From 3e6f57e6994a175efdc23f4fb35ee7df4d27babb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 21 Jul 2014 14:33:59 -0700 Subject: [PATCH 1/4] Correct link in the Multi-ISP document Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 0c6b34034..208b7f8f6 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -820,9 +820,9 @@ DROP:info net:192.168.1.0/24 all url="manpages/shorewall-interfaces.html">shorewall-interfaces (5) will not disable route filtering on a given interface. You must set ROUTE_FILTER=No in shorewall-interfaces - (5), then set the routefilter option - on those interfaces on which you want route filtering. + url="manpages/shorewall.conf.html">shorewall.conf (5), then + set the routefilter option on those + interfaces on which you want route filtering. From 848078873de286bb9cfa22b2eded088d8d4a5fe4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 22 Jul 2014 07:19:10 -0700 Subject: [PATCH 2/4] Update tcfilters manpages to mention BASIC_FILTERS=Yes Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-tcfilters.xml | 16 ++++++++++------ Shorewall6/manpages/shorewall6-tcfilters.xml | 16 ++++++++++------ 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml index 26242660a..e428b03e9 100644 --- a/Shorewall/manpages/shorewall-tcfilters.xml +++ b/Shorewall/manpages/shorewall-tcfilters.xml 
@@ -88,9 +88,11 @@ address. DNS names are not allowed. Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') may be used if your kernel and ip6tables have the Basic - Ematchcapability. The ipset name may optionally be - followed by a number or a comma separated list of src and/or dst - enclosed in square brackets ([...]). See capability and you set BASIC_FILTERS=Yes in + shorewall.conf (5). The + ipset name may optionally be followed by a number or a comma + separated list of src and/or dst enclosed in square brackets + ([...]). See shorewall-ipsets(5) for details. @@ -105,9 +107,11 @@ address. DNS names are not allowed. Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') may be used if your kernel and ip6tables have the Basic - Ematchcapability. The ipset name may optionally be - followed by a number or a comma separated list of src and/or dst - enclosed in square brackets ([...]). See capability and you set BASIC_FILTERS=Yes in + shorewall.conf (5). The + ipset name may optionally be followed by a number or a comma + separated list of src and/or dst enclosed in square brackets + ([...]). See shorewall-ipsets(5) for details. diff --git a/Shorewall6/manpages/shorewall6-tcfilters.xml b/Shorewall6/manpages/shorewall6-tcfilters.xml index 66e6e87a9..1813c0cc0 100644 --- a/Shorewall6/manpages/shorewall6-tcfilters.xml +++ b/Shorewall6/manpages/shorewall6-tcfilters.xml @@ -88,9 +88,11 @@ address. DNS names are not allowed. Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') may be used if your kernel and ip6tables have the Basic - Ematch capability. The ipset name may optionally be - followed by a number or a comma separated list of src and/or dst - enclosed in square brackets ([...]). See capability and you set BASIC_FILTERS=Yes in + shorewall6.conf (5). The + ipset name may optionally be followed by a number or a comma + separated list of src and/or dst enclosed in square brackets + ([...]). See shorewall6-ipsets(5) for details. 
@@ -105,9 +107,11 @@ address. DNS names are not allowed. Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') may be used if your kernel and ip6tables have the Basic - Ematchcapability. The ipset name may optionally be - followed by a number or a comma separated list of src and/or dst - enclosed in square brackets ([...]). See capability and you set BASIC_FILTERS=Yes in + shorewall6.conf (5). The + ipset name may optionally be followed by a number or a comma + separated list of src and/or dst enclosed in square brackets + ([...]). See shorewall6-ipsets(5) for details. From 44a34ceb95268591a4625bbc5f9ae1b95bad2af2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 23 Jul 2014 10:36:34 -0700 Subject: [PATCH 3/4] Add complex port-forwarding example to the aliased interfaces article Signed-off-by: Tom Eastep --- docs/Shorewall_and_Aliased_Interfaces.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml index 559e7c8b0..e28f98691 100644 --- a/docs/Shorewall_and_Aliased_Interfaces.xml +++ b/docs/Shorewall_and_Aliased_Interfaces.xml @@ -182,6 +182,13 @@ ACCEPT net $FW:206.124.146.178 tcp 22 #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 + + If I wished to forward tcp port 10000 on that virtual interface to + port 22 on local host 192.168.1.3, the rule would be: + + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT(S) DEST +DNAT net loc:192.168.1.3:22 tcp 22 - 206.124.146.178
From 21209504c5ebd85d16c93a39530300bd11ebe55c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 23 Jul 2014 10:47:11 -0700 Subject: [PATCH 4/4] Correct example from preceding commit Signed-off-by: Tom Eastep --- docs/Shorewall_and_Aliased_Interfaces.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml index e28f98691..432fbb9f1 100644 --- a/docs/Shorewall_and_Aliased_Interfaces.xml +++ b/docs/Shorewall_and_Aliased_Interfaces.xml @@ -188,7 +188,7 @@ DNAT net loc:192.168.1.3 tcp 80 - 20 #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST -DNAT net loc:192.168.1.3:22 tcp 22 - 206.124.146.178 +DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178
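Review bot: PATCH 1/4, docs/MultiISP.xml hunk @@ -820: the subject "Correct link" does not say what was wrong with the old target. The hunk changes the reference for ROUTE_FILTER=No from shorewall-interfaces (5) to shorewall.conf (5), both in the url attribute and in the visible text. A one-line commit body stating that ROUTE_FILTER is a shorewall.conf setting, while routefilter is the per-interface option, would make the reason for the change clear to anyone reading the history.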
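Review bot: PATCH 2/4, Shorewall/manpages/shorewall-tcfilters.xml hunks @@ -88 and @@ -105: the unchanged context line just above the edit reads "if your kernel and ip6tables have the Basic", which in the IPv4 manpage looks like text carried over from the shorewall6 page. Since the paragraph is being touched anyway, check whether the IPv4 page should name iptables here. The same sentence is edited four times across the two files (twice in each manpage), so it is also worth confirming that all four copies end up with identical wording apart from the shorewall.conf / shorewall6.conf and shorewall-ipsets / shorewall6-ipsets references.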
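Review bot: PATCH 3/4, docs/Shorewall_and_Aliased_Interfaces.xml hunk @@ -182: the added rule does not match the sentence that introduces it. The prose says tcp port 10000 on the virtual interface is forwarded to port 22 on 192.168.1.3, but the DEST PORT(S) column of the added line "DNAT net loc:192.168.1.3:22 tcp 22 - 206.124.146.178" is 22, so as written the rule forwards port 22 to port 22. The DEST PORT(S) column should be 10000. Because SOURCE is the whole net zone, it would also help readers if the example text said that this exposes the local host's SSH port to every host in that zone.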
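Review bot: PATCH 4/4, docs/Shorewall_and_Aliased_Interfaces.xml hunk @@ -188: this one-line change of DEST PORT(S) from 22 to 10000 only repairs the example introduced eleven minutes earlier in PATCH 3/4, so the two are better squashed into a single commit and the history never carries the incorrect rule. If they stay separate, the message "Correct example from preceding commit" should name what was corrected, for example that the DEST PORT(S) column now matches the port 10000 described in the text.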