Yet more man pages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4891 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

manpages/shorewall-accounting.xml

@@ -0,0 +1,244 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-accounting</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>accounting</refname>
+
+    <refpurpose>Shorewall Accounting file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/accounting</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Accounting rules exist simply to count packets and bytes in
+    categories that you define in this file. You may display these rules and
+    their packet and byte counters using the <command>shorewall show
+    accounting</command> command. </para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis></term>
+
+        <listitem>
+          <para>What to do when a matching packet is found.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">COUNT</emphasis></term>
+
+              <listitem>
+                <para>Simply count the match and continue with the next
+                rule</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DONE</emphasis></term>
+
+              <listitem>
+                <para>Count the match and don't attempt to match any other
+                accounting rules in the chain specified in the <emphasis
+                role="bold">CHAIN</emphasis> column.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>chain</emphasis>:<emphasis
+              role="bold">COUNT</emphasis></term>
+
+              <listitem>
+                <para>Where <emphasis>chain</emphasis> is the name of a chain.
+                Shorewall will create the chain automatically if it doesn't
+                already exist. Causes a jump to that chain. If <emphasis
+                role="bold">:COUNT</emphasis> is included, a counting rule
+                matching this record will be added to
+                <emphasis>chain</emphasis></para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">CHAIN</emphasis></term>
+
+        <listitem>
+          <para>The name of a chain. If specified as <emphasis
+          role="bold">-</emphasis> the <emphasis
+          role="bold">accounting</emphasis> chain is assumed. This is the
+          chain where the accounting rule is added. The chain will be created
+          if it doesn't already exist.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis></term>
+
+        <listitem>
+          <para>Packet Source.</para>
+
+          <para>The name of an interface, an address (host or net) or an
+          interface name followed by ":" and a host or net address.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DESTINATION</emphasis></term>
+
+        <listitem>
+          <para>Packet Destination.</para>
+
+          <para>Format same as <emphasis role="bold">SOURCE</emphasis>
+          column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTOCOL</emphasis></term>
+
+        <listitem>
+          <para>A protocol name (from protocols(5)), a protocol number,
+          <emphasis role="bold">ipp2p</emphasis>, <emphasis
+          role="bold">ipp2p:udp</emphasis> or <emphasis
+          role="bold">ipp2p:all</emphasis></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S)</emphasis></term>
+
+        <listitem>
+          <para>Destination Port number. If the PROTOCOL is <emphasis
+          role="bold">ipp2p</emphasis> then this column must contain an ipp2p
+          option ("iptables -m ipp2p --help") without the leading "--". If no
+          option is given in this column, "ipp2p" is assumed.</para>
+
+          <para>Service name from services(5) or <emphasis>port
+          number</emphasis>. May only be specified if the protocol is
+          <emphasis role="bold">tcp</emphasis> or <emphasis
+          role="bold">udp</emphasis> (6 or 17).</para>
+
+          <para>You may place a comma-separated list of port numbers in this
+          column if your kernel and iptables include multiport match
+          support.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis></term>
+
+        <listitem>
+          <para>Source Port Service name from services(5) or <emphasis>port
+          number</emphasis>. May only be specified if the protocol is TCP or
+          UDP (6 or 17).</para>
+
+          <para>You may place a comma-separated list of port numbers in this
+          column if your kernel and iptables include multiport match
+          support.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER/GROUP</emphasis></term>
+
+        <listitem>
+          <para>This column may only be non-empty if the <emphasis
+          role="bold">SOURCE</emphasis> is the firewall itself.</para>
+
+          <para>The column may contain:</para>
+
+          <para>[!][<emphasis>user name or number</emphasis>][:<emphasis>group
+          name or number</emphasis>][+<emphasis>program
+          name</emphasis>]</para>
+
+          <para>When this column is non-empty, the rule applies only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>In all of the above columns except <emphasis
+    role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>,
+    the values <emphasis role="bold">-</emphasis>, <emphasis
+    role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
+    used as wildcards. Omitted trailing columns are also treated as
+    wildcards.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/accounting</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-actions.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-actions</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>actions</refname>
+
+    <refpurpose>Shorewall action declaration file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/actions</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file allows you to define new ACTIONS for use in rules (see
+    shorewall-rules(5)). You define the iptables rules to be performed in an
+    ACTION in /etc/shorewall/action.<emphasis>action-name</emphasis>. </para>
+
+    <para>ACTION names should begin with an upper-case letter to distinguish
+    them from Shorewall-generated chain names and they must meet the
+    requirements of a Netfilter chain. If you intend to log from the action
+    then the name must be no longer than 11 character in length. Names must
+    also meet the requirements for a Bourne Shell identifier (must begin with
+    a letter and be composed of letters, digits and underscore
+    characters).</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/actions</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-blacklist.xml

@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-blacklist</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>blacklist</refname>
+
+    <refpurpose>Shorewall Blacklist file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/blacklist</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The blacklist file is used to perform static blacklisting. You can
+    blacklist by source address (IP or MAC), or by application. </para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis></term>
+
+        <listitem>
+          <para>Host address, network address, MAC address, IP address range
+          (if your kernel and iptables contain iprange match support) or ipset
+          name prefaced by "+" (i your kernel supports ipset match).</para>
+
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>
+
+          <para>Example: ~00-A0-C9-15-39-78</para>
+
+          <para>A dash ("-") in this column means that any source address will
+          match. This is useful if you want to blacklist a particular
+          application.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>If specified, must be a protocol number or a protocol name
+          from protocols(5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PORTS</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>May only be specified if the protocol is TCP (6) or UDP (17).
+          A comma-separated list of destination port numbers or service names
+          from services(5).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>When a packet arrives on an interface that has the <emphasis
+    role="bold">blacklist</emphasis> option specified in
+    shorewall-interfaces(5), its source IP address and MAC address is checked
+    against this file and disposed of according to the <emphasis
+    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
+    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in shorewall.conf(5).
+    If <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
+    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
+    are supplied, only packets matching the protocol (and one of the ports if
+    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>To block DNS queries from address 192.0.2.126:</para>
+
+          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
+        192.0.2.126             udp             53</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>To block some of the nuisance applicataion:</para>
+
+          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
+        -                       udp             1024:1033,1434
+        -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/blacklist</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-template.xml

@@ -1,62 +1,128 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <refentry>
   <refmeta>
-    <refentrytitle>shorewall-</refentrytitle>
+    <refentrytitle>shorewall-blacklist</refentrytitle>
 
     <manvolnum>5</manvolnum>
   </refmeta>
 
   <refnamediv>
-    <refname>file</refname>
+    <refname>blacklist</refname>
 
-    <refpurpose>Shorewall file</refpurpose>
+    <refpurpose>Shorewall Blacklist file</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/shorewall/</command>
+      <command>/etc/shorewall/blacklist</command>
     </cmdsynopsis>
   </refsynopsisdiv>
 
   <refsect1>
     <title>Description</title>
 
+    <para>The blacklist file is used to perform static blacklisting. You can
+    blacklist by source address (IP or MAC), or by application. </para>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>
       <varlistentry>
-        <term>COLUMN 1</term>
+        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis></term>
 
         <listitem>
-          <para></para>
+          <para>Host address, network address, MAC address, IP address range
+          (if your kernel and iptables contain iprange match support) or ipset
+          name prefaced by "+" (i your kernel supports ipset match).</para>
+
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>
+
+          <para>Example: ~00-A0-C9-15-39-78</para>
+
+          <para>A dash ("-") in this column means that any source address will
+          match. This is useful if you want to blacklist a particular
+          application.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>If specified, must be a protocol number or a protocol name
+          from protocols(5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PORTS</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>May only be specified if the protocol is TCP (6) or UDP (17).
+          A comma-separated list of destination port numbers or service names
+          from services(5).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>When a packet arrives on an interface that has the <emphasis
+    role="bold">blacklist</emphasis> option specified in
+    shorewall-interfaces(5), its source IP address and MAC address is checked
+    against this file and disposed of according to the <emphasis
+    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
+    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in shorewall.conf(5).
+    If <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
+    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
+    are supplied, only packets matching the protocol (and one of the ports if
+    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>To block DNS queries from address 192.0.2.126:</para>
+
+          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
+        192.0.2.126             udp             53</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>To block some of the nuisance applicataion:</para>
+
+          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
+        -                       udp             1024:1033,1434
+        -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
         </listitem>
       </varlistentry>
     </variablelist>
   </refsect1>
 
-  <refsect1>
-    <title>Example</title>
-
-    <para></para>
-  </refsect1>
-
   <refsect1>
     <title>FILES</title>
 
-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall/blacklist</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
-    shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
-    shorewall-zones(5)</para>
   </refsect1>
 </refentry>