diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml
index de44d7869..9b9e4c1af 100644
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -106,19 +106,13 @@
Note to Debian Users
If you install using the .deb, you will find that your /etc/shorewall directory is empty. This
- is intentional. The released configuration file skeletons may be found
- on your system in the directory /usr/share/doc/shorewall-common/default-config.
+ class="directory">/etc/shorewall directory is almost empty.
+ This is intentional. The released configuration file skeletons may be
+ found on your system in the directory /usr/share/doc/shorewall/default-config.
Simply copy the files you need from that directory to /etc/shorewall and modify the
copies.
-
- Note that you must copy /usr/share/doc/shorewall-common/default-config/shorewall.conf
- and /usr/share/doc/shorewall-common/default-config/modules to
- /etc/shorewall even if you do
- not modify those files.
As each file is introduced, I suggest that you look through the
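Review bot: removing the paragraph that said shorewall.conf and modules must be copied to /etc/shorewall even when unmodified leaves the reader with "almost empty" and no statement of which files are now present or why; either say which files ship in /etc/shorewall in the replacement sentence, or keep the copy instruction with the new /usr/share/doc/shorewall/default-config path. Also, the added line beginning `class="directory">/etc/shorewall directory is almost empty.` looks like the `<filename` element is split across this line and the unchanged line above it, which already reads "/etc/shorewall directory is empty. This"; check the rendered paragraph does not end up saying both "is empty" and "is almost empty".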
@@ -269,8 +263,7 @@ dmz ipv4
/etc/shorewall/policy file had the following
policies:
- #SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
-# LEVEL
+ #SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
@@ -416,10 +409,11 @@ all all REJECT info
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
file, that file would might contain:
- #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect
-loc eth1 detect
-dmz eth2 detect
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+net eth0
+loc eth1
+dmz eth2
Note that the $FW zone has no entry
in the /etc/shorewall/interfaces file.
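Review bot: the `?FORMAT 2` directive appears here for the first time without any explanation of what it changes (the BROADCAST column disappears from the entries below), so a sentence introducing the directive belongs before this first example. While in this hunk, the unchanged context line "that file would might contain:" has a stray word; keep either "would" or "might".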
@@ -435,10 +429,11 @@ dmz eth2 detect
Multiple Interfaces to a Zone
- #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect
-loc eth1 detect
-loc eth2 detect
+ ?FORMAT 2
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0
+loc eth1
+loc eth2
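Review bot: the new header `#ZONE INTERFACE BROADCAST OPTIONS` still lists a BROADCAST column, but this block is now `?FORMAT 2` and the entries below it have no broadcast field, so it disagrees with the previous interfaces example (`#ZONE INTERFACE OPTIONS`); drop BROADCAST here too, otherwise a reader copying this header expects a third column that FORMAT 2 does not have.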
@@ -1409,8 +1404,7 @@ eth0 192.168.201.0/29 192.0.2.176
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT(S) PORT(S) DEST
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.201.4 tcp www
If one of your daughter's friends at address
url="ProxyARP.htm">/etc/shorewall/proxyarp
file.
- #ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
+ #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No
@@ -1608,7 +1602,7 @@ eth0 192.168.201.0/29 192.0.2.176
You would do that by adding an entry in /etc/shorewall/nat.
- #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
+ #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
192.0.2.179 eth0 192.168.201.4 No No
With this entry in place, you daughter has her own IP address
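Review bot: the unchanged context line "With this entry in place, you daughter has her own IP address" should read "your daughter"; worth fixing while the nat example in this paragraph is being edited.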
@@ -1622,8 +1616,7 @@ eth0 192.168.201.0/29 192.0.2.176
to use a DNAT rule for you daughter's web server -- you would rather
just use an ACCEPT rule:
- #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT(S) PORT(S) DEST
+ #ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST
ACCEPT net loc:192.168.201.4 tcp www
A word of warning is in order here. ISPs typically configure
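Review bot: the new header `#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST` uses DEST twice; the fifth column is the destination port and should be DPORT, matching the earlier rules hunk (`#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST`). The context line above ("for you daughter's web server") also needs "your".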
@@ -1725,8 +1718,7 @@ ACCEPT net loc:192.168.201.4 tcp www
You probably want to allow ping between your zones:
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request
@@ -1735,8 +1727,7 @@ ACCEPT loc dmz icmp echo-request
Let's suppose that you run mail and pop3 servers on DMZ 2 and a
Web Server on DMZ 1. The rules that you would need are:
- #ACTION SOURCE DEST PROTO DEST COMMENTS
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
#Internet
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
@@ -1760,8 +1751,7 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
If you run a public DNS server on 192.0.2.177, you would need to
add the following rules:
- #ACTION SOURCE DEST PROTO DEST COMMENTS
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
#Internet
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
@@ -1784,8 +1774,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
scp utility can also do publishing and software update
distribution.
- #ACTION SOURCE DEST PROTO DEST COMMENTS
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net $FW tcp ssh #SSH to the
#Firewall
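Review bot: the hunk-header context line `#TCPP DNS to`, from the DNS rules block just above this hunk, has a doubled P; since that block's column header was already changed in the previous hunk, fix the comment at the same time.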
@@ -1816,22 +1805,11 @@ ACCEPT net $FW tcp ssh #SSH to the
/etc/shorewall/interfaces (The
options
will be very site-specific).
- #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect routefilter
-loc eth1 detect
-dmz eth2 detect
-
- The setup described here requires that your network interfaces be
- brought up before Shorewall can start. This opens a short window during
- which you have no firewall protection. If you replace
- detect
with the actual broadcast addresses in the entries
- above, you can bring up Shorewall before you bring up your network
- interfaces.
-
- #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 192.0.2.255
-loc eth1 192.168.201.7
-dmz eth2 192.168.202.7
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+net eth0 routefilter
+loc eth1
+dmz eth2
/etc/shorewall/masq - Local Subnet
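Review bot: the line "with the actual broadcast addresses in the entries" is shown as unchanged context while every other line of that paragraph is removed, so after this patch it survives as a dangling fragment between "(The options will be very site-specific)." and `?FORMAT 2`, and in the XML source it is left outside any paragraph that still reads sensibly; it should be removed with the rest. Separately, the deleted paragraph carried the statement that this setup requires the interfaces to be up before Shorewall can start, leaving a short window with no firewall protection; with FORMAT 2 the explicit-broadcast workaround no longer applies, but the startup-window caveat itself is still worth a sentence here, or a pointer to wherever it is now covered.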
@@ -1851,8 +1829,7 @@ eth0 192.168.201.0/29 192.0.2.176
/etc/shorewall/rules
- #ACTION SOURCE DEST PROTO DEST COMMENTS
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request