Document Shorewall6 support for dynamic zones.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-06-20 14:33:49 -07:00
parent 44cbfd8f27
commit ec28bdb5a0
2 changed files with 67 additions and 1 deletions


@ -113,6 +113,17 @@ None.
If you configure Shorewall-init to save/restore ipsets, be sure to
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
As part of this change, Shorewall and Shorewall6 will only restore
saved ipsets if SAVE_IPSETS=Yes in shorewall.conf
(shorewall6.conf).
6) Shorewall6 now supports dynamic zones:
1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces
2) The HOSTS column of /etc/shorewall6/hosts may now contain
<interface>:dynamic.
3) /sbin/shorewall6 now supports the 'add' and 'delete' commands.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
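Review bot: Sub-item 3 of the new item 6 names the 'add' and 'delete' commands without giving their argument form or saying where it is documented. Suggest adding the form from the manual page synopsis (interface[:host-list] ... zone) or a pointer to shorewall6(8). The sub-items also reuse the 1) 2) 3) numbering style of the enclosing list, so a), b), c) would make the nesting easier to read.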
@ -3628,7 +3639,7 @@ None.
8) The generated script now uses iptables[6]-restore to instantiate
the Netfilter ruleset during processing of the 'stop' command. As a
consequence, the 'critical' option in /etc/shorewall/route_stopped
consequence, the 'critical' option in /etc/shorewall/routestopped
is no longer needed and will result in a warning.
9) A new AUTOMAKE option has been added to shorewall.conf and
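Review bot: The route_stopped to routestopped correction in item 8 is unrelated to the dynamic-zone documentation named in the commit subject. The file name fix is worth keeping; suggest mentioning it in the commit message or moving it to its own commit so the history shows where the name was corrected.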


@ -16,6 +16,22 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>add</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
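Review bot: The synopsis gains a cmdsynopsis for 'add' only; no matching block for 'delete' is visible in this hunk, although a 'delete' entry is added to the command list later in the same file. If 'delete' takes the same interface[:host-list] ... zone arguments, add its cmdsynopsis here too so the synopsis and the command list agree.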
@ -583,6 +599,29 @@
<para>The available commands are listed below.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">add</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
a dynamic zone usually used with VPN's.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are host or network addresses.<caution>
<para>The <command>add</command> command is not very robust. If
there are errors in the <replaceable>host-list</replaceable>,
you may see a large number of error messages yet a subsequent
<command>shorewall show zones</command> command will indicate
that all hosts were added. If this happens, replace
<command>add</command> by <command>delete</command> and run the
same command again. Then enter the correct command.</para>
</caution></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">allow</emphasis></term>
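Review bot: The caution in the 'add' entry tells the reader to verify the result with 'shorewall show zones', which is the IPv4 command; on this shorewall6 page it should read 'shorewall6 show zones'. Since the caution says the zone listing can report hosts as added after errors, it is worth being exact about which command to check. Wording nits in the same entry: 'is comma-separated list' is missing 'a', and 'VPN's' should be 'VPNs'.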
@ -677,6 +716,22 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.21. The delete command reverses the
effect of an earlier <emphasis role="bold">add</emphasis>
command.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">drop</emphasis></term>
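Review bot: The host-list sentence in the 'delete' entry reads 'is comma-separated list whose elements are a host or network address', which drops the article and differs from the 'add' entry ('elements are host or network addresses'). Suggest 'is a comma-separated list whose elements are host or network addresses' in both places. The entry could also say that the interface, host-list and zone should match those given to the earlier 'add', since the 'add' caution relies on running the same command with 'delete'.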