Some more 3.2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3893 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 16:54:10 +01:00 · 2006-05-07 15:13:32 +00:00 · 2006-05-07 15:13:32 +00:00 · d31e897793
commit d31e897793
parent 0e62b7338f
1 changed files with 11 additions and 11 deletions
--- a/docs/Documentation.xml
+++ b/docs/Documentation.xml
@ -1426,17 +1426,16 @@ DNAT      net       loc:192.168.1.5 tcp      www

      <programlisting>#ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
 ...
-DNAT      sam       $FW             tcp      ssh
+ACCEPT+   sam       $FW             tcp      ssh
 DNAT      net       loc:192.168.1.3 tcp      ssh
 ...</programlisting>

      <para>The first rule allows Sam SSH access to the firewall. The second
      rule says that any clients from the net zone with the exception of those
      in the <quote>sam</quote> zone should have their connection port
-      forwarded to 192.168.1.3. If you need to exclude more than one zone in
-      this way, you can list the zones separated by commas (e.g.,
-      net!sam,joe,fred). This technique also may be used when the ACTION is
-      REDIRECT.</para>
+      forwarded to 192.168.1.3. If you need to exclude more than one zone,
+      simply use multiple ACCEPT+ rules. This technique also may be used when
+      the ACTION is REDIRECT.</para>
    </section>
  </section>

@ -1697,11 +1696,16 @@ DNAT      net       loc:192.168.1.3 tcp      ssh
                url="Shorewall_and_Kazaa.html">Kazaa filtering</ulink>.</para>

                <note>
-                  <para>When the protocol specified in the PROTO column is TCP
+                  <para>With Shorewall versions prior to 3.2.0, when the
+                  protocol specified in the PROTO column is TCP
                  (<quote>tcp</quote>, <quote>TCP</quote> or
                  <quote>6</quote>), Shorewall will only pass connection
                  requests (SYN packets) to user space. This is for
                  compatibility with ftwall.</para>
+
+                  <para>With Shorewall version 3.2.0 and later, this special
+                  treatment no longer applies. Rather, use tcp:syn in the
+                  PROTOCOL column to acheive this behavior.</para>
                </note>
              </listitem>
            </varlistentry>
@ -1779,11 +1783,7 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
        <listitem>
          <para>Describes the source hosts to which the rule applies.. The
          contents of this field must begin with the name of a zone defined in
-          /etc/shorewall/zones, $FW, <quote>all</quote> or "none". If the
-          ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule
-          by following the initial zone name with <quote>!</quote> and a
-          comma-separated list of those sub-zones to be excluded. There is an
-          <link linkend="Exclude">example</link> above.</para>
+          /etc/shorewall/zones, $FW, <quote>all</quote> or "none".</para>

          <para>If the source is "none" then the rule is ignored. This is most
          commonly used with <ulink