Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@491 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-05-31 15:05:39 +02:00 · 2003-03-09 01:33:17 +00:00 · 2003-03-09 01:33:17 +00:00 · cd8109c133
commit cd8109c133
parent 23bb0e6474
7 changed files with 629 additions and 502 deletions
--- a/STABLE/documentation/Forum.html
+++ b/STABLE/documentation/Forum.html
@ -0,0 +1,42 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Support Forum</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
      <h1 align="center"><font color="#ffffff">Support Forum</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
 <h3><font color="#ff6633"></font></h3>
 <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please 
 read the <a href="support.htm">Shorewall Support  Guide</a>.</h1>
 <p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support 
 Forum</a><br>
 </p>
 <p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2003 Thomas M. Eastep.</font></a></p>
  <br>
 </body>
 </html>
--- a/STABLE/documentation/SeattleInTheSpring.html
+++ b/STABLE/documentation/SeattleInTheSpring.html
@ -0,0 +1,52 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Springtime in Seattle!!!</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
      <h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <h3><font color="#ff6633"></font></h3>
 <img src="images/P1000048.jpg" alt="" width="640" height="480">
 <br>
 <br>
 <b>March 6, 2003 - Nice day for a walk....</b><br>
 <br>
 <img src="images/P1000050.jpg" alt="" width="640" height="480">
 <br>
 <br>
 <br>
 <img src="images/P1000049.jpg" alt="" width="480" height="640">
 <p><b>The view from my office window -- think I'll go out and enjoy the deck
 (Yes -- that is snow on the deck...)</b>.<br>
 </p>
 <p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a> 
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
   <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -50,24 +50,24 @@
                           <li>                                         
-    <p align="left">          <b>If you are installing Shorewall for the
+    <p align="left">          <b>If you are installing Shorewall for the first
-first time and plan to use the        .tgz and install.sh script, you can
+time and plan to use the        .tgz and install.sh script, you can untar
-untar the archive, replace the        'firewall' script in the untarred directory
+the archive, replace the        'firewall' script in the untarred directory 
           with the one you downloaded        below, and then run install.sh.</b></p>
                                        </li>
                           <li>                                         
    <p align="left">          <b>If you are running a Shorewall version earlier 
-    than 1.3.11, when the instructions say to install a corrected       
+    than 1.3.11, when the instructions say to install a corrected        firewall
-firewall     script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
+    script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
      or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to 
 overwrite        the        existing file. DO  NOT REMOVE OR RENAME THE OLD 
 /etc/shorewall/firewall               or /var/lib/shorewall/firewall  before 
 you do that. /etc/shorewall/firewall               and /var/lib/shorewall/firewall 
- are symbolic links that point           to the 'shorewall' file used by
+ are symbolic links that point           to the 'shorewall' file used by your
-your  system initialization scripts     to         start Shorewall during
+ system initialization scripts     to         start Shorewall during boot.
-boot. It is  that file that must be overwritten              with the corrected
+It is  that file that must be overwritten              with the corrected 
 script. Beginning with Shorewall 1.3.11, you may rename the existing file 
 before copying in the new file.</b></p>
                   </li>
@ -94,8 +94,8 @@ before copying in the new file.</b></p>
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3
     on RH7.2</a></font></b></li>
                           <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
-RedHat iptables</a></b></li>
+iptables</a></b></li>
                           <li><b><a href="#SuSE">Problems installing/upgrading 
   RPM   on  SuSE</a></b></li>
                           <li><b><a href="#Multiport">Problems with iptables 
@ -115,22 +115,24 @@ RedHat iptables</a></b></li>
 <ul>
      <li>There is an <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
- rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
+  rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
 223.0.0.0/8.</li>
 </ul>
 <ul>
      <li>The documentation for the routestopped file claimed that a comma-separated
- list could appear in the second column while the code only supported a single 
+  list could appear in the second column while the code only supported a
- host or network address.</li>
+single   host or network address.</li>
     <li>Log messages produced by 'logunclean' and 'dropunclean' were not 
 rate-limited.</li>
-  <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't support
+   <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
-the 'maclist' interface option.<br>
+support the 'maclist' interface option.</li>
  <li>Log messages generated by RFC 1918 filtering are not rate limited.<br>
  </li>
 </ul>
-  These three problems have been corrected in <a
+   These four problems have been corrected in <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
  firewall script</a> which may be installed in /usr/lib/shorewall as described
  above.<br>
@ -141,8 +143,8 @@ the 'maclist' interface option.<br>
          <li>The 'shorewall add' command produces an error message referring 
  to  'find_interfaces_by_maclist'.</li>
         <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
-      <li>The 'shorewall add' command can fail with "iptables: Index of insertion
+       <li>The 'shorewall add' command can fail with "iptables: Index of
-  too big".<br>
+insertion   too big".<br>
       </li>
 </ul>
@ -153,8 +155,8 @@ the 'maclist' interface option.<br>
 <ul>
        <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
-eth0.1)   are not supported in this version or in 1.3.12. If you need such 
+ eth0.1)   are not supported in this version or in 1.3.12. If you need such
-support,   post on the users list and I can provide you with a patched version.<br>
+ support,   post on the users list and I can provide you with a patched version.<br>
        </li>
 </ul>
@ -169,8 +171,8 @@ support,   post on the users list and I can provide you with a patched version.<
    firewall script</a> which may be installed in /usr/lib/shorewall as described 
    above.</li>
        <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
-eth0.1)   are not supported in this version or in 1.3.13. If you need such 
+ eth0.1)   are not supported in this version or in 1.3.13. If you need such
-support,   post on the users list and I can provide you with a patched version.<br>
+ support,   post on the users list and I can provide you with a patched version.<br>
         </li>
 </ul>
@ -179,8 +181,8 @@ support,   post on the users list and I can provide you with a patched version.<
 <ul>
            <li>The .lrp was missing the /etc/shorewall/routestopped file 
--  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects
+--  a  new   lrp (shorwall-1.3.12a.lrp) has been released which corrects this
-this  problem.<br>
+ problem.<br>
            </li>
 </ul>
@ -209,8 +211,8 @@ this  problem.<br>
   the   .rpm  from shorewall.net or mirrors should no longer see these warnings 
   as  the .rpm you will get from there has been corrected.</li>
               <li>DNAT rules that exclude a source subzone (SOURCE column
-contains     !  followed by a sub-zone list) result in an error message and 
+ contains     !  followed by a sub-zone list) result in an error message
-Shorewall    fails  to start.<br>
+and  Shorewall    fails  to start.<br>
                 <br>
             Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this 
@ -231,11 +233,11 @@ a fix.<br>
           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
       version of the firewall script</a> may help. Please report any cases 
-  where     installing this script in /usr/lib/shorewall/firewall solved
+  where     installing this script in /usr/lib/shorewall/firewall solved your
-your   connection     problems. Beginning with version 1.3.10, it is safe
+  connection     problems. Beginning with version 1.3.10, it is safe to save
-to save   the old version     of /usr/lib/shorewall/firewall before copying
+  the old version     of /usr/lib/shorewall/firewall before copying in the
-in the  new one since /usr/lib/shorewall/firewall     is the real script
+ new one since /usr/lib/shorewall/firewall     is the real script now and
-now and not just a symbolic link to the real script.<br>
+not just a symbolic link to the real script.<br>
                  </li>
 </ul>
@ -336,8 +338,8 @@ loc dmz:10.1.1.1:24        tcp   25 - 10.1.1.1")<br>
 <ol>
                                                        <li>If the firewall 
- is  running     a  DHCP   server,                                   the
+ is  running     a  DHCP   server,                                   the client
-client   won't be   able   to obtain   an IP  address                   
+  won't be   able   to obtain   an IP  address                          
       lease  from that   server.</li>
                                                        <li>With this order 
 of  checking,      the   "dhcp"                                   option 
@ -352,8 +354,8 @@ cannot  be used as   a  noise-reduction
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          This version of the 1.3.7a firewall script </a>
                                          corrects the problem. It must be
-installed          in /var/lib/shorewall                                as 
+ installed          in /var/lib/shorewall                               
-described  above.</p>
+as  described  above.</p>
 <h3>Version 1.3.7</h3>
@ -373,8 +375,10 @@ described  above.</p>
 <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the 
           .7   version in each sequence from now on.</p>
 <h3 align="left">Version 1.3.6</h3>
 <ul>
                                    <li>                                
@ -393,36 +397,46 @@ described  above.</p>
 </ul>
 <p align="left">These problems are fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
      this correct firewall script</a> which must be installed in       
    /var/lib/shorewall/ as described above. These problems are also     
      corrected in version 1.3.7.</p>
 <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
 <p align="left">A line was inadvertently deleted from the "interfaces    
       file" -- this line should be added back in if the version that you 
                      downloaded is missing it:</p>
 <p align="left">net    eth0    detect               routefilter,dhcp,norfc1918</p>
 <p align="left">If you downloaded two-interfaces-a.tgz then the above    
       line should already be in the file.</p>
 <h3 align="left">Version 1.3.5-1.3.5b</h3>
 <p align="left">The new 'proxyarp' interface option doesn't work :-(     
      This is fixed in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">    
      this corrected firewall script</a> which must be installed in     
      /var/lib/shorewall/ as described above.</p>
 <h3 align="left">Versions 1.3.4-1.3.5a</h3>
 <p align="left">Prior to version 1.3.4, host file entries such as the    
       following were allowed:</p>
 <div align="left">                                    
 <pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
                         </div>
@ -440,8 +454,10 @@ described  above.</p>
 <p align="left">This problem is corrected in version 1.3.5b.</p>
                       </div>
 <h3 align="left">Version 1.3.5</h3>
 <p align="left">REDIRECT rules are broken in this version. Install       
   <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">    
@ -449,32 +465,39 @@ described  above.</p>
                      as instructed above. This problem is corrected in version 
      1.3.5a.</p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
-         to not verify that the zones named in the /etc/shorewall/policy
+        to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                      changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
 <p align="left">If you have upgraded from Shorewall 1.2 and after        
   "Activating rules..." you see the message: "iptables: No            chains/target/match 
           by that name" then you probably have an entry in            /etc/shorewall/hosts 
           that specifies an interface that you didn't            include 
 in   /etc/shorewall/interfaces.        To correct this problem, you      
     must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 
- and             later versions produce a clearer error    message    in
+ and             later versions produce a clearer error    message    in this
-this  case.</p>
+ case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
-           file can be identified by its size (56284 bytes). The correct
+          file can be identified by its size (56284 bytes). The correct version
-version            has a size of 38126 bytes.</p>
+           has a size of 38126 bytes.</p>
 <ul>
                                    <li>The code to detect a duplicate interface
@ -485,11 +508,13 @@ it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
 <p align="left">Both problems are corrected in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">    
      this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> 
           as described above.</p>
 <ul>
                                    <li>                                
@ -502,18 +527,20 @@ it  behaved     just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
 <h3 align="left">Version 1.3.1</h3>
 <ul>
                                    <li>TCP SYN packets may be double counted 
  when              LIMIT:BURST  is included in a CONTINUE or ACCEPT policy 
  (i.e.,    each              packet is sent through the limit chain twice).</li>
                                    <li>An unnecessary jump to the policy 
 chain    is  sometimes                 generated for a CONTINUE policy.</li>
-                                   <li>When an option is given for more than
+                                    <li>When an option is given for more
-  one   interface      in               /etc/shorewall/interfaces then depending
+than   one   interface      in               /etc/shorewall/interfaces then
-   on the option,     Shorewall                may ignore all but the first
+depending    on the option,     Shorewall                may ignore all but
-  appearence of the   option.  For example:<br>
+the first   appearence of the   option.  For example:<br>
                                    <br>
                                    net    eth0    dhcp<br>
                                    loc    eth1    dhcp<br>
@ -532,13 +559,16 @@ found   that affects only   the 'routestopped' option.<br>
 </ul>
 <p align="left">These problems are corrected in           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">    
      this firewall script</a> which should be installed in            /etc/shorewall/firewall 
           as described above.</p>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
                                    <li>Folks who downloaded 1.3.0 from the 
 links    on  the   download    page              before 23:40 GMT, 29 May 
@ -556,6 +586,7 @@ The "shorewall    version"  command   will tell    you which version
 <hr>                                               
 <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
 <p align="left">The upgrade issues have moved to           <a
 href="upgrade_issues.htm">a separate page</a>.</p>
@ -566,8 +597,8 @@ The "shorewall    version"  command   will tell    you which version
 <blockquote>                                                            
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
-                   prevent it from working with Shorewall. Regrettably,  RedHat
+                    prevent it from working with Shorewall. Regrettably,
-      released    this buggy iptables in RedHat   7.2. </p>
+ RedHat       released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
@ -575,7 +606,7 @@ The "shorewall    version"  command   will tell    you which version
             corrected 1.2.3 rpm which you can download here</a>  and I have
   also     built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+ iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
           running RedHat 7.1, you can install either of these RPMs      
       <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
@ -591,8 +622,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p align="left">If you         would like to patch iptables 1.2.3 yourself, 
           the patches are available         for download. This <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
-               which corrects a problem with parsing of the --log-level specification
+                which corrects a problem with parsing of the --log-level
-           while         this <a
+specification            while         this <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
                    corrects a problem in handling the  TOS target.</p>
@ -626,12 +657,12 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
  <p>The RedHat iptables RPM is compiled with debugging enabled but the 
   user-space debugging code was not updated to reflect recent changes in 
-           the     Netfilter 'mangle' table. You can correct the problem
+           the     Netfilter 'mangle' table. You can correct the problem by
-by   installing            <a
+  installing            <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-              this iptables RPM</a>. If you are already running a 1.2.5 version 
+               this iptables RPM</a>. If you are already running a 1.2.5
-      of       iptables, you will need to specify the --oldpackage option 
+version        of       iptables, you will need to specify the --oldpackage
-to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+option  to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                         </blockquote>
@ -664,7 +695,8 @@ to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
 <ul>
                                                        <li>set MULTIPORT=No
- in                                   /etc/shorewall/shorewall.conf; or </li>
+  in                                   /etc/shorewall/shorewall.conf; or
  </li>
                                                        <li>if you are running
   Shorewall      1.3.6    you may                                  install
                                  <a
@ -676,8 +708,8 @@ to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                      </h3>
-                  /etc/shorewall/nat entries of the following form will result
+                   /etc/shorewall/nat entries of the following form will
-   in  Shorewall     being unable to start:<br>
+result    in  Shorewall     being unable to start:<br>
                   <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -685,15 +717,16 @@ to   rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
                   The solution is to put "no" in the LOCAL column. Kernel
-support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has 
+ support     for   LOCAL=yes   has never worked properly and 2.4.18-10 has
-disabled  it.   The  2.4.19 kernel   contains corrected support under a new 
+ disabled  it.   The  2.4.19 kernel   contains corrected support under a
-kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+new  kernel configuraiton    option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 2/18/2003 -                             
+<p><font size="2">  Last updated 3/8/2003 -                              
- <a href="support.htm">Tom Eastep</a></font> </p>
+<a href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-</p>
+ </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/images/P1000048.jpg
+++ b/STABLE/documentation/images/P1000048.jpg
--- a/STABLE/documentation/images/P1000049.jpg
+++ b/STABLE/documentation/images/P1000049.jpg
--- a/STABLE/documentation/images/P1000050.jpg
+++ b/STABLE/documentation/images/P1000050.jpg
--- a/STABLE/documentation/images/postfix-white.gif
+++ b/STABLE/documentation/images/postfix-white.gif