From ece5bd4c7295fb3117bc4a0ce92ad796313dcece Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 18 Feb 2009 16:48:34 +0000 Subject: [PATCH] Update SUBSYSLOCK documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9452 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/standalone.xml | 9 ++- docs/three-interface.xml | 44 ++++++------ docs/two-interface.xml | 15 ++-- manpages/shorewall-notrack.xml | 106 ++++++++++++++++++++++------ manpages/shorewall-routestopped.xml | 56 ++++++++++++++- manpages/shorewall.conf.xml | 6 +- manpages/shorewall.xml | 13 ++++ manpages6/shorewall6.conf.xml | 2 +- 8 files changed, 194 insertions(+), 57 deletions(-) diff --git a/docs/standalone.xml b/docs/standalone.xml index b0ec3e6b7..8bdfd2e68 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -266,8 +266,8 @@ net ipv4 action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is - performed before the policy is applied. The purpose of the common action is - two-fold: + performed before the policy is applied. The purpose of the common action + is two-fold: @@ -582,6 +582,11 @@ SSH/ACCEPT net $FW STARTUP_ENABLED=Yes. + While you are editing shorewall.conf, it is a + good idea to check the value of the SUBSYSLOCK option. You can find a + description of this option by typing 'man shorewall.conf' at a shell + prompt and searching for SUBSYSLOCK. + The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 31097c3af..508dfd50b 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml 
@@ -286,11 +286,11 @@ dmz ipv4Zone names are defined in If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the - policy in /etc/shorewall/actions or + url="shorewall_extension_scripts.htm">common action defined for + the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is - performed before the action is applied. The purpose of the common action is - two-fold: + performed before the action is applied. The purpose of the common action + is two-fold: @@ -615,13 +615,10 @@ root@lists:~# - - The default gateway for the DMZ computers would be 10.10.11.254 and the default gateway - for the Local computers would be 10.10.10.254. - - + The default gateway for the DMZ computers would be + 10.10.11.254 and the + default gateway for the Local computers would be 10.10.10.254. Your ISP might assign your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 subnet then you will @@ -629,8 +626,7 @@ root@lists:~# and if it is in the 10.10.11.0/24 subnet then you will need to select a different RFC 1918 subnet for your DMZ. - - + 
@@ -648,10 +644,9 @@ root@lists:~# look as if the firewall itself is initiating the connection. This is necessary so that the destination host will be able to route return packets back to the firewall (remember that packets whose destination - address is reserved by RFC 1918 can't be routed across the Internet). - When the firewall receives a return packet, it rewrites the destination - address back to 10.10.10.1 and forwards the packet on to local computer - 1. + address is reserved by RFC 1918 can't be routed across the Internet). When + the firewall receives a return packet, it rewrites the destination address + back to 10.10.10.1 and forwards the packet on to local computer 1. On Linux systems, the above process is often referred to as IP Masquerading and you will also see the term Source Network Address @@ -1086,10 +1081,17 @@ ACCEPT net $FW tcp 80 Users of the .deb package must edit /etc/default/shorewall and set startup=1. - The firewall is started using the shorewall - start command and stopped using shorewall - stop. When the firewall is stopped, routing is enabled on those - hosts that have an entry in + + While you are editing shorewall.conf, it is a + good idea to check the value of the SUBSYSLOCK option. You can find a + description of this option by typing 'man shorewall.conf' at a shell + prompt and searching for SUBSYSLOCK + + The firewall is started using the shorewall start + command and stopped using shorewall stop. When the + firewall is stopped, routing is enabled on those hosts that have an entry + in /etc/shorewall/routestopped. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 47a03c490..70fdca3f8 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml 
@@ -269,11 +269,11 @@ loc ipv4Zones are defined in the /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the - policy in /etc/shorewall/actions or + url="shorewall_extension_scripts.htm">common action defined for + the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is - performed before the action is applied. The purpose of the common action is - two-fold: + performed before the action is applied. The purpose of the common action + is two-fold: 
@@ -1002,7 +1002,12 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workUsers of the .deb package must edit /etc/default/shorewall and set startup=1. - The firewall is started using the shorewall + While you are editing shorewall.conf, + it is a good idea to check the value of the SUBSYSLOCK option. You can + find a description of this option by typing 'man shorewall.conf' at a + shell prompt and searching for SUBSYSLOCK. + + The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry in - shorewall- + shorewall6-notrack 5 - file + notrack - Shorewall file + shorewall6 notrack file - /etc/shorewall/ + /etc/shorewall6/notrack Description + The notrack file is used to exempt certain traffic from Netfilter + connection tracking. Traffic matching entries in this fill will not be + tracked. + + The file was added in shorewall6-perl 4.2.7 and is not supported by + shorewall6-shell or by earlier versions of shorewall6-perl. + The columns in the file are as follows. - COLUMN 1 + SOURCE ‒ + zone[:interface][:address-list] - + where zone is the name of a zone, + interface is an interface to that zone, + and address-list is a comma-separated + list of addresses (may contain exclusion - see shorewall6-exclusion + (5)). + + + + + DEST ‒ [address-list] + + + where address-list is a + comma-separated list of addresses (may contain exclusion - see + shorewall6-exclusion + (5)). + + + + + PROTO ‒ + protocol-name-or-number + + + A protocol name from /etc/protocols or a + protocol number. + + + + + DEST PORT(S) - port-number/service-name-list + + + A comma-separated list of port numbers and/or service names + from /etc/services. May also include port + ranges of the form + low-port:high-port + if your kernel and iptables include port range support. 
+ + + + + SOURCE PORT(S) - port-number/service-name-list + + + A comma-separated list of port numbers and/or service names + from /etc/services. May also include port + ranges of the form + low-port:high-port + if your kernel and iptables include port range support. + + + + + USER/GROUP ‒ + [user][:group] + + + May only be specified if the SOURCE + zone is $FW. Specifies the effective user + id and or group id of the process sending the traffic. - - Example - - - - FILES - /etc/shorewall/ + /etc/shorewall6/notrack See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-proxyarp(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall-zones(5) diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml index ea9366916..e3ffd688a 100644 --- a/manpages/shorewall-routestopped.xml +++ b/manpages/shorewall-routestopped.xml @@ -1,4 +1,6 @@ + shorewall-routestopped 
@@ -127,9 +129,55 @@ + + + notrack + + + The traffic will be exempted from conntection + tracking. + + + + + PROTO (Optional) ‒ + protocol-name-or-number + + + Only available with Shorewall-perl 4.2.7 and later. + + + + + DEST PORT(S) (Optional) ‒ + service-name/port-number-list + + + Only available with Shorewall-perl 4.2.7 and later. A + comma-separated list of port numbers and/or service names from + /etc/services. May also include port ranges of + the form + low-port:high-port + if your kernel and iptables include port range support. + + + + + SOURCE PORT(S) (Optional) ‒ + service-name/port-number-list + + + Only available with Shorewall-perl 4.2.7 and later. A + comma-separated list of port numbers and/or service names from + /etc/services. May also include port ranges of + the form + low-port:high-port + if your kernel and iptables include port range support. + + @@ -148,11 +196,13 @@ Example 1: - #INTERFACE HOST(S) OPTIONS + #INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE + # PORT(S) PORT(S) eth2 192.168.1.0/24 eth0 192.0.2.44 br0 - routeback - eth3 - source + eth3 - source + eth4 - notrack 41 @@ -179,4 +229,4 @@ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) - \ No newline at end of file + diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 7526a3384..49a95b361 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml 
@@ -1480,9 +1480,9 @@ net all DROP infothen the chain name is 'net2all' This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops. Creating and removing this file allows Shorewall to work with - your distribution's initscripts. For RedHat, this should be set to - /var/lock/subsys/shorewall. For Debian, the value is - /var/state/shorewall and in LEAF it is /var/run/shorwall. + your distribution's initscripts. For RedHat and OpenSuSE, this + should be set to /var/lock/subsys/shorewall. For Debian, the value + is /var/lock/shorewall and in LEAF it is /var/run/shorwall. diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 141d7b254..8262f5bfb 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -1306,6 +1306,19 @@ + + raw + + + Displays the Netfilter raw table using the command + iptables -t raw -L -n -v.The + -x option is passed directly + through to iptables and causes actual packet and byte counts + to be displayed. Without this option, those counts are + abbreviated. + + + tc diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index 59a503cb5..d499db8d0 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -1030,7 +1030,7 @@ net all DROP infothen the chain name is 'net2all' stops. Creating and removing this file allows Shorewall6 to work with your distribution's initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall6. For Debian, the value is - /var/state/shorewall6 and in LEAF it is /var/run/shorwall. + /var/lock/shorewall6 and in LEAF it is /var/run/shorwall.
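Review bot: the reflowed sentence in the docs/three-interface.xml and docs/two-interface.xml "common action" hunks keeps "performed before the action is applied", while the matching hunk in docs/standalone.xml reads "performed before the policy is applied"; the policy is what gets applied after the common action runs, so "action" here looks like a copy error. Suggest changing it to "policy" in both files while these lines are being touched.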
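Review bot: the new SUBSYSLOCK paragraph in docs/three-interface.xml ends "searching for SUBSYSLOCK" with no terminating period, unlike the same paragraph added to docs/standalone.xml and docs/two-interface.xml. Add the period so the three copies match.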
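Review bot: the shorewall-notrack.xml hunks rewrite a file under manpages/ (the IPv4 manpage, per the stat line) with shorewall6 names throughout: the title becomes shorewall6-notrack, the path /etc/shorewall6/notrack, the version note says "shorewall6-perl 4.2.7", and See ALSO lists shorewall6-* pages, yet that list ends with "shorewall-zones(5)" and the port-range text still says "your kernel and iptables". If this file documents Shorewall (IPv4) the names should be shorewall-notrack, /etc/shorewall/notrack, "Shorewall-perl 4.2.7" (as shorewall-routestopped.xml puts it) and shorewall-*; if it is the Shorewall6 page it belongs under manpages6/ and should say ip6tables and shorewall6-zones(5). Also fix "this fill will not be tracked" to "this file" and "user id and or group id" to "user id and/or group id".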
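Review bot: "conntection tracking" in the new notrack option description in shorewall-routestopped.xml should be "connection tracking". The new PROTO, DEST PORT(S) and SOURCE PORT(S) entries only say "Only available with Shorewall-perl 4.2.7 and later" without saying what they qualify; a sentence stating that they narrow the entry to matching traffic would make the example line "eth4 - notrack 41" (protocol 41 in the PROTO column) self-explanatory.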
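Review bot: both the removed and the added line in the shorewall.conf.xml SUBSYSLOCK hunk say "in LEAF it is /var/run/shorwall", which looks like a typo for /var/run/shorewall carried over unchanged; confirm the LEAF path and correct it while this sentence is being edited. The hunk also adds OpenSuSE to the RedHat case; the corresponding shorewall6.conf.xml hunk in this same commit still says only "For RedHat", so the two manpages should be kept in step.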
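Review bot: in the new "raw" entry in shorewall.xml a space is missing between "iptables -t raw -L -n -v." and "The -x option". Since the raw table is where the NOTRACK rules generated from the new notrack file are placed, a cross-reference to shorewall-notrack(5) in this entry would help readers find why the table is now worth displaying.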
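Review bot: the shorewall6.conf.xml SUBSYSLOCK hunk changes the Debian path to /var/lock/shorewall6 but leaves "in LEAF it is /var/run/shorwall" unchanged; as in shorewall.conf.xml, "shorwall" looks like a typo for "shorewall" and, for the IPv6 product, the file name would presumably be shorewall6 rather than shorewall. Verify the LEAF path and correct it in the same change.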