Update to reflect 1.3.4 Features

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@133 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-22 14:20:40 +01:00 · 2002-07-13 14:59:45 +00:00 · 2002-07-13 14:59:45 +00:00 · e97d6880c3
commit e97d6880c3
parent ccdbd9faed
4 changed files with 40 additions and 3 deletions
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@ -48,7 +48,9 @@
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
-#			routestopped - When the firewall is stopped, allow
+#			routestopped - (Deprecated -- use 
+#				       /etc/shorewall/routestopped)
+#				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -228,4 +228,35 @@ NAT_BEFORE_RULES=Yes

 MULTIPORT=No

+# DNAT IP Address Detection
+#
+# Normally when Shorewall encounters the following rule:
+#
+#	DNAT	net	loc:192.168.1.3	tcp	80
+#
+# it will forward TCP port 80 connections from the net to 192.168.1.3
+# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is 
+# convenient for two reasons:
+#
+#	a) If the the network interface has a dynamic IP address, the
+#	   firewall configuration will work even when the address
+#	   changes.
+#
+#	b) It saves having to configure the IP address in the rule 
+#	   while still allowing the firewall to be started before the
+#	   internet interface is brought up.
+#
+# This default behavior can also have a negative effect. If the
+# internet interface has more than one IP address then the above 
+# rule will forward connection requests on all of these addresses; 
+# that may not be what is desired.
+#
+# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
+# only if the original destination address is the primary IP address of
+# one of the interfaces associated with the source zone. Note that this
+# requires all interfaces to the source zone to be up when the firewall
+# is [re]started. 
+
+DETECT_DNAT_IPADDRS=No
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@ -48,7 +48,9 @@
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
-#			routestopped - When the firewall is stopped, allow
+#			routestopped - (Deprecated -- use 
+#				       /etc/shorewall/routestopped)
+#				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@ -48,7 +48,9 @@
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
-#			routestopped - When the firewall is stopped, allow
+#			routestopped - (Deprecated -- use 
+#				       /etc/shorewall/routestopped)
+#				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive