Add a new FAQ; remove 'Added in' from rules manpage

This commit is contained in:
Tom Eastep 2009-06-02 08:21:52 -07:00
parent a953c1af46
commit b82dad8843
2 changed files with 34 additions and 17 deletions


@ -20,7 +20,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2008</year> <year>2001-2009</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -498,6 +498,24 @@ REDIRECT net 22 tcp 9022</programlisting>
you use a REDIRECT rule.</para> you use a REDIRECT rule.</para>
</section> </section>
<section id="faq8">
<title>(FAQ 8) I have several external IP addresses and use
/etc/shorewall/nat to associate them with systems in my DMZ. When I add
a DNAT rule, say for ports 80 and 443, Shorewall redirects connections
on those ports for all of my addresses. How can I restrict DNAT to only
a single address?</title>
<para><emphasis role="bold">Answer</emphasis>: Specify the external
address that you want to redirect in the ORIGINAL DEST column.</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT net net:192.168.4.22 tcp 80,443 - <emphasis
role="bold">206.124.146.178</emphasis></programlisting>
</section>
<section id="faq38"> <section id="faq38">
<title>(FAQ 38) Where can I find more information about DNAT?</title> <title>(FAQ 38) Where can I find more information about DNAT?</title>
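Review bot: The DEST column in the new FAQ 8 example reads net:192.168.4.22, but the question describes the target as a system in the DMZ; unless that host really lives in the net zone, the line should be `DNAT net dmz:192.168.4.22 tcp 80,443 - 206.124.146.178`, otherwise readers will copy a rule whose destination zone does not match the layout the question describes. The answer would also be clearer if it spelled out the failure it is fixing: with ORIGINAL DEST left empty, the DNAT matches port 80 and 443 traffic arriving on every external address, so a service intended for one public IP becomes reachable through all of them.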


@ -1071,18 +1071,17 @@
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term> role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number <para>May be used to limit the number of simultaneous connections
of simultaneous connections from each individual host to from each individual host to <replaceable>limit</replaceable>
<replaceable>limit</replaceable> connections. Requires connlimit connections. Requires connlimit match in your kernel and iptables.
match in your kernel and iptables. While the limit is only checked While the limit is only checked on rules specifying CONNLIMIT, the
on rules specifying CONNLIMIT, the number of current connections is number of current connections is calculated over all current
calculated over all current connections from the SOURCE host. By connections from the SOURCE host. By default, the limit is applied
default, the limit is applied to each host but can be made to apply to each host but can be made to apply to networks of hosts by
to networks of hosts by specifying a specifying a <replaceable>mask</replaceable>. The
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable> <replaceable>mask</replaceable> specifies the width of a VLSM mask
specifies the width of a VLSM mask to be applied to the source to be applied to the source address; the number of current
address; the number of current connections is then taken over all connections is then taken over all hosts in the subnet
hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>. <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When<option> !</option> is specified, the rule matches when the When<option> !</option> is specified, the rule matches when the
number of connection exceeds the number of connection exceeds the
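Review bot: Dropping "Added in Shorewall-perl 4.2.1." removes the only version cue in the CONNLIMIT paragraph; if the manpage now documents only current releases that is acceptable, but a reader on an older release then has no hint that CONNLIMIT is unsupported there, so the minimum version should survive somewhere (release notes or a compatibility note). While this paragraph is being rewritten, the trailing context line "number of connection exceeds" should read "number of connections exceeds", and one example of the mask form consistent with the term syntax [!]limit[:mask], such as 4:24 to count connections per /24 rather than per host, would make the VLSM sentence concrete.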
@ -1095,10 +1094,10 @@
<emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term> <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the rule <para>May be used to limit the rule to a particular time period each
to a particular time period each day, to particular days of the week day, to particular days of the week or month, or to a range defined
or month, or to a range defined by dates and times. Requires time by dates and times. Requires time match support in your kernel and
match support in your kernel and iptables.</para> iptables.</para>
<para><replaceable>timeelement</replaceable> may be:</para> <para><replaceable>timeelement</replaceable> may be:</para>
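Review bot: The term on the context line spells the repeated element "timelement" while the paragraph and the following line use "timeelement"; since this hunk already rewrites the paragraph, the term should be corrected to [,timeelement...] in the same change. Removing "Added in Shorewall-perl 4.2.1." here has the same effect as in the CONNLIMIT entry: users on an older release lose the only indication that the time match option is unavailable to them, so a version note elsewhere in the manpage is worth keeping.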