index 00c6d338d..da426d7de 100644 --- a/Shorewall6/manpages/shorewall6-stoppedrules.xml +++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml @@ -147,10 +147,10 @@ See ALSO http://shorewall.net/starting_and_stopping_shorewall.htm + url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-tcclasses.xml b/Shorewall6/manpages/shorewall6-tcclasses.xml index bda90dc91..41b01ae59 100644 --- a/Shorewall6/manpages/shorewall6-tcclasses.xml +++ b/Shorewall6/manpages/shorewall6-tcclasses.xml @@ -125,7 +125,7 @@ You may specify either the interface number or the interface name. If the classify option is given for the interface in shorewall6-tcdevices(5), + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5), then you must also specify an interface class (an integer that must be unique within classes associated with this interface). 
@@ -134,13 +134,13 @@ Please note that you can only use interface names in here that have a bandwidth defined in the shorewall6-tcdevices(5) + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5) file. Normally, all classes defined here are sub-classes of a root class (class number 1) that is implicitly defined from the entry in shorewall6-tcdevices(5). You + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5). You can establish a class hierarchy by specifying a parent class -- the number of a class that you have previously defined. The sub-class may borrow unused bandwidth @@ -155,12 +155,12 @@ The mark value which is an integer in the range 1-255. You set mark values in the shorewall6-mangle(5) file, + url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5) file, marking the traffic you want to fit in the classes defined in here. Must be specified as '-' if the classify option is given for the interface in shorewall6-tcdevices(5) and + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5) and you are running Shorewall 4.5 5 or earlier. You can use the same marks for different interfaces. @@ -718,10 +718,10 @@ tc-red(8) http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-tcdevices.xml b/Shorewall6/manpages/shorewall6-tcdevices.xml index d08133e3f..f06ef8646 100644 --- a/Shorewall6/manpages/shorewall6-tcdevices.xml +++ b/Shorewall6/manpages/shorewall6-tcdevices.xml 
@@ -104,7 +104,7 @@ Name of interface. Each interface may be listed only once in this file. You may NOT specify the name of an alias (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18 + url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18 You may NOT specify wildcards here, e.g. if you have multiple ppp interfaces, you need to put them all in here! @@ -152,7 +152,7 @@ may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by default. See Shorewall FAQ + url="/FAQ.htm#faq97a">Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with @@ -172,7 +172,7 @@ The outgoing bandwidth of that interface. This is the maximum speed your connection can handle. It is also the speed you can refer as "full" if you define the tc classes in shorewall6-tcclasses(5). + url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses(5). Outgoing traffic above this rate will be dropped. @@ -196,7 +196,7 @@ ― When specified, Shorewall will not generate tc or Netfilter rules to classify traffic based on packet marks. You must do all classification using CLASSIFY rules in shorewall-tcrules(5). + url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5). - Use the Hierarchical Token Bucket queuing discipline. This is the default. @@ -285,7 +285,7 @@ tc-hfsc (7) http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt diff --git a/Shorewall6/manpages/shorewall6-tcfilters.xml b/Shorewall6/manpages/shorewall6-tcfilters.xml index 0b81c2be5..51f9ef921 100644 --- a/Shorewall6/manpages/shorewall6-tcfilters.xml +++ b/Shorewall6/manpages/shorewall6-tcfilters.xml 
@@ -70,10 +70,10 @@ The name or number of an interface defined in shorewall6-tcdevices(5) + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5) followed by a class number defined for that interface in shorewall6-tcclasses(5). + url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses(5). @@ -312,13 +312,13 @@ See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/PacketMarking.html + url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html diff --git a/Shorewall6/manpages/shorewall6-tcinterfaces.xml b/Shorewall6/manpages/shorewall6-tcinterfaces.xml index cf59a01ac..56bdcd3ea 100644 --- a/Shorewall6/manpages/shorewall6-tcinterfaces.xml +++ b/Shorewall6/manpages/shorewall6-tcinterfaces.xml @@ -25,7 +25,7 @@ This file lists the interfaces that are subject to simple traffic shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in - shorewall6.conf(5). + shorewall6.conf(5). A note on the bandwidth definition used in this file: @@ -162,7 +162,7 @@ may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by default. See Shorewall FAQ + url="/FAQ.htm#faq97a">Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with diff --git a/Shorewall6/manpages/shorewall6-tcpri.xml b/Shorewall6/manpages/shorewall6-tcpri.xml index ea84ae6c9..f9ea745ae 100644 --- a/Shorewall6/manpages/shorewall6-tcpri.xml +++ b/Shorewall6/manpages/shorewall6-tcpri.xml 
@@ -25,12 +25,12 @@ This file is used to specify the priority band of traffic for simple traffic shaping (TC_ENABLED=Simple in shorewall6.conf(5)). The priority band + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). The priority band of each packet is determined by the last entry that the packet matches. If a packet doesn't match any entry in this file, then its priority will be determined by its TOS field. The default mapping is as follows but can be changed by setting the TC_PRIOMAP option - in shorewall6.conf(5). + in shorewall6.conf(5). TOS Bits Means Linux Priority BAND ------------------------------------------------------------ @@ -63,7 +63,7 @@ Classifies matching traffic as High Priority (1), Medium Priority (2) or Low Priority (3). For those interfaces listed in shorewall6-tcinterfaces(5), + url="/manpages6/shorewall6-tcinterfaces.html">shorewall6-tcinterfaces(5), Priority 2 traffic will be deferred so long and there is Priority 1 traffic queued and Priority 3 traffic will be deferred so long as there is Priority 1 or Priority 2 traffic to send. diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index ced319417..dc66fe53e 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml @@ -28,14 +28,14 @@ Unlike rules in the shorewall6-rules(5) file, evaluation + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall6/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html. Beginning with Shorewall 4.5.4, the tcrules file supports two 
@@ -123,7 +123,7 @@ - Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). Please note that :I is included for completeness and affects neither traffic shaping @@ -203,7 +203,7 @@ then the assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified, then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall6.conf(5)). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). May optionally be followed by :P, - Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). Please note that :I is included for completeness and affects neither traffic shaping @@ -317,11 +317,11 @@ When using Shorewall6's built-in traffic shaping tool, the major class is the device number (the first device in shorewall6-tcdevices(5) + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5) is major class 1, the second device is major class 2, and so on) and the minor class is the class's MARK value in shorewall6-tcclasses(5) + url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.). @@ -517,7 +517,7 @@ [option] ...") after any matches specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in - shorewall6-actions + shorewall6-actions (5). The following rules are equivalent: @@ -529,7 +529,7 @@ INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 INLINE eth0 - ; -p tcp -j MARK --set-mark 2 If INLINE_MATCHES=Yes in shorewall.conf(5) then the + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp 
@@ -653,7 +653,7 @@ Normal-Service => 0x00 Transparently redirects a packet without altering the IP header. Requires a local provider to be defined in shorewall6-providers(5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). There are three parameters to TPROXY - only the first (mark) is required: @@ -662,7 +662,7 @@ Normal-Service => 0x00 mark - the MARK value corresponding to the local provider in shorewall6-providers(5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). @@ -687,7 +687,7 @@ Normal-Service => 0x00 Transparently redirects a packet without altering the IP header. Requires a local provider to be defined in shorewall6-providers(5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). There are three parameters to TPROXY - only the first (mark) is required: @@ -747,7 +747,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). @@ -777,7 +777,7 @@ Normal-Service => 0x00 You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)). @@ -812,7 +812,7 @@ Normal-Service => 0x00 destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading 
@@ -1214,16 +1214,16 @@ Normal-Service => 0x00 See ALSO http://shorewall.net/traffic_shaping.htm + url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm http://shorewall.net/MultiISP.html + url="/MultiISP.html">http://www.shorewall.net/MultiISP.html http://shorewall.net/PacketMarking.html + url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), diff --git a/Shorewall6/manpages/shorewall6-tos.xml b/Shorewall6/manpages/shorewall6-tos.xml index 704cc1908..5e023b7fe 100644 --- a/Shorewall6/manpages/shorewall6-tos.xml +++ b/Shorewall6/manpages/shorewall6-tos.xml @@ -25,7 +25,7 @@ This file defines rules for setting Type Of Service (TOS). Its use is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in - shorewall6-mangle + shorewall6-mangle (5). The columns in the file are as follows. @@ -166,7 +166,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-tunnels.xml b/Shorewall6/manpages/shorewall6-tunnels.xml index 53b20ee15..cc739f985 100644 --- a/Shorewall6/manpages/shorewall6-tunnels.xml +++ b/Shorewall6/manpages/shorewall6-tunnels.xml 
@@ -27,7 +27,7 @@ encrypted) traffic to pass between the Shorewall6 system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See http://www.shorewall.net/VPNBasics.html + url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html for details. The columns in the file are as follows (where the column name is @@ -138,7 +138,7 @@ Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall6-exclusion (5) ) + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion (5) ) is not supported. @@ -240,7 +240,7 @@ See ALSO http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6-zones.xml b/Shorewall6/manpages/shorewall6-zones.xml index 1767f9327..ceef7acad 100644 --- a/Shorewall6/manpages/shorewall6-zones.xml +++ b/Shorewall6/manpages/shorewall6-zones.xml @@ -44,14 +44,14 @@ "none", "SOURCE" and "DEST" are reserved and may not be used as zone names. The maximum length of a zone name is determined by the setting of the LOGFORMAT option in shorewall6.conf(5). With the + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). With the default LOGFORMAT, zone names can be at most 5 characters long.
The maximum length of an iptables log prefix is 29 bytes. As explained in shorewall6.conf (5), the default + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5), the default LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first %s is replaced by the chain name and the second is replaced by the disposition. @@ -95,7 +95,7 @@ follow the (sub)zone name by ":" and a comma-separated list of the parent zones. The parent zones must have been declared in earlier records in this file. See shorewall6-nesting(5) for + url="/manpages6/shorewall6-nesting.html">shorewall6-nesting(5) for additional information. Example: @@ -108,7 +108,7 @@ c:a,b ipv6 Currently, Shorewall6 uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall6.conf(5) can also + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) can also create implicit CONTINUE policies to/from the subzone. Where an ipsec zone is @@ -135,7 +135,7 @@ c:a,b ipv6 the column. Communication with some zone hosts may be encrypted. Encrypted hosts are designated using the 'ipsec' option in shorewall6-hosts(5). + url="/manpages6/shorewall6-hosts.html">shorewall6-hosts(5). @@ -178,7 +178,7 @@ c:a,b ipv6 Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver guests. The zone contents must be defined in - shorewall6-hosts + shorewall6-hosts (5). Vserver zones are implicitly handled as subzones of the @@ -206,7 +206,7 @@ c:a,b ipv6 $FW rules are defined, they are placed in a chain named ${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). 
@@ -288,12 +288,12 @@ c:a,b ipv6 When specified in the IN_OPTIONS column, causes all traffic from this zone to be passed against the src entries in shorewall6-blacklist(5). + url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist(5). When specified in the OUT_OPTIONS column, causes all traffic to this zone to be passed against the dst entries in shorewall6-blacklist(5). + url="/manpages6/shorewall6-blacklist.html">horewall6-blacklist(5). Specifying this option in the OPTIONS column is equivalent to entering it in both of the IN_OPTIONS and @@ -309,7 +309,7 @@ c:a,b ipv6 OPTIONS column and indicates that only a single ipset should be created for this zone if it has multiple dynamic entries in shorewall6-hosts(5). + url="/manpages6/shorewall6-hosts.html">shorewall6-hosts(5). Without this option, a separate ipset is created for each interface. @@ -353,7 +353,7 @@ c:a,b ipv6 sets the MSS field in TCP packets. If you supply this option, you should also set FASTACCEPT=No in shorewall6.conf(5) to + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) to insure that both the SYN and SYN,ACK packets have their MSS field adjusted. @@ -426,10 +426,10 @@ c:a,b ipv6 See ALSO http://www.shorewall.net/Multiple_Zones.html. + url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html. http://shorewall.net/configuration_file_basics.htm#Pairs + url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 56115f89a..aa61b0d8e 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -171,7 +171,7 @@ If you set the value of either option to "None" then no default action will be used and the default action or macro must be specified in shorewall6-policy(5). + url="/manpages6/shorewall6-policy.html">shorewall6-policy(5). You can pass parameters to the specified action or macro (e.g., @@ -192,7 +192,7 @@ Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is enabled (see shorewall6-accounting(5)). + url="/manpages6/shorewall6-accounting.html">shorewall6-accounting(5)). If not specified or set to the empty value, ACCOUNTING=Yes is assumed. @@ -207,7 +207,7 @@ Added in Shorewall 4.4.20. This setting determines which Netfilter table the accounting rules are added in. By default, ACCOUNTING_TABLE=filter is assumed. See also shorewall-accounting(5). + url="/manpages6/shorewall6-accounting.html">shorewall6-accounting(5). @@ -219,11 +219,11 @@ The value of this variable affects Shorewall6's stopped state. When ADMINISABSENTMINDED=No, only traffic to/from those addresses listed in shorewall6-routestopped(5) + url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5) is accepted when Shorewall6 is stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in shorewall6-routestopped(5), + url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5), connections that were active when Shorewall6 stopped continue to work and all new connections from the firewall system itself are allowed. If this variable is not set or is given the empty value @@ -280,13 +280,13 @@ Modify shorewall6-conntrack + url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack (5) to only apply helpers where they are required; or Specify the appropriate helper in the HELPER column in - shorewall6-rules + shorewall6-rules (5). 
@@ -357,7 +357,7 @@ a value or if you assign an empty value then DROP is assumed. The setting determines the disposition of packets sent to the blacklog target of shorewall6-blrules(5). + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules(5). @@ -374,7 +374,7 @@ hosts are not logged. The setting determines the log level of packets sent to the blacklog target of shorewall6-blrules(5). + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules(5). @@ -391,11 +391,11 @@ connections, for packets in the INVALID connection state (such as a TCP SYN,ACK when there has been no corresponding SYN), and for packets that are UNTRACKED due to entries in shorewall6-conntrack(5). + url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack(5). This includes entries in the shorewall6-blrules (5) file + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules (5) file and in the BLACKLIST section of shorewall6-rules (5). + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5). When set to No or no, blacklists are consulted for every packet @@ -464,13 +464,13 @@ /etc/shorewall6/tcstart file. That way, your traffic shaping rules can still use the “fwmark” classifier based on packet marking defined in shorewall6-tcrules(5). If not + url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed. If you also run Shorewall and if you have TC_ENABLED=Internal in your shorewall-conf(5), + url="/manpages/shorewall.conf.html">shorewall-conf(5), then you will want CLEAR_TC=No in this file. @@ -678,7 +678,7 @@ net all DROP infothen the chain name is 'net2all' are accepted early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of shorewall6-rules(5). + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5). FASTACCEPT=Yes is incompatible with 
@@ -709,7 +709,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.4. Specifies the pathname of the directory containing the GeoIP Match database. See http://www.shorewall.net/ISO-3661.html. + url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/LE which is the default location of the little-endian database. @@ -861,11 +861,11 @@ net all DROP infothen the chain name is 'net2all' Subzones are defined by following their name with ":" and a list of parent zones (in shorewall6-zones(5)). Normally, + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5)). Normally, you want to have a set of special rules for the subzone and if a connection doesn't match any of those subzone-specific rules then you want the parent zone rules and policies to be applied; see - shorewall6-nesting(5). + shorewall6-nesting(5). With IMPLICIT_CONTINUE=Yes, that happens automatically. If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, @@ -882,9 +882,9 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5), a semicolon separates column-oriented specifications on the left from alternative + url="/configuration_file_basics.htm#Pairs">alternative specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the specifications on the right are interpreted as if INLINE had been specified in the ACTION column. If not specified or 
@@ -900,7 +900,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID packets through the NEW section of shorewall-rules (5). When a + url="/manpages6/shorewall6-rules.html">shorewall-rules (5). When a packet in INVALID state fails to match any rule in the INVALID section, the packet is disposed of based on this setting. The default value is CONTINUE for compatibility with earlier @@ -915,7 +915,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Packets in the INVALID state that do not match any rule in the INVALID section of shorewall-rules (5) are + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5) are logged at this level. The default value is empty which means no logging is performed. @@ -1205,7 +1205,7 @@ net all DROP infothen the chain name is 'net2all' The setting of LOGFORMAT has an effect of the permitted length of zone names. See shorewall6-zones (5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones (5). @@ -1373,9 +1373,9 @@ LOG:info:,bar net fw The performance of configurations with a large numbers of entries in shorewall-maclist(5) can be + url="/manpages6/shorewall6-maclist.html">shorewall6-maclist(5) can be improved by setting the MACLIST_TTL variable in shorewall.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the @@ -1384,7 +1384,7 @@ LOG:info:,bar net fw When a new connection arrives from a 'maclist' interface, the packet passes through then list of entries for that interface in - shorewall-maclist(5). If + shorewall6-maclist(5). If there is a match then the source IP address is added to the 'Recent' set for that interface. Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted 
@@ -1555,7 +1555,7 @@ LOG:info:,bar net fw Optimization category 1 - Traditionally, Shorewall has created rules for the complete matrix of + url="/ScalabilityAndPerformance.html">the complete matrix of host groups defined by the zones, interfaces and hosts files. Any traffic that didn't correspond to an element of that matrix was rejected in one of the built-in chains. When @@ -1860,7 +1860,7 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED packets that don't match any rule in the RELATED section of shorewall6-rules (5). Concern + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5). Concern about the safety of this practice resulted in the addition of this option. When a packet in RELATED state fails to match any rule in the RELATED section, the packet is disposed of based on this @@ -1876,7 +1876,7 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Packets in the related state that do not match any rule in the RELATED section of shorewall6-rules (5) are + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5) are logged at this level. The default value is empty which means no logging is performed. @@ -1959,7 +1959,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one optional interface must be up in order for the firewall to be in the started state. Intended to be used with the Shorewall Init + url="/manpages/shorewall-init.html">Shorewall Init Package. @@ -2003,7 +2003,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.7. Determines the disposition of packets entering from interfaces with the option (see shorewall-interfaces(5)). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)). Packets disposed of by this option are those whose response packets would not be sent through the same interface receiving the packet. 
@@ -2040,7 +2040,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. The default setting is DROP which causes smurf packets (see the nosmurfs option in shorewall-interfaces(5)) to + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)) to be dropped. A_DROP causes the packets to be audited prior to being dropped and requires AUDIT_TARGET support in the kernel and ip6tables. @@ -2054,7 +2054,7 @@ INLINE - - - ; -j REJECT Specifies the logging level for smurf packets (see the nosmurfs option in shorewall6-interfaces(5)). + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)). If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged. @@ -2068,7 +2068,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. Determines the disposition of packets matching the option (see shorewall6-interfaces(5)) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)) and of hairpin packets on interfaces without the option. Hairpin packets are packets that are routed out of the @@ -2084,7 +2084,7 @@ INLINE - - - ; -j REJECT Added on Shorewall 4.4.20. Determines the logging of packets matching the option (see shorewall6-interfaces(5)) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)) and of hairpin packets on interfaces without the option. Hairpin packets are packets that are routed out of the @@ -2187,13 +2187,13 @@ INLINE - - - ; -j REJECT tcdevices and tcclasses files. This allows the compiler to have access to your Shorewall traffic shaping configuration so that it can validate CLASSIFY rules - in shorewall6-tcrules + in shorewall6-tcrules (5). If you also run Shorewall and if you have TC_ENABLED=Internal in your shorewall-conf(5), + url="/manpages/shorewall.conf.html">shorewall-conf(5), then you will want TC_ENABLED=No or TC_ENABLED=Shared in this file. 
@@ -2208,7 +2208,7 @@ INLINE - - - ; -j REJECT Normally, Shorewall6 tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to packets that have been marked by the 'track' option in shorewall6-providers(5). + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall6 will not include these cautionary checks. @@ -2222,7 +2222,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to priority bands. See shorewall6-tcpri(5). The + url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri(5). The map consists of 16 space-separated digits with values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2. The first entry gives @@ -2245,7 +2245,7 @@ INLINE - - - ; -j REJECT Determines the disposition of TCP packets that fail the checks enabled by the tcpflags interface option (see shorewall6-interfaces(5)) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)) and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet). If not set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then 
@@ -2273,20 +2273,20 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.3. When set to Yes, causes the option to be assumed on all providers defined in shorewall6-providers(5). May + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). May be overridden on an individual provider through use of the option. The default value is 'No'. Beginning in Shorewall 4.4.6, setting this option to 'Yes' also simplifies PREROUTING rules in shorewall6-tcrules(5). + url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5). Previously, when TC_EXPERT=No, packets arriving through 'tracked' provider interfaces were unconditionally passed to the PREROUTING tcrules. This was done so that tcrules could reset the packet mark to zero, thus allowing the packet to be routed using the 'main' routing table. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective. The shorewall6-rtrules(5) file was + url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules(5) file was created to provide a better alternative to clearing the packet mark. As a consequence, passing these packets to PREROUTING complicates things without providing any real benefit. Beginning with Shorewall @@ -2322,7 +2322,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED packets through the NEW section of shorewall6-rules (5). When a + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5). When a packet in UNTRACKED state fails to match any rule in the UNTRACKED section, the packet is disposed of based on this setting. The default value is CONTINUE for compatibility with earlier @@ -2337,7 +2337,7 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match any rule in the UNTRACKED section of shorewall-rules (5) are + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5) are logged at this level. The default value is empty which means no logging is performed. 
@@ -2362,7 +2362,7 @@ INLINE - - - ; -j REJECT Both the DUPLICATE and the COPY columns in shorewall6-providers(5) + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5) file must remain empty (or contain "-"). @@ -2379,7 +2379,7 @@ INLINE - - - ; -j REJECT Packets are sent through the main routing table by a rule with priority 999. In shorewall6-routing_rules(5), + url="/manpages6/shorewall6-routing_rules.html">shorewall6-routing_rules(5), the range 1-998 may be used for inserting rules that bypass the main table. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index 6be615cff..5a74d97a2 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -647,7 +647,7 @@ The and options are used for debugging. See http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. + url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. The nolock prevents the command from attempting to acquire the Shorewall6 lockfile. It is useful if you need to @@ -659,7 +659,7 @@ role="bold">v and q. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in shorewall6.conf(5). Each shorewall6.conf(5). Each v adds one to the effective verbosity and each q subtracts one from the effective VERBOSITY. Alternatively, v may be @@ -687,7 +687,7 @@ The interface argument names an interface defined in the shorewall6-interfaces(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) file. A host-list is comma-separated list whose elements are host or network addresses. The add command is not very robust. If 
@@ -701,7 +701,7 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) allows a + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the add command has the alternative syntax in which the @@ -756,7 +756,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -822,7 +822,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -836,13 +836,13 @@ The interface argument names an interface defined in the shorewall6-interfaces(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) file. A host-list is comma-separated list whose elements are a host or network address. Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) allows a + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the delete command has the alternative syntax in which the @@ -865,7 +865,7 @@ any optional network interface. interface may be either the logical or physical name of the interface. The command removes any routes added from shorewall6-routes(5) and any + url="/manpages6/shorewall6-routes.html">shorewall6-routes(5) and any traffic shaping configuration for the interface. 
@@ -912,7 +912,7 @@ may be either the logical or physical name of the interface. The command sets /proc entries for the interface, adds any route specified in shorewall6-routes(5) and + url="/manpages6/shorewall6-routes.html">shorewall6-routes(5) and installs the interface's traffic shaping configuration, if any. @@ -949,7 +949,7 @@ Deletes /var/lib/shorewall6/filename and /var/lib/shorewall6/save. If no filename is given then the file specified by RESTOREFILE in shorewall6.conf(5) is + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) is assumed. @@ -1032,7 +1032,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -1043,7 +1043,7 @@ Causes traffic from the listed addresses to be logged then discarded. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5). @@ -1052,7 +1052,7 @@ Monitors the log file specified by the LOGFILE option in - shorewall6.conf(5) and + shorewall6.conf(5) and produces an audible alarm when new Shorewall6 messages are logged. The -m option causes the MAC address of each packet source to be displayed if that information is @@ -1072,7 +1072,7 @@ Causes traffic from the listed addresses to be logged then rejected. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5). @@ -1124,7 +1124,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). The - option was added in Shorewall 4.5.3 and causes Shorewall to look in the given 
@@ -1184,7 +1184,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -1229,7 +1229,7 @@ The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall6.conf(5). When both + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). When both and are present, the result is determined by the option that appears last. @@ -1241,7 +1241,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -1256,7 +1256,7 @@ role="bold">shorewall6 save; if no filename is given then Shorewall6 will be restored from the file specified by the RESTOREFILE option in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -1318,7 +1318,7 @@ role="bold">shorewall6 -f start commands. If filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). @@ -1445,7 +1445,7 @@ Displays the last 20 Shorewall6 messages from the log file specified by the LOGFILE option in shorewall6.conf(5). The + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). The -m option causes the MAC address of each packet source to be displayed if that information is available. 
@@ -1537,7 +1537,7 @@ for configuration files. If -f is specified, the saved configuration specified by the RESTOREFILE option in shorewall6.conf(5) will be + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall6. When -f is given, a @@ -1545,7 +1545,7 @@ Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option was added to shorewall6.conf(5). When + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). When LEGACY_FASTSTART=No, the modification times of files in /etc/shorewall6 are compared with that of /var/lib/shorewall6/firewall (the compiled script that last @@ -1557,7 +1557,7 @@ The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall6.conf(5). When both + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). When both and are present, the result is determined by the option that appears last. @@ -1569,7 +1569,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -1579,12 +1579,12 @@ Stops the firewall. All existing connections, except those listed in shorewall6-routestopped(5) + url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5) or permitted by the ADMINISABSENTMINDED option in shorewall6.conf(5), are taken + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), are taken down. The only new traffic permitted through the firewall is from systems listed in shorewall6-routestopped(5) + url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped(5) or by ADMINISABSENTMINDED. 
@@ -1652,13 +1652,13 @@ The option was added in Shorewall 4.4.26 and causes legacy blacklisting rules (shorewall6-blacklist (5) ) + url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist (5) ) to be converted to entries in the blrules file (shorewall6-blrules (5) ). The + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules (5) ). The blacklist keyword is removed from shorewall6-zones (5), shorewall-interfaces (5) - and shorewall6-hosts (5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones (5), shorewall6-interfaces (5) + and shorewall6-hosts (5). The unmodified files are saved with a .bak suffix. The option was added in Shorewall 4.5.11. @@ -1672,7 +1672,7 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). For a description of the other options, see the check command above. @@ -1712,7 +1712,7 @@ See ALSO http://www.shorewall.net/starting_and_stopping_shorewall.htm + url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
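Review bot: In Shorewall6/manpages/shorewall6-zones.xml, hunk @@ -288,12 +288,12 @@, the second added line drops the leading "s" from the link text: `url="/manpages6/shorewall6-blacklist.html">horewall6-blacklist(5).` The OUT_OPTIONS paragraph will render as "horewall6-blacklist(5)". It should read shorewall6-blacklist(5), the same as the IN_OPTIONS reference added a few lines earlier in the same hunk.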
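Review bot: In Shorewall6/manpages/shorewall6.conf.xml, hunk @@ -900,7 +900,7 @@, the link target is switched to /manpages6/shorewall6-rules.html but the visible text is still "shorewall-rules (5)". The next hunk, @@ -915,7 +915,7 @@, updates both the target and the text, so this looks like an oversight. Change the text to shorewall6-rules (5) so the INVALID disposition paragraph names the IPv6 rules file it links to.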
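Review bot: The link text "shorewall-conf(5)" in Shorewall6/manpages/shorewall6.conf.xml (hunks @@ -464,13 +464,13 @@ and @@ -2187,13 +2187,13 @@) does not match the page it now points at, /manpages/shorewall.conf.html. The other references in this file spell the page name with a dot (shorewall6.conf(5)), and a reader typing the name as shown would not find the man page. Since both lines are being rewritten anyway, change the text to shorewall.conf(5).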
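Review bot: In Shorewall6/manpages/shorewall6.conf.xml, hunk @@ -2379,7 +2379,7 @@ links to /manpages6/shorewall6-routing_rules.html, while hunk @@ -2273,20 +2273,20 @@ of the same file refers to the routing rules file as shorewall6-rtrules(5) with target /manpages6/shorewall6-rtrules.html. Please confirm that both targets exist on the site. If the page is published only under the rtrules name, this link and its text should follow it, otherwise the converted URL becomes a dead link.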
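Review bot: In the See ALSO hunks (for example Shorewall6/manpages/shorewall6-tcrules.xml @@ -1214,16 +1214,16 @@), the url attribute becomes site-root-relative (`url="/traffic_shaping.htm"`) while the link text shows the absolute http://www.shorewall.net/ address. A root-relative target resolves only when the generated HTML is served from the site root. If the same XML also feeds the installed man pages, or the HTML is read from a local copy, the target no longer identifies the host. Please state in the commit message which output formats were checked, and consider whether non-HTML builds need an absolute base.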
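Review bot: Style nit in Shorewall6/manpages/shorewall6.conf.xml, hunk @@ -882,9 +882,9 @@: the sentence being re-linked still reads "alternative specificaitons on the right.." in the context line that follows the added url. Since the hunk already touches this sentence, fix the spelling ("specifications") and drop the doubled period in the same change.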