fixed quotes, add CVS Id

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@972 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
mhnoyes 2003-12-26 17:43:14 +00:00
parent caf8e2a63e
commit be5a11b988
4 changed files with 44 additions and 36 deletions

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_and_Aliased_Interfaces"> <article id="Shorewall_and_Aliased_Interfaces">
<!--$Id$-->
<articleinfo> <articleinfo>
<title>Shorewall and Aliased Interfaces</title> <title>Shorewall and Aliased Interfaces</title>
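Review bot: the <!--$Id$--> comment added here (and identically in the other three files of this commit) only expands if the svn:keywords property on each file includes Id; this is a Subversion tree (see the git-svn-id trailer), so the property needs to be set on all four files in the same change or the comment ships as the literal string $Id$. The placement between the <article> start tag and <articleinfo> is fine for DocBook 4.2, which permits comments there.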
@ -30,8 +32,8 @@
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink Texts. A copy of the license is included in the section entitled
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -75,15 +77,15 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
[root@gateway root]# </programlisting> [root@gateway root]# </programlisting>
<para><note><para>One <emphasis role="bold">cannot</emphasis> type <para><note><para>One <emphasis role="bold">cannot</emphasis> type
&#34;ip addr show dev eth0:0&#34; because &#34;eth0:0&#34; is a label <quote>ip addr show dev eth0:0</quote> because <quote>eth0:0</quote> is
for a particular address rather than a device name.</para><programlisting>[root@gateway root]# ip addr show dev eth0:0 a label for a particular address rather than a device name.</para><programlisting>[root@gateway root]# ip addr show dev eth0:0
Device &#34;eth0:0&#34; does not exist. Device &#34;eth0:0&#34; does not exist.
[root@gateway root]#</programlisting></note></para> [root@gateway root]#</programlisting></note></para>
</example> </example>
<para>The iptables program doesn&#39;t support virtual interfaces in <para>The iptables program doesn&#39;t support virtual interfaces in
either it&#39;s &#34;-i&#34; or &#34;-o&#34; command options; as a either it&#39;s <quote>-i</quote> or <quote>-o</quote> command options; as
consequence, Shorewall does not allow them to be used in the a consequence, Shorewall does not allow them to be used in the
/etc/shorewall/interfaces file or anywhere else except as described in the /etc/shorewall/interfaces file or anywhere else except as described in the
discussion below.</para> discussion below.</para>
</section> </section>
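Review bot: "either it&#39;s <quote>-i</quote>" in the iptables sentence should be "its" (possessive), and -i / -o are command-line switches, so <option>-i</option> and <option>-o</option> fit DocBook better than <quote>, which renders as typographic quotation marks a reader may take to be part of the option. Leaving the &#34;eth0:0&#34; entities untouched inside the <programlisting> earlier in this hunk is correct, since that text is literal command output.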
@ -230,7 +232,7 @@ esac</programlisting>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the &#34;label&#34; with Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
(virtual interface) so that you can see the created address using (virtual interface) so that you can see the created address using
ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the
virtual interface name in the INTERFACE column as follows:</para> virtual interface name in the INTERFACE column as follows:</para>
@ -311,7 +313,7 @@ eth0:2 = 206.124.146.180</programlisting>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the &#34;label&#34; Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
(virtual interface) so that you can see the created address using (virtual interface) so that you can see the created address using
ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the
virtual interface name in the INTERFACE column as follows:</para> virtual interface name in the INTERFACE column as follows:</para>
@ -501,7 +503,7 @@ eth0:2 = 206.124.146.180</programlisting>
</table> </table>
<note id="multiple_subnets-ex1-n1"> <note id="multiple_subnets-ex1-n1">
<para> If you are running Shorewall 1.3.10 or earlier then you <para>If you are running Shorewall 1.3.10 or earlier then you
must specify the <emphasis role="bold">multi</emphasis> must specify the <emphasis role="bold">multi</emphasis>
option.</para> option.</para>
</note> </note>
@ -564,8 +566,8 @@ eth0:2 = 206.124.146.180</programlisting>
align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
align="center">OPTIONS</entry></row></thead><tbody><row><entry>-</entry><entry>eth1</entry><entry>192.168.1.255,192.168.20.255</entry><entry><xref align="center">OPTIONS</entry></row></thead><tbody><row><entry>-</entry><entry>eth1</entry><entry>192.168.1.255,192.168.20.255</entry><entry><xref
linkend="multiple_subnets-ex2-n1" /></entry></row></tbody></tgroup></table><note linkend="multiple_subnets-ex2-n1" /></entry></row></tbody></tgroup></table><note
id="multiple_subnets-ex2-n1"><para> If you are running Shorewall id="multiple_subnets-ex2-n1"><para>If you are running Shorewall 1.3.10
1.3.10 or earlier then you must specify the <emphasis role="bold">multi</emphasis> or earlier then you must specify the <emphasis role="bold">multi</emphasis>
option.</para></note></para> option.</para></note></para>
<para>In /etc/shorewall/hosts:<table><title>/etc/shorewall/hosts</title><tgroup <para>In /etc/shorewall/hosts:<table><title>/etc/shorewall/hosts</title><tgroup

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_and_Kazaa"> <article id="Shorewall_and_Kazaa">
<!--$Id$-->
<articleinfo> <articleinfo>
<title>Kazaa Filtering</title> <title>Kazaa Filtering</title>
@ -26,22 +28,22 @@
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink Texts. A copy of the license is included in the section entitled
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to <para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
user-space filter for applications based on the &#34;Fast Track&#34; peer to user-space filter for applications based on the <quote>Fast Track</quote>
peer protocol. Applications using this protocol include Kazaa, KazaaLite, peer to peer protocol. Applications using this protocol include Kazaa,
iMash and Grokster.</para> KazaaLite, iMash and Grokster.</para>
<para>To filter traffic from your &#39;loc&#39; zone with ftwall, you insert <para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
the following rules <emphasis role="bold">near the top</emphasis> of your insert the following rules <emphasis role="bold">near the top</emphasis> of
/etc/shorewall/rules file (before and ACCEPT rules whose source is the your /etc/shorewall/rules file (before and ACCEPT rules whose source is the
&#39;loc&#39; zone).</para> <quote>loc</quote> zone).</para>
<programlisting> QUEUE loc net tcp <programlisting> QUEUE loc net tcp
QUEUE loc net udp QUEUE loc net udp
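Review bot: "before and ACCEPT rules whose source is the <quote>loc</quote> zone" should read "before any ACCEPT rules"; the typo survives this hunk although the sentence is rewrapped. Rule ordering is the point of the paragraph (an ACCEPT rule placed earlier matches first and the traffic never reaches the QUEUE rules, so ftwall never sees it), so it is worth fixing in the same change. "peer to peer protocol" should also be hyphenated as "peer-to-peer protocol".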

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="UserSets"> <article id="UserSets">
<!--$Id$-->
<articleinfo> <articleinfo>
<title>Controlling Output Traffic by UID/GID</title> <title>Controlling Output Traffic by UID/GID</title>
@ -26,8 +28,8 @@
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink Texts. A copy of the license is included in the section entitled
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -42,9 +44,9 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Shorewall allows you to define collections of users called &#34;<link <para>Shorewall allows you to define collections of users called
linkend="UserSet">User Sets</link>&#34; and then to restrict certain <quote><link linkend="UserSet">User Sets</link></quote> and then to
rules in /etc/shorewall/rules to a given User Set.</para> restrict certain rules in /etc/shorewall/rules to a given User Set.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -105,7 +107,7 @@
<para>In the REJECT and ACCEPT columns, if you don&#39;t want to specify a <para>In the REJECT and ACCEPT columns, if you don&#39;t want to specify a
value in the column but you want to specify a value in a following column, value in the column but you want to specify a value in a following column,
you may enter &#34;-&#34;.</para> you may enter <quote>-</quote>.</para>
<para>Users and/or groups are added to User Sets using the <para>Users and/or groups are added to User Sets using the
/etc/shorewall/users file. Columns in that file are:</para> /etc/shorewall/users file. Columns in that file are:</para>
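Review bot: <quote>-</quote> for the placeholder column value renders as a quoted hyphen, which can be misread as including the quotation marks; since it is literal text the user types into the file, <literal>-</literal> is the DocBook element for it. The same applies to the <quote>:</quote> used for the USER SET column entry later in this file.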
@ -137,7 +139,7 @@
</variablelist> </variablelist>
<para>Only one of the USER and GROUP column needs to be non-empty. If you <para>Only one of the USER and GROUP column needs to be non-empty. If you
wish to specify a GROUP but not a USER, enter &#34;-&#34; in the user wish to specify a GROUP but not a USER, enter <quote>-</quote> in the user
column.</para> column.</para>
<para>If both USER and GROUP are specified then only programs running <para>If both USER and GROUP are specified then only programs running
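Review bot: "Only one of the USER and GROUP column needs to be non-empty" should be "columns"; the sentence is already touched by this hunk, so correct the number while it is being edited.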
@ -151,14 +153,14 @@
<para>When the name of a user set is given in the USER SET column, you <para>When the name of a user set is given in the USER SET column, you
may not include a log level in the ACTION column; logging of such rules may not include a log level in the ACTION column; logging of such rules
is governed solely by the user set&#39;s definition in the is governed solely by the user set&#39;s definition in the
/etc/shorewall/userset file. </para> /etc/shorewall/userset file.</para>
</important> </important>
<example> <example>
<title>You want members of the &#39;admin&#39; group and &#39;root&#39; <title>You want members of the <quote>admin</quote> group and
to be able to use ssh on the firewall to connect to local systems. You <quote>root</quote> to be able to use ssh on the firewall to connect to
want to log all connections accepted for these users using syslog at the local systems. You want to log all connections accepted for these users
&#39;info&#39; level.</title> using syslog at the <quote>info</quote> level.</title>
<para>/etc/shorewall/usersets</para> <para>/etc/shorewall/usersets</para>
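Review bot: this hunk refers to "/etc/shorewall/userset" in the <important> block and to "/etc/shorewall/usersets" in the example heading a few lines later; one of the two is wrong. Use the name of the file Shorewall actually reads in both places, since the text tells the reader this file alone governs logging for user-set rules and a reader following the wrong name will create a file that has no effect.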
@ -189,14 +191,14 @@ ACCEPT $FW loc tcp 22 - - -
<programlisting>[ &#60;<emphasis>user name or number</emphasis>&#62; ] : [ &#60;<emphasis>group name or number</emphasis>&#62; ]</programlisting> <programlisting>[ &#60;<emphasis>user name or number</emphasis>&#62; ] : [ &#60;<emphasis>group name or number</emphasis>&#62; ]</programlisting>
<para>When a user and/or group name is given in the USER SET column, it is <para>When a user and/or group name is given in the USER SET column, it is
OK to specify a log level in the ACTION column. </para> OK to specify a log level in the ACTION column.</para>
<example> <example>
<title>You want user <emphasis role="bold">mail</emphasis> to be able to <title>You want user <emphasis role="bold">mail</emphasis> to be able to
send email from the firewall to the local net zone</title> send email from the firewall to the local net zone</title>
<para>/etc/shorewall/rules (be sure to note the &#34;:&#34; in the USER <para>/etc/shorewall/rules (be sure to note the <quote>:</quote> in the
SET column entry).</para> USER SET column entry).</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER <programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
# PORT(S) DESTINATION SET # PORT(S) DESTINATION SET

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="VPN"> <article id="VPN">
<!--$Id$-->
<articleinfo> <articleinfo>
<title>VPN</title> <title>VPN</title>
@ -49,7 +51,7 @@
<para>If PPTP is being used, there are no firewall requirements beyond the <para>If PPTP is being used, there are no firewall requirements beyond the
default loc-&#62;net ACCEPT policy. There is one restriction however: Only default loc-&#62;net ACCEPT policy. There is one restriction however: Only
one local system at a time can be connected to a single remote gateway one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the &#39;Patch-o-matic&#39; patches unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para> available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
<para>If IPSEC is being used then only one system may connect to the <para>If IPSEC is being used then only one system may connect to the