mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-26 09:33:14 +01:00
Cleanup links in manpages so that hrefs in generated HTML don't take the user to a different server
This commit is contained in:
parent
240c42943b
commit
b1a490b50a
@ -50,7 +50,7 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>The new structure is enabled by sectioning the accounting file in a
|
<para>The new structure is enabled by sectioning the accounting file in a
|
||||||
manner similar to the <ulink url="manpages/shorewall-rules.html">rules
|
manner similar to the <ulink url="/manpages/shorewall-rules.html">rules
|
||||||
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
|
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
|
||||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
||||||
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
||||||
@ -295,7 +295,7 @@
|
|||||||
the iptaccount utility are only available when <ulink
|
the iptaccount utility are only available when <ulink
|
||||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
|
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
|
||||||
is installed. See <ulink
|
is installed. See <ulink
|
||||||
url="http://www.shorewall.net/Accounting.html#perIP">http://www.shorewall.net/Accounting.html#perIP</ulink>
|
url="/Accounting.html#perIP">http://www.shorewall.net/Accounting.html#perIP</ulink>
|
||||||
for additional information.</para>
|
for additional information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -788,14 +788,14 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
|
url="/Accounting.html">http://www.shorewall.net/Accounting.html
|
||||||
</ulink></para>
|
</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
|
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
|
||||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>This file allows you to define new ACTIONS for use in rules (see
|
<para>This file allows you to define new ACTIONS for use in rules (see
|
||||||
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
|
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>). You define
|
||||||
the iptables rules to be performed in an ACTION in
|
the iptables rules to be performed in an ACTION in
|
||||||
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
|
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
|
||||||
|
|
||||||
@ -58,7 +58,7 @@
|
|||||||
target that is supported by your iptables but is not directly
|
target that is supported by your iptables but is not directly
|
||||||
supported by Shorewall. The action may be used as the rule
|
supported by Shorewall. The action may be used as the rule
|
||||||
target in an INLINE rule in <ulink
|
target in an INLINE rule in <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
|
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
|
||||||
in which the <emphasis role="bold">builtin</emphasis> can be
|
in which the <emphasis role="bold">builtin</emphasis> can be
|
||||||
@ -147,7 +147,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
|
url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
|
||||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||||
|
@ -44,7 +44,7 @@
|
|||||||
(if your kernel and iptables contain iprange match support) or ipset
|
(if your kernel and iptables contain iprange match support) or ipset
|
||||||
name prefaced by "+" (if your kernel supports ipset match).
|
name prefaced by "+" (if your kernel supports ipset match).
|
||||||
Exclusion (<ulink
|
Exclusion (<ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
|
||||||
supported.</para>
|
supported.</para>
|
||||||
|
|
||||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||||
@ -98,7 +98,7 @@
|
|||||||
interface that has the 'blacklist' option set. So to block traffic
|
interface that has the 'blacklist' option set. So to block traffic
|
||||||
from your local network to an internet host, you had to specify
|
from your local network to an internet host, you had to specify
|
||||||
<option>blacklist</option> on your internal interface in <ulink
|
<option>blacklist</option> on your internal interface in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
@ -106,7 +106,7 @@
|
|||||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5):</para>
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5):</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -182,10 +182,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||||
|
@ -27,13 +27,13 @@
|
|||||||
|
|
||||||
<para>Rules in this file are applied depending on the setting of
|
<para>Rules in this file are applied depending on the setting of
|
||||||
BLACKLISTNEWONLY in <ulink
|
BLACKLISTNEWONLY in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). If
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||||
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
||||||
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
||||||
connections in the NEW and INVALID states.</para>
|
connections in the NEW and INVALID states.</para>
|
||||||
|
|
||||||
<para>The format of rules in this file is the same as the format of rules
|
<para>The format of rules in this file is the same as the format of rules
|
||||||
in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
|
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>. The
|
||||||
difference in the two files lies in the ACTION (first) column.</para>
|
difference in the two files lies in the ACTION (first) column.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
@ -69,7 +69,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
|
||||||
the macro expands to <emphasis
|
the macro expands to <emphasis
|
||||||
role="bold">blacklog</emphasis>.</para>
|
role="bold">blacklog</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -77,7 +77,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Otherwise it expands to the action specified for
|
<para>Otherwise it expands to the action specified for
|
||||||
BLACKLIST_DISPOSITION in <ulink
|
BLACKLIST_DISPOSITION in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -88,10 +88,10 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf </ulink>(5).
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5).
|
||||||
Logs, audits (if specified) and applies the
|
Logs, audits (if specified) and applies the
|
||||||
BLACKLIST_DISPOSITION specified in <ulink
|
BLACKLIST_DISPOSITION specified in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -166,7 +166,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>queues matching packets to a back end logging daemon via
|
<para>queues matching packets to a back end logging daemon via
|
||||||
a netlink socket then continues to the next rule. See <ulink
|
a netlink socket then continues to the next rule. See <ulink
|
||||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -205,7 +205,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an <emphasis>action</emphasis> declared in
|
<para>The name of an <emphasis>action</emphasis> declared in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||||
in /usr/share/shorewall/actions.std.</para>
|
in /usr/share/shorewall/actions.std.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -237,7 +237,7 @@
|
|||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
<emphasis>action</emphasis> declared in <ulink
|
<emphasis>action</emphasis> declared in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||||
/usr/share/shorewall/actions.std then:</para>
|
/usr/share/shorewall/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -267,13 +267,13 @@
|
|||||||
<para>Actions specifying logging may be followed by a log tag (a
|
<para>Actions specifying logging may be followed by a log tag (a
|
||||||
string of alphanumeric characters) which is appended to the string
|
string of alphanumeric characters) which is appended to the string
|
||||||
generated by the LOGPREFIX (in <ulink
|
generated by the LOGPREFIX (in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>For the remaining columns, see <ulink
|
<para>For the remaining columns, see <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
|
url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
@ -313,10 +313,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
|
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
|
||||||
|
@ -266,7 +266,7 @@
|
|||||||
|
|
||||||
<para>This error message may be eliminated by adding
|
<para>This error message may be eliminated by adding
|
||||||
<replaceable>target</replaceable> as a builtin action in <ulink
|
<replaceable>target</replaceable> as a builtin action in <ulink
|
||||||
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -344,7 +344,7 @@
|
|||||||
<replaceable>interface</replaceable> is an interface to that zone,
|
<replaceable>interface</replaceable> is an interface to that zone,
|
||||||
and <replaceable>address-list</replaceable> is a comma-separated
|
and <replaceable>address-list</replaceable> is a comma-separated
|
||||||
list of addresses (may contain exclusion - see <ulink
|
list of addresses (may contain exclusion - see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
||||||
@ -365,7 +365,7 @@
|
|||||||
<para>Where <replaceable>interface</replaceable> is an interface to
|
<para>Where <replaceable>interface</replaceable> is an interface to
|
||||||
that zone, and <replaceable>address-list</replaceable> is a
|
that zone, and <replaceable>address-list</replaceable> is a
|
||||||
comma-separated list of addresses (may contain exclusion - see
|
comma-separated list of addresses (may contain exclusion - see
|
||||||
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
|
|
||||||
<para>COMMENT is only allowed in format 1; the remainder of the line
|
<para>COMMENT is only allowed in format 1; the remainder of the line
|
||||||
@ -381,7 +381,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>address-list</replaceable> is a
|
<para>where <replaceable>address-list</replaceable> is a
|
||||||
comma-separated list of addresses (may contain exclusion - see
|
comma-separated list of addresses (may contain exclusion - see
|
||||||
<ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
|
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -532,7 +532,7 @@ DROP:PO - 1.2.3.4
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -88,7 +88,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
|
|||||||
<para>In most contexts, ipset names can be used as an
|
<para>In most contexts, ipset names can be used as an
|
||||||
<replaceable>address-or-range</replaceable>. Beginning with Shorewall
|
<replaceable>address-or-range</replaceable>. Beginning with Shorewall
|
||||||
4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
|
4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
|
||||||
url="shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
|
url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
|
||||||
of these lists when used in an exclusion are as follows:</para>
|
of these lists when used in an exclusion are as follows:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
|
|
||||||
<para>The order of entries in this file is not significant in determining
|
<para>The order of entries in this file is not significant in determining
|
||||||
zone composition. Rather, the order that the zones are declared in <ulink
|
zone composition. Rather, the order that the zones are declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
|
||||||
in which the records in this file are interpreted.</para>
|
in which the records in this file are interpreted.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
@ -39,7 +39,7 @@
|
|||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you have an entry for a zone and interface in <ulink
|
<para>If you have an entry for a zone and interface in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
|
||||||
not include any entries in this file for that same (zone, interface)
|
not include any entries in this file for that same (zone, interface)
|
||||||
pair.</para>
|
pair.</para>
|
||||||
</warning>
|
</warning>
|
||||||
@ -53,7 +53,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a zone declared in <ulink
|
<para>The name of a zone declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You may not
|
||||||
list the firewall zone in this column.</para>
|
list the firewall zone in this column.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -67,7 +67,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an interface defined in the <ulink
|
<para>The name of an interface defined in the <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
|
||||||
followed by a colon (":") and a comma-separated list whose elements
|
followed by a colon (":") and a comma-separated list whose elements
|
||||||
are either:</para>
|
are either:</para>
|
||||||
|
|
||||||
@ -102,7 +102,7 @@
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para>You may also exclude certain hosts through use of an
|
<para>You may also exclude certain hosts through use of an
|
||||||
<emphasis>exclusion</emphasis> (see <ulink
|
<emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -123,7 +123,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Check packets arriving on this port against the <ulink
|
<para>Check packets arriving on this port against the <ulink
|
||||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -145,7 +145,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The zone does not have an entry for this interface
|
<para>The zone does not have an entry for this interface
|
||||||
in <ulink
|
in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -169,7 +169,7 @@
|
|||||||
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
||||||
that if the zone named in the ZONE column is specified as an
|
that if the zone named in the ZONE column is specified as an
|
||||||
IPSEC zone in the <ulink
|
IPSEC zone in the <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5) file
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) file
|
||||||
then you do NOT need to specify the 'ipsec' option
|
then you do NOT need to specify the 'ipsec' option
|
||||||
here.</para>
|
here.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -181,7 +181,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Connection requests from these hosts are compared
|
<para>Connection requests from these hosts are compared
|
||||||
against the contents of <ulink
|
against the contents of <ulink
|
||||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||||
this option is specified, the interface must be an Ethernet
|
this option is specified, the interface must be an Ethernet
|
||||||
NIC or equivalent and must be up before Shorewall is
|
NIC or equivalent and must be up before Shorewall is
|
||||||
started.</para>
|
started.</para>
|
||||||
@ -212,7 +212,7 @@
|
|||||||
|
|
||||||
<para>Smurfs will be optionally logged based on the setting of
|
<para>Smurfs will be optionally logged based on the setting of
|
||||||
SMURF_LOG_LEVEL in <ulink
|
SMURF_LOG_LEVEL in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||||
logging, the packets are dropped.</para>
|
logging, the packets are dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -274,7 +274,7 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||||
|
@ -145,8 +145,8 @@
|
|||||||
|
|
||||||
<para>On a laptop with both Ethernet and wireless interfaces, you will
|
<para>On a laptop with both Ethernet and wireless interfaces, you will
|
||||||
want to make both interfaces optional and set the REQUIRE_INTERFACE option
|
want to make both interfaces optional and set the REQUIRE_INTERFACE option
|
||||||
to Yes in <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5) or
|
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5) or
|
||||||
<ulink url="../Manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||||
(5). This causes the firewall to remain stopped until at least one of the
|
(5). This causes the firewall to remain stopped until at least one of the
|
||||||
interfaces comes up.</para>
|
interfaces comes up.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
@ -71,7 +71,7 @@
|
|||||||
in this column.</para>
|
in this column.</para>
|
||||||
|
|
||||||
<para>If the interface serves multiple zones that will be defined in
|
<para>If the interface serves multiple zones that will be defined in
|
||||||
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
the <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||||
file, you should place "-" in this column.</para>
|
file, you should place "-" in this column.</para>
|
||||||
|
|
||||||
<para>If there are multiple interfaces to the same zone, you must
|
<para>If there are multiple interfaces to the same zone, you must
|
||||||
@ -97,7 +97,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>Logical name of interface. Each interface may be listed only
|
<para>Logical name of interface. Each interface may be listed only
|
||||||
once in this file. You may NOT specify the name of a "virtual"
|
once in this file. You may NOT specify the name of a "virtual"
|
||||||
interface (e.g., eth0:0) here; see <ulink
|
interface (e.g., eth0:0) here; see <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
||||||
If the <option>physical</option> option is not specified, then the
|
If the <option>physical</option> option is not specified, then the
|
||||||
logical name is also the name of the actual interface.</para>
|
logical name is also the name of the actual interface.</para>
|
||||||
|
|
||||||
@ -111,7 +111,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>When using Shorewall versions before 4.1.4, care must be
|
<para>When using Shorewall versions before 4.1.4, care must be
|
||||||
exercised when using wildcards where there is another zone that uses
|
exercised when using wildcards where there is another zone that uses
|
||||||
a matching specific interface. See <ulink
|
a matching specific interface. See <ulink
|
||||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
||||||
discussion of this problem.</para>
|
discussion of this problem.</para>
|
||||||
|
|
||||||
<para>Shorewall allows '+' as an interface name.</para>
|
<para>Shorewall allows '+' as an interface name.</para>
|
||||||
@ -154,7 +154,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
|
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
|
||||||
'lo' interface, then that zone must be defined as type
|
'lo' interface, then that zone must be defined as type
|
||||||
<option>local</option> in <ulink
|
<option>local</option> in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -268,7 +268,7 @@ loc eth2 -</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Checks packets arriving on this interface against the
|
<para>Checks packets arriving on this interface against the
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.13:</para>
|
<para>Beginning with Shorewall 4.4.13:</para>
|
||||||
@ -279,7 +279,7 @@ loc eth2 -</programlisting>
|
|||||||
ZONES column, then the behavior is as if <emphasis
|
ZONES column, then the behavior is as if <emphasis
|
||||||
role="bold">blacklist</emphasis> had been specified in the
|
role="bold">blacklist</emphasis> had been specified in the
|
||||||
IN_OPTIONS column of <ulink
|
IN_OPTIONS column of <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -348,7 +348,7 @@ loc eth2 -</programlisting>
|
|||||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||||
firewall/bridging</ulink>, then you need to include
|
firewall/bridging</ulink>, then you need to include
|
||||||
DHCP-specific rules in <ulink
|
DHCP-specific rules in <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(8).
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||||
DHCP uses UDP ports 67 and 68.</para>
|
DHCP uses UDP ports 67 and 68.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -421,7 +421,7 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>This option may also be enabled globally in the <ulink
|
<para>This option may also be enabled globally in the <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -433,7 +433,7 @@ loc eth2 -</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Connection requests from this interface are compared
|
<para>Connection requests from this interface are compared
|
||||||
against the contents of <ulink
|
against the contents of <ulink
|
||||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||||
this option is specified, the interface must be an Ethernet
|
this option is specified, the interface must be an Ethernet
|
||||||
NIC and must be up before Shorewall is started.</para>
|
NIC and must be up before Shorewall is started.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -472,7 +472,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>Defines the zone as <firstterm>dynamic</firstterm>.
|
<para>Defines the zone as <firstterm>dynamic</firstterm>.
|
||||||
Requires ipset match support in your iptables and kernel. See
|
Requires ipset match support in your iptables and kernel. See
|
||||||
<ulink
|
<ulink
|
||||||
url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
url="/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
||||||
for further information.</para>
|
for further information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -486,7 +486,7 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>Smurfs will be optionally logged based on the setting of
|
<para>Smurfs will be optionally logged based on the setting of
|
||||||
SMURF_LOG_LEVEL in <ulink
|
SMURF_LOG_LEVEL in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||||
logging, the packets are dropped.</para>
|
logging, the packets are dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -527,7 +527,7 @@ loc eth2 -</programlisting>
|
|||||||
refers to the name given in this option. It is useful when you
|
refers to the name given in this option. It is useful when you
|
||||||
want to specify the same wildcard port name on two or more
|
want to specify the same wildcard port name on two or more
|
||||||
bridges. See <ulink
|
bridges. See <ulink
|
||||||
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
||||||
|
|
||||||
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
||||||
name (ends with '+'), then the physical
|
name (ends with '+'), then the physical
|
||||||
@ -547,7 +547,7 @@ loc eth2 -</programlisting>
|
|||||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
||||||
Do NOT use this option if you are employing Proxy ARP through
|
Do NOT use this option if you are employing Proxy ARP through
|
||||||
entries in <ulink
|
entries in <ulink
|
||||||
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
||||||
This option is intended solely for use with Proxy ARP
|
This option is intended solely for use with Proxy ARP
|
||||||
sub-networking as described at: <ulink
|
sub-networking as described at: <ulink
|
||||||
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
||||||
@ -626,12 +626,12 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>This option can also be enabled globally via the
|
<para>This option can also be enabled globally via the
|
||||||
ROUTE_FILTER option in the <ulink
|
ROUTE_FILTER option in the <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>If ROUTE_FILTER=Yes in <ulink
|
<para>If ROUTE_FILTER=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
||||||
your distribution sets net.ipv4.conf.all.rp_filter=1 in
|
your distribution sets net.ipv4.conf.all.rp_filter=1 in
|
||||||
<filename>/etc/sysctl.conf</filename>, then setting
|
<filename>/etc/sysctl.conf</filename>, then setting
|
||||||
<emphasis role="bold">routefilter</emphasis>=0 in an
|
<emphasis role="bold">routefilter</emphasis>=0 in an
|
||||||
@ -653,14 +653,14 @@ loc eth2 -</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If USE_DEFAULT_RT=Yes in <ulink
|
<para>If USE_DEFAULT_RT=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||||
the interface is listed in <ulink
|
the interface is listed in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If there is an entry for the interface in <ulink
|
<para>If there is an entry for the interface in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5)
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5)
|
||||||
that doesn't specify the <option>balance</option>
|
that doesn't specify the <option>balance</option>
|
||||||
option.</para>
|
option.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -797,7 +797,7 @@ loc eth2 -</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Incoming requests from this interface may be remapped
|
<para>Incoming requests from this interface may be remapped
|
||||||
via UPNP (upnpd). See <ulink
|
via UPNP (upnpd). See <ulink
|
||||||
url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
|
url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -912,7 +912,7 @@ net ppp0 -</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
|
||||||
|
@ -77,7 +77,7 @@
|
|||||||
specified, matching packets must match all of the listed sets.</para>
|
specified, matching packets must match all of the listed sets.</para>
|
||||||
|
|
||||||
<para>For information about set lists and exclusion, see <ulink
|
<para>For information about set lists and exclusion, see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||||
|
@ -27,8 +27,8 @@
|
|||||||
associated IP addresses to be allowed to use the specified interface. The
|
associated IP addresses to be allowed to use the specified interface. The
|
||||||
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
|
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
|
||||||
option in the <ulink
|
option in the <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
|
||||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
|
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows (where the column name is
|
<para>The columns in the file are as follows (where the column name is
|
||||||
@ -45,7 +45,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
||||||
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
|
||||||
also allowed). If specified, the
|
also allowed). If specified, the
|
||||||
<replaceable>log-level</replaceable> causes packets matching the
|
<replaceable>log-level</replaceable> causes packets matching the
|
||||||
rule to be logged at that level.</para>
|
rule to be logged at that level.</para>
|
||||||
@ -101,10 +101,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
|
url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -24,13 +24,13 @@
|
|||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
||||||
replace <ulink url="shorewall-mangle.html">shorewall-rules(5)</ulink>.
|
replace <ulink url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>.
|
||||||
This file is only processed by the compiler if:</para>
|
This file is only processed by the compiler if:</para>
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -44,14 +44,14 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Unlike rules in the <ulink
|
<para>Unlike rules in the <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||||
of rules in this file will continue after a match. So the final mark for
|
of rules in this file will continue after a match. So the final mark for
|
||||||
each packet will be the one assigned by the LAST tcrule that
|
each packet will be the one assigned by the LAST tcrule that
|
||||||
matches.</para>
|
matches.</para>
|
||||||
|
|
||||||
<para>If you use multiple internet providers with the 'track' option, in
|
<para>If you use multiple internet providers with the 'track' option, in
|
||||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The columns in the file are as follows (where the column name is
|
<para>The columns in the file are as follows (where the column name is
|
||||||
@ -104,7 +104,7 @@
|
|||||||
<para>Unless otherwise specified for the particular
|
<para>Unless otherwise specified for the particular
|
||||||
<replaceable>command</replaceable>, the default chain is PREROUTING
|
<replaceable>command</replaceable>, the default chain is PREROUTING
|
||||||
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
|
||||||
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||||
|
|
||||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||||
@ -159,11 +159,11 @@
|
|||||||
<para>When using Shorewall's built-in traffic shaping tool,
|
<para>When using Shorewall's built-in traffic shaping tool,
|
||||||
the <emphasis>major</emphasis> class is the device number (the
|
the <emphasis>major</emphasis> class is the device number (the
|
||||||
first device in <ulink
|
first device in <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||||
is major class 1, the second device is major class 2, and so
|
is major class 1, the second device is major class 2, and so
|
||||||
on) and the <emphasis>minor</emphasis> class is the class's
|
on) and the <emphasis>minor</emphasis> class is the class's
|
||||||
MARK value in <ulink
|
MARK value in <ulink
|
||||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
||||||
preceded by the number 1 (MARK 1 corresponds to minor class
|
preceded by the number 1 (MARK 1 corresponds to minor class
|
||||||
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
|
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
|
||||||
to minor class 122, etc.).</para>
|
to minor class 122, etc.).</para>
|
||||||
@ -297,7 +297,7 @@
|
|||||||
specified at the end of the rule. If the target is not one
|
specified at the end of the rule. If the target is not one
|
||||||
known to Shorewall, then it must be defined as a builtin
|
known to Shorewall, then it must be defined as a builtin
|
||||||
action in <ulink
|
action in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The following rules are equivalent:</para>
|
<para>The following rules are equivalent:</para>
|
||||||
@ -310,7 +310,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||||
third rule above can be specified as follows:</para>
|
third rule above can be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||||
@ -443,7 +443,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
<para>This error message may be eliminated by adding the
|
<para>This error message may be eliminated by adding the
|
||||||
<replaceable>target</replaceable> as a builtin action in
|
<replaceable>target</replaceable> as a builtin action in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -485,7 +485,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||||
equal proportions. If no mask is specified, then ( 2 **
|
equal proportions. If no mask is specified, then ( 2 **
|
||||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -586,7 +586,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Transparently redirects a packet without altering the IP
|
<para>Transparently redirects a packet without altering the IP
|
||||||
header. Requires a tproxy provider to be defined in <ulink
|
header. Requires a tproxy provider to be defined in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>There are three parameters to TPROXY - neither is
|
<para>There are three parameters to TPROXY - neither is
|
||||||
required:</para>
|
required:</para>
|
||||||
@ -712,7 +712,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -749,7 +749,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -784,7 +784,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||||
typename. See <ulink
|
typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -1167,16 +1167,16 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||||
|
@ -35,9 +35,9 @@
|
|||||||
<para>If you have more than one ISP link, adding entries to this file
|
<para>If you have more than one ISP link, adding entries to this file
|
||||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||||
through a particular link. You must use entries in <ulink
|
through a particular link. You must use entries in <ulink
|
||||||
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
||||||
entries in <ulink
|
entries in <ulink
|
||||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
|
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
|
||||||
that.</para>
|
that.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
@ -55,7 +55,7 @@
|
|||||||
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
|
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
|
||||||
comma-separated list of interface names. This is usually your
|
comma-separated list of interface names. This is usually your
|
||||||
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
|
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
|
||||||
and a <emphasis>digit</emphasis> to indicate that you want the alias
|
and a <emphasis>digit</emphasis> to indicate that you want the alias
|
||||||
added with that name (e.g., eth0:0). This will allow the alias to be
|
added with that name (e.g., eth0:0). This will allow the alias to be
|
||||||
displayed with ifconfig. <emphasis role="bold">That is the only use
|
displayed with ifconfig. <emphasis role="bold">That is the only use
|
||||||
@ -63,17 +63,17 @@
|
|||||||
Shorewall configuration.</emphasis></para>
|
Shorewall configuration.</emphasis></para>
|
||||||
|
|
||||||
<para>Each interface must match an entry in <ulink
|
<para>Each interface must match an entry in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||||
Shorewall allows loose matches to wildcard entries in <ulink
|
Shorewall allows loose matches to wildcard entries in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||||
example, <filename class="devicefile">ppp0</filename> in this file
|
example, <filename class="devicefile">ppp0</filename> in this file
|
||||||
will match a <ulink
|
will match a <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
|
|
||||||
<para>Where <ulink
|
<para>Where <ulink
|
||||||
url="http://www.shorewall.net/4.4/MultiISP.html#Shared">more that
|
url="/4.4/MultiISP.html#Shared">more that
|
||||||
one internet provider share a single interface</ulink>, the provider
|
one internet provider share a single interface</ulink>, the provider
|
||||||
is specified by including the provider name or number in
|
is specified by including the provider name or number in
|
||||||
parentheses:</para>
|
parentheses:</para>
|
||||||
@ -88,7 +88,7 @@
|
|||||||
addresses to indicate that you only want to change the source IP
|
addresses to indicate that you only want to change the source IP
|
||||||
address for packets being sent to those particular destinations.
|
address for packets being sent to those particular destinations.
|
||||||
Exclusion is allowed (see <ulink
|
Exclusion is allowed (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
||||||
are ipset names preceded by a plus sign '+';</para>
|
are ipset names preceded by a plus sign '+';</para>
|
||||||
|
|
||||||
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
|
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
|
||||||
@ -99,7 +99,7 @@
|
|||||||
|
|
||||||
<para>Normally Masq/SNAT rules are evaluated after those for
|
<para>Normally Masq/SNAT rules are evaluated after those for
|
||||||
one-to-one NAT (defined in <ulink
|
one-to-one NAT (defined in <ulink
|
||||||
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
|
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
|
||||||
rule to be applied before one-to-one NAT rules, prefix the interface
|
rule to be applied before one-to-one NAT rules, prefix the interface
|
||||||
name with "+":</para>
|
name with "+":</para>
|
||||||
|
|
||||||
@ -109,7 +109,7 @@
|
|||||||
|
|
||||||
<para>This feature should only be required if you need to insert
|
<para>This feature should only be required if you need to insert
|
||||||
rules in this file that preempt entries in <ulink
|
rules in this file that preempt entries in <ulink
|
||||||
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
|
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Comments may be attached to Netfilter rules generated from
|
<para>Comments may be attached to Netfilter rules generated from
|
||||||
entries in this file through the use of COMMENT lines. These lines
|
entries in this file through the use of COMMENT lines. These lines
|
||||||
@ -174,7 +174,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If you specify an address here, SNAT will be used and this
|
<para>If you specify an address here, SNAT will be used and this
|
||||||
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
|
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
|
||||||
in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) then
|
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
|
||||||
Shorewall will automatically add this address to the INTERFACE named
|
Shorewall will automatically add this address to the INTERFACE named
|
||||||
in the first column.</para>
|
in the first column.</para>
|
||||||
|
|
||||||
@ -679,7 +679,7 @@
|
|||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then these
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then these
|
||||||
rules may be specified as follows:</para>
|
rules may be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>/etc/shorewall/masq:
|
<programlisting>/etc/shorewall/masq:
|
||||||
@ -703,7 +703,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
|
shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
|
||||||
|
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
<para>The <filename>modules</filename> file is used when
|
<para>The <filename>modules</filename> file is used when
|
||||||
LOAD_HELPERS_ONLY=No in <ulink
|
LOAD_HELPERS_ONLY=No in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(8); the
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8); the
|
||||||
<filename>helpers</filename> file is used when
|
<filename>helpers</filename> file is used when
|
||||||
LOAD_HELPERS_ONLY=Yes</para>
|
LOAD_HELPERS_ONLY=Yes</para>
|
||||||
|
|
||||||
@ -50,7 +50,7 @@
|
|||||||
<para>The <replaceable>modulename</replaceable> names a kernel module
|
<para>The <replaceable>modulename</replaceable> names a kernel module
|
||||||
(without suffix). Shorewall will search for modules based on your
|
(without suffix). Shorewall will search for modules based on your
|
||||||
MODULESDIR and MODULE_SUFFIX settings in <ulink
|
MODULESDIR and MODULE_SUFFIX settings in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(8). The
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
|
||||||
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
|
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
|
||||||
installed) or to insmod.</para>
|
installed) or to insmod.</para>
|
||||||
|
|
||||||
|
@ -29,9 +29,9 @@
|
|||||||
<warning>
|
<warning>
|
||||||
<para>If all you want to do is simple port forwarding, do NOT use this
|
<para>If all you want to do is simple port forwarding, do NOT use this
|
||||||
file. See <ulink
|
file. See <ulink
|
||||||
url="../FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
|
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
|
||||||
Also, in many cases, Proxy ARP (<ulink
|
Also, in many cases, Proxy ARP (<ulink
|
||||||
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
|
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
|
||||||
solution that one-to-one NAT.</para>
|
solution that one-to-one NAT.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
@ -72,7 +72,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Interfaces that have the <emphasis
|
<para>Interfaces that have the <emphasis
|
||||||
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||||
Shorewall will automatically add the EXTERNAL address to this
|
Shorewall will automatically add the EXTERNAL address to this
|
||||||
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
|
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
|
||||||
name with ":" and a <emphasis>digit</emphasis> to indicate that you
|
name with ":" and a <emphasis>digit</emphasis> to indicate that you
|
||||||
@ -83,12 +83,12 @@
|
|||||||
</emphasis></para>
|
</emphasis></para>
|
||||||
|
|
||||||
<para>Each interface must match an entry in <ulink
|
<para>Each interface must match an entry in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||||
Shorewall allows loose matches to wildcard entries in <ulink
|
Shorewall allows loose matches to wildcard entries in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||||
example, <filename class="devicefile">ppp0</filename> in this file
|
example, <filename class="devicefile">ppp0</filename> in this file
|
||||||
will match a <ulink
|
will match a <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
|
|
||||||
@ -143,10 +143,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>
|
url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
|
<para>In <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a
|
||||||
zone may be declared to be a sub-zone of one or more other zones using the
|
zone may be declared to be a sub-zone of one or more other zones using the
|
||||||
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
||||||
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
||||||
@ -32,7 +32,7 @@
|
|||||||
firewall zone.</para>
|
firewall zone.</para>
|
||||||
|
|
||||||
<para>Where zones are nested, the CONTINUE policy in <ulink
|
<para>Where zones are nested, the CONTINUE policy in <ulink
|
||||||
url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
|
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
|
||||||
are within multiple zones to be managed under the rules of all of these
|
are within multiple zones to be managed under the rules of all of these
|
||||||
zones.</para>
|
zones.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
@ -74,7 +74,7 @@
|
|||||||
under rules where the source zone is net. It is important that this policy
|
under rules where the source zone is net. It is important that this policy
|
||||||
be listed BEFORE the next policy (net to all). You can have this policy
|
be listed BEFORE the next policy (net to all). You can have this policy
|
||||||
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
|
@ -81,7 +81,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with
|
<para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with
|
||||||
Shorewall 4.4.24, <ulink
|
Shorewall 4.4.24, <ulink
|
||||||
url="shorewall-exclusion.html">exclusion</ulink> is
|
url="/manpages/shorewall-exclusion.html">exclusion</ulink> is
|
||||||
supported.</para>
|
supported.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -93,12 +93,12 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a network interface. The interface must be defined
|
<para>The name of a network interface. The interface must be defined
|
||||||
in <ulink
|
in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||||
Shorewall allows loose matches to wildcard entries in <ulink
|
Shorewall allows loose matches to wildcard entries in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||||
example, <filename class="devicefile">ppp0</filename> in this file
|
example, <filename class="devicefile">ppp0</filename> in this file
|
||||||
will match a <ulink
|
will match a <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
|
||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -147,7 +147,7 @@
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||||
a typename. See <ulink
|
a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -189,10 +189,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
|
url="/netmap.html">http://www.shorewall.net/netmap.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
<para>Assign any shell variables that you need in this file. The file is
|
<para>Assign any shell variables that you need in this file. The file is
|
||||||
always processed by <filename>/bin/sh</filename> or by the shell specified
|
always processed by <filename>/bin/sh</filename> or by the shell specified
|
||||||
through SHOREWALL_SHELL in <ulink
|
through SHOREWALL_SHELL in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
|
||||||
shell capabilities may be used.</para>
|
shell capabilities may be used.</para>
|
||||||
|
|
||||||
<para>It is suggested that variable names begin with an upper case letter
|
<para>It is suggested that variable names begin with an upper case letter
|
||||||
@ -40,7 +40,7 @@
|
|||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member><emphasis role="bold">Any option from <ulink
|
<member><emphasis role="bold">Any option from <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
|
||||||
|
|
||||||
<member><emphasis role="bold">COMMAND</emphasis></member>
|
<member><emphasis role="bold">COMMAND</emphasis></member>
|
||||||
|
|
||||||
@ -107,7 +107,7 @@ NET_BCAST=130.252.100.255
|
|||||||
NET_OPTIONS=routefilter,norfc1918</programlisting>
|
NET_OPTIONS=routefilter,norfc1918</programlisting>
|
||||||
|
|
||||||
<para>Example <ulink
|
<para>Example <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
|
||||||
@ -129,7 +129,7 @@ net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>This file defines the high-level policy for connections between
|
<para>This file defines the high-level policy for connections between
|
||||||
zones defined in <ulink
|
zones defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>The order of entries in this file is important</para>
|
<para>The order of entries in this file is important</para>
|
||||||
@ -66,7 +66,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||||
"all+".</para>
|
"all+".</para>
|
||||||
|
|
||||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||||
@ -84,7 +84,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||||
"all+", another bport zone associated with the same bridge, or it
|
"all+", another bport zone associated with the same bridge, or it
|
||||||
must be an ipv4 zone that is associated with only the same
|
must be an ipv4 zone that is associated with only the same
|
||||||
@ -118,7 +118,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The word "None" or "none". This causes any default action
|
<para>The word "None" or "none". This causes any default action
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
||||||
omitted for this policy.</para>
|
omitted for this policy.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -191,7 +191,7 @@
|
|||||||
might also match (where the source or destination zone in
|
might also match (where the source or destination zone in
|
||||||
those rules is a superset of the SOURCE or DEST in this
|
those rules is a superset of the SOURCE or DEST in this
|
||||||
policy). See <ulink
|
policy). See <ulink
|
||||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||||
additional information.</para>
|
additional information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -231,7 +231,7 @@
|
|||||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||||
|
|
||||||
<para>For a description of log levels, see <ulink
|
<para>For a description of log levels, see <ulink
|
||||||
url="http://www.shorewall.net/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
|
|
||||||
<para>If you don't want to log but need to specify the following
|
<para>If you don't want to log but need to specify the following
|
||||||
column, place "-" here.</para>
|
column, place "-" here.</para>
|
||||||
@ -327,7 +327,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -77,11 +77,11 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
||||||
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
|
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
|
||||||
direct packets to this provider.</para>
|
direct packets to this provider.</para>
|
||||||
|
|
||||||
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
|
||||||
must be a multiple of 256 between 256 and 65280 or their hexadecimal
|
must be a multiple of 256 between 256 and 65280 or their hexadecimal
|
||||||
equivalents (0x0100 and 0xff00 with the low-order byte of the value
|
equivalents (0x0100 and 0xff00 with the low-order byte of the value
|
||||||
being zero). Otherwise, the value must be between 1 and 255. Each
|
being zero). Otherwise, the value must be between 1 and 255. Each
|
||||||
@ -101,7 +101,7 @@
|
|||||||
previously listed provider. You may select only certain entries from
|
previously listed provider. You may select only certain entries from
|
||||||
the table to copy by using the COPY column below. This column should
|
the table to copy by using the COPY column below. This column should
|
||||||
contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
|
contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -112,7 +112,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of the network interface to the provider. Must be
|
<para>The name of the network interface to the provider. Must be
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
|
||||||
general, that interface should not have the
|
general, that interface should not have the
|
||||||
<option>proxyarp</option> option specified unless
|
<option>proxyarp</option> option specified unless
|
||||||
<option>loose</option> is given in the OPTIONS column of this
|
<option>loose</option> is given in the OPTIONS column of this
|
||||||
@ -177,7 +177,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
||||||
defaults to the setting of the TRACK_PROVIDERS option in
|
defaults to the setting of the TRACK_PROVIDERS option in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
|
||||||
If you set TRACK_PROVIDERS=Yes and want to override that
|
If you set TRACK_PROVIDERS=Yes and want to override that
|
||||||
setting for an individual provider, then specify
|
setting for an individual provider, then specify
|
||||||
<option>notrack</option> (see below).</para>
|
<option>notrack</option> (see below).</para>
|
||||||
@ -241,7 +241,7 @@
|
|||||||
and configured with an IPv4 address then ignore this provider.
|
and configured with an IPv4 address then ignore this provider.
|
||||||
If not specified, the value of the <option>optional</option>
|
If not specified, the value of the <option>optional</option>
|
||||||
option for the INTERFACE in <ulink
|
option for the INTERFACE in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>
|
||||||
is assumed. Use of that option is preferred to this one,
|
is assumed. Use of that option is preferred to this one,
|
||||||
unless an <replaceable>address</replaceable> is provider in
|
unless an <replaceable>address</replaceable> is provider in
|
||||||
the INTERFACE column.</para>
|
the INTERFACE column.</para>
|
||||||
@ -300,7 +300,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
|
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
|
||||||
action in shorewall-mangle(5). See <ulink
|
action in shorewall-mangle(5). See <ulink
|
||||||
url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
||||||
When specified, the MARK, DUPLICATE and GATEWAY columns should
|
When specified, the MARK, DUPLICATE and GATEWAY columns should
|
||||||
be empty, INTERFACE should be set to 'lo' and
|
be empty, INTERFACE should be set to 'lo' and
|
||||||
<option>tproxy</option> should be the only OPTION. Only one
|
<option>tproxy</option> should be the only OPTION. Only one
|
||||||
@ -416,10 +416,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -132,10 +132,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
|
url="/ProxyARP.htm">http://www.shorewall.net/ProxyARP.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -34,7 +34,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name or number of a provider defined in <ulink
|
<para>The name or number of a provider defined in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink> (5).
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5).
|
||||||
Beginning with Shorewall 4.5.14, you may also enter
|
Beginning with Shorewall 4.5.14, you may also enter
|
||||||
<option>main</option> in this column to add routes to the main
|
<option>main</option> in this column to add routes to the main
|
||||||
routing table.</para>
|
routing table.</para>
|
||||||
@ -73,7 +73,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
||||||
given, then the INTERFACE specified for the PROVIDER in <ulink
|
given, then the INTERFACE specified for the PROVIDER in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink> (5). This
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5). This
|
||||||
column must be omitted if <option>blackhole</option>,
|
column must be omitted if <option>blackhole</option>,
|
||||||
<option>prohibit</option> or <option>unreachable</option> is
|
<option>prohibit</option> or <option>unreachable</option> is
|
||||||
specified in the GATEWAY column.</para>
|
specified in the GATEWAY column.</para>
|
||||||
@ -92,7 +92,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>This file is deprecated in favor of the <ulink
|
<para>This file is deprecated in favor of the <ulink
|
||||||
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>This file is used to define the hosts that are accessible when the
|
<para>This file is used to define the hosts that are accessible when the
|
||||||
@ -84,7 +84,7 @@
|
|||||||
themselves. Beginning with Shorewall 4.4.9, this option is
|
themselves. Beginning with Shorewall 4.4.9, this option is
|
||||||
automatically set if <emphasis
|
automatically set if <emphasis
|
||||||
role="bold">routeback</emphasis> is specified in <ulink
|
role="bold">routeback</emphasis> is specified in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
(5) or if the rules compiler detects that the interface is a
|
(5) or if the rules compiler detects that the interface is a
|
||||||
bridge.</para>
|
bridge.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -176,7 +176,7 @@
|
|||||||
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
||||||
role="bold">dest</emphasis> options work best when used in conjunction
|
role="bold">dest</emphasis> options work best when used in conjunction
|
||||||
with ADMINISABSENTMINDED=Yes in <ulink
|
with ADMINISABSENTMINDED=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</note>
|
</note>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
@ -210,10 +210,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>Entries in this file cause traffic to be routed to one of the
|
<para>Entries in this file cause traffic to be routed to one of the
|
||||||
providers listed in <ulink
|
providers listed in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
|
|
||||||
@ -181,10 +181,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>Entries in this file govern connection establishment by defining
|
<para>Entries in this file govern connection establishment by defining
|
||||||
exceptions to the policies laid out in <ulink
|
exceptions to the policies laid out in <ulink
|
||||||
url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
|
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By default,
|
||||||
subsequent requests and responses are automatically allowed using
|
subsequent requests and responses are automatically allowed using
|
||||||
connection tracking. For any particular (source,dest) pair of zones, the
|
connection tracking. For any particular (source,dest) pair of zones, the
|
||||||
rules are evaluated in the order in which they appear in this file and the
|
rules are evaluated in the order in which they appear in this file and the
|
||||||
@ -87,7 +87,7 @@
|
|||||||
|
|
||||||
<para>There is an implicit rule added at the end of this section
|
<para>There is an implicit rule added at the end of this section
|
||||||
that invokes the RELATED_DISPOSITION (<ulink
|
that invokes the RELATED_DISPOSITION (<ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -103,7 +103,7 @@
|
|||||||
|
|
||||||
<para>There is an implicit rule added at the end of this section
|
<para>There is an implicit rule added at the end of this section
|
||||||
that invokes the INVALID_DISPOSITION (<ulink
|
that invokes the INVALID_DISPOSITION (<ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -119,7 +119,7 @@
|
|||||||
|
|
||||||
<para>There is an implicit rule added at the end of this section
|
<para>There is an implicit rule added at the end of this section
|
||||||
that invokes the UNTRACKED_DISPOSITION (<ulink
|
that invokes the UNTRACKED_DISPOSITION (<ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -145,7 +145,7 @@
|
|||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you specify FASTACCEPT=Yes in <ulink
|
<para>If you specify FASTACCEPT=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
||||||
role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
|
role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
|
||||||
role="bold">RELATED</emphasis> sections must be empty.</para>
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||||
|
|
||||||
@ -224,7 +224,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like ACCEPT but exempts the rule from being suppressed
|
<para>like ACCEPT but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -234,7 +234,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an <emphasis>action</emphasis> declared in
|
<para>The name of an <emphasis>action</emphasis> declared in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||||
in /usr/share/shorewall/actions.std.</para>
|
in /usr/share/shorewall/actions.std.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -329,11 +329,11 @@
|
|||||||
<para>Do not process any of the following rules for this
|
<para>Do not process any of the following rules for this
|
||||||
(source zone,destination zone). If the source and/or
|
(source zone,destination zone). If the source and/or
|
||||||
destination IP address falls into a zone defined later in
|
destination IP address falls into a zone defined later in
|
||||||
<ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
|
<ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||||
or in a parent zone of the source or destination zones, then
|
or in a parent zone of the source or destination zones, then
|
||||||
this connection request will be passed to the rules defined
|
this connection request will be passed to the rules defined
|
||||||
for that (those) zone(s). See <ulink
|
for that (those) zone(s). See <ulink
|
||||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||||
additional information.</para>
|
additional information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -344,7 +344,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like CONTINUE but exempts the rule from being suppressed
|
<para>like CONTINUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -414,7 +414,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like DROP but exempts the rule from being suppressed by
|
<para>like DROP but exempts the rule from being suppressed by
|
||||||
OPTIMIZE=1 in <ulink
|
OPTIMIZE=1 in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -445,7 +445,7 @@
|
|||||||
INLINE(ACCEPT)). Otherwise, you can include it after the
|
INLINE(ACCEPT)). Otherwise, you can include it after the
|
||||||
semicolon. In this case, you must declare the target as a
|
semicolon. In this case, you must declare the target as a
|
||||||
builtin action in <ulink
|
builtin action in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Some considerations when using INLINE:</para>
|
<para>Some considerations when using INLINE:</para>
|
||||||
|
|
||||||
@ -490,7 +490,7 @@
|
|||||||
<para>This error message may be eliminated by adding the
|
<para>This error message may be eliminated by adding the
|
||||||
<replaceable>target</replaceable> as a builtin action in
|
<replaceable>target</replaceable> as a builtin action in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -536,7 +536,7 @@
|
|||||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||||
back end logging daemon via a netlink socket then continues to
|
back end logging daemon via a netlink socket then continues to
|
||||||
the next rule. See <ulink
|
the next rule. See <ulink
|
||||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
|
|
||||||
<para>Similar to<emphasis role="bold">
|
<para>Similar to<emphasis role="bold">
|
||||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||||
@ -565,7 +565,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -596,7 +596,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like QUEUE but exempts the rule from being suppressed by
|
<para>like QUEUE but exempts the rule from being suppressed by
|
||||||
OPTIMIZE=1 in <ulink
|
OPTIMIZE=1 in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -615,7 +615,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like REJECT but exempts the rule from being suppressed
|
<para>like REJECT but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -649,7 +649,7 @@
|
|||||||
<para>Added in Shorewall 4.5.10. Queues matching packets to a
|
<para>Added in Shorewall 4.5.10. Queues matching packets to a
|
||||||
back end logging daemon via a netlink socket then continues to
|
back end logging daemon via a netlink socket then continues to
|
||||||
the next rule. See <ulink
|
the next rule. See <ulink
|
||||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
|
|
||||||
<para>Similar to<emphasis role="bold">
|
<para>Similar to<emphasis role="bold">
|
||||||
LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
|
LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
|
||||||
@ -671,7 +671,7 @@
|
|||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
<emphasis>action</emphasis> declared in <ulink
|
<emphasis>action</emphasis> declared in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||||
/usr/share/shorewall/actions.std then:</para>
|
/usr/share/shorewall/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -702,7 +702,7 @@
|
|||||||
<para>Actions specifying logging may be followed by a log tag (a
|
<para>Actions specifying logging may be followed by a log tag (a
|
||||||
string of alphanumeric characters) which is appended to the string
|
string of alphanumeric characters) which is appended to the string
|
||||||
generated by the LOGPREFIX (in <ulink
|
generated by the LOGPREFIX (in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
||||||
the log prefix generated by the LOGPREFIX setting.</para>
|
the log prefix generated by the LOGPREFIX setting.</para>
|
||||||
@ -732,7 +732,7 @@
|
|||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
<replaceable>zone-list </replaceable>which consists of a
|
||||||
comma-separated list of zones declared in <ulink
|
comma-separated list of zones declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). This
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||||
well as inter-zone traffic.</para>
|
well as inter-zone traffic.</para>
|
||||||
@ -751,7 +751,7 @@
|
|||||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||||
@ -791,7 +791,7 @@
|
|||||||
firewall interface can be specified by an ampersand ('&')
|
firewall interface can be specified by an ampersand ('&')
|
||||||
followed by the logical name of the interface as found in the
|
followed by the logical name of the interface as found in the
|
||||||
INTERFACE column of <ulink
|
INTERFACE column of <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
@ -801,14 +801,14 @@
|
|||||||
preceded by a caret ('^'). When a single country code is given, the
|
preceded by a caret ('^'). When a single country code is given, the
|
||||||
square brackets may be omitted. A list of country codes supported by
|
square brackets may be omitted. A list of country codes supported by
|
||||||
Shorewall may be found at <ulink
|
Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||||
Kernel.</para>
|
Kernel.</para>
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -906,7 +906,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Location of Server. May be a zone declared in <ulink
|
<para>Location of Server. May be a zone declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
|
||||||
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
||||||
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
||||||
<emphasis role="bold">none</emphasis>.</para>
|
<emphasis role="bold">none</emphasis>.</para>
|
||||||
@ -914,7 +914,7 @@
|
|||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
<replaceable>zone-list </replaceable>which consists of a
|
||||||
comma-separated list of zones declared in <ulink
|
comma-separated list of zones declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). This
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||||
well as inter-zone traffic.</para>
|
well as inter-zone traffic.</para>
|
||||||
@ -926,7 +926,7 @@
|
|||||||
preceded by a caret ('^'). When a single country code is given, the
|
preceded by a caret ('^'). When a single country code is given, the
|
||||||
square brackets may be omitted. A list of country codes supported by
|
square brackets may be omitted. A list of country codes supported by
|
||||||
Shorewall may be found at <ulink
|
Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||||
Kernel.</para>
|
Kernel.</para>
|
||||||
@ -941,7 +941,7 @@
|
|||||||
affected. When <emphasis role="bold">all+</emphasis> is used,
|
affected. When <emphasis role="bold">all+</emphasis> is used,
|
||||||
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
|
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
|
||||||
exclusion is supported -- see see <ulink
|
exclusion is supported -- see see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||||
@ -976,7 +976,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Restriction: MAC addresses are not allowed (this is a
|
<para>Restriction: MAC addresses are not allowed (this is a
|
||||||
Netfilter restriction).</para>
|
Netfilter restriction).</para>
|
||||||
@ -1002,7 +1002,7 @@
|
|||||||
firewall interface can be specified by an ampersand ('&')
|
firewall interface can be specified by an ampersand ('&')
|
||||||
followed by the logical name of the interface as found in the
|
followed by the logical name of the interface as found in the
|
||||||
INTERFACE column of <ulink
|
INTERFACE column of <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The <replaceable>port</replaceable> that the server is
|
<para>The <replaceable>port</replaceable> that the server is
|
||||||
@ -1079,7 +1079,7 @@
|
|||||||
interpreted as the destination icmp-type(s). ICMP types may be
|
interpreted as the destination icmp-type(s). ICMP types may be
|
||||||
specified as a numeric type, a numeric type and code separated by a
|
specified as a numeric type, a numeric type and code separated by a
|
||||||
slash (e.g., 3/4), or a typename. See <ulink
|
slash (e.g., 3/4), or a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||||
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
|
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
|
||||||
listed.</para>
|
listed.</para>
|
||||||
|
|
||||||
@ -1176,7 +1176,7 @@
|
|||||||
firewall interface can be specified by an ampersand ('&')
|
firewall interface can be specified by an ampersand ('&')
|
||||||
followed by the logical name of the interface as found in the
|
followed by the logical name of the interface as found in the
|
||||||
INTERFACE column of <ulink
|
INTERFACE column of <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>For other actions, this column may be included and may contain
|
<para>For other actions, this column may be included and may contain
|
||||||
@ -1194,10 +1194,10 @@
|
|||||||
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
|
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
|
||||||
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
|
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
|
||||||
See <ulink
|
See <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para>See <ulink
|
<para>See <ulink
|
||||||
url="../PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
|
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
|
||||||
for an example of using an entry in this column with a user-defined
|
for an example of using an entry in this column with a user-defined
|
||||||
action rule.</para>
|
action rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1567,7 +1567,7 @@
|
|||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>If the HELPERS option is specified in <ulink
|
<para>If the HELPERS option is specified in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
||||||
specified in this column must be listed in the HELPERS
|
specified in this column must be listed in the HELPERS
|
||||||
setting.</para>
|
setting.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1696,21 +1696,21 @@
|
|||||||
example:</para>
|
example:</para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(8):<programlisting> #ZONE TYPE OPTIONS
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5):<programlisting> #ZONE TYPE OPTIONS
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4
|
net ipv4
|
||||||
dmz ipv4
|
dmz ipv4
|
||||||
loc ipv4</programlisting></para>
|
loc ipv4</programlisting></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net ppp0
|
net ppp0
|
||||||
loc eth1 detect
|
loc eth1 detect
|
||||||
dmz eth2 detect
|
dmz eth2 detect
|
||||||
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
|
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="shorewall-hosts.html">shorewall-host</ulink>(8):<programlisting> #ZONE HOST(S) OPTIONS
|
url="/manpages/shorewall-hosts.html">shorewall-host</ulink>(5):<programlisting> #ZONE HOST(S) OPTIONS
|
||||||
loc ppp+:192.168.3.0/24</programlisting></para>
|
loc ppp+:192.168.3.0/24</programlisting></para>
|
||||||
|
|
||||||
<para>rules:</para>
|
<para>rules:</para>
|
||||||
@ -1806,7 +1806,7 @@
|
|||||||
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||||
|
|
||||||
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5):</para>
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5):</para>
|
||||||
|
|
||||||
<programlisting> #ACTION OPTIONS
|
<programlisting> #ACTION OPTIONS
|
||||||
SECCTX builtin</programlisting>
|
SECCTX builtin</programlisting>
|
||||||
@ -1825,13 +1825,13 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
url="/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
|
shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Unlike rules in the <ulink
|
<para>Unlike rules in the <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||||
of rules in this file will continue after a match. So the final secmark
|
of rules in this file will continue after a match. So the final secmark
|
||||||
for each packet will be the one assigned by the LAST rule that
|
for each packet will be the one assigned by the LAST rule that
|
||||||
matches.</para>
|
matches.</para>
|
||||||
@ -182,7 +182,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Addresses may be specified using an ipset name preceded by
|
<para>Addresses may be specified using an ipset name preceded by
|
||||||
'+'.</para>
|
'+'.</para>
|
||||||
@ -213,7 +213,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Addresses may be specified using an ipset name preceded by
|
<para>Addresses may be specified using an ipset name preceded by
|
||||||
'+'.</para>
|
'+'.</para>
|
||||||
@ -251,7 +251,7 @@
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||||
a typename. See <ulink
|
a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -411,7 +411,7 @@ RESTORE I:ER</programlisting>
|
|||||||
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
|
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -147,10 +147,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -125,7 +125,7 @@
|
|||||||
<para>You may specify the interface number rather than the interface
|
<para>You may specify the interface number rather than the interface
|
||||||
name. If the <emphasis role="bold">classify</emphasis> option is
|
name. If the <emphasis role="bold">classify</emphasis> option is
|
||||||
given for the interface in <ulink
|
given for the interface in <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
|
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
|
||||||
you must also specify an interface class (an integer that must be
|
you must also specify an interface class (an integer that must be
|
||||||
unique within classes associated with this interface). If the
|
unique within classes associated with this interface). If the
|
||||||
classify option is not given, you may still specify a
|
classify option is not given, you may still specify a
|
||||||
@ -139,12 +139,12 @@
|
|||||||
|
|
||||||
<para>Please note that you can only use interface names in here that
|
<para>Please note that you can only use interface names in here that
|
||||||
have a bandwidth defined in the <ulink
|
have a bandwidth defined in the <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>Normally, all classes defined here are sub-classes of a root
|
<para>Normally, all classes defined here are sub-classes of a root
|
||||||
class that is implicitly defined from the entry in <ulink
|
class that is implicitly defined from the entry in <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
|
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
|
||||||
can establish a class hierarchy by specifying a
|
can establish a class hierarchy by specifying a
|
||||||
<emphasis>parent</emphasis> class -- the number of a class that you
|
<emphasis>parent</emphasis> class -- the number of a class that you
|
||||||
have previously defined. The sub-class may borrow unused bandwidth
|
have previously defined. The sub-class may borrow unused bandwidth
|
||||||
@ -159,11 +159,11 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||||
range 1-255. You set mark values in the <ulink
|
range 1-255. You set mark values in the <ulink
|
||||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
|
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
|
||||||
marking the traffic you want to fit in the classes defined in here.
|
marking the traffic you want to fit in the classes defined in here.
|
||||||
Must be specified as '-' if the <emphasis
|
Must be specified as '-' if the <emphasis
|
||||||
role="bold">classify</emphasis> option is given for the interface in
|
role="bold">classify</emphasis> option is given for the interface in
|
||||||
<ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
<ulink url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||||
and you are running Shorewall 4.5.5 or earlier.</para>
|
and you are running Shorewall 4.5.5 or earlier.</para>
|
||||||
|
|
||||||
<para>You can use the same marks for different interfaces.</para>
|
<para>You can use the same marks for different interfaces.</para>
|
||||||
@ -417,7 +417,7 @@
|
|||||||
of the class. So the total RATE represented by an entry with
|
of the class. So the total RATE represented by an entry with
|
||||||
'occurs' will be the listed RATE multiplied by
|
'occurs' will be the listed RATE multiplied by
|
||||||
<emphasis>number</emphasis>. For additional information, see
|
<emphasis>number</emphasis>. For additional information, see
|
||||||
<ulink url="shorewall-mangle.html">tcrules</ulink>
|
<ulink url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -762,10 +762,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>tc-hfsc(7)</para>
|
<para>tc-hfsc(7)</para>
|
||||||
|
|
||||||
|
@ -104,7 +104,7 @@
|
|||||||
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
||||||
listed only once in this file. You may NOT specify the name of an
|
listed only once in this file. You may NOT specify the name of an
|
||||||
alias (e.g., eth0:0) here; see <ulink
|
alias (e.g., eth0:0) here; see <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||||
|
|
||||||
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
||||||
ppp interfaces, you need to put them all in here!</para>
|
ppp interfaces, you need to put them all in here!</para>
|
||||||
@ -151,7 +151,7 @@
|
|||||||
may be configured instead. Rate-estimated filters should be used
|
may be configured instead. Rate-estimated filters should be used
|
||||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||||
default. See <ulink
|
default. See <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||||
97a</ulink>.</para>
|
97a</ulink>.</para>
|
||||||
|
|
||||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||||
@ -171,7 +171,7 @@
|
|||||||
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
|
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
|
||||||
This is the maximum speed your connection can handle. It is also the
|
This is the maximum speed your connection can handle. It is also the
|
||||||
speed you can refer as "full" if you define the tc classes in <ulink
|
speed you can refer as "full" if you define the tc classes in <ulink
|
||||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
||||||
Outgoing traffic above this rate will be dropped.</para>
|
Outgoing traffic above this rate will be dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -195,7 +195,7 @@
|
|||||||
<para><option>classify</option> ― When specified, Shorewall will not
|
<para><option>classify</option> ― When specified, Shorewall will not
|
||||||
generate tc or Netfilter rules to classify traffic based on packet
|
generate tc or Netfilter rules to classify traffic based on packet
|
||||||
marks. You must do all classification using CLASSIFY rules in <ulink
|
marks. You must do all classification using CLASSIFY rules in <ulink
|
||||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>
|
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>
|
||||||
|
|
||||||
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
||||||
Bucket</firstterm> queuing discipline. This is the default.</para>
|
Bucket</firstterm> queuing discipline. This is the default.</para>
|
||||||
@ -283,10 +283,10 @@
|
|||||||
<para>tc-hfsc (7)</para>
|
<para>tc-hfsc (7)</para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
|
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
|
||||||
|
@ -70,10 +70,10 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name or number of an <returnvalue>interface</returnvalue>
|
<para>The name or number of an <returnvalue>interface</returnvalue>
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||||
followed by a <replaceable>class</replaceable> number defined for
|
followed by a <replaceable>class</replaceable> number defined for
|
||||||
that interface in <ulink
|
that interface in <ulink
|
||||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
|
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -99,7 +99,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -318,16 +318,16 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>This file lists the interfaces that are subject to simple traffic
|
<para>This file lists the interfaces that are subject to simple traffic
|
||||||
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
||||||
file:</para>
|
file:</para>
|
||||||
@ -162,7 +162,7 @@
|
|||||||
may be configured instead. Rate-estimated filters should be used
|
may be configured instead. Rate-estimated filters should be used
|
||||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||||
default. See <ulink
|
default. See <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||||
97a</ulink>.</para>
|
97a</ulink>.</para>
|
||||||
|
|
||||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||||
|
@ -25,12 +25,12 @@
|
|||||||
|
|
||||||
<para>This file is used to specify the priority of traffic for simple
|
<para>This file is used to specify the priority of traffic for simple
|
||||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
|
||||||
each packet is determined by the <emphasis role="bold">last</emphasis>
|
each packet is determined by the <emphasis role="bold">last</emphasis>
|
||||||
entry that the packet matches. If a packet doesn't match any entry in this
|
entry that the packet matches. If a packet doesn't match any entry in this
|
||||||
file, then its priority will be determined by its TOS field. The default
|
file, then its priority will be determined by its TOS field. The default
|
||||||
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
||||||
in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<programlisting>TOS Bits Means Linux Priority BAND
|
<programlisting>TOS Bits Means Linux Priority BAND
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
@ -63,7 +63,7 @@
|
|||||||
<para>Classifies matching traffic as High Priority (1), Medium
|
<para>Classifies matching traffic as High Priority (1), Medium
|
||||||
Priority (2) or Low Priority (3). For those interfaces listed in
|
Priority (2) or Low Priority (3). For those interfaces listed in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
|
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
|
||||||
Priority 2 traffic will be deferred so long and there is Priority 1
|
Priority 2 traffic will be deferred so long and there is Priority 1
|
||||||
traffic queued and Priority 3 traffic will be deferred so long as
|
traffic queued and Priority 3 traffic will be deferred so long as
|
||||||
there is Priority 1 or Priority 2 traffic to send.</para>
|
there is Priority 1 or Priority 2 traffic to send.</para>
|
||||||
@ -151,7 +151,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>prio(8), shorewall(8), shorewall-accounting(5),
|
<para>prio(8), shorewall(8), shorewall-accounting(5),
|
||||||
shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
|
shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
|
||||||
|
@ -28,14 +28,14 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Unlike rules in the <ulink
|
<para>Unlike rules in the <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||||
of rules in this file will continue after a match. So the final mark for
|
of rules in this file will continue after a match. So the final mark for
|
||||||
each packet will be the one assigned by the LAST tcrule that
|
each packet will be the one assigned by the LAST tcrule that
|
||||||
matches.</para>
|
matches.</para>
|
||||||
|
|
||||||
<para>If you use multiple internet providers with the 'track' option, in
|
<para>If you use multiple internet providers with the 'track' option, in
|
||||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
||||||
@ -123,7 +123,7 @@
|
|||||||
|
|
||||||
<para>- Otherwise, the chain is determined by the setting of
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
MARK_IN_FORWARD_CHAIN in <ulink
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||||
included for completeness and affects neither traffic shaping
|
included for completeness and affects neither traffic shaping
|
||||||
@ -203,7 +203,7 @@
|
|||||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||||
equal proportions. If no mask is specified, then ( 2 **
|
equal proportions. If no mask is specified, then ( 2 **
|
||||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>May optionally be followed by <emphasis
|
<para>May optionally be followed by <emphasis
|
||||||
role="bold">:P</emphasis>, <emphasis
|
role="bold">:P</emphasis>, <emphasis
|
||||||
@ -231,7 +231,7 @@
|
|||||||
|
|
||||||
<para>- Otherwise, the chain is determined by the setting of
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
MARK_IN_FORWARD_CHAIN in <ulink
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||||
included for completeness and affects neither traffic shaping
|
included for completeness and affects neither traffic shaping
|
||||||
@ -311,11 +311,11 @@
|
|||||||
<para>When using Shorewall's built-in traffic shaping tool, the
|
<para>When using Shorewall's built-in traffic shaping tool, the
|
||||||
<emphasis>major</emphasis> class is the device number (the first
|
<emphasis>major</emphasis> class is the device number (the first
|
||||||
device in <ulink
|
device in <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
|
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
|
||||||
major class 1, the second device is major class 2, and so on)
|
major class 1, the second device is major class 2, and so on)
|
||||||
and the <emphasis>minor</emphasis> class is the class's MARK
|
and the <emphasis>minor</emphasis> class is the class's MARK
|
||||||
value in <ulink
|
value in <ulink
|
||||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
||||||
preceded by the number 1 (MARK 1 corresponds to minor class 11,
|
preceded by the number 1 (MARK 1 corresponds to minor class 11,
|
||||||
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
|
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
|
||||||
minor class 122, etc.).</para>
|
minor class 122, etc.).</para>
|
||||||
@ -487,7 +487,7 @@
|
|||||||
[<replaceable>option</replaceable>] ...") after any matches
|
[<replaceable>option</replaceable>] ...") after any matches
|
||||||
specified at the end of the rule. If the target is not one known
|
specified at the end of the rule. If the target is not one known
|
||||||
to Shorewall, then it must be defined as a builtin action in
|
to Shorewall, then it must be defined as a builtin action in
|
||||||
<ulink url="shorewall-actions.html">shorewall-actions</ulink>
|
<ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The following rules are equivalent:</para>
|
<para>The following rules are equivalent:</para>
|
||||||
@ -500,7 +500,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
|
||||||
third rule above can be specified as follows:</para>
|
third rule above can be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||||
@ -724,7 +724,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>Transparently redirects a packet without altering the IP
|
<para>Transparently redirects a packet without altering the IP
|
||||||
header. Requires a local provider to be defined in <ulink
|
header. Requires a local provider to be defined in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>There are three parameters to TPROXY - only the first
|
<para>There are three parameters to TPROXY - only the first
|
||||||
(mark) is required:</para>
|
(mark) is required:</para>
|
||||||
@ -733,7 +733,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para><replaceable>mark</replaceable> - the MARK value
|
<para><replaceable>mark</replaceable> - the MARK value
|
||||||
corresponding to the local provider in <ulink
|
corresponding to the local provider in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -758,7 +758,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>Transparently redirects a packet without altering the IP
|
<para>Transparently redirects a packet without altering the IP
|
||||||
header. Requires a tproxy provider to be defined in <ulink
|
header. Requires a tproxy provider to be defined in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>There are three parameters to TPROXY - neither is
|
<para>There are three parameters to TPROXY - neither is
|
||||||
required:</para>
|
required:</para>
|
||||||
@ -862,7 +862,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -879,7 +879,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<para>An interface name. May not be used in the PREROUTING chain
|
<para>An interface name. May not be used in the PREROUTING chain
|
||||||
(:P in the mark column or no chain qualifier and
|
(:P in the mark column or no chain qualifier and
|
||||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
|
url="/manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
|
||||||
interface name may be optionally followed by a colon (":") and
|
interface name may be optionally followed by a colon (":") and
|
||||||
an IP address list.</para>
|
an IP address list.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -899,7 +899,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -934,7 +934,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||||
typename. See <ulink
|
typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -1317,16 +1317,16 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
||||||
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
||||||
<ulink url="shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
|
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows (where the column name is
|
<para>The columns in the file are as follows (where the column name is
|
||||||
followed by a different name in parentheses, the different name is used in
|
followed by a different name in parentheses, the different name is used in
|
||||||
@ -167,7 +167,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
encrypted) traffic to pass between the Shorewall system and a remote
|
encrypted) traffic to pass between the Shorewall system and a remote
|
||||||
gateway. Traffic flowing through the tunnel is handled using the normal
|
gateway. Traffic flowing through the tunnel is handled using the normal
|
||||||
zone/policy/rule mechanism. See <ulink
|
zone/policy/rule mechanism. See <ulink
|
||||||
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||||
for details.</para>
|
for details.</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
@ -143,7 +143,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||||
may be given. Exclusion (<ulink
|
may be given. Exclusion (<ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
|
||||||
not supported.</para>
|
not supported.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -281,7 +281,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -45,14 +45,14 @@
|
|||||||
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
|
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
|
||||||
as zone names. The maximum length of a zone name is determined by
|
as zone names. The maximum length of a zone name is determined by
|
||||||
the setting of the LOGFORMAT option in <ulink
|
the setting of the LOGFORMAT option in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With the
|
||||||
default LOGFORMAT, zone names can be at most 5 characters
|
default LOGFORMAT, zone names can be at most 5 characters
|
||||||
long.</para>
|
long.</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
||||||
explained in <ulink
|
explained in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink> (5), the default
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5), the default
|
||||||
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
||||||
%s is replaced by the chain name and the second is replaced by the
|
%s is replaced by the chain name and the second is replaced by the
|
||||||
disposition.</para>
|
disposition.</para>
|
||||||
@ -97,7 +97,7 @@
|
|||||||
(sub)zone name by ":" and a comma-separated list of the parent
|
(sub)zone name by ":" and a comma-separated list of the parent
|
||||||
zones. The parent zones must have been declared in earlier records
|
zones. The parent zones must have been declared in earlier records
|
||||||
in this file. See <ulink
|
in this file. See <ulink
|
||||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||||
additional information.</para>
|
additional information.</para>
|
||||||
|
|
||||||
<para>Example:</para>
|
<para>Example:</para>
|
||||||
@ -110,7 +110,7 @@ c:a,b ipv4</programlisting>
|
|||||||
<para>Currently, Shorewall uses this information to reorder the zone
|
<para>Currently, Shorewall uses this information to reorder the zone
|
||||||
list so that parent zones appear after their subzones in the list.
|
list so that parent zones appear after their subzones in the list.
|
||||||
The IMPLICIT_CONTINUE option in <ulink
|
The IMPLICIT_CONTINUE option in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) can also create
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can also create
|
||||||
implicit CONTINUE policies to/from the subzone.</para>
|
implicit CONTINUE policies to/from the subzone.</para>
|
||||||
|
|
||||||
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
||||||
@ -137,7 +137,7 @@ c:a,b ipv4</programlisting>
|
|||||||
the column. Communication with some zone hosts may be
|
the column. Communication with some zone hosts may be
|
||||||
encrypted. Encrypted hosts are designated using the 'ipsec'
|
encrypted. Encrypted hosts are designated using the 'ipsec'
|
||||||
option in <ulink
|
option in <ulink
|
||||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
|
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -180,7 +180,7 @@ c:a,b ipv4</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
||||||
Linux-vserver guests. The zone contents must be defined in
|
Linux-vserver guests. The zone contents must be defined in
|
||||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink>
|
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>Vserver zones are implicitly handled as subzones of the
|
<para>Vserver zones are implicitly handled as subzones of the
|
||||||
@ -208,7 +208,7 @@ c:a,b ipv4</programlisting>
|
|||||||
$FW rules are defined, they are placed in a chain named
|
$FW rules are defined, they are placed in a chain named
|
||||||
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
|
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
|
||||||
depending on the ZONE2ZONE setting in <ulink
|
depending on the ZONE2ZONE setting in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -290,12 +290,12 @@ c:a,b ipv4</programlisting>
|
|||||||
<para>When specified in the IN_OPTIONS column, causes all
|
<para>When specified in the IN_OPTIONS column, causes all
|
||||||
traffic from this zone to be passed against the <emphasis
|
traffic from this zone to be passed against the <emphasis
|
||||||
role="bold">src</emphasis> entries in <ulink
|
role="bold">src</emphasis> entries in <ulink
|
||||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5).</para>
|
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5).</para>
|
||||||
|
|
||||||
<para>When specified in the OUT_OPTIONS column, causes all
|
<para>When specified in the OUT_OPTIONS column, causes all
|
||||||
traffic to this zone to be passed against the <emphasis
|
traffic to this zone to be passed against the <emphasis
|
||||||
role="bold">dst</emphasis> entries in s<ulink
|
role="bold">dst</emphasis> entries in s<ulink
|
||||||
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
url="/manpages/shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Specifying this option in the OPTIONS column is
|
<para>Specifying this option in the OPTIONS column is
|
||||||
equivalent to entering it in both of the IN_OPTIONS and
|
equivalent to entering it in both of the IN_OPTIONS and
|
||||||
@ -310,7 +310,7 @@ c:a,b ipv4</programlisting>
|
|||||||
<para>Added in Shorewall 4.5.9. May only be specified in the
|
<para>Added in Shorewall 4.5.9. May only be specified in the
|
||||||
OPTIONS column and indicates that only a single ipset should
|
OPTIONS column and indicates that only a single ipset should
|
||||||
be created for this zone if it has multiple dynamic entries in
|
be created for this zone if it has multiple dynamic entries in
|
||||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5).
|
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
|
||||||
Without this option, a separate ipset is created for each
|
Without this option, a separate ipset is created for each
|
||||||
interface.</para>
|
interface.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -354,7 +354,7 @@ c:a,b ipv4</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>sets the MSS field in TCP packets. If you supply this
|
<para>sets the MSS field in TCP packets. If you supply this
|
||||||
option, you should also set FASTACCEPT=No in <ulink
|
option, you should also set FASTACCEPT=No in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to insure
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to insure
|
||||||
that both the SYN and SYN,ACK packets have their MSS field
|
that both the SYN and SYN,ACK packets have their MSS field
|
||||||
adjusted.</para>
|
adjusted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -427,10 +427,10 @@ c:a,b ipv4</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -183,7 +183,7 @@
|
|||||||
<para>If you set the value of either option to "None" then no
|
<para>If you set the value of either option to "None" then no
|
||||||
default action will be used and the default action or macro must be
|
default action will be used and the default action or macro must be
|
||||||
specified in <ulink
|
specified in <ulink
|
||||||
url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
|
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5).</para>
|
||||||
|
|
||||||
<para>You can pass <replaceable>parameters</replaceable> to the
|
<para>You can pass <replaceable>parameters</replaceable> to the
|
||||||
specified action (e.g.,
|
specified action (e.g.,
|
||||||
@ -204,7 +204,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
|
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
|
||||||
is enabled (see <ulink
|
is enabled (see <ulink
|
||||||
url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
|
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
|
||||||
not specified or set to the empty value, ACCOUNTING=Yes is
|
not specified or set to the empty value, ACCOUNTING=Yes is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -219,7 +219,7 @@
|
|||||||
<para>Added in Shorewall 4.4.20. This setting determines which
|
<para>Added in Shorewall 4.4.20. This setting determines which
|
||||||
Netfilter table the accounting rules are added in. By default,
|
Netfilter table the accounting rules are added in. By default,
|
||||||
ACCOUNTING_TABLE=filter is assumed. See also <ulink
|
ACCOUNTING_TABLE=filter is assumed. See also <ulink
|
||||||
url="shorewall-accounting.html">shorewall-accounting</ulink>(5).</para>
|
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -230,7 +230,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter determines whether Shorewall automatically adds
|
<para>This parameter determines whether Shorewall automatically adds
|
||||||
the external address(es) in <ulink
|
the external address(es) in <ulink
|
||||||
url="shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
|
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
|
||||||
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||||
role="bold">yes</emphasis> then Shorewall automatically adds these
|
role="bold">yes</emphasis> then Shorewall automatically adds these
|
||||||
aliases. If it is set to <emphasis role="bold">No</emphasis> or
|
aliases. If it is set to <emphasis role="bold">No</emphasis> or
|
||||||
@ -256,7 +256,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter determines whether Shorewall automatically adds
|
<para>This parameter determines whether Shorewall automatically adds
|
||||||
the SNAT ADDRESS in <ulink
|
the SNAT ADDRESS in <ulink
|
||||||
url="shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
|
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
|
||||||
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||||
role="bold">yes</emphasis> then Shorewall automatically adds these
|
role="bold">yes</emphasis> then Shorewall automatically adds these
|
||||||
addresses. If it is set to <emphasis role="bold">No</emphasis> or
|
addresses. If it is set to <emphasis role="bold">No</emphasis> or
|
||||||
@ -283,10 +283,10 @@
|
|||||||
<para>The value of this variable affects Shorewall's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||||
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
|
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
|
||||||
in addition to traffic to/from addresses in <ulink
|
in addition to traffic to/from addresses in <ulink
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
|
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
|
||||||
connections that were active when Shorewall stopped continue to work
|
connections that were active when Shorewall stopped continue to work
|
||||||
and all new connections from the firewall system itself are allowed.
|
and all new connections from the firewall system itself are allowed.
|
||||||
If this variable is not set or is given the empty value then
|
If this variable is not set or is given the empty value then
|
||||||
@ -350,13 +350,13 @@
|
|||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Modify <ulink
|
<para>Modify <ulink
|
||||||
url="shorewall-conntrack.html">shorewall-conntrack</ulink>
|
url="/manpages/shorewall-conntrack.html">shorewall-conntrack</ulink>
|
||||||
(5) to only apply helpers where they are required; or</para>
|
(5) to only apply helpers where they are required; or</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the appropriate helper in the HELPER column in
|
<para>Specify the appropriate helper in the HELPER column in
|
||||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
<ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
@ -427,10 +427,10 @@
|
|||||||
|
|
||||||
<para>The BLACKLIST_DISPOSITION setting has no effect on entries in
|
<para>The BLACKLIST_DISPOSITION setting has no effect on entries in
|
||||||
the BLACKLIST section of <ulink
|
the BLACKLIST section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). It
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
|
||||||
determines the disposition of packets sent to the <emphasis
|
determines the disposition of packets sent to the <emphasis
|
||||||
role="bold">blacklog</emphasis> target of <ulink
|
role="bold">blacklog</emphasis> target of <ulink
|
||||||
url="shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
|
url="/manpages/shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -447,7 +447,7 @@
|
|||||||
hosts are not logged. The setting determines the log level of
|
hosts are not logged. The setting determines the log level of
|
||||||
packets sent to the <emphasis role="bold">blacklog</emphasis> target
|
packets sent to the <emphasis role="bold">blacklog</emphasis> target
|
||||||
of <ulink
|
of <ulink
|
||||||
url="shorewall-blrules.html">shorewall-blrules</ulink>(5).</para>
|
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -463,9 +463,9 @@
|
|||||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||||
connections and for packets in the INVALID connection state (such as
|
connections and for packets in the INVALID connection state (such as
|
||||||
TCP SYN,ACK when there has been no corresponding SYN). That includes
|
TCP SYN,ACK when there has been no corresponding SYN). That includes
|
||||||
entries in the <ulink url="???">shorewall-blrules</ulink> (5) file
|
entries in the <ulink url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) file
|
||||||
and in the BLACKLIST section of <ulink
|
and in the BLACKLIST section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||||
@ -534,7 +534,7 @@
|
|||||||
/etc/shorewall/tcstart file. That way, your traffic shaping rules
|
/etc/shorewall/tcstart file. That way, your traffic shaping rules
|
||||||
can still use the “fwmark” classifier based on packet marking
|
can still use the “fwmark” classifier based on packet marking
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
|
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
|
||||||
specified, CLEAR_TC=Yes is assumed.</para>
|
specified, CLEAR_TC=Yes is assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -669,7 +669,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Install, configure and start <ulink
|
<para>Install, configure and start <ulink
|
||||||
url="../IPv6Support.html">Shorewall6</ulink>.</para>
|
url="/IPv6Support.html">Shorewall6</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -789,7 +789,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
||||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||||
or RELATED sections of <ulink
|
or RELATED sections of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>FASTACCEPT=Yes is incompatible with
|
<para>FASTACCEPT=Yes is incompatible with
|
||||||
@ -820,7 +820,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
||||||
directory containing the <firstterm>GeoIP Match</firstterm>
|
directory containing the <firstterm>GeoIP Match</firstterm>
|
||||||
database. See <ulink
|
database. See <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
If not specified, the default value is
|
If not specified, the default value is
|
||||||
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
||||||
location of the little-endian database.</para>
|
location of the little-endian database.</para>
|
||||||
@ -907,7 +907,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
|
|
||||||
<para>Prior to version 3.2.0, it was not possible to use connection
|
<para>Prior to version 3.2.0, it was not possible to use connection
|
||||||
marking in <ulink
|
marking in <ulink
|
||||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
|
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
|
||||||
a multi-ISP configuration that uses the track option.</para>
|
a multi-ISP configuration that uses the track option.</para>
|
||||||
|
|
||||||
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
|
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
|
||||||
@ -990,11 +990,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
|
|
||||||
<para>Subzones are defined by following their name with ":" and a
|
<para>Subzones are defined by following their name with ":" and a
|
||||||
list of parent zones (in <ulink
|
list of parent zones (in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
|
||||||
you want to have a set of special rules for the subzone and if a
|
you want to have a set of special rules for the subzone and if a
|
||||||
connection doesn't match any of those subzone-specific rules then
|
connection doesn't match any of those subzone-specific rules then
|
||||||
you want the parent zone rules and policies to be applied; see
|
you want the parent zone rules and policies to be applied; see
|
||||||
<ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
|
<ulink url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
|
||||||
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
||||||
|
|
||||||
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
||||||
@ -1011,9 +1011,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||||
url="shorewall6-rules.html">shorewall-rules(5)</ulink>, a semicolon
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a semicolon
|
||||||
separates column-oriented specifications on the left from <ulink
|
separates column-oriented specifications on the left from <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
|
url="/configuration_file_basics.htm#Pairs">alternative
|
||||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||||
specified, the specifications on the right are interpreted as if
|
specified, the specifications on the right are interpreted as if
|
||||||
INLINE had been specified in the ACTION column. If not specified or
|
INLINE had been specified in the ACTION column. If not specified or
|
||||||
@ -1029,7 +1029,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||||
INVALID packets through the NEW section of <ulink
|
INVALID packets through the NEW section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
||||||
packet in INVALID state fails to match any rule in the INVALID
|
packet in INVALID state fails to match any rule in the INVALID
|
||||||
section, the packet is disposed of based on this setting. The
|
section, the packet is disposed of based on this setting. The
|
||||||
default value is CONTINUE for compatibility with earlier
|
default value is CONTINUE for compatibility with earlier
|
||||||
@ -1044,7 +1044,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
|
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
|
||||||
do not match any rule in the INVALID section of <ulink
|
do not match any rule in the INVALID section of <ulink
|
||||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
|
||||||
logged at this level. The default value is empty which means no
|
logged at this level. The default value is empty which means no
|
||||||
logging is performed.</para>
|
logging is performed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1117,7 +1117,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This option indicates that zone-related ipsec information is
|
<para>This option indicates that zone-related ipsec information is
|
||||||
found in the zones file (<ulink
|
found in the zones file (<ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)). The option
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). The option
|
||||||
indicates to the compiler that this is not a legacy configuration
|
indicates to the compiler that this is not a legacy configuration
|
||||||
where the ipsec information was contained in a separate file. The
|
where the ipsec information was contained in a separate file. The
|
||||||
value of this option must not be changed and the option must not be
|
value of this option must not be changed and the option must not be
|
||||||
@ -1255,7 +1255,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
you do not enable martian logging for all interfaces, you may still
|
you do not enable martian logging for all interfaces, you may still
|
||||||
enable it for individual interfaces using the <emphasis
|
enable it for individual interfaces using the <emphasis
|
||||||
role="bold">logmartians</emphasis> interface option in <ulink
|
role="bold">logmartians</emphasis> interface option in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||||
|
|
||||||
<para>The value <emphasis role="bold">Keep</emphasis> causes
|
<para>The value <emphasis role="bold">Keep</emphasis> causes
|
||||||
Shorewall to ignore the option. If the option is set to <emphasis
|
Shorewall to ignore the option. If the option is set to <emphasis
|
||||||
@ -1263,7 +1263,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
interfaces. If the option is set to <emphasis
|
interfaces. If the option is set to <emphasis
|
||||||
role="bold">No</emphasis>, then martian logging is disabled on all
|
role="bold">No</emphasis>, then martian logging is disabled on all
|
||||||
interfaces except those specified in <ulink
|
interfaces except those specified in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1351,7 +1351,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||||
If not assigned or if assigned an empty value, /var/log/messages is
|
If not assigned or if assigned an empty value, /var/log/messages is
|
||||||
assumed. For further information, see <ulink
|
assumed. For further information, see <ulink
|
||||||
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1378,7 +1378,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<note>
|
<note>
|
||||||
<para>The setting of LOGFORMAT has an effect of the permitted
|
<para>The setting of LOGFORMAT has an effect of the permitted
|
||||||
length of zone names. See <ulink
|
length of zone names. See <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1546,9 +1546,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The performance of configurations with a large numbers of
|
<para>The performance of configurations with a large numbers of
|
||||||
entries in <ulink
|
entries in <ulink
|
||||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
|
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
|
||||||
improved by setting the MACLIST_TTL variable in <ulink
|
improved by setting the MACLIST_TTL variable in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>If your iptables and kernel support the "Recent Match" (see
|
<para>If your iptables and kernel support the "Recent Match" (see
|
||||||
the output of "shorewall check" near the top), you can cache the
|
the output of "shorewall check" near the top), you can cache the
|
||||||
@ -1557,7 +1557,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
|
|
||||||
<para>When a new connection arrives from a 'maclist' interface, the
|
<para>When a new connection arrives from a 'maclist' interface, the
|
||||||
packet passes through then list of entries for that interface in
|
packet passes through then list of entries for that interface in
|
||||||
<ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
<ulink url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||||
there is a match then the source IP address is added to the 'Recent'
|
there is a match then the source IP address is added to the 'Recent'
|
||||||
set for that interface. Subsequent connection attempts from that IP
|
set for that interface. Subsequent connection attempts from that IP
|
||||||
address occurring within $MACLIST_TTL seconds will be accepted
|
address occurring within $MACLIST_TTL seconds will be accepted
|
||||||
@ -1763,7 +1763,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
|
|
||||||
<para>When combined with route filtering (ROUTE_FILTER=Yes or
|
<para>When combined with route filtering (ROUTE_FILTER=Yes or
|
||||||
<option>routefilter</option> in <ulink
|
<option>routefilter</option> in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)),
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)),
|
||||||
this option ensures that packets with an RFC1918 source address are
|
this option ensures that packets with an RFC1918 source address are
|
||||||
only accepted from interfaces having known routes to networks using
|
only accepted from interfaces having known routes to networks using
|
||||||
such addresses.</para>
|
such addresses.</para>
|
||||||
@ -1772,7 +1772,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<option>blackhole</option>, <option>unreachable</option> or
|
<option>blackhole</option>, <option>unreachable</option> or
|
||||||
<option>prohibit</option> to set the type of route to be created.
|
<option>prohibit</option> to set the type of route to be created.
|
||||||
See <ulink
|
See <ulink
|
||||||
url="http://www.shorewall.net/MultiISP.html#null_routing">http://www.shorewall.net/MultiISP.html#null_routing</ulink>.</para>
|
url="/MultiISP.html#null_routing">http://www.shorewall.net/MultiISP.html#null_routing</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1794,7 +1794,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Optimization category 1 - Traditionally, Shorewall has
|
<para>Optimization category 1 - Traditionally, Shorewall has
|
||||||
created rules for <ulink
|
created rules for <ulink
|
||||||
url="../ScalabilityAndPerformance.html">the complete matrix of
|
url="/ScalabilityAndPerformance.html">the complete matrix of
|
||||||
host groups defined by the zones, interfaces and hosts
|
host groups defined by the zones, interfaces and hosts
|
||||||
files</ulink>. Any traffic that didn't correspond to an element
|
files</ulink>. Any traffic that didn't correspond to an element
|
||||||
of that matrix was rejected in one of the built-in chains. When
|
of that matrix was rejected in one of the built-in chains. When
|
||||||
@ -2104,7 +2104,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
|
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
|
||||||
ACCEPTed RELATED packets that don't match any rule in the RELATED
|
ACCEPTed RELATED packets that don't match any rule in the RELATED
|
||||||
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
section of <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||||
(5). Concern about the safety of this practice resulted in the
|
(5). Concern about the safety of this practice resulted in the
|
||||||
addition of this option. When a packet in RELATED state fails to
|
addition of this option. When a packet in RELATED state fails to
|
||||||
match any rule in the RELATED section, the packet is disposed of
|
match any rule in the RELATED section, the packet is disposed of
|
||||||
@ -2120,7 +2120,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.27. Packets in the related state that
|
<para>Added in Shorewall 4.4.27. Packets in the related state that
|
||||||
do not match any rule in the RELATED section of <ulink
|
do not match any rule in the RELATED section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
||||||
this level. The default value is empty which means no logging is
|
this level. The default value is empty which means no logging is
|
||||||
performed.</para>
|
performed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2203,7 +2203,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
||||||
at least one optional interface must be up in order for the firewall
|
at least one optional interface must be up in order for the firewall
|
||||||
to be in the started state. Intended to be used with the <ulink
|
to be in the started state. Intended to be used with the <ulink
|
||||||
url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
|
url="/manpages/shorewall-init.html">Shorewall Init Package</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -2266,8 +2266,8 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
|
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
|
||||||
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
|
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
|
||||||
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
|
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
|
||||||
url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
|
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
|
||||||
url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
|
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) are processed
|
||||||
then are re-added later. This is done to help ensure that the
|
then are re-added later. This is done to help ensure that the
|
||||||
addresses can be added with the specified labels but can have the
|
addresses can be added with the specified labels but can have the
|
||||||
undesirable side effect of causing routes to be quietly deleted.
|
undesirable side effect of causing routes to be quietly deleted.
|
||||||
@ -2299,14 +2299,14 @@ INLINE - - - ; -j REJECT
|
|||||||
interfaces. If the option is set to <emphasis
|
interfaces. If the option is set to <emphasis
|
||||||
role="bold">No</emphasis>, then route filtering is disabled on all
|
role="bold">No</emphasis>, then route filtering is disabled on all
|
||||||
interfaces except those specified in <ulink
|
interfaces except those specified in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>If you need to disable route filtering on any interface,
|
<para>If you need to disable route filtering on any interface,
|
||||||
then you must set ROUTE_FILTER=No then set routefilter=1 or
|
then you must set ROUTE_FILTER=No then set routefilter=1 or
|
||||||
routefilter=2 on those interfaces where you want route filtering.
|
routefilter=2 on those interfaces where you want route filtering.
|
||||||
See <ulink
|
See <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
for additional details.</para>
|
for additional details.</para>
|
||||||
</important>
|
</important>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2321,7 +2321,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Added in Shorewall 4.5.7. Determines the disposition of
|
<para>Added in Shorewall 4.5.7. Determines the disposition of
|
||||||
packets entering from interfaces the <option>rpfilter</option>
|
packets entering from interfaces the <option>rpfilter</option>
|
||||||
option (see <ulink
|
option (see <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
|
||||||
Packets disposed of by this option are those whose response packets
|
Packets disposed of by this option are those whose response packets
|
||||||
would not be sent through the same interface receiving the
|
would not be sent through the same interface receiving the
|
||||||
packet.</para>
|
packet.</para>
|
||||||
@ -2374,7 +2374,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.20. Determines the disposition of
|
<para>Added in Shorewall 4.4.20. Determines the disposition of
|
||||||
packets matching the <option>sfilter</option> option (see <ulink
|
packets matching the <option>sfilter</option> option (see <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||||
of <firstterm>hairpin</firstterm> packets on interfaces without the
|
of <firstterm>hairpin</firstterm> packets on interfaces without the
|
||||||
<option>routeback</option> option.<footnote>
|
<option>routeback</option> option.<footnote>
|
||||||
<para>Hairpin packets are packets that are routed out of the
|
<para>Hairpin packets are packets that are routed out of the
|
||||||
@ -2390,7 +2390,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added on Shorewall 4.4.20. Determines the logging of packets
|
<para>Added on Shorewall 4.4.20. Determines the logging of packets
|
||||||
matching the <option>sfilter</option> option (see <ulink
|
matching the <option>sfilter</option> option (see <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||||
of <firstterm>hairpin</firstterm> packets on interfaces without the
|
of <firstterm>hairpin</firstterm> packets on interfaces without the
|
||||||
<option>routeback</option> option.<footnote>
|
<option>routeback</option> option.<footnote>
|
||||||
<para>Hairpin packets are packets that are routed out of the
|
<para>Hairpin packets are packets that are routed out of the
|
||||||
@ -2421,7 +2421,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.20. The default setting is DROP which
|
<para>Added in Shorewall 4.4.20. The default setting is DROP which
|
||||||
causes smurf packets (see the nosmurfs option in <ulink
|
causes smurf packets (see the nosmurfs option in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
|
||||||
be dropped. A_DROP causes the packets to be audited prior to being
|
be dropped. A_DROP causes the packets to be audited prior to being
|
||||||
dropped and requires AUDIT_TARGET support in the kernel and
|
dropped and requires AUDIT_TARGET support in the kernel and
|
||||||
iptables.</para>
|
iptables.</para>
|
||||||
@ -2435,7 +2435,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Specifies the logging level for smurf packets (see the
|
<para>Specifies the logging level for smurf packets (see the
|
||||||
nosmurfs option in <ulink
|
nosmurfs option in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
|
||||||
set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
|
set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
|
||||||
logged.</para>
|
logged.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2524,8 +2524,8 @@ INLINE - - - ; -j REJECT
|
|||||||
|
|
||||||
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
|
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
|
||||||
simple traffic shaping using <ulink
|
simple traffic shaping using <ulink
|
||||||
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
|
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
|
||||||
and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
|
and <ulink url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
|
||||||
enabled.</para>
|
enabled.</para>
|
||||||
|
|
||||||
<para>If you set TC_ENABLED=Internal or internal or leave the option
|
<para>If you set TC_ENABLED=Internal or internal or leave the option
|
||||||
@ -2552,7 +2552,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Normally, Shorewall tries to protect users from themselves by
|
<para>Normally, Shorewall tries to protect users from themselves by
|
||||||
preventing PREROUTING and OUTPUT tcrules from being applied to
|
preventing PREROUTING and OUTPUT tcrules from being applied to
|
||||||
packets that have been marked by the 'track' option in <ulink
|
packets that have been marked by the 'track' option in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
||||||
Shorewall will not include these cautionary checks.</para>
|
Shorewall will not include these cautionary checks.</para>
|
||||||
@ -2566,7 +2566,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
|
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
|
||||||
TOS field to priority bands. See <ulink
|
TOS field to priority bands. See <ulink
|
||||||
url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
|
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
|
||||||
<emphasis>map</emphasis> consists of 16 space-separated digits with
|
<emphasis>map</emphasis> consists of 16 space-separated digits with
|
||||||
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
|
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
|
||||||
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
|
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
|
||||||
@ -2589,7 +2589,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Determines the disposition of TCP packets that fail the checks
|
<para>Determines the disposition of TCP packets that fail the checks
|
||||||
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
|
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
|
||||||
option (see <ulink
|
option (see <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||||
must have a value of ACCEPT (accept the packet), REJECT (send an RST
|
must have a value of ACCEPT (accept the packet), REJECT (send an RST
|
||||||
response) or DROP (ignore the packet). If not set or if set to the
|
response) or DROP (ignore the packet). If not set or if set to the
|
||||||
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
|
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
|
||||||
@ -2621,13 +2621,13 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
|
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
|
||||||
<option>track</option> option to be assumed on all providers defined
|
<option>track</option> option to be assumed on all providers defined
|
||||||
in <ulink
|
in <ulink
|
||||||
url="shorewall-providers.html">shorewall-providers</ulink>(5). May
|
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5). May
|
||||||
be overridden on an individual provider through use of the
|
be overridden on an individual provider through use of the
|
||||||
<option>notrack</option> option. The default value is 'No'.</para>
|
<option>notrack</option> option. The default value is 'No'.</para>
|
||||||
|
|
||||||
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
|
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
|
||||||
also simplifies PREROUTING rules in <ulink
|
also simplifies PREROUTING rules in <ulink
|
||||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
||||||
Previously, when TC_EXPERT=No, packets arriving through 'tracked'
|
Previously, when TC_EXPERT=No, packets arriving through 'tracked'
|
||||||
provider interfaces were unconditionally passed to the PREROUTING
|
provider interfaces were unconditionally passed to the PREROUTING
|
||||||
tcrules. This was done so that tcrules could reset the packet mark
|
tcrules. This was done so that tcrules could reset the packet mark
|
||||||
@ -2669,7 +2669,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||||
UNTRACKED packets through the NEW section of <ulink
|
UNTRACKED packets through the NEW section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
||||||
packet in UNTRACKED state fails to match any rule in the UNTRACKED
|
packet in UNTRACKED state fails to match any rule in the UNTRACKED
|
||||||
section, the packet is disposed of based on this setting. The
|
section, the packet is disposed of based on this setting. The
|
||||||
default value is CONTINUE for compatibility with earlier
|
default value is CONTINUE for compatibility with earlier
|
||||||
@ -2684,7 +2684,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
|
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
|
||||||
do not match any rule in the UNTRACKED section of <ulink
|
do not match any rule in the UNTRACKED section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
||||||
this level. The default value is empty which means no logging is
|
this level. The default value is empty which means no logging is
|
||||||
performed.</para>
|
performed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2708,7 +2708,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Both the DUPLICATE and the COPY columns in <ulink
|
<para>Both the DUPLICATE and the COPY columns in <ulink
|
||||||
url="shorewall-providers.html">providers</ulink>(5) file must
|
url="/manpages/shorewall-providers.html">providers</ulink>(5) file must
|
||||||
remain empty (or contain "-").</para>
|
remain empty (or contain "-").</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -2725,7 +2725,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets are sent through the main routing table by a rule
|
<para>Packets are sent through the main routing table by a rule
|
||||||
with priority 999. In <ulink
|
with priority 999. In <ulink
|
||||||
url="shorewall-routing_rules.html">routing_rules</ulink>(5), the
|
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5), the
|
||||||
range 1-998 may be used for inserting rules that bypass the main
|
range 1-998 may be used for inserting rules that bypass the main
|
||||||
table.</para>
|
table.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -730,7 +730,7 @@
|
|||||||
|
|
||||||
<para>The <option>trace</option> and <option>debug</option> options are
|
<para>The <option>trace</option> and <option>debug</option> options are
|
||||||
used for debugging. See <ulink
|
used for debugging. See <ulink
|
||||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
||||||
|
|
||||||
<para>The nolock <option>option</option> prevents the command from
|
<para>The nolock <option>option</option> prevents the command from
|
||||||
attempting to acquire the Shorewall lockfile. It is useful if you need to
|
attempting to acquire the Shorewall lockfile. It is useful if you need to
|
||||||
@ -742,7 +742,7 @@
|
|||||||
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
||||||
options are omitted, the amount of output is determined by the setting of
|
options are omitted, the amount of output is determined by the setting of
|
||||||
the VERBOSITY parameter in <ulink
|
the VERBOSITY parameter in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
|
||||||
role="bold">v</emphasis> adds one to the effective verbosity and each
|
role="bold">v</emphasis> adds one to the effective verbosity and each
|
||||||
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
||||||
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
|
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
|
||||||
@ -770,7 +770,7 @@
|
|||||||
|
|
||||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||||
defined in the <ulink
|
defined in the <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||||
elements are host or network addresses.<caution>
|
elements are host or network addresses.<caution>
|
||||||
<para>The <command>add</command> command is not very robust. If
|
<para>The <command>add</command> command is not very robust. If
|
||||||
@ -784,7 +784,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
||||||
single ipset to handle entries for multiple interfaces. When that
|
single ipset to handle entries for multiple interfaces. When that
|
||||||
option is specified for a zone, the <command>add</command> command
|
option is specified for a zone, the <command>add</command> command
|
||||||
has the alternative syntax in which the
|
has the alternative syntax in which the
|
||||||
@ -839,7 +839,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -912,7 +912,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -925,13 +925,13 @@
|
|||||||
|
|
||||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||||
defined in the <ulink
|
defined in the <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||||
elements are a host or network address.</para>
|
elements are a host or network address.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
||||||
single ipset to handle entries for multiple interfaces. When that
|
single ipset to handle entries for multiple interfaces. When that
|
||||||
option is specified for a zone, the <command>delete</command>
|
option is specified for a zone, the <command>delete</command>
|
||||||
command has the alternative syntax in which the
|
command has the alternative syntax in which the
|
||||||
@ -954,7 +954,7 @@
|
|||||||
any optional network interface. <replaceable>interface</replaceable>
|
any optional network interface. <replaceable>interface</replaceable>
|
||||||
may be either the logical or physical name of the interface. The
|
may be either the logical or physical name of the interface. The
|
||||||
command removes any routes added from <ulink
|
command removes any routes added from <ulink
|
||||||
url="shorewall-routes.html">shorewall-routes</ulink>(5) and any
|
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and any
|
||||||
traffic shaping configuration for the interface.</para>
|
traffic shaping configuration for the interface.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1001,7 +1001,7 @@
|
|||||||
may be either the logical or physical name of the interface. The
|
may be either the logical or physical name of the interface. The
|
||||||
command sets <filename>/proc</filename> entries for the interface,
|
command sets <filename>/proc</filename> entries for the interface,
|
||||||
adds any route specified in <ulink
|
adds any route specified in <ulink
|
||||||
url="shorewall-routes.html">shorewall-routes</ulink>(5) and installs
|
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and installs
|
||||||
the interface's traffic shaping configuration, if any.</para>
|
the interface's traffic shaping configuration, if any.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1037,7 +1037,7 @@
|
|||||||
<para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
|
<para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
|
||||||
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
|
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
|
||||||
given then the file specified by RESTOREFILE in <ulink
|
given then the file specified by RESTOREFILE in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) is
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1148,7 +1148,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1159,7 +1159,7 @@
|
|||||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||||
to be logged then discarded. Logging occurs at the log level
|
to be logged then discarded. Logging occurs at the log level
|
||||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1168,7 +1168,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Monitors the log file specified by the LOGFILE option in
|
<para>Monitors the log file specified by the LOGFILE option in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||||
produces an audible alarm when new Shorewall messages are logged.
|
produces an audible alarm when new Shorewall messages are logged.
|
||||||
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
||||||
address of each packet source to be displayed if that information is
|
address of each packet source to be displayed if that information is
|
||||||
@ -1188,7 +1188,7 @@
|
|||||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||||
to be logged then rejected. Logging occurs at the log level
|
to be logged then rejected. Logging occurs at the log level
|
||||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1238,7 +1238,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
||||||
and causes Shorewall to look in the given
|
and causes Shorewall to look in the given
|
||||||
@ -1306,7 +1306,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1348,7 +1348,7 @@
|
|||||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||||
and performs the compilation step unconditionally, overriding the
|
and performs the compilation step unconditionally, overriding the
|
||||||
AUTOMAKE setting in <ulink
|
AUTOMAKE setting in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
||||||
<option>-f</option> and <option>-c</option>are present, the result
|
<option>-f</option> and <option>-c</option>are present, the result
|
||||||
is determined by the option that appears last.</para>
|
is determined by the option that appears last.</para>
|
||||||
|
|
||||||
@ -1360,7 +1360,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1375,7 +1375,7 @@
|
|||||||
role="bold">shorewall save</emphasis>; if no
|
role="bold">shorewall save</emphasis>; if no
|
||||||
<emphasis>filename</emphasis> is given then Shorewall will be
|
<emphasis>filename</emphasis> is given then Shorewall will be
|
||||||
restored from the file specified by the RESTOREFILE option in <ulink
|
restored from the file specified by the RESTOREFILE option in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1437,7 +1437,7 @@
|
|||||||
role="bold">shorewall -f start</emphasis> commands. If
|
role="bold">shorewall -f start</emphasis> commands. If
|
||||||
<emphasis>filename</emphasis> is not given then the state is saved
|
<emphasis>filename</emphasis> is not given then the state is saved
|
||||||
in the file specified by the RESTOREFILE option in <ulink
|
in the file specified by the RESTOREFILE option in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1564,7 +1564,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.17. Displays the per-IP
|
<para>Added in Shorewall 4.4.17. Displays the per-IP
|
||||||
accounting counters (<ulink
|
accounting counters (<ulink
|
||||||
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
|
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1575,7 +1575,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Displays the last 20 Shorewall messages from the log
|
<para>Displays the last 20 Shorewall messages from the log
|
||||||
file specified by the LOGFILE option in <ulink
|
file specified by the LOGFILE option in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). The
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
|
||||||
<emphasis role="bold">-m</emphasis> option causes the MAC
|
<emphasis role="bold">-m</emphasis> option causes the MAC
|
||||||
address of each packet source to be displayed if that
|
address of each packet source to be displayed if that
|
||||||
information is available.</para>
|
information is available.</para>
|
||||||
@ -1690,14 +1690,14 @@
|
|||||||
Shorewall will look in that <emphasis>directory</emphasis> first for
|
Shorewall will look in that <emphasis>directory</emphasis> first for
|
||||||
configuration files. If <emphasis role="bold">-f</emphasis> is
|
configuration files. If <emphasis role="bold">-f</emphasis> is
|
||||||
specified, the saved configuration specified by the RESTOREFILE
|
specified, the saved configuration specified by the RESTOREFILE
|
||||||
option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
option in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||||
will be restored if that saved configuration exists and has been
|
will be restored if that saved configuration exists and has been
|
||||||
modified more recently than the files in /etc/shorewall. When
|
modified more recently than the files in /etc/shorewall. When
|
||||||
<emphasis role="bold">-f</emphasis> is given, a
|
<emphasis role="bold">-f</emphasis> is given, a
|
||||||
<replaceable>directory</replaceable> may not be specified.</para>
|
<replaceable>directory</replaceable> may not be specified.</para>
|
||||||
|
|
||||||
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
|
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
|
||||||
added to <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).
|
added to <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||||
When LEGACY_FASTSTART=No, the modification times of files in
|
When LEGACY_FASTSTART=No, the modification times of files in
|
||||||
/etc/shorewall are compared with that of /var/lib/shorewall/firewall
|
/etc/shorewall are compared with that of /var/lib/shorewall/firewall
|
||||||
(the compiled script that last started/restarted the
|
(the compiled script that last started/restarted the
|
||||||
@ -1713,7 +1713,7 @@
|
|||||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||||
and performs the compilation step unconditionally, overriding the
|
and performs the compilation step unconditionally, overriding the
|
||||||
AUTOMAKE setting in <ulink
|
AUTOMAKE setting in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
||||||
<option>-f</option> and <option>-c</option>are present, the result
|
<option>-f</option> and <option>-c</option>are present, the result
|
||||||
is determined by the option that appears last.</para>
|
is determined by the option that appears last.</para>
|
||||||
|
|
||||||
@ -1725,7 +1725,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1735,12 +1735,12 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Stops the firewall. All existing connections, except those
|
<para>Stops the firewall. All existing connections, except those
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||||
or permitted by the ADMINISABSENTMINDED option in <ulink
|
or permitted by the ADMINISABSENTMINDED option in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
|
||||||
The only new traffic permitted through the firewall is from systems
|
The only new traffic permitted through the firewall is from systems
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||||
or by ADMINISABSENTMINDED.</para>
|
or by ADMINISABSENTMINDED.</para>
|
||||||
|
|
||||||
<para>If <option>-f</option> is given, the command will be processed
|
<para>If <option>-f</option> is given, the command will be processed
|
||||||
@ -1814,13 +1814,13 @@
|
|||||||
|
|
||||||
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||||
and causes legacy blacklisting rules (<ulink
|
and causes legacy blacklisting rules (<ulink
|
||||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
||||||
be converted to entries in the blrules file (<ulink
|
be converted to entries in the blrules file (<ulink
|
||||||
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
||||||
blacklist keyword is removed from <ulink
|
blacklist keyword is removed from <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
||||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
||||||
unmodified files are saved with a .bak suffix.</para>
|
unmodified files are saved with a .bak suffix.</para>
|
||||||
|
|
||||||
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
|
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
|
||||||
@ -1834,7 +1834,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>For a description of the other options, see the <emphasis
|
<para>For a description of the other options, see the <emphasis
|
||||||
role="bold">check</emphasis> command above.</para>
|
role="bold">check</emphasis> command above.</para>
|
||||||
@ -1880,7 +1880,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||||
|
|
||||||
<para>shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -50,7 +50,7 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>The new structure is enabled by sectioning the accounting file in a
|
<para>The new structure is enabled by sectioning the accounting file in a
|
||||||
manner similar to the <ulink url="manpages/shorewall-rules.html">rules
|
manner similar to the <ulink url="/manpages6/shorewall6-rules.html">rules
|
||||||
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
|
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
|
||||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
||||||
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
||||||
@ -824,14 +824,14 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
|
url="/Accounting.html">http://www.shorewall.net/Accounting.html
|
||||||
</ulink></para>
|
</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>This file allows you to define new ACTIONS for use in rules (see
|
<para>This file allows you to define new ACTIONS for use in rules (see
|
||||||
<ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink>). You define
|
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You define
|
||||||
the ip6tables rules to be performed in an ACTION in
|
the ip6tables rules to be performed in an ACTION in
|
||||||
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
|
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
|
||||||
|
|
||||||
@ -58,7 +58,7 @@
|
|||||||
target that is supported by your ip6tables but is not directly
|
target that is supported by your ip6tables but is not directly
|
||||||
supported by Shorewall. The action may be used as the rule
|
supported by Shorewall. The action may be used as the rule
|
||||||
target in an INLINE rule in <ulink
|
target in an INLINE rule in <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
|
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
|
||||||
in which the <emphasis role="bold">builtin</emphasis> can be
|
in which the <emphasis role="bold">builtin</emphasis> can be
|
||||||
@ -146,7 +146,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
|
url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
<para>The blacklist file is used to perform static blacklisting by source
|
<para>The blacklist file is used to perform static blacklisting by source
|
||||||
address (IP or MAC), or by application. The use of this file is deprecated
|
address (IP or MAC), or by application. The use of this file is deprecated
|
||||||
in favor of <ulink
|
in favor of <ulink
|
||||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
|
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
|
||||||
with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
|
with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
|
||||||
blacklist files can be converted to a corresponding blrules file using the
|
blacklist files can be converted to a corresponding blrules file using the
|
||||||
<command>shorewall6 update -b</command> command.</para>
|
<command>shorewall6 update -b</command> command.</para>
|
||||||
@ -47,7 +47,7 @@
|
|||||||
(if your kernel and ip6tables contain iprange match support) or
|
(if your kernel and ip6tables contain iprange match support) or
|
||||||
ipset name prefaced by "+" (if your kernel supports ipset match).
|
ipset name prefaced by "+" (if your kernel supports ipset match).
|
||||||
Exclusion (<ulink
|
Exclusion (<ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
|
||||||
supported.</para>
|
supported.</para>
|
||||||
|
|
||||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||||
@ -101,7 +101,7 @@
|
|||||||
interface that has the 'blacklist' option set. So to block traffic
|
interface that has the 'blacklist' option set. So to block traffic
|
||||||
from your local network to an internet host, you had to specify
|
from your local network to an internet host, you had to specify
|
||||||
<option>blacklist</option> on your internal interface in <ulink
|
<option>blacklist</option> on your internal interface in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
@ -109,7 +109,7 @@
|
|||||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5):</para>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5):</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -145,12 +145,12 @@
|
|||||||
|
|
||||||
<para>When a packet arrives on an interface that has the <emphasis
|
<para>When a packet arrives on an interface that has the <emphasis
|
||||||
role="bold">blacklist</emphasis> option specified in <ulink
|
role="bold">blacklist</emphasis> option specified in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5), its
|
||||||
source IP address and MAC address is checked against this file and
|
source IP address and MAC address is checked against this file and
|
||||||
disposed of according to the <emphasis
|
disposed of according to the <emphasis
|
||||||
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
||||||
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If <emphasis
|
||||||
role="bold">PROTOCOL</emphasis> or <emphasis
|
role="bold">PROTOCOL</emphasis> or <emphasis
|
||||||
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
||||||
are supplied, only packets matching the protocol (and one of the ports if
|
are supplied, only packets matching the protocol (and one of the ports if
|
||||||
@ -197,10 +197,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -28,13 +28,13 @@
|
|||||||
|
|
||||||
<para>Rules in this file are applied depending on the setting of
|
<para>Rules in this file are applied depending on the setting of
|
||||||
BLACKLISTNEWONLY in <ulink
|
BLACKLISTNEWONLY in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||||
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
||||||
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
||||||
connections in the NEW and INVALID states.</para>
|
connections in the NEW and INVALID states.</para>
|
||||||
|
|
||||||
<para>The format of rules in this file is the same as the format of rules
|
<para>The format of rules in this file is the same as the format of rules
|
||||||
in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The
|
in <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
|
||||||
difference in the two files lies in the ACTION (first) column.</para>
|
difference in the two files lies in the ACTION (first) column.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
@ -70,7 +70,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5),
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
|
||||||
then the macro expands to <emphasis
|
then the macro expands to <emphasis
|
||||||
role="bold">blacklog</emphasis>.</para>
|
role="bold">blacklog</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -78,7 +78,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Otherwise it expands to the action specified for
|
<para>Otherwise it expands to the action specified for
|
||||||
BLACKLIST_DISPOSITION in <ulink
|
BLACKLIST_DISPOSITION in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -89,10 +89,10 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf </ulink>(5).
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf </ulink>(5).
|
||||||
Logs, audits (if specified) and applies the
|
Logs, audits (if specified) and applies the
|
||||||
BLACKLIST_DISPOSITION specified in <ulink
|
BLACKLIST_DISPOSITION specified in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -167,7 +167,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>queues matching packets to a back end logging daemon via
|
<para>queues matching packets to a back end logging daemon via
|
||||||
a netlink socket then continues to the next rule. See <ulink
|
a netlink socket then continues to the next rule. See <ulink
|
||||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -206,7 +206,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an <emphasis>action</emphasis> declared in
|
<para>The name of an <emphasis>action</emphasis> declared in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||||
in /usr/share/shorewall6/actions.std.</para>
|
in /usr/share/shorewall6/actions.std.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -238,7 +238,7 @@
|
|||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
<emphasis>action</emphasis> declared in <ulink
|
<emphasis>action</emphasis> declared in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
||||||
/usr/share/shorewall6/actions.std then:</para>
|
/usr/share/shorewall6/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -268,13 +268,13 @@
|
|||||||
<para>Actions specifying logging may be followed by a log tag (a
|
<para>Actions specifying logging may be followed by a log tag (a
|
||||||
string of alphanumeric characters) which is appended to the string
|
string of alphanumeric characters) which is appended to the string
|
||||||
generated by the LOGPREFIX (in <ulink
|
generated by the LOGPREFIX (in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>For the remaining columns, see <ulink
|
<para>For the remaining columns, see <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
@ -314,10 +314,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -266,7 +266,7 @@
|
|||||||
|
|
||||||
<para>This error message may be eliminated by adding
|
<para>This error message may be eliminated by adding
|
||||||
<replaceable>target</replaceable> as a builtin action in <ulink
|
<replaceable>target</replaceable> as a builtin action in <ulink
|
||||||
url="manpages/shorewall-actions.html">shorewall6-actions(5)</ulink>.</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -336,7 +336,7 @@
|
|||||||
<replaceable>interface</replaceable> is an interface to that zone,
|
<replaceable>interface</replaceable> is an interface to that zone,
|
||||||
and <replaceable>address-list</replaceable> is a comma-separated
|
and <replaceable>address-list</replaceable> is a comma-separated
|
||||||
list of addresses (may contain exclusion - see <ulink
|
list of addresses (may contain exclusion - see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
||||||
@ -357,7 +357,7 @@
|
|||||||
<para>Where <replaceable>interface</replaceable> is an interface to
|
<para>Where <replaceable>interface</replaceable> is an interface to
|
||||||
that zone, and <replaceable>address-list</replaceable> is a
|
that zone, and <replaceable>address-list</replaceable> is a
|
||||||
comma-separated list of addresses (may contain exclusion - see
|
comma-separated list of addresses (may contain exclusion - see
|
||||||
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
|
|
||||||
<para>COMMENT is only allowed in format 1; the remainder of the line
|
<para>COMMENT is only allowed in format 1; the remainder of the line
|
||||||
@ -373,7 +373,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>address-list</replaceable> is a
|
<para>where <replaceable>address-list</replaceable> is a
|
||||||
comma-separated list of addresses (may contain exclusion - see
|
comma-separated list of addresses (may contain exclusion - see
|
||||||
<ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
|
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||||
(5)).</para>
|
(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -524,7 +524,7 @@ DROP:PO - 2001:1.2.3::4
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
|
|
||||||
<para>The order of entries in this file is not significant in determining
|
<para>The order of entries in this file is not significant in determining
|
||||||
zone composition. Rather, the order that the zones are declared in <ulink
|
zone composition. Rather, the order that the zones are declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5) determines the
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) determines the
|
||||||
order in which the records in this file are interpreted.</para>
|
order in which the records in this file are interpreted.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
@ -39,7 +39,7 @@
|
|||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you have an entry for a zone and interface in <ulink
|
<para>If you have an entry for a zone and interface in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5) then do
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) then do
|
||||||
not include any entries in this file for that same (zone, interface)
|
not include any entries in this file for that same (zone, interface)
|
||||||
pair.</para>
|
pair.</para>
|
||||||
</warning>
|
</warning>
|
||||||
@ -55,7 +55,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a zone declared in <ulink
|
<para>The name of a zone declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5). You may not
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). You may not
|
||||||
list the firewall zone in this column.</para>
|
list the firewall zone in this column.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -68,7 +68,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an interface defined in the <ulink
|
<para>The name of an interface defined in the <ulink
|
||||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
file followed by a colon (":") and a comma-separated list whose
|
file followed by a colon (":") and a comma-separated list whose
|
||||||
elements are either:</para>
|
elements are either:</para>
|
||||||
|
|
||||||
@ -105,7 +105,7 @@
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para>You may also exclude certain hosts through use of an
|
<para>You may also exclude certain hosts through use of an
|
||||||
<emphasis>exclusion</emphasis> (see <ulink
|
<emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -125,7 +125,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Check packets arriving on this port against the <ulink
|
<para>Check packets arriving on this port against the <ulink
|
||||||
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
|
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -137,7 +137,7 @@
|
|||||||
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
||||||
that if the zone named in the ZONE column is specified as an
|
that if the zone named in the ZONE column is specified as an
|
||||||
IPSEC zone in the <ulink
|
IPSEC zone in the <ulink
|
||||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5) file
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) file
|
||||||
then you do NOT need to specify the 'ipsec' option
|
then you do NOT need to specify the 'ipsec' option
|
||||||
here.</para>
|
here.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -195,7 +195,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -71,7 +71,7 @@
|
|||||||
zone in this column.</para>
|
zone in this column.</para>
|
||||||
|
|
||||||
<para>If the interface serves multiple zones that will be defined in
|
<para>If the interface serves multiple zones that will be defined in
|
||||||
the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
the <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
||||||
file, you should place "-" in this column.</para>
|
file, you should place "-" in this column.</para>
|
||||||
|
|
||||||
<para>If there are multiple interfaces to the same zone, you must
|
<para>If there are multiple interfaces to the same zone, you must
|
||||||
@ -88,7 +88,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
|
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
|
||||||
'lo' interface, then that zone must be defined as type
|
'lo' interface, then that zone must be defined as type
|
||||||
<option>local</option> in <ulink
|
<option>local</option> in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -102,7 +102,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>Logical name of interface. Each interface may be listed only
|
<para>Logical name of interface. Each interface may be listed only
|
||||||
once in this file. You may NOT specify the name of a "virtual"
|
once in this file. You may NOT specify the name of a "virtual"
|
||||||
interface (e.g., eth0:0) here; see <ulink
|
interface (e.g., eth0:0) here; see <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
||||||
If the <option>physical</option> option is not specified, then the
|
If the <option>physical</option> option is not specified, then the
|
||||||
logical name is also the name of the actual interface.</para>
|
logical name is also the name of the actual interface.</para>
|
||||||
|
|
||||||
@ -115,7 +115,7 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>Care must be exercised when using wildcards where there is
|
<para>Care must be exercised when using wildcards where there is
|
||||||
another zone that uses a matching specific interface. See <ulink
|
another zone that uses a matching specific interface. See <ulink
|
||||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
|
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
|
||||||
discussion of this problem.</para>
|
discussion of this problem.</para>
|
||||||
|
|
||||||
<para>Shorewall6 allows '+' as an interface name.</para>
|
<para>Shorewall6 allows '+' as an interface name.</para>
|
||||||
@ -199,7 +199,7 @@ loc eth2 -</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Check packets arriving on this interface against the
|
<para>Check packets arriving on this interface against the
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.13:</para>
|
<para>Beginning with Shorewall 4.4.13:</para>
|
||||||
@ -210,7 +210,7 @@ loc eth2 -</programlisting>
|
|||||||
ZONES column, then the behavior is as if <emphasis
|
ZONES column, then the behavior is as if <emphasis
|
||||||
role="bold">blacklist</emphasis> had been specified in the
|
role="bold">blacklist</emphasis> had been specified in the
|
||||||
IN_OPTIONS column of <ulink
|
IN_OPTIONS column of <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -270,16 +270,16 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>the interface is a <ulink
|
<para>the interface is a <ulink
|
||||||
url="../SimpleBridge.html">simple bridge</ulink> with a
|
url="/SimpleBridge.html">simple bridge</ulink> with a
|
||||||
DHCP server on one port and DHCP clients on another
|
DHCP server on one port and DHCP clients on another
|
||||||
port.</para>
|
port.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>If you use <ulink
|
<para>If you use <ulink
|
||||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
url="/bridge-Shorewall-perl.html">Shorewall-perl for
|
||||||
firewall/bridging</ulink>, then you need to include
|
firewall/bridging</ulink>, then you need to include
|
||||||
DHCP-specific rules in <ulink
|
DHCP-specific rules in <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink>(8).
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||||
DHCP uses UDP ports 546 and 547.</para>
|
DHCP uses UDP ports 546 and 547.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -349,7 +349,7 @@ loc eth2 -</programlisting>
|
|||||||
<para>Added in Shorewall 4.4.21. Defines the zone as
|
<para>Added in Shorewall 4.4.21. Defines the zone as
|
||||||
<firstterm>dynamic</firstterm>. Requires ipset match support
|
<firstterm>dynamic</firstterm>. Requires ipset match support
|
||||||
in your iptables and kernel. See <ulink
|
in your iptables and kernel. See <ulink
|
||||||
url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
url="/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
||||||
for further information.</para>
|
for further information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -389,7 +389,7 @@ loc eth2 -</programlisting>
|
|||||||
refers to the name given in this option. It is useful when you
|
refers to the name given in this option. It is useful when you
|
||||||
want to specify the same wildcard port name on two or more
|
want to specify the same wildcard port name on two or more
|
||||||
bridges. See <ulink
|
bridges. See <ulink
|
||||||
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
||||||
|
|
||||||
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
||||||
name (ends with '+'), then the physical
|
name (ends with '+'), then the physical
|
||||||
@ -627,7 +627,7 @@ dmz eth2 -</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
||||||
|
@ -76,7 +76,7 @@
|
|||||||
specified, matching packets must match all of the listed sets.</para>
|
specified, matching packets must match all of the listed sets.</para>
|
||||||
|
|
||||||
<para>For information about set lists and exclusion, see <ulink
|
<para>For information about set lists and exclusion, see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||||
|
@ -27,8 +27,8 @@
|
|||||||
associated IPv6 addresses to be allowed to use the specified interface.
|
associated IPv6 addresses to be allowed to use the specified interface.
|
||||||
The feature is enabled by using the <emphasis
|
The feature is enabled by using the <emphasis
|
||||||
role="bold">maclist</emphasis> option in the <ulink
|
role="bold">maclist</emphasis> option in the <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
|
||||||
<ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
||||||
configuration file.</para>
|
configuration file.</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
@ -43,7 +43,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
||||||
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
|
||||||
is also allowed). If specified, the
|
is also allowed). If specified, the
|
||||||
<replaceable>log-level</replaceable> causes packets matching the
|
<replaceable>log-level</replaceable> causes packets matching the
|
||||||
rule to be logged at that level.</para>
|
rule to be logged at that level.</para>
|
||||||
@ -99,10 +99,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
|
url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -25,13 +25,13 @@
|
|||||||
|
|
||||||
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
||||||
replace <ulink
|
replace <ulink
|
||||||
url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
|
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
|
||||||
only processed by the compiler if:</para>
|
only processed by the compiler if:</para>
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
||||||
<ulink url="shorewall.conf.html">shorewall6.conf(5)</ulink>);
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
|
||||||
or</para>
|
or</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -46,14 +46,14 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Unlike rules in the <ulink
|
<para>Unlike rules in the <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||||
of rules in this file will continue after a match. So the final mark for
|
of rules in this file will continue after a match. So the final mark for
|
||||||
each packet will be the one assigned by the LAST tcrule that
|
each packet will be the one assigned by the LAST tcrule that
|
||||||
matches.</para>
|
matches.</para>
|
||||||
|
|
||||||
<para>If you use multiple internet providers with the 'track' option, in
|
<para>If you use multiple internet providers with the 'track' option, in
|
||||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The columns in the file are as follows (where the column name is
|
<para>The columns in the file are as follows (where the column name is
|
||||||
@ -106,7 +106,7 @@
|
|||||||
<para>Unless otherwise specified for the particular
|
<para>Unless otherwise specified for the particular
|
||||||
<replaceable>command</replaceable>, the default chain is PREROUTING
|
<replaceable>command</replaceable>, the default chain is PREROUTING
|
||||||
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
|
||||||
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||||
|
|
||||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||||
@ -161,11 +161,11 @@
|
|||||||
<para>When using Shorewall's built-in traffic shaping tool,
|
<para>When using Shorewall's built-in traffic shaping tool,
|
||||||
the <emphasis>major</emphasis> class is the device number (the
|
the <emphasis>major</emphasis> class is the device number (the
|
||||||
first device in <ulink
|
first device in <ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||||
is major class 1, the second device is major class 2, and so
|
is major class 1, the second device is major class 2, and so
|
||||||
on) and the <emphasis>minor</emphasis> class is the class's
|
on) and the <emphasis>minor</emphasis> class is the class's
|
||||||
MARK value in <ulink
|
MARK value in <ulink
|
||||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
||||||
preceded by the number 1 (MARK 1 corresponds to minor class
|
preceded by the number 1 (MARK 1 corresponds to minor class
|
||||||
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
|
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
|
||||||
to minor class 122, etc.).</para>
|
to minor class 122, etc.).</para>
|
||||||
@ -299,7 +299,7 @@
|
|||||||
specified at the end of the rule. If the target is not one
|
specified at the end of the rule. If the target is not one
|
||||||
known to Shorewall, then it must be defined as a builtin
|
known to Shorewall, then it must be defined as a builtin
|
||||||
action in <ulink
|
action in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The following rules are equivalent:</para>
|
<para>The following rules are equivalent:</para>
|
||||||
@ -312,7 +312,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
|
||||||
third rule above can be specified as follows:</para>
|
third rule above can be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||||
@ -445,7 +445,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
<para>This error message may be eliminated by adding the
|
<para>This error message may be eliminated by adding the
|
||||||
<replaceable>target</replaceable> as a builtin action in
|
<replaceable>target</replaceable> as a builtin action in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -487,7 +487,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
|||||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||||
equal proportions. If no mask is specified, then ( 2 **
|
equal proportions. If no mask is specified, then ( 2 **
|
||||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -588,7 +588,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Transparently redirects a packet without altering the IP
|
<para>Transparently redirects a packet without altering the IP
|
||||||
header. Requires a tproxy provider to be defined in <ulink
|
header. Requires a tproxy provider to be defined in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>There are three parameters to TPROXY - neither is
|
<para>There are three parameters to TPROXY - neither is
|
||||||
required:</para>
|
required:</para>
|
||||||
@ -714,7 +714,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -731,7 +731,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<para>An interface name. May not be used in the PREROUTING chain
|
<para>An interface name. May not be used in the PREROUTING chain
|
||||||
(:P in the mark column or no chain qualifier and
|
(:P in the mark column or no chain qualifier and
|
||||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
url="shorewall6.conf">shorewall6.conf</ulink> (5)). The
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)). The
|
||||||
interface name may be optionally followed by a colon (":") and
|
interface name may be optionally followed by a colon (":") and
|
||||||
an IP address list.</para>
|
an IP address list.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -751,7 +751,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -786,7 +786,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||||
typename. See <ulink
|
typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -1146,16 +1146,16 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
||||||
|
@ -35,9 +35,9 @@
|
|||||||
<para>If you have more than one ISP link, adding entries to this file
|
<para>If you have more than one ISP link, adding entries to this file
|
||||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||||
through a particular link. You must use entries in <ulink
|
through a particular link. You must use entries in <ulink
|
||||||
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
|
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
|
||||||
PREROUTING entries in <ulink
|
PREROUTING entries in <ulink
|
||||||
url="shorewall6-mangle.html">shorewall-tcrules</ulink>(5) to do
|
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to do
|
||||||
that.</para>
|
that.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
@ -56,17 +56,17 @@
|
|||||||
internet interface.</para>
|
internet interface.</para>
|
||||||
|
|
||||||
<para>Each interface must match an entry in <ulink
|
<para>Each interface must match an entry in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
Shorewall allows loose matches to wildcard entries in <ulink
|
Shorewall allows loose matches to wildcard entries in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
For example, <filename class="devicefile">ppp0</filename> in this
|
For example, <filename class="devicefile">ppp0</filename> in this
|
||||||
file will match a <ulink
|
file will match a <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
|
|
||||||
<para>Where <ulink
|
<para>Where <ulink
|
||||||
url="http://www.shorewall.net/4.4/MultiISP.html#Shared">more that
|
url="/4.4/MultiISP.html#Shared">more that
|
||||||
one internet provider share a single interface</ulink>, the provider
|
one internet provider share a single interface</ulink>, the provider
|
||||||
is specified by including the provider name or number in
|
is specified by including the provider name or number in
|
||||||
parentheses:</para>
|
parentheses:</para>
|
||||||
@ -81,7 +81,7 @@
|
|||||||
addresses to indicate that you only want to change the source IP
|
addresses to indicate that you only want to change the source IP
|
||||||
address for packets being sent to those particular destinations.
|
address for packets being sent to those particular destinations.
|
||||||
Exclusion is allowed (see <ulink
|
Exclusion is allowed (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
|
||||||
are ipset names preceded by a plus sign '+'.</para>
|
are ipset names preceded by a plus sign '+'.</para>
|
||||||
|
|
||||||
<para>Comments may be attached to Netfilter rules generated from
|
<para>Comments may be attached to Netfilter rules generated from
|
||||||
@ -535,7 +535,7 @@
|
|||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink>, then these
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then these
|
||||||
rules may be specified as follows:</para>
|
rules may be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>/etc/shorewall/masq:
|
<programlisting>/etc/shorewall/masq:
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
<para>These files specify which kernel modules shorewall6 will load before
|
<para>These files specify which kernel modules shorewall6 will load before
|
||||||
trying to determine your ip6tables/kernel's capabilities. The
|
trying to determine your ip6tables/kernel's capabilities. The
|
||||||
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
|
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(8); the
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5); the
|
||||||
<filename>helpers</filename> file is used when
|
<filename>helpers</filename> file is used when
|
||||||
LOAD_HELPERS_ONLY=Yes.</para>
|
LOAD_HELPERS_ONLY=Yes.</para>
|
||||||
|
|
||||||
@ -48,7 +48,7 @@
|
|||||||
<para>The <replaceable>modulename</replaceable> names a kernel module
|
<para>The <replaceable>modulename</replaceable> names a kernel module
|
||||||
(without suffix). shorewall6 will search for modules based on your
|
(without suffix). shorewall6 will search for modules based on your
|
||||||
MODULESDIR and MODULE_SUFFIX settings in <ulink
|
MODULESDIR and MODULE_SUFFIX settings in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(8). The
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
|
||||||
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
|
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
|
||||||
installed) or to insmod.</para>
|
installed) or to insmod.</para>
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>In <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5), a
|
<para>In <ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a
|
||||||
zone may be declared to be a sub-zone of one or more other zones using the
|
zone may be declared to be a sub-zone of one or more other zones using the
|
||||||
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
||||||
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
||||||
@ -32,7 +32,7 @@
|
|||||||
firewall zone.</para>
|
firewall zone.</para>
|
||||||
|
|
||||||
<para>Where zones are nested, the CONTINUE policy in <ulink
|
<para>Where zones are nested, the CONTINUE policy in <ulink
|
||||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
|
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
|
||||||
that are within multiple zones to be managed under the rules of all of
|
that are within multiple zones to be managed under the rules of all of
|
||||||
these zones.</para>
|
these zones.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
@ -74,7 +74,7 @@
|
|||||||
under rules where the source zone is net. It is important that this policy
|
under rules where the source zone is net. It is important that this policy
|
||||||
be listed BEFORE the next policy (net to all). You can have this policy
|
be listed BEFORE the next policy (net to all). You can have this policy
|
||||||
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
|
<para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
|
||||||
Shorewall6 4.4.24, <ulink
|
Shorewall6 4.4.24, <ulink
|
||||||
url="shorewall6-exclusion.html">exclusion</ulink> is
|
url="/manpages6/shorewall6-exclusion.html">exclusion</ulink> is
|
||||||
supported.</para>
|
supported.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -94,12 +94,12 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a network interface. The interface must be defined
|
<para>The name of a network interface. The interface must be defined
|
||||||
in <ulink
|
in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
Shorewall allows loose matches to wildcard entries in <ulink
|
Shorewall allows loose matches to wildcard entries in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||||
For example, <filename class="devicefile">ppp0</filename> in this
|
For example, <filename class="devicefile">ppp0</filename> in this
|
||||||
file will match a <ulink
|
file will match a <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
entry that defines <filename
|
entry that defines <filename
|
||||||
class="devicefile">ppp+</filename>.</para>
|
class="devicefile">ppp+</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -147,7 +147,7 @@
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||||
a typename. See <ulink
|
a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -188,9 +188,9 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
|
url="/netmap.html">http://www.shorewall.net/netmap.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
<para>Assign any shell variables that you need in this file. The file is
|
<para>Assign any shell variables that you need in this file. The file is
|
||||||
always processed by <filename>/bin/sh</filename> or by the shell specified
|
always processed by <filename>/bin/sh</filename> or by the shell specified
|
||||||
through SHOREWALL_SHELL in <ulink
|
through SHOREWALL_SHELL in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
|
||||||
of shell capabilities may be used.</para>
|
of shell capabilities may be used.</para>
|
||||||
|
|
||||||
<para>It is suggested that variable names begin with an upper case letter
|
<para>It is suggested that variable names begin with an upper case letter
|
||||||
@ -40,7 +40,7 @@
|
|||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member><emphasis role="bold">Any option from <ulink
|
<member><emphasis role="bold">Any option from <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||||
(5)</emphasis></member>
|
(5)</emphasis></member>
|
||||||
|
|
||||||
<member><emphasis role="bold">COMMAND</emphasis></member>
|
<member><emphasis role="bold">COMMAND</emphasis></member>
|
||||||
@ -107,7 +107,7 @@
|
|||||||
NET_OPTIONS=dhcp,nosmurfs</programlisting>
|
NET_OPTIONS=dhcp,nosmurfs</programlisting>
|
||||||
|
|
||||||
<para>Example <ulink
|
<para>Example <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
|
||||||
@ -129,7 +129,7 @@ net eth0 - dhcp,nosmurfs</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>This file defines the high-level policy for connections between
|
<para>This file defines the high-level policy for connections between
|
||||||
zones defined in <ulink
|
zones defined in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>The order of entries in this file is important</para>
|
<para>The order of entries in this file is important</para>
|
||||||
@ -66,7 +66,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
|
||||||
"all+".</para>
|
"all+".</para>
|
||||||
|
|
||||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||||
@ -84,7 +84,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
|
||||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||||
"all+", another bport zone associated with the same bridge, or it
|
"all+", another bport zone associated with the same bridge, or it
|
||||||
must be an ipv4 zone that is associated with only the same
|
must be an ipv4 zone that is associated with only the same
|
||||||
@ -118,7 +118,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The word "None" or "none". This causes any default action
|
<para>The word "None" or "none". This causes any default action
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
|
||||||
omitted for this policy.</para>
|
omitted for this policy.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -191,7 +191,7 @@
|
|||||||
might also match (where the source or destination zone in
|
might also match (where the source or destination zone in
|
||||||
those rules is a superset of the SOURCE or DEST in this
|
those rules is a superset of the SOURCE or DEST in this
|
||||||
policy). See <ulink
|
policy). See <ulink
|
||||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||||
for additional information.</para>
|
for additional information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -231,7 +231,7 @@
|
|||||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||||
|
|
||||||
<para>For a description of log levels, see <ulink
|
<para>For a description of log levels, see <ulink
|
||||||
url="http://www.shorewall.net/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
|
url="/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
|
||||||
|
|
||||||
<para>If you don't want to log but need to specify the following
|
<para>If you don't want to log but need to specify the following
|
||||||
column, place "-" here.</para>
|
column, place "-" here.</para>
|
||||||
@ -327,7 +327,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -77,11 +77,11 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
||||||
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink> file to
|
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file to
|
||||||
direct packets to this provider.</para>
|
direct packets to this provider.</para>
|
||||||
|
|
||||||
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>, then the
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then the
|
||||||
value must be a multiple of 256 between 256 and 65280 or their
|
value must be a multiple of 256 between 256 and 65280 or their
|
||||||
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
|
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
|
||||||
of the value being zero). Otherwise, the value must be between 1 and
|
of the value being zero). Otherwise, the value must be between 1 and
|
||||||
@ -110,7 +110,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of the network interface to the provider. Must be
|
<para>The name of the network interface to the provider. Must be
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>.</para>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -190,7 +190,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
||||||
defaults to the setting of the TRACK_PROVIDERS option in
|
defaults to the setting of the TRACK_PROVIDERS option in
|
||||||
<ulink url="shorwewall6.conf.html">shorewall6.conf</ulink>
|
<ulink url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
|
||||||
(5). If you set TRACK_PROVIDERS=Yes and want to override that
|
(5). If you set TRACK_PROVIDERS=Yes and want to override that
|
||||||
setting for an individual provider, then specify
|
setting for an individual provider, then specify
|
||||||
<option>notrack</option> (see below).</para>
|
<option>notrack</option> (see below).</para>
|
||||||
@ -238,7 +238,7 @@
|
|||||||
and configured with an IPv4 address then ignore this provider.
|
and configured with an IPv4 address then ignore this provider.
|
||||||
If not specified, the value of the <option>optional</option>
|
If not specified, the value of the <option>optional</option>
|
||||||
option for the INTERFACE in <ulink
|
option for the INTERFACE in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
|
||||||
is assumed. Use of that option is preferred to this one,
|
is assumed. Use of that option is preferred to this one,
|
||||||
unless an <replaceable>address</replaceable> is provider in
|
unless an <replaceable>address</replaceable> is provider in
|
||||||
the INTERFACE column.</para>
|
the INTERFACE column.</para>
|
||||||
@ -275,7 +275,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
|
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
|
||||||
action in shorewall-tcrules(5). See <ulink
|
action in shorewall-tcrules(5). See <ulink
|
||||||
url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
||||||
When specified, the MARK, DUPLICATE and GATEWAY columns should
|
When specified, the MARK, DUPLICATE and GATEWAY columns should
|
||||||
be empty, INTERFACE should be set to 'lo' and
|
be empty, INTERFACE should be set to 'lo' and
|
||||||
<option>tproxy</option> should be the only OPTION. Only one
|
<option>tproxy</option> should be the only OPTION. Only one
|
||||||
@ -389,10 +389,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -133,7 +133,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
|
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
|
||||||
|
@ -34,7 +34,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name or number of a provider defined in <ulink
|
<para>The name or number of a provider defined in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink> (5).
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink> (5).
|
||||||
Beginning with Shorewall 4.5.14, you may also enter
|
Beginning with Shorewall 4.5.14, you may also enter
|
||||||
<option>main</option> in this column to add routes to the main
|
<option>main</option> in this column to add routes to the main
|
||||||
routing table.</para>
|
routing table.</para>
|
||||||
@ -73,7 +73,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
||||||
given, then the INTERFACE specified for the PROVIDER in <ulink
|
given, then the INTERFACE specified for the PROVIDER in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
|
||||||
(5).This column must be omitted if <option>blackhole</option>,
|
(5).This column must be omitted if <option>blackhole</option>,
|
||||||
<option>prohibit</option> or <option>unreachable</option> is
|
<option>prohibit</option> or <option>unreachable</option> is
|
||||||
specified in the GATEWAY column.</para>
|
specified in the GATEWAY column.</para>
|
||||||
@ -92,7 +92,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para>This file is deprecated in favor of the <ulink
|
<para>This file is deprecated in favor of the <ulink
|
||||||
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
url="/manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>This file is used to define the hosts that are accessible when the
|
<para>This file is used to define the hosts that are accessible when the
|
||||||
@ -80,7 +80,7 @@
|
|||||||
themselves. Beginning with Shorewall 4.4.9, this option is
|
themselves. Beginning with Shorewall 4.4.9, this option is
|
||||||
automatically set if <emphasis
|
automatically set if <emphasis
|
||||||
role="bold">routeback</emphasis> is specified in <ulink
|
role="bold">routeback</emphasis> is specified in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
(5) or if the rules compiler detects that the interface is a
|
(5) or if the rules compiler detects that the interface is a
|
||||||
bridge.</para>
|
bridge.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -149,7 +149,7 @@
|
|||||||
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
||||||
role="bold">dest</emphasis> options work best when used in conjunction
|
role="bold">dest</emphasis> options work best when used in conjunction
|
||||||
with ADMINISABSENTMINDED=Yes in <ulink
|
with ADMINISABSENTMINDED=Yes in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</note>
|
</note>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
@ -181,10 +181,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>Entries in this file cause traffic to be routed to one of the
|
<para>Entries in this file cause traffic to be routed to one of the
|
||||||
providers listed in <ulink
|
providers listed in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
|
|
||||||
@ -164,7 +164,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>Entries in this file govern connection establishment by defining
|
<para>Entries in this file govern connection establishment by defining
|
||||||
exceptions to the policies laid out in <ulink
|
exceptions to the policies laid out in <ulink
|
||||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
|
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
|
||||||
subsequent requests and responses are automatically allowed using
|
subsequent requests and responses are automatically allowed using
|
||||||
connection tracking. For any particular (source,dest) pair of zones, the
|
connection tracking. For any particular (source,dest) pair of zones, the
|
||||||
rules are evaluated in the order in which they appear in this file and the
|
rules are evaluated in the order in which they appear in this file and the
|
||||||
@ -80,7 +80,7 @@
|
|||||||
|
|
||||||
<para>There is an implicit rule added at the end of this section
|
<para>There is an implicit rule added at the end of this section
|
||||||
that invokes the RELATED_DISPOSITION (<ulink
|
that invokes the RELATED_DISPOSITION (<ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -96,7 +96,7 @@
|
|||||||
|
|
||||||
<para>There is an implicit rule added at the end of this section
|
<para>There is an implicit rule added at the end of this section
|
||||||
that invokes the INVALID_DISPOSITION (<ulink
|
that invokes the INVALID_DISPOSITION (<ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -112,7 +112,7 @@
|
|||||||
|
|
||||||
<para>There is an implicit rule added at the end of this section
|
<para>There is an implicit rule added at the end of this section
|
||||||
that invokes the UNTRACKED_DISPOSITION (<ulink
|
that invokes the UNTRACKED_DISPOSITION (<ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -137,7 +137,7 @@
|
|||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you specify FASTACCEPT=Yes in <ulink
|
<para>If you specify FASTACCEPT=Yes in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
|
||||||
role="bold">ESTABLISHED</emphasis> and <emphasis
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
||||||
role="bold">RELATED</emphasis> sections must be empty.</para>
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||||
|
|
||||||
@ -197,7 +197,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like ACCEPT but exempts the rule from being suppressed
|
<para>like ACCEPT but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -207,7 +207,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an <emphasis>action</emphasis> declared in
|
<para>The name of an <emphasis>action</emphasis> declared in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||||
in /usr/share/shorewall/actions.std.</para>
|
in /usr/share/shorewall/actions.std.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -302,11 +302,11 @@
|
|||||||
<para>Do not process any of the following rules for this
|
<para>Do not process any of the following rules for this
|
||||||
(source zone,destination zone). If the source and/or
|
(source zone,destination zone). If the source and/or
|
||||||
destination IP address falls into a zone defined later in
|
destination IP address falls into a zone defined later in
|
||||||
<ulink url="shorewall6-zones.html">shorewall6-zones</ulink>(5)
|
<ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
|
||||||
or in a parent zone of the source or destination zones, then
|
or in a parent zone of the source or destination zones, then
|
||||||
this connection request will be passed to the rules defined
|
this connection request will be passed to the rules defined
|
||||||
for that (those) zone(s). See <ulink
|
for that (those) zone(s). See <ulink
|
||||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||||
for additional information.</para>
|
for additional information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -317,7 +317,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like CONTINUE but exempts the rule from being suppressed
|
<para>like CONTINUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -388,7 +388,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like DROP but exempts the rule from being suppressed by
|
<para>like DROP but exempts the rule from being suppressed by
|
||||||
OPTIMIZE=1 in <ulink
|
OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -419,7 +419,7 @@
|
|||||||
INLINE(ACCEPT)). Otherwise, you can include it after the
|
INLINE(ACCEPT)). Otherwise, you can include it after the
|
||||||
semicolon. In this case, you must declare the target as a
|
semicolon. In this case, you must declare the target as a
|
||||||
builtin action in <ulink
|
builtin action in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Some considerations when using INLINE:</para>
|
<para>Some considerations when using INLINE:</para>
|
||||||
|
|
||||||
@ -464,7 +464,7 @@
|
|||||||
<para>This error message may be eliminated by adding the
|
<para>This error message may be eliminated by adding the
|
||||||
<replaceable>target</replaceable> as a builtin action in
|
<replaceable>target</replaceable> as a builtin action in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -510,7 +510,7 @@
|
|||||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||||
back end logging daemon via a netlink socket then continues to
|
back end logging daemon via a netlink socket then continues to
|
||||||
the next rule. See <ulink
|
the next rule. See <ulink
|
||||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||||
|
|
||||||
<para>Similar to<emphasis role="bold">
|
<para>Similar to<emphasis role="bold">
|
||||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||||
@ -539,7 +539,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -571,7 +571,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like QUEUE but exempts the rule from being suppressed by
|
<para>like QUEUE but exempts the rule from being suppressed by
|
||||||
OPTIMIZE=1 in <ulink
|
OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -613,7 +613,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>like REJECT but exempts the rule from being suppressed
|
<para>like REJECT but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -629,7 +629,7 @@
|
|||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
<emphasis>action</emphasis> declared in <ulink
|
<emphasis>action</emphasis> declared in <ulink
|
||||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||||
/usr/share/shorewall/actions.std then:</para>
|
/usr/share/shorewall/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -660,7 +660,7 @@
|
|||||||
<para>Actions specifying logging may be followed by a log tag (a
|
<para>Actions specifying logging may be followed by a log tag (a
|
||||||
string of alphanumeric characters) which is appended to the string
|
string of alphanumeric characters) which is appended to the string
|
||||||
generated by the LOGPREFIX (in <ulink
|
generated by the LOGPREFIX (in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
||||||
the log prefix generated by the LOGPREFIX setting.</para>
|
the log prefix generated by the LOGPREFIX setting.</para>
|
||||||
@ -688,7 +688,7 @@
|
|||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
<replaceable>zone-list </replaceable>which consists of a
|
||||||
comma-separated list of zones declared in <ulink
|
comma-separated list of zones declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). This
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). This
|
||||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||||
well as inter-zone traffic.</para>
|
well as inter-zone traffic.</para>
|
||||||
@ -707,7 +707,7 @@
|
|||||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||||
@ -740,7 +740,7 @@
|
|||||||
firewall interface can be specified by an ampersand ('&')
|
firewall interface can be specified by an ampersand ('&')
|
||||||
followed by the logical name of the interface as found in the
|
followed by the logical name of the interface as found in the
|
||||||
INTERFACE column of <ulink
|
INTERFACE column of <ulink
|
||||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
@ -750,7 +750,7 @@
|
|||||||
preceded by a caret ('^'). When a single country code is given, the
|
preceded by a caret ('^'). When a single country code is given, the
|
||||||
square brackets may be omitted. A list of country codes supported by
|
square brackets may be omitted. A list of country codes supported by
|
||||||
Shorewall may be found at <ulink
|
Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||||
Kernel.</para>
|
Kernel.</para>
|
||||||
@ -761,7 +761,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -856,7 +856,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Location of Server. May be a zone declared in <ulink
|
<para>Location of Server. May be a zone declared in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
|
||||||
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
||||||
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
||||||
<emphasis role="bold">none</emphasis>.</para>
|
<emphasis role="bold">none</emphasis>.</para>
|
||||||
@ -864,18 +864,18 @@
|
|||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
<replaceable>zone-list </replaceable>which consists of a
|
||||||
comma-separated list of zones declared in <ulink
|
comma-separated list of zones declared in <ulink
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). Ths
|
||||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||||
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
|
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
|
||||||
exclusion is supported -- see see <ulink
|
exclusion is supported -- see see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
||||||
firewall interface can be specified by an ampersand ('&')
|
firewall interface can be specified by an ampersand ('&')
|
||||||
followed by the logical name of the interface as found in the
|
followed by the logical name of the interface as found in the
|
||||||
INTERFACE column of <ulink
|
INTERFACE column of <ulink
|
||||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
@ -885,7 +885,7 @@
|
|||||||
preceded by a caret ('^'). When a single country code is given, the
|
preceded by a caret ('^'). When a single country code is given, the
|
||||||
square brackets may be omitted. A list of country codes supported by
|
square brackets may be omitted. A list of country codes supported by
|
||||||
Shorewall may be found at <ulink
|
Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||||
Kernel.</para>
|
Kernel.</para>
|
||||||
@ -925,7 +925,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>Restriction: MAC addresses are not allowed (this is a
|
<para>Restriction: MAC addresses are not allowed (this is a
|
||||||
Netfilter restriction).</para>
|
Netfilter restriction).</para>
|
||||||
@ -1024,7 +1024,7 @@
|
|||||||
interpreted as the destination icmp-type(s). ICMP types may be
|
interpreted as the destination icmp-type(s). ICMP types may be
|
||||||
specified as a numeric type, a numeric type and code separated by a
|
specified as a numeric type, a numeric type and code separated by a
|
||||||
slash (e.g., 3/4), or a typename. See <ulink
|
slash (e.g., 3/4), or a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||||
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
|
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
|
||||||
listed.</para>
|
listed.</para>
|
||||||
|
|
||||||
@ -1549,7 +1549,7 @@
|
|||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>If the HELPERS option is specified in <ulink
|
<para>If the HELPERS option is specified in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then any module
|
||||||
specified in this column must be listed in the HELPERS
|
specified in this column must be listed in the HELPERS
|
||||||
setting.</para>
|
setting.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1644,7 +1644,7 @@
|
|||||||
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||||
|
|
||||||
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
||||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5):</para>
|
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5):</para>
|
||||||
|
|
||||||
<programlisting> #ACTION OPTIONS
|
<programlisting> #ACTION OPTIONS
|
||||||
SECCTX builtin</programlisting>
|
SECCTX builtin</programlisting>
|
||||||
@ -1663,10 +1663,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5),
|
shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Unlike rules in the <ulink
|
<para>Unlike rules in the <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||||
of rules in this file will continue after a match. So the final secmark
|
of rules in this file will continue after a match. So the final secmark
|
||||||
for each packet will be the one assigned by the LAST rule that
|
for each packet will be the one assigned by the LAST rule that
|
||||||
matches.</para>
|
matches.</para>
|
||||||
@ -182,7 +182,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -210,7 +210,7 @@
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -245,7 +245,7 @@
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||||
a typename. See <ulink
|
a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -412,7 +412,7 @@ RESTORE I:ER</programlisting>
|
|||||||
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
|
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||||
|
@ -147,10 +147,10 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
|
@ -125,7 +125,7 @@
|
|||||||
<para>You may specify either the interface number or the interface
|
<para>You may specify either the interface number or the interface
|
||||||
name. If the <emphasis role="bold">classify</emphasis> option is
|
name. If the <emphasis role="bold">classify</emphasis> option is
|
||||||
given for the interface in <ulink
|
given for the interface in <ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
|
||||||
then you must also specify an interface class (an integer that must
|
then you must also specify an interface class (an integer that must
|
||||||
be unique within classes associated with this interface).</para>
|
be unique within classes associated with this interface).</para>
|
||||||
|
|
||||||
@ -134,13 +134,13 @@
|
|||||||
|
|
||||||
<para>Please note that you can only use interface names in here that
|
<para>Please note that you can only use interface names in here that
|
||||||
have a bandwidth defined in the <ulink
|
have a bandwidth defined in the <ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para>Normally, all classes defined here are sub-classes of a root
|
<para>Normally, all classes defined here are sub-classes of a root
|
||||||
class (class number 1) that is implicitly defined from the entry in
|
class (class number 1) that is implicitly defined from the entry in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
|
||||||
can establish a class hierarchy by specifying a
|
can establish a class hierarchy by specifying a
|
||||||
<emphasis>parent</emphasis> class -- the number of a class that you
|
<emphasis>parent</emphasis> class -- the number of a class that you
|
||||||
have previously defined. The sub-class may borrow unused bandwidth
|
have previously defined. The sub-class may borrow unused bandwidth
|
||||||
@ -155,12 +155,12 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||||
range 1-255. You set mark values in the <ulink
|
range 1-255. You set mark values in the <ulink
|
||||||
url="shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
|
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
|
||||||
marking the traffic you want to fit in the classes defined in here.
|
marking the traffic you want to fit in the classes defined in here.
|
||||||
Must be specified as '-' if the <emphasis
|
Must be specified as '-' if the <emphasis
|
||||||
role="bold">classify</emphasis> option is given for the interface in
|
role="bold">classify</emphasis> option is given for the interface in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
|
||||||
you are running Shorewall 4.5 5 or earlier.</para>
|
you are running Shorewall 4.5 5 or earlier.</para>
|
||||||
|
|
||||||
<para>You can use the same marks for different interfaces.</para>
|
<para>You can use the same marks for different interfaces.</para>
|
||||||
@ -718,10 +718,10 @@
|
|||||||
<para>tc-red(8)</para>
|
<para>tc-red(8)</para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -104,7 +104,7 @@
|
|||||||
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
||||||
listed only once in this file. You may NOT specify the name of an
|
listed only once in this file. You may NOT specify the name of an
|
||||||
alias (e.g., eth0:0) here; see <ulink
|
alias (e.g., eth0:0) here; see <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||||
|
|
||||||
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
||||||
ppp interfaces, you need to put them all in here!</para>
|
ppp interfaces, you need to put them all in here!</para>
|
||||||
@ -152,7 +152,7 @@
|
|||||||
may be configured instead. Rate-estimated filters should be used
|
may be configured instead. Rate-estimated filters should be used
|
||||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||||
default. See <ulink
|
default. See <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||||
97a</ulink>.</para>
|
97a</ulink>.</para>
|
||||||
|
|
||||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||||
@ -172,7 +172,7 @@
|
|||||||
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
|
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
|
||||||
This is the maximum speed your connection can handle. It is also the
|
This is the maximum speed your connection can handle. It is also the
|
||||||
speed you can refer as "full" if you define the tc classes in <ulink
|
speed you can refer as "full" if you define the tc classes in <ulink
|
||||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
|
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
|
||||||
Outgoing traffic above this rate will be dropped.</para>
|
Outgoing traffic above this rate will be dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -196,7 +196,7 @@
|
|||||||
<para><option>classify</option> ― When specified, Shorewall will not
|
<para><option>classify</option> ― When specified, Shorewall will not
|
||||||
generate tc or Netfilter rules to classify traffic based on packet
|
generate tc or Netfilter rules to classify traffic based on packet
|
||||||
marks. You must do all classification using CLASSIFY rules in <ulink
|
marks. You must do all classification using CLASSIFY rules in <ulink
|
||||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
|
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).</para>
|
||||||
|
|
||||||
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
||||||
Bucket</firstterm> queuing discipline. This is the default.</para>
|
Bucket</firstterm> queuing discipline. This is the default.</para>
|
||||||
@ -285,7 +285,7 @@
|
|||||||
<para>tc-hfsc (7)</para>
|
<para>tc-hfsc (7)</para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
|
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
|
||||||
|
@ -70,10 +70,10 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name or number of an <returnvalue>interface</returnvalue>
|
<para>The name or number of an <returnvalue>interface</returnvalue>
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||||
followed by a <replaceable>class</replaceable> number defined for
|
followed by a <replaceable>class</replaceable> number defined for
|
||||||
that interface in <ulink
|
that interface in <ulink
|
||||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).</para>
|
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -312,13 +312,13 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para></para>
|
<para></para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>This file lists the interfaces that are subject to simple traffic
|
<para>This file lists the interfaces that are subject to simple traffic
|
||||||
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
||||||
file:</para>
|
file:</para>
|
||||||
@ -162,7 +162,7 @@
|
|||||||
may be configured instead. Rate-estimated filters should be used
|
may be configured instead. Rate-estimated filters should be used
|
||||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||||
default. See <ulink
|
default. See <ulink
|
||||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||||
97a</ulink>.</para>
|
97a</ulink>.</para>
|
||||||
|
|
||||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||||
|
@ -25,12 +25,12 @@
|
|||||||
|
|
||||||
<para>This file is used to specify the priority band of traffic for simple
|
<para>This file is used to specify the priority band of traffic for simple
|
||||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
|
||||||
of each packet is determined by the <emphasis role="bold">last</emphasis>
|
of each packet is determined by the <emphasis role="bold">last</emphasis>
|
||||||
entry that the packet matches. If a packet doesn't match any entry in this
|
entry that the packet matches. If a packet doesn't match any entry in this
|
||||||
file, then its priority will be determined by its TOS field. The default
|
file, then its priority will be determined by its TOS field. The default
|
||||||
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
||||||
in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
in <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<programlisting>TOS Bits Means Linux Priority BAND
|
<programlisting>TOS Bits Means Linux Priority BAND
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
@ -63,7 +63,7 @@
|
|||||||
<para>Classifies matching traffic as High Priority (1), Medium
|
<para>Classifies matching traffic as High Priority (1), Medium
|
||||||
Priority (2) or Low Priority (3). For those interfaces listed in
|
Priority (2) or Low Priority (3). For those interfaces listed in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5),
|
url="/manpages6/shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5),
|
||||||
Priority 2 traffic will be deferred so long and there is Priority 1
|
Priority 2 traffic will be deferred so long and there is Priority 1
|
||||||
traffic queued and Priority 3 traffic will be deferred so long as
|
traffic queued and Priority 3 traffic will be deferred so long as
|
||||||
there is Priority 1 or Priority 2 traffic to send.</para>
|
there is Priority 1 or Priority 2 traffic to send.</para>
|
||||||
|
@ -28,14 +28,14 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Unlike rules in the <ulink
|
<para>Unlike rules in the <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||||
of rules in this file will continue after a match. So the final mark for
|
of rules in this file will continue after a match. So the final mark for
|
||||||
each packet will be the one assigned by the LAST tcrule that
|
each packet will be the one assigned by the LAST tcrule that
|
||||||
matches.</para>
|
matches.</para>
|
||||||
|
|
||||||
<para>If you use multiple internet providers with the 'track' option, in
|
<para>If you use multiple internet providers with the 'track' option, in
|
||||||
/etc/shorewall6/providers be sure to read the restrictions at <ulink
|
/etc/shorewall6/providers be sure to read the restrictions at <ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
||||||
@ -123,7 +123,7 @@
|
|||||||
|
|
||||||
<para>- Otherwise, the chain is determined by the setting of
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
MARK_IN_FORWARD_CHAIN in <ulink
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||||
included for completeness and affects neither traffic shaping
|
included for completeness and affects neither traffic shaping
|
||||||
@ -203,7 +203,7 @@
|
|||||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||||
equal proportions. If no mask is specified, then ( 2 **
|
equal proportions. If no mask is specified, then ( 2 **
|
||||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
|
|
||||||
<para>May optionally be followed by <emphasis
|
<para>May optionally be followed by <emphasis
|
||||||
role="bold">:P</emphasis>, <emphasis
|
role="bold">:P</emphasis>, <emphasis
|
||||||
@ -231,7 +231,7 @@
|
|||||||
|
|
||||||
<para>- Otherwise, the chain is determined by the setting of
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
MARK_IN_FORWARD_CHAIN in <ulink
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||||
included for completeness and affects neither traffic shaping
|
included for completeness and affects neither traffic shaping
|
||||||
@ -317,11 +317,11 @@
|
|||||||
<para>When using Shorewall6's built-in traffic shaping tool, the
|
<para>When using Shorewall6's built-in traffic shaping tool, the
|
||||||
<emphasis>major</emphasis> class is the device number (the first
|
<emphasis>major</emphasis> class is the device number (the first
|
||||||
device in <ulink
|
device in <ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||||
is major class 1, the second device is major class 2, and so on)
|
is major class 1, the second device is major class 2, and so on)
|
||||||
and the <emphasis>minor</emphasis> class is the class's MARK
|
and the <emphasis>minor</emphasis> class is the class's MARK
|
||||||
value in <ulink
|
value in <ulink
|
||||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
||||||
preceded by the number 1 (MARK 1 corresponds to minor class 11,
|
preceded by the number 1 (MARK 1 corresponds to minor class 11,
|
||||||
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
|
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
|
||||||
minor class 122, etc.).</para>
|
minor class 122, etc.).</para>
|
||||||
@ -517,7 +517,7 @@
|
|||||||
[<replaceable>option</replaceable>] ...") after any matches
|
[<replaceable>option</replaceable>] ...") after any matches
|
||||||
specified at the end of the rule. If the target is not one known
|
specified at the end of the rule. If the target is not one known
|
||||||
to Shorewall, then it must be defined as a builtin action in
|
to Shorewall, then it must be defined as a builtin action in
|
||||||
<ulink url="shorewall6-actions.html">shorewall6-actions</ulink>
|
<ulink url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The following rules are equivalent:</para>
|
<para>The following rules are equivalent:</para>
|
||||||
@ -529,7 +529,7 @@ INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
|
|||||||
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>
|
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>
|
||||||
|
|
||||||
<para>If INLINE_MATCHES=Yes in <ulink
|
<para>If INLINE_MATCHES=Yes in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf(5)</ulink> then the
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
|
||||||
third rule above can be specified as follows:</para>
|
third rule above can be specified as follows:</para>
|
||||||
|
|
||||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||||
@ -653,7 +653,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>Transparently redirects a packet without altering the IP
|
<para>Transparently redirects a packet without altering the IP
|
||||||
header. Requires a local provider to be defined in <ulink
|
header. Requires a local provider to be defined in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>There are three parameters to TPROXY - only the first
|
<para>There are three parameters to TPROXY - only the first
|
||||||
(mark) is required:</para>
|
(mark) is required:</para>
|
||||||
@ -662,7 +662,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para><replaceable>mark</replaceable> - the MARK value
|
<para><replaceable>mark</replaceable> - the MARK value
|
||||||
corresponding to the local provider in <ulink
|
corresponding to the local provider in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -687,7 +687,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>Transparently redirects a packet without altering the IP
|
<para>Transparently redirects a packet without altering the IP
|
||||||
header. Requires a local provider to be defined in <ulink
|
header. Requires a local provider to be defined in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>There are three parameters to TPROXY - only the first
|
<para>There are three parameters to TPROXY - only the first
|
||||||
(mark) is required:</para>
|
(mark) is required:</para>
|
||||||
@ -747,7 +747,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -777,7 +777,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -812,7 +812,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||||
typename. See <ulink
|
typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
@ -1214,16 +1214,16 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
||||||
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
||||||
<ulink url="shorewall6-mangle.html">shorewall6-mangle</ulink>
|
<ulink url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
@ -166,7 +166,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
encrypted) traffic to pass between the Shorewall6 system and a remote
|
encrypted) traffic to pass between the Shorewall6 system and a remote
|
||||||
gateway. Traffic flowing through the tunnel is handled using the normal
|
gateway. Traffic flowing through the tunnel is handled using the normal
|
||||||
zone/policy/rule mechanism. See <ulink
|
zone/policy/rule mechanism. See <ulink
|
||||||
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||||
for details.</para>
|
for details.</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows (where the column name is
|
<para>The columns in the file are as follows (where the column name is
|
||||||
@ -138,7 +138,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||||
may be given. Exclusion (<ulink
|
may be given. Exclusion (<ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
|
||||||
is not supported.</para>
|
is not supported.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -240,7 +240,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -44,14 +44,14 @@
|
|||||||
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
|
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
|
||||||
names. The maximum length of a zone name is determined by the
|
names. The maximum length of a zone name is determined by the
|
||||||
setting of the LOGFORMAT option in <ulink
|
setting of the LOGFORMAT option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
|
||||||
default LOGFORMAT, zone names can be at most 5 characters
|
default LOGFORMAT, zone names can be at most 5 characters
|
||||||
long.</para>
|
long.</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
||||||
explained in <ulink
|
explained in <ulink
|
||||||
url="shorewall.conf.html">shorewall6.conf</ulink> (5), the default
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the default
|
||||||
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
||||||
%s is replaced by the chain name and the second is replaced by the
|
%s is replaced by the chain name and the second is replaced by the
|
||||||
disposition.</para>
|
disposition.</para>
|
||||||
@ -95,7 +95,7 @@
|
|||||||
follow the (sub)zone name by ":" and a comma-separated list of the
|
follow the (sub)zone name by ":" and a comma-separated list of the
|
||||||
parent zones. The parent zones must have been declared in earlier
|
parent zones. The parent zones must have been declared in earlier
|
||||||
records in this file. See <ulink
|
records in this file. See <ulink
|
||||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
|
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
|
||||||
additional information.</para>
|
additional information.</para>
|
||||||
|
|
||||||
<para>Example:</para>
|
<para>Example:</para>
|
||||||
@ -108,7 +108,7 @@ c:a,b ipv6</programlisting>
|
|||||||
<para>Currently, Shorewall6 uses this information to reorder the
|
<para>Currently, Shorewall6 uses this information to reorder the
|
||||||
zone list so that parent zones appear after their subzones in the
|
zone list so that parent zones appear after their subzones in the
|
||||||
list. The IMPLICIT_CONTINUE option in <ulink
|
list. The IMPLICIT_CONTINUE option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
|
||||||
create implicit CONTINUE policies to/from the subzone.</para>
|
create implicit CONTINUE policies to/from the subzone.</para>
|
||||||
|
|
||||||
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
||||||
@ -135,7 +135,7 @@ c:a,b ipv6</programlisting>
|
|||||||
the column. Communication with some zone hosts may be
|
the column. Communication with some zone hosts may be
|
||||||
encrypted. Encrypted hosts are designated using the 'ipsec'
|
encrypted. Encrypted hosts are designated using the 'ipsec'
|
||||||
option in <ulink
|
option in <ulink
|
||||||
url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
|
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -178,7 +178,7 @@ c:a,b ipv6</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
||||||
Linux-vserver guests. The zone contents must be defined in
|
Linux-vserver guests. The zone contents must be defined in
|
||||||
<ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>
|
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>Vserver zones are implicitly handled as subzones of the
|
<para>Vserver zones are implicitly handled as subzones of the
|
||||||
@ -206,7 +206,7 @@ c:a,b ipv6</programlisting>
|
|||||||
$FW rules are defined, they are placed in a chain named
|
$FW rules are defined, they are placed in a chain named
|
||||||
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
|
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
|
||||||
depending on the ZONE2ZONE setting in <ulink
|
depending on the ZONE2ZONE setting in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -288,12 +288,12 @@ c:a,b ipv6</programlisting>
|
|||||||
<para>When specified in the IN_OPTIONS column, causes all
|
<para>When specified in the IN_OPTIONS column, causes all
|
||||||
traffic from this zone to be passed against the <emphasis
|
traffic from this zone to be passed against the <emphasis
|
||||||
role="bold">src</emphasis> entries in <ulink
|
role="bold">src</emphasis> entries in <ulink
|
||||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5).</para>
|
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5).</para>
|
||||||
|
|
||||||
<para>When specified in the OUT_OPTIONS column, causes all
|
<para>When specified in the OUT_OPTIONS column, causes all
|
||||||
traffic to this zone to be passed against the <emphasis
|
traffic to this zone to be passed against the <emphasis
|
||||||
role="bold">dst</emphasis> entries in s<ulink
|
role="bold">dst</emphasis> entries in s<ulink
|
||||||
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
|
url="/manpages6/shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Specifying this option in the OPTIONS column is
|
<para>Specifying this option in the OPTIONS column is
|
||||||
equivalent to entering it in both of the IN_OPTIONS and
|
equivalent to entering it in both of the IN_OPTIONS and
|
||||||
@ -309,7 +309,7 @@ c:a,b ipv6</programlisting>
|
|||||||
OPTIONS column and indicates that only a single ipset should
|
OPTIONS column and indicates that only a single ipset should
|
||||||
be created for this zone if it has multiple dynamic entries in
|
be created for this zone if it has multiple dynamic entries in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).
|
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5).
|
||||||
Without this option, a separate ipset is created for each
|
Without this option, a separate ipset is created for each
|
||||||
interface.</para>
|
interface.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -353,7 +353,7 @@ c:a,b ipv6</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>sets the MSS field in TCP packets. If you supply this
|
<para>sets the MSS field in TCP packets. If you supply this
|
||||||
option, you should also set FASTACCEPT=No in <ulink
|
option, you should also set FASTACCEPT=No in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to
|
||||||
insure that both the SYN and SYN,ACK packets have their MSS
|
insure that both the SYN and SYN,ACK packets have their MSS
|
||||||
field adjusted.</para>
|
field adjusted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -426,10 +426,10 @@ c:a,b ipv6</programlisting>
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
@ -171,7 +171,7 @@
|
|||||||
<para>If you set the value of either option to "None" then no
|
<para>If you set the value of either option to "None" then no
|
||||||
default action will be used and the default action or macro must be
|
default action will be used and the default action or macro must be
|
||||||
specified in <ulink
|
specified in <ulink
|
||||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
|
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
|
||||||
|
|
||||||
<para>You can pass <replaceable>parameters</replaceable> to the
|
<para>You can pass <replaceable>parameters</replaceable> to the
|
||||||
specified action or macro (e.g.,
|
specified action or macro (e.g.,
|
||||||
@ -192,7 +192,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting
|
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting
|
||||||
is enabled (see <ulink
|
is enabled (see <ulink
|
||||||
url="shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).
|
url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).
|
||||||
If not specified or set to the empty value, ACCOUNTING=Yes is
|
If not specified or set to the empty value, ACCOUNTING=Yes is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -207,7 +207,7 @@
|
|||||||
<para>Added in Shorewall 4.4.20. This setting determines which
|
<para>Added in Shorewall 4.4.20. This setting determines which
|
||||||
Netfilter table the accounting rules are added in. By default,
|
Netfilter table the accounting rules are added in. By default,
|
||||||
ACCOUNTING_TABLE=filter is assumed. See also <ulink
|
ACCOUNTING_TABLE=filter is assumed. See also <ulink
|
||||||
url="shorewall-accounting.html">shorewall-accounting</ulink>(5).</para>
|
url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -219,11 +219,11 @@
|
|||||||
<para>The value of this variable affects Shorewall6's stopped state.
|
<para>The value of this variable affects Shorewall6's stopped state.
|
||||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||||
is accepted when Shorewall6 is stopped. When
|
is accepted when Shorewall6 is stopped. When
|
||||||
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
|
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
|
||||||
<ulink
|
<ulink
|
||||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
|
||||||
connections that were active when Shorewall6 stopped continue to
|
connections that were active when Shorewall6 stopped continue to
|
||||||
work and all new connections from the firewall system itself are
|
work and all new connections from the firewall system itself are
|
||||||
allowed. If this variable is not set or is given the empty value
|
allowed. If this variable is not set or is given the empty value
|
||||||
@ -280,13 +280,13 @@
|
|||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Modify <ulink
|
<para>Modify <ulink
|
||||||
url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
|
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>
|
||||||
(5) to only apply helpers where they are required; or</para>
|
(5) to only apply helpers where they are required; or</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the appropriate helper in the HELPER column in
|
<para>Specify the appropriate helper in the HELPER column in
|
||||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
@ -357,7 +357,7 @@
|
|||||||
a value or if you assign an empty value then DROP is assumed. The
|
a value or if you assign an empty value then DROP is assumed. The
|
||||||
setting determines the disposition of packets sent to the <emphasis
|
setting determines the disposition of packets sent to the <emphasis
|
||||||
role="bold">blacklog</emphasis> target of <ulink
|
role="bold">blacklog</emphasis> target of <ulink
|
||||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -374,7 +374,7 @@
|
|||||||
hosts are not logged. The setting determines the log level of
|
hosts are not logged. The setting determines the log level of
|
||||||
packets sent to the <emphasis role="bold">blacklog</emphasis> target
|
packets sent to the <emphasis role="bold">blacklog</emphasis> target
|
||||||
of <ulink
|
of <ulink
|
||||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -391,11 +391,11 @@
|
|||||||
connections, for packets in the INVALID connection state (such as a
|
connections, for packets in the INVALID connection state (such as a
|
||||||
TCP SYN,ACK when there has been no corresponding SYN), and for
|
TCP SYN,ACK when there has been no corresponding SYN), and for
|
||||||
packets that are UNTRACKED due to entries in <ulink
|
packets that are UNTRACKED due to entries in <ulink
|
||||||
url="shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
|
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
|
||||||
This includes entries in the <ulink
|
This includes entries in the <ulink
|
||||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
|
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
|
||||||
and in the BLACKLIST section of <ulink
|
and in the BLACKLIST section of <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||||
@ -464,13 +464,13 @@
|
|||||||
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
||||||
can still use the “fwmark” classifier based on packet marking
|
can still use the “fwmark” classifier based on packet marking
|
||||||
defined in <ulink
|
defined in <ulink
|
||||||
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
|
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
|
||||||
specified, CLEAR_TC=No is assumed.</para>
|
specified, CLEAR_TC=No is assumed.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you also run Shorewall and if you have
|
<para>If you also run Shorewall and if you have
|
||||||
TC_ENABLED=Internal in your <ulink
|
TC_ENABLED=Internal in your <ulink
|
||||||
url="../manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
url="/manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
||||||
then you will want CLEAR_TC=No in this file.</para>
|
then you will want CLEAR_TC=No in this file.</para>
|
||||||
</warning>
|
</warning>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -678,7 +678,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
||||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||||
or RELATED sections of <ulink
|
or RELATED sections of <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>FASTACCEPT=Yes is incompatible with
|
<para>FASTACCEPT=Yes is incompatible with
|
||||||
@ -709,7 +709,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
||||||
directory containing the <firstterm>GeoIP Match</firstterm>
|
directory containing the <firstterm>GeoIP Match</firstterm>
|
||||||
database. See <ulink
|
database. See <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
If not specified, the default value is
|
If not specified, the default value is
|
||||||
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
||||||
location of the little-endian database.</para>
|
location of the little-endian database.</para>
|
||||||
@ -861,11 +861,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
|
|
||||||
<para>Subzones are defined by following their name with ":" and a
|
<para>Subzones are defined by following their name with ":" and a
|
||||||
list of parent zones (in <ulink
|
list of parent zones (in <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
|
||||||
you want to have a set of special rules for the subzone and if a
|
you want to have a set of special rules for the subzone and if a
|
||||||
connection doesn't match any of those subzone-specific rules then
|
connection doesn't match any of those subzone-specific rules then
|
||||||
you want the parent zone rules and policies to be applied; see
|
you want the parent zone rules and policies to be applied; see
|
||||||
<ulink url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
|
<ulink url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
|
||||||
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
||||||
|
|
||||||
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
||||||
@ -882,9 +882,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
|
||||||
separates column-oriented specifications on the left from <ulink
|
separates column-oriented specifications on the left from <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
|
url="/configuration_file_basics.htm#Pairs">alternative
|
||||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||||
specified, the specifications on the right are interpreted as if
|
specified, the specifications on the right are interpreted as if
|
||||||
INLINE had been specified in the ACTION column. If not specified or
|
INLINE had been specified in the ACTION column. If not specified or
|
||||||
@ -900,7 +900,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||||
INVALID packets through the NEW section of <ulink
|
INVALID packets through the NEW section of <ulink
|
||||||
url="shorewall6-rules.html">shorewall-rules</ulink> (5). When a
|
url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5). When a
|
||||||
packet in INVALID state fails to match any rule in the INVALID
|
packet in INVALID state fails to match any rule in the INVALID
|
||||||
section, the packet is disposed of based on this setting. The
|
section, the packet is disposed of based on this setting. The
|
||||||
default value is CONTINUE for compatibility with earlier
|
default value is CONTINUE for compatibility with earlier
|
||||||
@ -915,7 +915,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
|
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
|
||||||
do not match any rule in the INVALID section of <ulink
|
do not match any rule in the INVALID section of <ulink
|
||||||
url="manpages/shorewall6-rules.html">shorewall-rules</ulink> (5) are
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
|
||||||
logged at this level. The default value is empty which means no
|
logged at this level. The default value is empty which means no
|
||||||
logging is performed.</para>
|
logging is performed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1205,7 +1205,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
<note>
|
<note>
|
||||||
<para>The setting of LOGFORMAT has an effect of the permitted
|
<para>The setting of LOGFORMAT has an effect of the permitted
|
||||||
length of zone names. See <ulink
|
length of zone names. See <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1373,9 +1373,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The performance of configurations with a large numbers of
|
<para>The performance of configurations with a large numbers of
|
||||||
entries in <ulink
|
entries in <ulink
|
||||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
|
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5) can be
|
||||||
improved by setting the MACLIST_TTL variable in <ulink
|
improved by setting the MACLIST_TTL variable in <ulink
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>If your iptables and kernel support the "Recent Match" (see
|
<para>If your iptables and kernel support the "Recent Match" (see
|
||||||
the output of "shorewall check" near the top), you can cache the
|
the output of "shorewall check" near the top), you can cache the
|
||||||
@ -1384,7 +1384,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
|
|
||||||
<para>When a new connection arrives from a 'maclist' interface, the
|
<para>When a new connection arrives from a 'maclist' interface, the
|
||||||
packet passes through then list of entries for that interface in
|
packet passes through then list of entries for that interface in
|
||||||
<ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
<ulink url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5). If
|
||||||
there is a match then the source IP address is added to the 'Recent'
|
there is a match then the source IP address is added to the 'Recent'
|
||||||
set for that interface. Subsequent connection attempts from that IP
|
set for that interface. Subsequent connection attempts from that IP
|
||||||
address occurring within $MACLIST_TTL seconds will be accepted
|
address occurring within $MACLIST_TTL seconds will be accepted
|
||||||
@ -1555,7 +1555,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Optimization category 1 - Traditionally, Shorewall has
|
<para>Optimization category 1 - Traditionally, Shorewall has
|
||||||
created rules for <ulink
|
created rules for <ulink
|
||||||
url="../ScalabilityAndPerformance.html">the complete matrix of
|
url="/ScalabilityAndPerformance.html">the complete matrix of
|
||||||
host groups defined by the zones, interfaces and hosts
|
host groups defined by the zones, interfaces and hosts
|
||||||
files</ulink>. Any traffic that didn't correspond to an element
|
files</ulink>. Any traffic that didn't correspond to an element
|
||||||
of that matrix was rejected in one of the built-in chains. When
|
of that matrix was rejected in one of the built-in chains. When
|
||||||
@ -1860,7 +1860,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
|
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
|
||||||
ACCEPTed RELATED packets that don't match any rule in the RELATED
|
ACCEPTed RELATED packets that don't match any rule in the RELATED
|
||||||
section of <ulink
|
section of <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
|
||||||
about the safety of this practice resulted in the addition of this
|
about the safety of this practice resulted in the addition of this
|
||||||
option. When a packet in RELATED state fails to match any rule in
|
option. When a packet in RELATED state fails to match any rule in
|
||||||
the RELATED section, the packet is disposed of based on this
|
the RELATED section, the packet is disposed of based on this
|
||||||
@ -1876,7 +1876,7 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.27. Packets in the related state that
|
<para>Added in Shorewall 4.4.27. Packets in the related state that
|
||||||
do not match any rule in the RELATED section of <ulink
|
do not match any rule in the RELATED section of <ulink
|
||||||
url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5) are
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
|
||||||
logged at this level. The default value is empty which means no
|
logged at this level. The default value is empty which means no
|
||||||
logging is performed.</para>
|
logging is performed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1959,7 +1959,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
||||||
at least one optional interface must be up in order for the firewall
|
at least one optional interface must be up in order for the firewall
|
||||||
to be in the started state. Intended to be used with the <ulink
|
to be in the started state. Intended to be used with the <ulink
|
||||||
url="../Manpages/shorewall-init.html">Shorewall Init
|
url="/manpages/shorewall-init.html">Shorewall Init
|
||||||
Package</ulink>.</para>
|
Package</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -2003,7 +2003,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Added in Shorewall 4.5.7. Determines the disposition of
|
<para>Added in Shorewall 4.5.7. Determines the disposition of
|
||||||
packets entering from interfaces with the <option>rpfilter</option>
|
packets entering from interfaces with the <option>rpfilter</option>
|
||||||
option (see <ulink
|
option (see <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)).
|
||||||
Packets disposed of by this option are those whose response packets
|
Packets disposed of by this option are those whose response packets
|
||||||
would not be sent through the same interface receiving the
|
would not be sent through the same interface receiving the
|
||||||
packet.</para>
|
packet.</para>
|
||||||
@ -2040,7 +2040,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.20. The default setting is DROP which
|
<para>Added in Shorewall 4.4.20. The default setting is DROP which
|
||||||
causes smurf packets (see the nosmurfs option in <ulink
|
causes smurf packets (see the nosmurfs option in <ulink
|
||||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)) to
|
||||||
be dropped. A_DROP causes the packets to be audited prior to being
|
be dropped. A_DROP causes the packets to be audited prior to being
|
||||||
dropped and requires AUDIT_TARGET support in the kernel and
|
dropped and requires AUDIT_TARGET support in the kernel and
|
||||||
ip6tables.</para>
|
ip6tables.</para>
|
||||||
@ -2054,7 +2054,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Specifies the logging level for smurf packets (see the
|
<para>Specifies the logging level for smurf packets (see the
|
||||||
nosmurfs option in <ulink
|
nosmurfs option in <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)).
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)).
|
||||||
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
|
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
|
||||||
logged.</para>
|
logged.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2068,7 +2068,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.20. Determines the disposition of
|
<para>Added in Shorewall 4.4.20. Determines the disposition of
|
||||||
packets matching the <option>sfilter</option> option (see <ulink
|
packets matching the <option>sfilter</option> option (see <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||||
and of <firstterm>hairpin</firstterm> packets on interfaces without
|
and of <firstterm>hairpin</firstterm> packets on interfaces without
|
||||||
the <option>routeback</option> option.<footnote>
|
the <option>routeback</option> option.<footnote>
|
||||||
<para>Hairpin packets are packets that are routed out of the
|
<para>Hairpin packets are packets that are routed out of the
|
||||||
@ -2084,7 +2084,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added on Shorewall 4.4.20. Determines the logging of packets
|
<para>Added on Shorewall 4.4.20. Determines the logging of packets
|
||||||
matching the <option>sfilter</option> option (see <ulink
|
matching the <option>sfilter</option> option (see <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||||
and of <firstterm>hairpin</firstterm> packets on interfaces without
|
and of <firstterm>hairpin</firstterm> packets on interfaces without
|
||||||
the <option>routeback</option> option.<footnote>
|
the <option>routeback</option> option.<footnote>
|
||||||
<para>Hairpin packets are packets that are routed out of the
|
<para>Hairpin packets are packets that are routed out of the
|
||||||
@ -2187,13 +2187,13 @@ INLINE - - - ; -j REJECT
|
|||||||
<filename>tcdevices</filename> and <filename>tcclasses</filename>
|
<filename>tcdevices</filename> and <filename>tcclasses</filename>
|
||||||
files. This allows the compiler to have access to your Shorewall
|
files. This allows the compiler to have access to your Shorewall
|
||||||
traffic shaping configuration so that it can validate CLASSIFY rules
|
traffic shaping configuration so that it can validate CLASSIFY rules
|
||||||
in <ulink url="shorewall-tcrules.html">shorewall6-tcrules</ulink>
|
in <ulink url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you also run Shorewall and if you have
|
<para>If you also run Shorewall and if you have
|
||||||
TC_ENABLED=Internal in your <ulink
|
TC_ENABLED=Internal in your <ulink
|
||||||
url="../manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
url="/manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
||||||
then you will want TC_ENABLED=No or TC_ENABLED=Shared in this
|
then you will want TC_ENABLED=No or TC_ENABLED=Shared in this
|
||||||
file.</para>
|
file.</para>
|
||||||
</warning>
|
</warning>
|
||||||
@ -2208,7 +2208,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Normally, Shorewall6 tries to protect users from themselves by
|
<para>Normally, Shorewall6 tries to protect users from themselves by
|
||||||
preventing PREROUTING and OUTPUT tcrules from being applied to
|
preventing PREROUTING and OUTPUT tcrules from being applied to
|
||||||
packets that have been marked by the 'track' option in <ulink
|
packets that have been marked by the 'track' option in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||||
|
|
||||||
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
||||||
Shorewall6 will not include these cautionary checks.</para>
|
Shorewall6 will not include these cautionary checks.</para>
|
||||||
@ -2222,7 +2222,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
|
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
|
||||||
TOS field to priority bands. See <ulink
|
TOS field to priority bands. See <ulink
|
||||||
url="shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
|
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
|
||||||
<emphasis>map</emphasis> consists of 16 space-separated digits with
|
<emphasis>map</emphasis> consists of 16 space-separated digits with
|
||||||
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
|
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
|
||||||
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
|
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
|
||||||
@ -2245,7 +2245,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Determines the disposition of TCP packets that fail the checks
|
<para>Determines the disposition of TCP packets that fail the checks
|
||||||
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
|
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
|
||||||
option (see <ulink
|
option (see <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||||
and must have a value of ACCEPT (accept the packet), REJECT (send an
|
and must have a value of ACCEPT (accept the packet), REJECT (send an
|
||||||
RST response) or DROP (ignore the packet). If not set or if set to
|
RST response) or DROP (ignore the packet). If not set or if set to
|
||||||
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
|
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
|
||||||
@ -2273,20 +2273,20 @@ INLINE - - - ; -j REJECT
|
|||||||
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
|
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
|
||||||
<option>track</option> option to be assumed on all providers defined
|
<option>track</option> option to be assumed on all providers defined
|
||||||
in <ulink
|
in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5). May
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5). May
|
||||||
be overridden on an individual provider through use of the
|
be overridden on an individual provider through use of the
|
||||||
<option>notrack</option> option. The default value is 'No'.</para>
|
<option>notrack</option> option. The default value is 'No'.</para>
|
||||||
|
|
||||||
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
|
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
|
||||||
also simplifies PREROUTING rules in <ulink
|
also simplifies PREROUTING rules in <ulink
|
||||||
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||||
Previously, when TC_EXPERT=No, packets arriving through 'tracked'
|
Previously, when TC_EXPERT=No, packets arriving through 'tracked'
|
||||||
provider interfaces were unconditionally passed to the PREROUTING
|
provider interfaces were unconditionally passed to the PREROUTING
|
||||||
tcrules. This was done so that tcrules could reset the packet mark
|
tcrules. This was done so that tcrules could reset the packet mark
|
||||||
to zero, thus allowing the packet to be routed using the 'main'
|
to zero, thus allowing the packet to be routed using the 'main'
|
||||||
routing table. Using the main table allowed dynamic routes (such as
|
routing table. Using the main table allowed dynamic routes (such as
|
||||||
those added for VPNs) to be effective. The <ulink
|
those added for VPNs) to be effective. The <ulink
|
||||||
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
|
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
|
||||||
created to provide a better alternative to clearing the packet mark.
|
created to provide a better alternative to clearing the packet mark.
|
||||||
As a consequence, passing these packets to PREROUTING complicates
|
As a consequence, passing these packets to PREROUTING complicates
|
||||||
things without providing any real benefit. Beginning with Shorewall
|
things without providing any real benefit. Beginning with Shorewall
|
||||||
@ -2322,7 +2322,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||||
UNTRACKED packets through the NEW section of <ulink
|
UNTRACKED packets through the NEW section of <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
|
||||||
packet in UNTRACKED state fails to match any rule in the UNTRACKED
|
packet in UNTRACKED state fails to match any rule in the UNTRACKED
|
||||||
section, the packet is disposed of based on this setting. The
|
section, the packet is disposed of based on this setting. The
|
||||||
default value is CONTINUE for compatibility with earlier
|
default value is CONTINUE for compatibility with earlier
|
||||||
@ -2337,7 +2337,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
|
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
|
||||||
do not match any rule in the UNTRACKED section of <ulink
|
do not match any rule in the UNTRACKED section of <ulink
|
||||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
|
||||||
logged at this level. The default value is empty which means no
|
logged at this level. The default value is empty which means no
|
||||||
logging is performed.</para>
|
logging is performed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -2362,7 +2362,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Both the DUPLICATE and the COPY columns in <ulink
|
<para>Both the DUPLICATE and the COPY columns in <ulink
|
||||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5)
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
|
||||||
file must remain empty (or contain "-").</para>
|
file must remain empty (or contain "-").</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -2379,7 +2379,7 @@ INLINE - - - ; -j REJECT
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets are sent through the main routing table by a rule
|
<para>Packets are sent through the main routing table by a rule
|
||||||
with priority 999. In <ulink
|
with priority 999. In <ulink
|
||||||
url="shorewall6-routing_rules.html">shorewall6-routing_rules</ulink>(5),
|
url="/manpages6/shorewall6-routing_rules.html">shorewall6-routing_rules</ulink>(5),
|
||||||
the range 1-998 may be used for inserting rules that bypass the
|
the range 1-998 may be used for inserting rules that bypass the
|
||||||
main table.</para>
|
main table.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -647,7 +647,7 @@
|
|||||||
|
|
||||||
<para>The <option>trace</option> and <option>debug</option> options are
|
<para>The <option>trace</option> and <option>debug</option> options are
|
||||||
used for debugging. See <ulink
|
used for debugging. See <ulink
|
||||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
||||||
|
|
||||||
<para>The nolock <option>option</option> prevents the command from
|
<para>The nolock <option>option</option> prevents the command from
|
||||||
attempting to acquire the Shorewall6 lockfile. It is useful if you need to
|
attempting to acquire the Shorewall6 lockfile. It is useful if you need to
|
||||||
@ -659,7 +659,7 @@
|
|||||||
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
||||||
options are omitted, the amount of output is determined by the setting of
|
options are omitted, the amount of output is determined by the setting of
|
||||||
the VERBOSITY parameter in <ulink
|
the VERBOSITY parameter in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
|
||||||
role="bold">v</emphasis> adds one to the effective verbosity and each
|
role="bold">v</emphasis> adds one to the effective verbosity and each
|
||||||
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
||||||
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
|
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
|
||||||
@ -687,7 +687,7 @@
|
|||||||
|
|
||||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||||
defined in the <ulink
|
defined in the <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||||
elements are host or network addresses.<caution>
|
elements are host or network addresses.<caution>
|
||||||
<para>The <command>add</command> command is not very robust. If
|
<para>The <command>add</command> command is not very robust. If
|
||||||
@ -701,7 +701,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
||||||
single ipset to handle entries for multiple interfaces. When that
|
single ipset to handle entries for multiple interfaces. When that
|
||||||
option is specified for a zone, the <command>add</command> command
|
option is specified for a zone, the <command>add</command> command
|
||||||
has the alternative syntax in which the
|
has the alternative syntax in which the
|
||||||
@ -756,7 +756,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -822,7 +822,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -836,13 +836,13 @@
|
|||||||
|
|
||||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||||
defined in the <ulink
|
defined in the <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||||
elements are a host or network address.</para>
|
elements are a host or network address.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
||||||
single ipset to handle entries for multiple interfaces. When that
|
single ipset to handle entries for multiple interfaces. When that
|
||||||
option is specified for a zone, the <command>delete</command>
|
option is specified for a zone, the <command>delete</command>
|
||||||
command has the alternative syntax in which the
|
command has the alternative syntax in which the
|
||||||
@ -865,7 +865,7 @@
|
|||||||
any optional network interface. <replaceable>interface</replaceable>
|
any optional network interface. <replaceable>interface</replaceable>
|
||||||
may be either the logical or physical name of the interface. The
|
may be either the logical or physical name of the interface. The
|
||||||
command removes any routes added from <ulink
|
command removes any routes added from <ulink
|
||||||
url="shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
|
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
|
||||||
traffic shaping configuration for the interface.</para>
|
traffic shaping configuration for the interface.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -912,7 +912,7 @@
|
|||||||
may be either the logical or physical name of the interface. The
|
may be either the logical or physical name of the interface. The
|
||||||
command sets <filename>/proc</filename> entries for the interface,
|
command sets <filename>/proc</filename> entries for the interface,
|
||||||
adds any route specified in <ulink
|
adds any route specified in <ulink
|
||||||
url="shorewall6-routes.html">shorewall6-routes</ulink>(5) and
|
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and
|
||||||
installs the interface's traffic shaping configuration, if
|
installs the interface's traffic shaping configuration, if
|
||||||
any.</para>
|
any.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -949,7 +949,7 @@
|
|||||||
<para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
|
<para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
|
||||||
/var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
|
/var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
|
||||||
given then the file specified by RESTOREFILE in <ulink
|
given then the file specified by RESTOREFILE in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) is
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1032,7 +1032,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1043,7 +1043,7 @@
|
|||||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||||
to be logged then discarded. Logging occurs at the log level
|
to be logged then discarded. Logging occurs at the log level
|
||||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1052,7 +1052,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Monitors the log file specified by the LOGFILE option in
|
<para>Monitors the log file specified by the LOGFILE option in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
|
||||||
produces an audible alarm when new Shorewall6 messages are logged.
|
produces an audible alarm when new Shorewall6 messages are logged.
|
||||||
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
||||||
address of each packet source to be displayed if that information is
|
address of each packet source to be displayed if that information is
|
||||||
@ -1072,7 +1072,7 @@
|
|||||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||||
to be logged then rejected. Logging occurs at the log level
|
to be logged then rejected. Logging occurs at the log level
|
||||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1124,7 +1124,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
||||||
and causes Shorewall to look in the given
|
and causes Shorewall to look in the given
|
||||||
@ -1184,7 +1184,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1229,7 +1229,7 @@
|
|||||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||||
and performs the compilation step unconditionally, overriding the
|
and performs the compilation step unconditionally, overriding the
|
||||||
AUTOMAKE setting in <ulink
|
AUTOMAKE setting in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
||||||
<option>-f</option> and <option>-c </option>are present, the result
|
<option>-f</option> and <option>-c </option>are present, the result
|
||||||
is determined by the option that appears last.</para>
|
is determined by the option that appears last.</para>
|
||||||
|
|
||||||
@ -1241,7 +1241,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1256,7 +1256,7 @@
|
|||||||
role="bold">shorewall6 save</emphasis>; if no
|
role="bold">shorewall6 save</emphasis>; if no
|
||||||
<emphasis>filename</emphasis> is given then Shorewall6 will be
|
<emphasis>filename</emphasis> is given then Shorewall6 will be
|
||||||
restored from the file specified by the RESTOREFILE option in <ulink
|
restored from the file specified by the RESTOREFILE option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1318,7 +1318,7 @@
|
|||||||
role="bold">shorewall6 -f start</emphasis> commands. If
|
role="bold">shorewall6 -f start</emphasis> commands. If
|
||||||
<emphasis>filename</emphasis> is not given then the state is saved
|
<emphasis>filename</emphasis> is not given then the state is saved
|
||||||
in the file specified by the RESTOREFILE option in <ulink
|
in the file specified by the RESTOREFILE option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1445,7 +1445,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Displays the last 20 Shorewall6 messages from the log
|
<para>Displays the last 20 Shorewall6 messages from the log
|
||||||
file specified by the LOGFILE option in <ulink
|
file specified by the LOGFILE option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). The
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
|
||||||
<emphasis role="bold">-m</emphasis> option causes the MAC
|
<emphasis role="bold">-m</emphasis> option causes the MAC
|
||||||
address of each packet source to be displayed if that
|
address of each packet source to be displayed if that
|
||||||
information is available.</para>
|
information is available.</para>
|
||||||
@ -1537,7 +1537,7 @@
|
|||||||
for configuration files. If <emphasis role="bold">-f</emphasis> is
|
for configuration files. If <emphasis role="bold">-f</emphasis> is
|
||||||
specified, the saved configuration specified by the RESTOREFILE
|
specified, the saved configuration specified by the RESTOREFILE
|
||||||
option in <ulink
|
option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
|
||||||
restored if that saved configuration exists and has been modified
|
restored if that saved configuration exists and has been modified
|
||||||
more recently than the files in /etc/shorewall6. When <emphasis
|
more recently than the files in /etc/shorewall6. When <emphasis
|
||||||
role="bold">-f</emphasis> is given, a
|
role="bold">-f</emphasis> is given, a
|
||||||
@ -1545,7 +1545,7 @@
|
|||||||
|
|
||||||
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
|
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
|
||||||
was added to <ulink
|
was added to <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When
|
||||||
LEGACY_FASTSTART=No, the modification times of files in
|
LEGACY_FASTSTART=No, the modification times of files in
|
||||||
/etc/shorewall6 are compared with that of
|
/etc/shorewall6 are compared with that of
|
||||||
/var/lib/shorewall6/firewall (the compiled script that last
|
/var/lib/shorewall6/firewall (the compiled script that last
|
||||||
@ -1557,7 +1557,7 @@
|
|||||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||||
and performs the compilation step unconditionally, overriding the
|
and performs the compilation step unconditionally, overriding the
|
||||||
AUTOMAKE setting in <ulink
|
AUTOMAKE setting in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
||||||
<option>-f</option> and <option>-c </option>are present, the result
|
<option>-f</option> and <option>-c </option>are present, the result
|
||||||
is determined by the option that appears last.</para>
|
is determined by the option that appears last.</para>
|
||||||
|
|
||||||
@ -1569,7 +1569,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1579,12 +1579,12 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Stops the firewall. All existing connections, except those
|
<para>Stops the firewall. All existing connections, except those
|
||||||
listed in <ulink
|
listed in <ulink
|
||||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||||
or permitted by the ADMINISABSENTMINDED option in <ulink
|
or permitted by the ADMINISABSENTMINDED option in <ulink
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
|
||||||
down. The only new traffic permitted through the firewall is from
|
down. The only new traffic permitted through the firewall is from
|
||||||
systems listed in <ulink
|
systems listed in <ulink
|
||||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||||
or by ADMINISABSENTMINDED.</para>
|
or by ADMINISABSENTMINDED.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1652,13 +1652,13 @@
|
|||||||
|
|
||||||
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||||
and causes legacy blacklisting rules (<ulink
|
and causes legacy blacklisting rules (<ulink
|
||||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
|
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
|
||||||
to be converted to entries in the blrules file (<ulink
|
to be converted to entries in the blrules file (<ulink
|
||||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
|
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
|
||||||
blacklist keyword is removed from <ulink
|
blacklist keyword is removed from <ulink
|
||||||
url="shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
|
||||||
url="shorewall6-interfaces.html">shorewall-interfaces</ulink> (5)
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
|
||||||
and <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
|
and <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
|
||||||
The unmodified files are saved with a .bak suffix.</para>
|
The unmodified files are saved with a .bak suffix.</para>
|
||||||
|
|
||||||
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
|
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
|
||||||
@ -1672,7 +1672,7 @@
|
|||||||
warning message to be issued if the line current line contains
|
warning message to be issued if the line current line contains
|
||||||
alternative input specifications following a semicolon (";"). Such
|
alternative input specifications following a semicolon (";"). Such
|
||||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||||
|
|
||||||
<para>For a description of the other options, see the <emphasis
|
<para>For a description of the other options, see the <emphasis
|
||||||
role="bold">check</emphasis> command above.</para>
|
role="bold">check</emphasis> command above.</para>
|
||||||
@ -1712,7 +1712,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||||
|
|
||||||
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
|
Loading…
Reference in New Issue
Block a user