diff --git a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml index 58958338f..32f249360 100644 --- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml +++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.xml @@ -2,6 +2,8 @@
+ + Shorewall and Aliased Interfaces @@ -30,8 +32,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -75,15 +77,15 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55 [root@gateway root]# One cannot type - "ip addr show dev eth0:0" because "eth0:0" is a label - for a particular address rather than a device name.[root@gateway root]# ip addr show dev eth0:0 + ip addr show dev eth0:0 because eth0:0 is + a label for a particular address rather than a device name.[root@gateway root]# ip addr show dev eth0:0 Device "eth0:0" does not exist. [root@gateway root]# The iptables program doesn't support virtual interfaces in - either it's "-i" or "-o" command options; as a - consequence, Shorewall does not allow them to be used in the + either it's -i or -o command options; as + a consequence, Shorewall does not allow them to be used in the /etc/shorewall/interfaces file or anywhere else except as described in the discussion below. @@ -230,7 +232,7 @@ esac Shorewall can create the alias (additional address) for you if you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning - with Shorewall 1.3.14, Shorewall can actually create the "label" + with Shorewall 1.3.14, Shorewall can actually create the label (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows: 
@@ -311,7 +313,7 @@ eth0:2 = 206.124.146.180 Shorewall can create the alias (additional address) for you if you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with - Shorewall 1.3.14, Shorewall can actually create the "label" + Shorewall 1.3.14, Shorewall can actually create the label (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows: @@ -501,7 +503,7 @@ eth0:2 = 206.124.146.180 - If you are running Shorewall 1.3.10 or earlier then you + If you are running Shorewall 1.3.10 or earlier then you must specify the multi option. @@ -564,8 +566,8 @@ eth0:2 = 206.124.146.180 align="center">INTERFACEBROADCASTOPTIONS-eth1192.168.1.255,192.168.20.255 If you are running Shorewall - 1.3.10 or earlier then you must specify the multi + id="multiple_subnets-ex2-n1">If you are running Shorewall 1.3.10 + or earlier then you must specify the multi option. In /etc/shorewall/hosts:/etc/shorewall/hosts
+ + Kazaa Filtering @@ -26,22 +28,22 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. Beginning with Shorewall version 1.4.8, Shorewall can interface to ftwall. ftwall is part of the p2pwall project and is a - user-space filter for applications based on the "Fast Track" peer to - peer protocol. Applications using this protocol include Kazaa, KazaaLite, - iMash and Grokster. + user-space filter for applications based on the Fast Track + peer to peer protocol. Applications using this protocol include Kazaa, + KazaaLite, iMash and Grokster. - To filter traffic from your 'loc' zone with ftwall, you insert - the following rules near the top of your - /etc/shorewall/rules file (before and ACCEPT rules whose source is the - 'loc' zone). + To filter traffic from your loc zone with ftwall, you + insert the following rules near the top of + your /etc/shorewall/rules file (before and ACCEPT rules whose source is the + loc zone). QUEUE loc net tcp QUEUE loc net udp diff --git a/Shorewall-docs/UserSets.xml b/Shorewall-docs/UserSets.xml index b4ba9266d..efbd186cd 100644 --- a/Shorewall-docs/UserSets.xml +++ b/Shorewall-docs/UserSets.xml @@ -2,6 +2,8 @@
+ + Controlling Output Traffic by UID/GID @@ -26,8 +28,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -42,9 +44,9 @@ - Shorewall allows you to define collections of users called "User Sets" and then to restrict certain - rules in /etc/shorewall/rules to a given User Set. + Shorewall allows you to define collections of users called + User Sets and then to + restrict certain rules in /etc/shorewall/rules to a given User Set. @@ -105,7 +107,7 @@ In the REJECT and ACCEPT columns, if you don't want to specify a value in the column but you want to specify a value in a following column, - you may enter "-". + you may enter -. Users and/or groups are added to User Sets using the /etc/shorewall/users file. Columns in that file are: @@ -137,7 +139,7 @@ Only one of the USER and GROUP column needs to be non-empty. If you - wish to specify a GROUP but not a USER, enter "-" in the user + wish to specify a GROUP but not a USER, enter - in the user column. If both USER and GROUP are specified then only programs running 
@@ -151,14 +153,14 @@ When the name of a user set is given in the USER SET column, you may not include a log level in the ACTION column; logging of such rules is governed solely by the user set's definition in the - /etc/shorewall/userset file. + /etc/shorewall/userset file. - You want members of the 'admin' group and 'root' - to be able to use ssh on the firewall to connect to local systems. You - want to log all connections accepted for these users using syslog at the - 'info' level. + You want members of the <quote>admin</quote> group and + <quote>root</quote> to be able to use ssh on the firewall to connect to + local systems. You want to log all connections accepted for these users + using syslog at the <quote>info</quote> level. /etc/shorewall/usersets @@ -189,14 +191,14 @@ ACCEPT $FW loc tcp 22 - - - [ <user name or number> ] : [ <group name or number> ] When a user and/or group name is given in the USER SET column, it is - OK to specify a log level in the ACTION column. + OK to specify a log level in the ACTION column. You want user <emphasis role="bold">mail</emphasis> to be able to send email from the firewall to the local net zone - /etc/shorewall/rules (be sure to note the ":" in the USER - SET column entry). + /etc/shorewall/rules (be sure to note the : in the + USER SET column entry). #ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER # PORT(S) DESTINATION SET diff --git a/Shorewall-docs/VPN.xml b/Shorewall-docs/VPN.xml index 3eea61062..7e79936e0 100644 --- a/Shorewall-docs/VPN.xml +++ b/Shorewall-docs/VPN.xml @@ -2,6 +2,8 @@
+ + VPN @@ -49,7 +51,7 @@ If PPTP is being used, there are no firewall requirements beyond the default loc->net ACCEPT policy. There is one restriction however: Only one local system at a time can be connected to a single remote gateway - unless you patch your kernel from the 'Patch-o-matic' patches + unless you patch your kernel from the Patch-o-matic patches available at http://www.netfilter.org. If IPSEC is being used then only one system may connect to the
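Review bot: In the Shorewall_and_Aliased_Interfaces.xml hunk at @@ -75,15 +77,15 @@, the rewrapped sentence carries the typo "either it's -i or -o command options" through unchanged; since the line is being rewritten anyway, correct "it's" to the possessive "its" in the same change.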
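Review bot: The license-notice hunks (Shorewall_and_Aliased_Interfaces.xml @@ -30,8 +32,8 @@, and the matching hunks in the Kazaa Filtering and UserSets.xml files) drop the quotation marks around the section title and leave it as bare running text: `+ Texts. A copy of the license is included in the section entitled` / `+ GNU Free Documentation License.` If the title is being wrapped in a `<quote>` element, as the UserSets.xml @@ -151 hunk does with `<quote>admin</quote>`, that is fine; if not, the title is no longer set off from the sentence and should be.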
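Review bot: In the UserSets.xml hunks at @@ -105,7 +107,7 @@, @@ -137,7 +139,7 @@ and @@ -189,14 +191,14 @@, removing the quotes around a single punctuation character leaves `you may enter -.`, `enter - in the user` and `be sure to note the : in the`, where the lone "-" or ":" reads as stray punctuation rather than as the literal value the reader is meant to type; wrap those characters in `<literal>` or `<quote>` markup so the rendered text still shows what to enter.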
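Review bot: In the UserSets.xml hunk at @@ -151,14 +153,14 @@, the edited sentence names the `/etc/shorewall/userset file` while the example heading immediately below it reads `/etc/shorewall/usersets`; one of the two filenames is wrong, and since this line is being touched the inconsistency should be resolved here.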
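Review bot: In the Kazaa Filtering hunk at @@ -26,22 +28,22 @@, the rewrapped parenthetical still reads "(before and ACCEPT rules whose source is the loc zone)"; "and" should be "any". The same hunk also strips the quotes from the zone name so that `loc` appears as an ordinary word; mark it up (for example with `<quote>` or `<literal>`) so it is recognisable as the zone name from /etc/shorewall/zones.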