Some more 3.2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3893 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-05-07 15:13:32 +00:00
parent 0e62b7338f
commit d31e897793

@ -1426,17 +1426,16 @@ DNAT net loc:192.168.1.5 tcp www
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam $FW tcp ssh
ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...</programlisting>
<para>The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those
in the <quote>sam</quote> zone should have their connection port
forwarded to 192.168.1.3. If you need to exclude more than one zone in
this way, you can list the zones separated by commas (e.g.,
net!sam,joe,fred). This technique also may be used when the ACTION is
REDIRECT.</para>
forwarded to 192.168.1.3. If you need to exclude more than one zone,
simply use multiple ACCEPT+ rules. This technique also may be used when
the ACTION is REDIRECT.</para>
</section>
</section>
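Review bot: The paragraph under the listing never says what the "+" in ACCEPT+ does, although the text now relies on it ("simply use multiple ACCEPT+ rules") to keep zones out of the DNAT rule. The sentence that is kept still reads as if the second rule itself carries the exception for the sam zone, while "DNAT net loc:192.168.1.3 tcp ssh" names no exclusion. Suggest adding one sentence stating that the ACCEPT+ rule is what exempts sam from the DNAT that follows, and saying whether the order of the two rules matters.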
@ -1697,11 +1696,16 @@ DNAT net loc:192.168.1.3 tcp ssh
url="Shorewall_and_Kazaa.html">Kazaa filtering</ulink>.</para>
<note>
<para>When the protocol specified in the PROTO column is TCP
<para>With Shorewall versions prior to 3.2.0, when the
protocol specified in the PROTO column is TCP
(<quote>tcp</quote>, <quote>TCP</quote> or
<quote>6</quote>), Shorewall will only pass connection
requests (SYN packets) to user space. This is for
compatibility with ftwall.</para>
<para>With Shorewall version 3.2.0 and later, this special
treatment no longer applies. Rather, use tcp:syn in the
PROTOCOL column to acheive this behavior.</para>
</note>
</listitem>
</varlistentry>
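Review bot: In the second paragraph of the note, "acheive" should be "achieve", and the column is called PROTOCOL there while the first paragraph calls it PROTO. Suggest using PROTO in both places and wrapping tcp:syn in <quote> like the other literal values in this note.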
@ -1779,11 +1783,7 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
<listitem>
<para>Describes the source hosts to which the rule applies.. The
contents of this field must begin with the name of a zone defined in
/etc/shorewall/zones, $FW, <quote>all</quote> or "none". If the
ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule
by following the initial zone name with <quote>!</quote> and a
comma-separated list of those sub-zones to be excluded. There is an
<link linkend="Exclude">example</link> above.</para>
/etc/shorewall/zones, $FW, <quote>all</quote> or "none".</para>
<para>If the source is "none" then the rule is ignored. This is most
commonly used with <ulink
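Review bot: With the sub-zone exclusion sentence dropped from the SOURCE description, the link to linkend="Exclude" goes with it, so a reader who looks up the "!" syntax here finds no pointer to its replacement. Suggest keeping a one-sentence cross-reference to the Exclude example from this entry. While this paragraph is being edited, "applies.." has a doubled period and "none" is in plain double quotes where its neighbours use <quote>.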