Changes for 1.3.7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@208 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE/documentation/shorewall_firewall_structure.htm

@@ -6,14 +6,19 @@
 <meta name="ProgId" content="FrontPage.Editor.Document">
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Shorewall Firewall Structure</title>
-<meta name="Microsoft Theme" content="radial 011, default">
 </head>
 
-<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
+<body>
 
-      <h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Firewall Structure<!--mstheme--></font></h1>
+      <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+        <tr>
+          <td width="100%">
+          <h1 align="center"><font color="#FFFFFF">Firewall Structure</font></h1>
+          </td>
+        </tr>
+      </table>
       <p>
- Shorewall views the network in which it is running as a set of disjoint
+ Shorewall views the network in which it is running as a set of
       <i> zones. </i>Shorewall itself defines exactly   one zone called "fw"
 which refers to the firewall system itself . The   /etc/shorewall/zones file
 is used to define additional zones and the example file   provided with Shorewall 
@@ -36,6 +41,21 @@ from the internet and from the DMZ and in       some cases, from each other.</li
  with the exception of the firewall zone, Shorewall itself attaches no meaning to
  zone names. Zone names are simply labels used to refer to a collection of
  network hosts.</p>
+ <p>While zones are normally disjoint (no two zones have a host in common), 
+ there are cases where nested or overlapping zone definitions are appropriate.</p>
+ <p>Packets entering the firewall first pass through the <i>mangle </i>table's 
+ PREROUTING chain (you can see the mangle table by typing &quot;shorewall show 
+ mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b> 
+ option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop 
+ the packet if its destination IP address is reserved (as specified in the 
+ /etc/shorewall/rfc1918 file). Next the packet passes through the<b> pretos</b> 
+ chain to set its TOS field as specified in the /etc/shorewall/tos file. 
+ Finally, if traffic control/shaping is being used, the packet is sent through 
+ the<b> tcpre</b> chain to be marked for later use in policy routing or traffic 
+ control.</p>
+ <p>Next, if the packet isn't part of an established connection, it passes 
+ through the<i> nat</i> table's PREROUTING chain (you can see the nat table by 
+ typing &quot;shorewall show nat&quot;). </p>
       <p>
  Traffic entering the 
  firewall is sent to an<i> input </i>chain. If the traffic is destined for the 
@@ -133,4 +153,4 @@ server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font>
     (see point 3 above).</p>
 <p><font size="2">Last modified 7/26/2002 - <a href="support.htm">Tom
 Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
-<font size="2">Copyright</font> <20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
+<font size="2">Copyright</font> <20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>