diff --git a/docs/support.xml b/docs/support.xml
index 17beea894..56f0e8ddb 100644
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -428,7 +428,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)
below).
For quick questions, there is also
- a #shorewall channel at irc.freenode.net.
+ a #shorewall channel at irc.freenode.net. You must
+ have a registered Nic on freenode in order to post on the
+ channel.
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index 449bca47a..77ad871f5 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -130,33 +130,16 @@
- ACTION - {ACCEPT[|]|NONAT|DROP[]|REJECT[]|DNAT[-]|REDIRECT[-]|CONTINUE[]|LOG|QUEUE[]|NFQUEUE[!]|COUNT[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|ACTION - target[:{log-level|none}[!][:tag]]Specifies the action to be taken if the connection request
- matches the rule. Must be one of the following.
+ matches the rule. target must be one of
+ the following.
@@ -340,7 +323,7 @@
- NFQUEUE
+ NFQUEUE[(queuenumber)]Queues the packet to a user-space application using the
@@ -351,7 +334,8 @@
- NFQUEUE!
+ NFQUEUE![(queuenumber)]like NFQUEUE but exempts the rule from being suppressed
@@ -394,7 +378,8 @@
- macro
+ macro[(macrotarget)]The name of a macro defined in a file named
@@ -402,7 +387,7 @@
action parameter (Look at the macro source to see if it has
PARAM in the TARGET column) then the
macro name is followed by the
- parenthesized target (macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted for the
@@ -415,9 +400,30 @@
deprecated.
+
+
+ TRIGGER(trigger[:direction])
+
+
+ Added in Shorewall 4.4.12. Causes either the SOURCE or
+ DESTINATION address of the connection to be added to the named
+ trigger. By default, the SOURCE
+ address is added to the trigger but if
+ direction is
+ (e.g., trig:d) then the DESTINATION address is added. See the
+ TRIGGER column below.
+
+ When a TRIGGER rule is placed in the NEW section, the
+ SOURCE is added to the trigger at the time of the connection.
+ If it is placed in the ESTABLISHED section, each packet that
+ matches the rule causes the trigger time of the address
+ (SOURCE or DEST) to be set to the current time.
+
+
- The ACTION may optionally be
+ The target may optionally be
followed by ":" and a syslog log level (e.g, REJECT:info or
Web(ACCEPT):debug). This causes the packet to be logged at the
specified level. Note that if the
+
+
+ TRIGGER -
+ trigger[:[seconds][:[direction]]]
+
+
+ Added in Shorewall 4.4.12. An entry in this column restrict
+ the rule to matching an address that has been previously triggered
+ by a TRIGGER rule. Normally the SOURCE address is checked but you
+ can cause the DESTINATION address to be used instead by supplying a
+ direction of (e.g.,
+ foo::d). By default, the address must have been triggered within the
+ last 60 seconds but you can specify a different time using the
+ seconds option (e.g., foo:30).
+
+
@@ -1224,7 +1246,7 @@
to the port range 81-90.
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # PORT PORT(S) DEST
+ # PORT PORT(S) DEST
REDIRECT net $FW::81-90:random tcp www
@@ -1281,6 +1303,31 @@
that traffic.
+
+
+ Example 10:
+
+
+ Allow a connection from internet host to the firewall's TCP
+ port 1088 within 30 seconds after the firewall establishes an SSH
+ connection to that host.
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME TRIGGER
+ # PORT(S) PORT(S) DEST LIMIT GROUP
+ #
+ # Trigger the incoming connection
+ #
+ TRIGGER(port1088:d) fw net tcp 22
+ #
+ # Note that the TRIGGER rule must precede the ACCEPT rule; the ACCEPT rule can be omitted if the fw->net policy is ACCEPT
+ #
+ ACCEPT fw net tcp 22
+ #
+ # Now accept the return connection on port 1088
+ #
+ ACCEPT net fw tcp 1088 - - - - - - - port1088:30
+
+