Mirror of https://gitlab.com/shorewall/code.git, synced 2024-12-22 06:10:42 +01:00
Hack to fix manpage formatting (looks bad in HTML now)
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent a1cdcdbd12
commit ce46b2e214
@ -43,7 +43,12 @@
<para>The /usr/share/shorewall/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall/modules
and modify the copy to load only the modules required.</para>
and modify the copy to load only the modules required.<note>
<para>If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall/modules file;
that will prevent Shorewall from trying to load modules at all.
</para>
</note></para>
</refsect1>
<refsect1>
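Review bot: the new `<note>` is opened inside the still-open `<para>` and closed with `</note></para>`, so the admonition becomes part of the paragraph instead of a block of its own; that is the most likely source of the poor HTML rendering the commit message mentions. Close the paragraph after `required.</para>` and make the `<note>` a sibling block so the manpage and HTML outputs agree. The advice itself is worth keeping: an empty /etc/shorewall/modules makes Shorewall skip module loading entirely, which is only safe when the netfilter support the ruleset needs is built into the kernel; "monolithic kernels" implies that, but the note could say it outright.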
@ -618,7 +618,7 @@
intra-zone traffic is affected.</para>
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<itemizedlist>
then either:<orderedlist numeration="loweralpha">
<listitem>
<para>the SOURCE must be <option>all[+][-]</option>, or</para>
</listitem>
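Review bot: the opening tag changes from `<itemizedlist>` to `<orderedlist numeration="loweralpha">`, but the matching `</itemizedlist>` lies outside this hunk and is only replaced in the following one, so the two hunks validate only together and must not be cherry-picked apart. A lettered list does fit the "either (a) ... or (b)" wording of the two items better than bullets.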
@ -632,73 +632,77 @@
<para>the SOURCE <replaceable>zone</replaceable> must be an
ipv4 zone that is associated with only the same bridge.</para>
</listitem>
</itemizedlist>Except when <emphasis
role="bold">all</emphasis>[<emphasis role="bold">+]|[-</emphasis>]
is specified, the server may be further restricted to a particular
network, host or interface by appending ":" and the network, host or
interface. See <emphasis role="bold">SOURCE</emphasis> above.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para>Restrictions:</para>
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
addresses are allowed; no FQDNs or subnet addresses are
permitted.</para>
<para>3. You may not specify both an interface and an
address.</para>
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
you may specify a range of IP addresses using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">DNAT-</emphasis>, the connections will be assigned to
addresses in the range in a round-robin fashion.</para>
<para>If you kernel and iptables have ipset match support then you
may give the name of an ipset prefaced by "+". The ipset name may be
optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) to indicate the number of levels of destination
bindings to be matched. Only one of the <emphasis
role="bold">SOURCE</emphasis> and <emphasis
role="bold">DEST</emphasis> columns may specify an ipset
name.</para>
<para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modifiy the
destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">REDIRECT</emphasis>. Example:</para>
<variablelist>
<varlistentry>
<term>Example:</term>
<listitem>
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
specifies a local server at IP address 192.168.1.3 and
listening on port 3128. The port number MUST be specified as
an integer and not as a name from services(5).</para>
</listitem>
</varlistentry>
</variablelist>
</orderedlist></para>
<blockquote>
<para>if the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis>, this column needs only to
contain the port number on the firewall that the request should be
redirected to. That is equivalent to specifying
<option>$FW</option>::<replaceable>port</replaceable>.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+]|[-</emphasis>] is specified, the server may be
further restricted to a particular network, host or interface by
appending ":" and the network, host or interface. See <emphasis
role="bold">SOURCE</emphasis> above.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para>Restrictions:</para>
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
addresses are allowed; no FQDNs or subnet addresses are
permitted.</para>
<para>3. You may not specify both an interface and an
address.</para>
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
you may specify a range of IP addresses using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">DNAT-</emphasis>, the connections will be assigned to
addresses in the range in a round-robin fashion.</para>
<para>If you kernel and iptables have ipset match support then you
may give the name of an ipset prefaced by "+". The ipset name may
be optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) to indicate the number of levels of destination
bindings to be matched. Only one of the <emphasis
role="bold">SOURCE</emphasis> and <emphasis
role="bold">DEST</emphasis> columns may specify an ipset
name.</para>
<para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modifiy the
destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">REDIRECT</emphasis>. Example:</para>
<variablelist>
<varlistentry>
<term>Example:</term>
<listitem>
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
specifies a local server at IP address 192.168.1.3 and
listening on port 3128. The port number MUST be specified as
an integer and not as a name from services(5).</para>
</listitem>
</varlistentry>
</variablelist>
<blockquote>
<para>if the <emphasis role="bold">ACTION</emphasis> is
<emphasis role="bold">REDIRECT</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis>, this column needs only to
contain the port number on the firewall that the request should
be redirected to. That is equivalent to specifying
<option>$FW</option>::<replaceable>port</replaceable>.</para>
</blockquote>
</blockquote>
</listitem>
</varlistentry>
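Review bot: the added lines carry over two typos from the removed text rather than fixing them: "If you kernel and iptables have ipset match support" should read "If your kernel ...", and "the firewall will not modifiy the destination port" should read "modify". Structurally, the restrictions, the address-range and ipset paragraphs and the example are moved inside the `<blockquote>` and a second `<blockquote>` is nested around the REDIRECT paragraph purely for indentation, which is the hack the commit title admits to; a `<refsect2>` for this sub-section, and a real `<orderedlist>` for the three restrictions that are currently hand-numbered "1.", "2.", "3." inside `<para>` elements, would give the same manpage layout without the HTML side effect and would match the `<orderedlist>` introduced in the previous hunk. Minor: the paragraph ends with "Example:" and the following `<varlistentry>` term is again "Example:", so the label renders twice.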