fixed quotes, add CVS Id

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1004 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs/shorewall_setup_guide.xml

@@ -2,6 +2,8 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 <article id="IPIP">
+  <!--$Id$-->
+
   <articleinfo>
     <title>Shorewall Setup Guide</title>
 
@@ -26,8 +28,8 @@
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
       no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled &#34;<ulink
+      Texts. A copy of the license is included in the section entitled
-      url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
     </legalnotice>
   </articleinfo>
 
@@ -42,8 +44,6 @@
     give you general guidelines and will point you to other resources as
     necessary.</para>
 
-    <para></para>
-
     <caution>
       <para>If you run LEAF Bering, your Shorewall configuration is NOT what I
       release -- I suggest that you consider installing a stock Shorewall lrp
@@ -51,8 +51,8 @@
       the iproute/iproute2 package be installed (on RedHat, the package is
       called iproute). You can tell if this package is installed by the
       presence of an <emphasis role="bold">ip</emphasis> program on your
-      firewall system. As root, you can use the &#39;which&#39; command to
+      firewall system. As root, you can use the <quote>which</quote> command
-      check for this program:</para>
+      to check for this program:</para>
 
       <programlisting>     [root@gateway root]# which ip
      /sbin/ip
@@ -146,8 +146,8 @@
     will be used. With the exception of <emphasis role="bold">fw</emphasis>,
     Shorewall attaches absolutely no meaning to zone names. Zones are entirely
     what YOU make of them. That means that you should not expect Shorewall to
-    do something special &#34;because this is the internet zone&#34; or
+    do something special <quote>because this is the internet zone</quote> or
-    &#34;because that is the DMZ&#34;.</para>
+    <quote>because that is the DMZ</quote>.</para>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" /> Edit the
     /etc/shorewall/zones file and make any changes necessary.</para>
@@ -329,9 +329,9 @@
     name (previously defined in /etc/shorewall/zones) with a network
     interface. This is done in the <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>
     file. The firewall illustrated above has three network interfaces. Where
-    Internet connectivity is through a cable or DSL &#34;Modem&#34;, the
+    Internet connectivity is through a cable or DSL <quote>Modem</quote>, the
     <emphasis>External Interface</emphasis> will be the Ethernet adapter that
-    is connected to that &#34;Modem&#34; (e.g., <emphasis role="bold">eth0</emphasis>)
+    is connected to that <quote>Modem</quote> (e.g., <emphasis role="bold">eth0</emphasis>)
     unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or
     Point-to-Point Tunneling Protocol (PPTP) in which case the External
     Interface will be a ppp interface (e.g., <emphasis role="bold">ppp0</emphasis>).
@@ -512,8 +512,8 @@
 
     <para>The following discussion barely scratches the surface of addressing
     and routing. If you are interested in learning more about this subject, I
-    highly recommend &#34;<emphasis>IP Fundamentals: What Everyone Needs to
+    highly recommend <quote><emphasis>IP Fundamentals: What Everyone Needs to
-    Know about Addressing &#38; Routing</emphasis>&#34;, Thomas A. Maufer,
+    Know about Addressing &#38; Routing</emphasis></quote>, Thomas A. Maufer,
     Prentice-Hall, 1999, ISBN 0-13-975483-0.</para>
 
     <section id="Addresses">
@@ -521,8 +521,8 @@
 
       <para>IP version 4 (IPv4) addresses are 32-bit numbers. The notation
       w.x.y.z refers to an address where the high-order byte has value
-      &#34;w&#34;, the next byte has value &#34;x&#34;, etc. If we take the
+      <quote>w</quote>, the next byte has value <quote>x</quote>, etc. If we
-      address 192.0.2.14 and express it in hexadecimal, we get:</para>
+      take the address 192.0.2.14 and express it in hexadecimal, we get:</para>
 
       <para><programlisting>        C0.00.02.0E</programlisting>or looking at
       it as a 32-bit integer</para>
@@ -533,10 +533,10 @@
     <section id="Subnets">
       <title>Subnets</title>
 
-      <para>You will still hear the terms &#34;Class A network&#34;,
+      <para>You will still hear the terms <quote>Class A network</quote>,
-      &#34;Class B network&#34; and &#34;Class C network&#34;. In the early
+      <quote>Class B network</quote> and <quote>Class C network</quote>. In
-      days of IP, networks only came in three sizes (there were also Class D
+      the early days of IP, networks only came in three sizes (there were also
-      networks but they were used differently):</para>
+      Class D networks but they were used differently):</para>
 
       <simplelist>
         <member>Class A - netmask 255.0.0.0, size = 2 ** 24</member>
@@ -869,14 +869,14 @@
         </tgroup>
       </table>
 
-      <para>Notice that the VLSM is written with a slash (&#34;/&#34;) -- you
+      <para>Notice that the VLSM is written with a slash (<quote>/</quote>) --
-      will often hear a subnet of size 64 referred to as a &#34;slash 26&#34;
+      you will often hear a subnet of size 64 referred to as a <quote>slash 26</quote>
-      subnet and one of size 8 referred to as a &#34;slash 29&#34;.</para>
+      subnet and one of size 8 referred to as a <quote>slash 29</quote>.</para>
 
       <para>The subnet&#39;s mask (also referred to as its
       <emphasis>netmask</emphasis>) is simply a 32-bit number with the first
-      &#34;VLSM&#34; bits set to one and the remaining bits set to zero. For
+      <quote>VLSM</quote> bits set to one and the remaining bits set to zero.
-      example, for a subnet of size 64, the subnet mask has 26 leading one
+      For example, for a subnet of size 64, the subnet mask has 26 leading one
       bits:</para>
 
       <para><programlisting>        11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 = 255.255.255.192</programlisting>The
@@ -888,7 +888,7 @@
 
       <para>For a subnetwork whose address is <emphasis role="bold">a.b.c.d</emphasis>
       and whose Variable Length Subnet Mask is <emphasis role="bold">/v</emphasis>,
-      we denote the subnetwork as &#34;<emphasis role="bold">a.b.c.d/v</emphasis>&#34;
+      we denote the subnetwork as <quote><emphasis role="bold">a.b.c.d/v</emphasis></quote>
       using <emphasis>CIDR Notation</emphasis>. Example:</para>
 
       <table>
@@ -976,10 +976,10 @@
 
       <para role="bold">Later in this guide, you will see the notation
       <emphasis role="bold">a.b.c.d/v</emphasis> used to describe the ip
-      configuration of a network interface (the &#39;ip&#39; utility also uses
+      configuration of a network interface (the <quote>ip</quote> utility also
-      this syntax). This simply means that the interface is configured with ip
+      uses this syntax). This simply means that the interface is configured
-      address <emphasis role="bold">a.b.c.d</emphasis> and with the netmask
+      with ip address <emphasis role="bold">a.b.c.d</emphasis> and with the
-      that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para>
+      netmask that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para>
 
       <para>Example: 192.0.2.65/29<programlisting>    The interface is configured with IP address 192.0.2.65 and netmask 255.255.255.248.
 </programlisting>Beginning with Shorewall 1.4.6, /sbin/shorewall supports an
@@ -1023,12 +1023,12 @@
       site in the Dallas, Texas area.</para>
 
       <para>The first three routes are <emphasis>host routes</emphasis> since
-      they indicate how to get to a single host. In the &#39;netstat&#39;
+      they indicate how to get to a single host. In the <quote>netstat</quote>
-      output this can be seen by the &#34;Genmask&#34; (Subnet Mask) of
+      output this can be seen by the <quote>Genmask</quote> (Subnet Mask) of
-      255.255.255.255 and the &#34;H&#34; in the Flags column. The remainder
+      255.255.255.255 and the <quote>H</quote> in the Flags column. The
-      are <emphasis>&#39;net&#39; routes</emphasis> since they tell the kernel
+      remainder are <emphasis><quote>net</quote> routes</emphasis> since they
-      how to route packets to a subnetwork. The last route is the
+      tell the kernel how to route packets to a subnetwork. The last route is
-      <emphasis>default route </emphasis>and the gateway mentioned in that
+      the <emphasis>default route </emphasis>and the gateway mentioned in that
       route is called the <emphasis>default gateway</emphasis>.</para>
 
       <para>When the kernel is trying to send a packet to IP address <emphasis
@@ -1037,29 +1037,29 @@
       <itemizedlist>
         <listitem>
           <para><emphasis role="bold">A</emphasis> is logically ANDed with the
-          &#39;Genmask&#39; value in the table entry.</para>
+          <quote>Genmask</quote> value in the table entry.</para>
         </listitem>
 
         <listitem>
-          <para>The result is compared with the &#39;Destination&#39; value in
+          <para>The result is compared with the <quote>Destination</quote>
-          the table entry.</para>
+          value in the table entry.</para>
         </listitem>
 
         <listitem>
-          <para>If the result and the &#39;Destination&#39; value are the
+          <para>If the result and the <quote>Destination</quote> value are the
           same, then:</para>
 
           <itemizedlist>
             <listitem>
-              <para>If the &#39;Gateway&#39; column is non-zero, the packet is
+              <para>If the <quote>Gateway</quote> column is non-zero, the
-              sent to the gateway over the interface named in the
+              packet is sent to the gateway over the interface named in the
-              &#39;Iface&#39; column.</para>
+              <quote>Iface</quote> column.</para>
             </listitem>
 
             <listitem>
               <para>Otherwise, the packet is sent directly to <emphasis
               role="bold">A</emphasis> over the interface named in the
-              &#39;iface&#39; column.</para>
+              <quote>iface</quote> column.</para>
             </listitem>
           </itemizedlist>
         </listitem>
@@ -1101,7 +1101,7 @@
       Rather Ethernet addressing is based on <emphasis>Media Access Control</emphasis>
       (MAC) addresses. Each Ethernet device has it&#39;s own unique MAC
       address which is burned into a PROM on the device during manufacture.
-      You can obtain the MAC of an Ethernet device using the &#39;ip&#39;
+      You can obtain the MAC of an Ethernet device using the <quote>ip</quote>
       utility:</para>
 
       <programlisting>        [root@gateway root]# ip addr show eth0
@@ -1138,7 +1138,7 @@
       that an IP packet is to be sent, systems maintain an
       <emphasis>ARP cache</emphasis> of IP&#60;-&#62;MAC correspondences. You
       can see the ARP cache on your system (including your Windows system)
-      using the &#39;arp&#39; command:</para>
+      using the <quote>arp</quote> command:</para>
 
       <programlisting>        [root@gateway root]# arp -na
         ? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
@@ -1149,12 +1149,12 @@
 </programlisting>
 
       <para>The leading question marks are a result of my having specified the
-      &#39;n&#39; option (Windows &#39;arp&#39; doesn&#39;t allow that option)
+      <quote>n</quote> option (Windows <quote>arp</quote> doesn&#39;t allow
-      which causes the &#39;arp&#39; program to forego IP-&#62;DNS name
+      that option) which causes the <quote>arp</quote> program to forego
-      translation. Had I not given that option, the question marks would have
+      IP-&#62;DNS name translation. Had I not given that option, the question
-      been replaced with the FQDN corresponding to each IP address. Notice
+      marks would have been replaced with the FQDN corresponding to each IP
-      that the last entry in the table records the information we saw using
+      address. Notice that the last entry in the table records the information
-      tcpdump above.</para>
+      we saw using tcpdump above.</para>
     </section>
 
     <section id="RFC1918">
@@ -1205,7 +1205,7 @@
       addresses that you are going to use.</para>
 
       <note>
-        <para><emphasis role="bold">In this document, external &#34;real&#34;
+        <para><emphasis role="bold">In this document, external <quote>real</quote>
         IP addresses are of the form 192.0.2.x. 192.0.2.0/24 is reserved by
         RFC 3330 for use as public IP addresses in printed examples. These
         addresses are not to be confused with addresses in 192.168.0.0/16; as
@@ -1293,12 +1293,12 @@
         192.0.2.64       0.0.0.0         255.255.255.248 U     40  0         0 eth0
         0.0.0.0          192.0.2.66      0.0.0.0         UG    40  0         0 eth0</programlisting>
 
-      <para>This means that DMZ 1 will send an ARP &#34;who-has
+      <para>This means that DMZ 1 will send an ARP <quote>who-has 192.0.2.65</quote>
-      192.0.2.65&#34; request and no device on the DMZ Ethernet segment has
+      request and no device on the DMZ Ethernet segment has that IP address.
-      that IP address. Oddly enough, the firewall will respond to the request
+      Oddly enough, the firewall will respond to the request with the MAC
-      with the MAC address of its <emphasis role="underline">DMZ Interface</emphasis>!!
+      address of its <emphasis role="underline">DMZ Interface</emphasis>!! DMZ
-      DMZ 1 can then send Ethernet frames addressed to that MAC address and
+      1 can then send Ethernet frames addressed to that MAC address and the
-      the frames will be received (correctly) by the firewall/router.</para>
+      frames will be received (correctly) by the firewall/router.</para>
 
       <para>It is this rather unexpected ARP behavior on the part of the Linux
       Kernel that prompts the warning earlier in this guide regarding the
@@ -1306,7 +1306,7 @@
       switch. When an ARP request for one of the firewall/router&#39;s IP
       addresses is sent by another system connected to the hub/switch, all of
       the firewall&#39;s interfaces that connect to the hub/switch can
-      respond! It is then a race as to which &#34;here-is&#34; response
+      respond! It is then a race as to which <quote>here-is</quote> response
       reaches the sender first.</para>
     </section>
 
@@ -1315,7 +1315,7 @@
 
       <para>If you have the above situation but it is non-routed, you can
       configure your network exactly as described above with one additional
-      twist; simply specify the &#34;proxyarp&#34; option on all three
+      twist; simply specify the <quote>proxyarp</quote> option on all three
       firewall interfaces in the /etc/shorewall/interfaces file.</para>
 
       <para>Most of us don&#39;t have the luxury of having enough public IP
@@ -1431,9 +1431,9 @@
         selected connections from the internet.</para>
 
         <para><inlinegraphic fileref="images/BD21298_.gif" /> Suppose that
-        your daughter wants to run a web server on her system &#34;Local
+        your daughter wants to run a web server on her system <quote>Local 3</quote>.
-        3&#34;. You could allow connections to the internet to her server by
+        You could allow connections to the internet to her server by adding
-        adding the following entry in <ulink url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>:</para>
+        the following entry in <ulink url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>:</para>
 
         <informaltable>
           <tgroup cols="7">
@@ -1505,13 +1505,13 @@
           </listitem>
 
           <listitem>
-            <para>The firewall responds to ARP &#34;who has&#34; requests for
+            <para>The firewall responds to ARP <quote>who has</quote> requests
-            <emphasis role="bold">A</emphasis>.</para>
+            for <emphasis role="bold">A</emphasis>.</para>
           </listitem>
 
           <listitem>
             <para>When <emphasis role="bold">H</emphasis> <emphasis
-            role="bold">A </emphasis>andissues an ARP &#34;who has&#34;
+            role="bold">A </emphasis>andissues an ARP <quote>who has</quote>
             request for an address in the subnetwork defined by <emphasis
             role="bold">M</emphasis>, the firewall will respond (with the MAC
             if the firewall interface) to <emphasis role="bold">H</emphasis>.</para>
@@ -1597,29 +1597,30 @@
             TCP/IP Illustrated, Vol 1 reveals that a</para>
 
             <blockquote>
-              <para>&#34;gratuitous&#34; ARP packet should cause the ISP&#39;s
+              <para><quote>gratuitous</quote> ARP packet should cause the
-              router to refresh their ARP cache (section 4.7). A gratuitous
+              ISP&#39;s router to refresh their ARP cache (section 4.7). A
-              ARP is simply a host requesting the MAC address for its own IP;
+              gratuitous ARP is simply a host requesting the MAC address for
-              in addition to ensuring that the IP address isn&#39;t a
+              its own IP; in addition to ensuring that the IP address
-              duplicate,...</para>
+              isn&#39;t a duplicate,...</para>
 
-              <para>&#34;if the host sending the gratuitous ARP has just
+              <para><quote>if the host sending the gratuitous ARP has just
               changed its hardware address..., this packet causes any other
               host...that has an entry in its cache for the old hardware
-              address to update its ARP cache entry accordingly.&#34;</para>
+              address to update its ARP cache entry accordingly.</quote></para>
             </blockquote>
 
             <para>Which is, of course, exactly what you want to do when you
             switch a host from being exposed to the Internet to behind
             Shorewall using proxy ARP (or one-to-one NAT for that matter).
             Happily enough, recent versions of Redhat&#39;s iputils package
-            include &#34;arping&#34;, whose &#34;-U&#34; flag does just that:</para>
+            include <quote>arping</quote>, whose <quote>-U</quote> flag does
+            just that:</para>
 
             <para><programlisting>        arping -U -I &#60;net if&#62; &#60;newly proxied IP&#62;
         arping -U -I eth0 66.58.99.83 # for example</programlisting>Stevens
             goes on to mention that not all systems respond correctly to
-            gratuitous ARPs, but googling for &#34;arping -U&#34; seems to
+            gratuitous ARPs, but googling for <quote>arping -U</quote> seems
-            support the idea that it works most of the time.</para>
+            to support the idea that it works most of the time.</para>
           </listitem>
 
           <listitem>
@@ -1794,29 +1795,29 @@ role="underline">0:4:e2:20:20:33</emphasis> 0:0:77:95:dd:19 ip 98: 192.0.2.177 &
             TCP/IP Illustrated, Vol 1 reveals that a</para>
 
             <blockquote>
-              <para>&#34;gratuitous&#34; ARP packet should cause the ISP&#39;s
+              <para><quote>gratuitous</quote> ARP packet should cause the
-              router to refresh their ARP cache (section 4.7). A gratuitous
+              ISP&#39;s router to refresh their ARP cache (section 4.7). A
-              ARP is simply a host requesting the MAC address for its own IP;
+              gratuitous ARP is simply a host requesting the MAC address for
-              in addition to ensuring that the IP address isn&#39;t a
+              its own IP; in addition to ensuring that the IP address
-              duplicate,...</para>
+              isn&#39;t a duplicate,...</para>
 
-              <para>&#34;if the host sending the gratuitous ARP has just
+              <para><quote>if the host sending the gratuitous ARP has just
               changed its hardware address..., this packet causes any other
               host...that has an entry in its cache for the old hardware
-              address to update its ARP cache entry accordingly.&#34;</para>
+              address to update its ARP cache entry accordingly.</quote></para>
             </blockquote>
 
             <para>Which is, of course, exactly what you want to do when you
             switch a host from being exposed to the Internet to behind
             Shorewall using one-to-one NAT. Happily enough, recent versions of
-            Redhat&#39;s iputils package include &#34;arping&#34;, whose
+            Redhat&#39;s iputils package include <quote>arping</quote>, whose
-            &#34;-U&#34; flag does just that:</para>
+            <quote>-U</quote> flag does just that:</para>
 
             <para><programlisting>        arping -U -I &#60;net if&#62; &#60;newly proxied IP&#62;
         arping -U -I eth0 66.58.99.83 # for example</programlisting>Stevens
             goes on to mention that not all systems respond correctly to
-            gratuitous ARPs, but googling for &#34;arping -U&#34; seems to
+            gratuitous ARPs, but googling for <quote>arping -U</quote> seems
-            support the idea that it works most of the time.</para>
+            to support the idea that it works most of the time.</para>
           </listitem>
 
           <listitem>
@@ -2301,7 +2302,7 @@ role="underline">0:4:e2:20:20:33</emphasis> 0:0:77:95:dd:19 ip 98: 192.0.2.177 &
       set of configuration files for our sample network. Only those that were
       modified from the original installation are shown.</para>
 
-      <para>/etc/shorewall/interfaces (The &#34;options&#34; will be very
+      <para>/etc/shorewall/interfaces (The <quote>options</quote> will be very
       site-specific).</para>
 
       <informaltable>
@@ -2354,7 +2355,7 @@ role="underline">0:4:e2:20:20:33</emphasis> 0:0:77:95:dd:19 ip 98: 192.0.2.177 &
 
       <para>The setup described here requires that your network interfaces be
       brought up before Shorewall can start. This opens a short window during
-      which you have no firewall protection. If you replace &#39;detect&#39;
+      which you have no firewall protection. If you replace <quote>detect</quote>
       with the actual broadcast addresses in the entries above, you can bring
       up Shorewall before you bring up your network interfaces.</para>
 
@@ -3102,7 +3103,7 @@ view &#34;external&#34; {
 ; ############################################################
 ; Iverse Address Arpa Records (PTR&#39;s) 
 ; ############################################################
-178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.<optional></optional></programlisting>
+178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
 
     <para>db.192.0.2.179 - Reverse zone for Daughter&#39;s public web server</para>
 
@@ -3286,13 +3287,13 @@ foobar.net.      86400   IN A    192.0.2.177
     <para>The <ulink url="Install.htm">Installation procedure</ulink>
     configures your system to start Shorewall at system boot.</para>
 
-    <para>The firewall is started using the &#34;shorewall start&#34; command
+    <para>The firewall is started using the <quote>shorewall start</quote>
-    and stopped using &#34;shorewall stop&#34;. When the firewall is stopped,
+    command and stopped using <quote>shorewall stop</quote>. When the firewall
-    routing is enabled on those hosts that have an entry in <ulink
+    is stopped, routing is enabled on those hosts that have an entry in <ulink
     url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
-    A running firewall may be restarted using the &#34;shorewall restart&#34;
+    A running firewall may be restarted using the <quote>shorewall restart</quote>
     command. If you want to totally remove any trace of Shorewall from your
-    Netfilter configuration, use &#34;shorewall clear&#34;.</para>
+    Netfilter configuration, use <quote>shorewall clear</quote>.</para>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" /> Edit the <ulink
     url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>
@@ -3301,13 +3302,13 @@ foobar.net.      86400   IN A    192.0.2.177
 
     <caution>
       <para>If you are connected to your firewall from the internet, do not
-      issue a &#34;shorewall stop&#34; command unless you have added an entry
+      issue a <quote>shorewall stop</quote> command unless you have added an
-      for the IP address that you are connected from to <ulink
+      entry for the IP address that you are connected from to <ulink
       url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
-      Also, I don&#39;t recommend using &#34;shorewall restart&#34;; it is
+      Also, I don&#39;t recommend using <quote>shorewall restart</quote>; it
-      better to create an <ulink url="starting_and_stopping_shorewall.htm"><emphasis>an
+      is better to create an <ulink url="starting_and_stopping_shorewall.htm"><emphasis>an
       alternate configuration</emphasis></ulink>&#x00A0; and test it using the
-      &#34;<ulink url="starting_and_stopping_shorewall.htm">shorewall try</ulink>&#34;
+      <quote><ulink url="starting_and_stopping_shorewall.htm">shorewall try</ulink></quote>
       command.</para>
     </caution>
   </section>