1
0
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-10 23:58:14 +01:00

Remove references to Shorewall-shell, Shorewall-perl and prior Shorewall versions from the manpages

This commit is contained in:
Tom Eastep 2009-07-15 17:50:55 -07:00
parent 9c2966448e
commit f16b2300b6
21 changed files with 214 additions and 450 deletions

View File

@ -743,6 +743,14 @@ sub compiler {
# Setup Masquerading/SNAT
#
setup_masq;
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}
#
@ -770,17 +778,6 @@ sub compiler {
# Apply Policies
#
apply_policy_rules;
if ( $family == F_IPV4 ) {
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}
#
# Accounting.
#

View File

@ -1303,7 +1303,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $chn;
for ( zone_interfaces $sourcezone ) {
for ( keys %{zone_interfaces $sourcezone} ) {
my $ichain = input_chain $_;
if ( $nat_table->{$ichain} ) {

View File

@ -4,6 +4,10 @@ Changes in Shorewall 4.4.0-RC1
2) Fix routing when no providers.
3) Add 'any' as a SOURCE/DEST in rules.
4) Fix NONAT on child zone.
Changes in Shorewall 4.4.0-Beta4
1) Add more macros.

View File

@ -118,6 +118,9 @@ Shorewall 4.4.0 RC1
2) Previously, Shorewall might alter the routing when there were no
providers, even if the "-n" option was given.
3) Previously, NONAT rules on a sub-zone were not exempted from
DNAT/REDIRECT rules of a parent zone.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
@ -128,7 +131,11 @@ None.
N E W F E A T U R E S I N 4 . 4 . 0 RC1
----------------------------------------------------------------------------
None.
1) A new keyword 'any' may be used in the SOURCE and DEST columns of
the rules file. In the absense of nested zones, 'any' works the
same as 'all'. When there are nested zones, 'any' only selects the
top-level zones. 'any' is intended to be used with
IMPLICIT_CONTINUE=Yes in shorewall.conf.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4

View File

@ -300,8 +300,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -79,16 +79,15 @@ loc eth2 -</programlisting>
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
discussion of this problem.</para>
<para>Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as
an interface name.</para>
<para>Shorewall allows '+' as an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this
file.</para>
<para>(Shorewall-perl only) If a <replaceable>port</replaceable> is
given, then the <replaceable>interface</replaceable> must have been
defined previously with the <option>bridge</option> option. The
OPTIONS column may not contain the following options when a
<para>If a <replaceable>port</replaceable> is given, then the
<replaceable>interface</replaceable> must have been defined
previously with the <option>bridge</option> option. The OPTIONS
column may not contain the following options when a
<replaceable>port</replaceable> is given.</para>
<simplelist>
@ -134,12 +133,6 @@ loc eth2 -</programlisting>
<para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para>
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> or <emphasis
role="bold">-</emphasis> in this column. If you specify
<replaceable>address</replaceable>es, a compilation warning will be
issued.</para>
</listitem>
</varlistentry>
@ -164,12 +157,10 @@ loc eth2 -</programlisting>
requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>arp_filter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>arp_filter</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para></para>
@ -237,8 +228,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">bridge</emphasis></term>
<listitem>
<para>(Shorewall-perl only) Designates the interface as a
bridge.</para>
<para>Designates the interface as a bridge.</para>
</listitem>
</varlistentry>
@ -300,12 +290,10 @@ loc eth2 -</programlisting>
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>logmartians</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>logmartians</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
@ -377,9 +365,8 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>Only supported by Shorewall-perl. When
<option>optional</option> is specified for an interface,
Shorewall will be silent when:</para>
<para>When <option>optional</option> is specified for an
interface, Shorewall will be silent when:</para>
<itemizedlist>
<listitem>
@ -436,12 +423,10 @@ loc eth2 -</programlisting>
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changed; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the <option>proxyarp</option>
option will have their setting changed; the value assigned to
the setting will be the value specified (if any) or 1 if no
value is given.</para>
</listitem>
</varlistentry>
@ -466,12 +451,10 @@ loc eth2 -</programlisting>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>routefilter</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para></para>
@ -502,12 +485,10 @@ loc eth2 -</programlisting>
This might represent a security risk and is not usually
needed.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>sourceroute</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>sourceroute</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para></para>
@ -551,7 +532,7 @@ loc eth2 -</programlisting>
causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use
this option at your own risk. </para>
this option at your own risk.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -50,22 +50,19 @@
role="bold">,</emphasis><emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]]|COMMENT}</term>
<listitem>
<para>Outgoing <emphasis>interfacelist</emphasis>. Prior to
Shorewall 4.1.4, this must be a single interface name; in 4.1.4 and
later, this may be a comma-separated list of interface names. This
is usually your internet interface. If ADD_SNAT_ALIASES=Yes in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5), you may
add ":" and a <emphasis>digit</emphasis> to indicate that you want
the alias added with that name (e.g., eth0:0). This will allow the
alias to be displayed with ifconfig. <emphasis role="bold">That is
the only use for the alias name; it may not appear in any other
place in your Shorewall configuratio</emphasis>n.</para>
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
comma-separated list of interface names. This is usually your
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
and a <emphasis>digit</emphasis> to indicate that you want the alias
added with that name (e.g., eth0:0). This will allow the alias to be
displayed with ifconfig. <emphasis role="bold">That is the only use
for the alias name; it may not appear in any other place in your
Shorewall configuratio</emphasis>n.</para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
@ -113,7 +110,7 @@
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
-
{<emphasis>interface</emphasis>[[:]<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
{<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
<listitem>
@ -131,15 +128,11 @@
list of IP addresses (host or net) that you wish to exclude (see
<ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
Note that with Shorewall-perl, a colon (":") must appear between an
Note that a colon (":") must appear between an
<replaceable>interface</replaceable> name and the
<replaceable>exclusion</replaceable>;</para>
<para>Example (shorewall-shell):
eth1!192.168.1.4,192.168.32.0/27</para>
<para>Example (shorewall-perl):
eth1:!192.168.1.4,192.168.32.0/27</para>
<para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>
<para>In that example traffic from eth1 would be masqueraded unless
it came from 192.168.1.4 or 196.168.32.0/27</para>
@ -166,12 +159,11 @@
want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
Beginning with Shorewall 4.0.6, you may follow the port range
with<emphasis role="bold"> :random</emphasis> in which case
assignment of ports from the list will be random. <emphasis
role="bold">random</emphasis> may also be specified by itself in
this column in which case random local port assignments are made for
the outgoing connections.</para>
You may follow the port range with<emphasis role="bold">
:random</emphasis> in which case assignment of ports from the list
will be random. <emphasis role="bold">random</emphasis> may also be
specified by itself in this column in which case random local port
assignments are made for the outgoing connections.</para>
<para>Example: 206.124.146.177-206.124.146.180</para>
@ -379,8 +371,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -85,9 +85,7 @@
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
@ -95,11 +93,6 @@
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Prior to Shorewall 4.1.4,
<replaceable>interfacelist</replaceable> must be a single interface
name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may
specify a comma-separated list of interfaces.</para>
<para>If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no digit (e.g.,
"eth0:").</para>

View File

@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-netmap</refentrytitle>
@ -66,10 +68,8 @@
<listitem>
<para>The name of a network interface. The interface must be defined
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
@ -111,4 +111,4 @@
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
</refentry>

View File

@ -27,9 +27,6 @@
connection tracking. Traffic matching entries in this fill will not be
tracked.</para>
<para>The file was added in shorewall-perl 4.2.7 and is not supported by
shorewall-shell or by earlier versions of shorewall-perl.</para>
<para>The columns in the file are as follows.</para>
<variablelist>

View File

@ -165,9 +165,9 @@
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.0.3. Queue the request for a
user-space application using the nfnetlink_queue mechanism. If
a <replaceable>queuenumber</replaceable> is not given, queue
<para>Queue the request for a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not given, queue
zero (0) is assumed.</para>
</listitem>
</varlistentry>
@ -256,17 +256,17 @@
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. While the limit is
only checked on connections to which this policy could apply, the
number of current connections is calculated over all current
connections from the SOURCE host. By default, the limit is applied
to each host individually but can be made to apply to networks of
hosts by specifying a <replaceable>mask</replaceable>. The
<replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<para>May be used to limit the number of simultaneous connections
from each individual host to <replaceable>limit</replaceable>
connections. While the limit is only checked on connections to which
this policy could apply, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the limit is applied to each host individually but can be
made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all
hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
</listitem>
</varlistentry>

View File

@ -214,13 +214,13 @@
role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the source
address to use when routing to this provider and none is known
(the local client has bound to the 0 address). May not be
specified when an <replaceable>address</replaceable> is given
in the INTERFACE column. If this option is not used, Shorewall
substitutes the primary IP address on the interface named in
the INTERFACE column.</para>
<para>Specifies the source address to use when routing to this
provider and none is known (the local client has bound to the
0 address). May not be specified when an
<replaceable>address</replaceable> is given in the INTERFACE
column. If this option is not used, Shorewall substitutes the
primary IP address on the interface named in the INTERFACE
column.</para>
</listitem>
</varlistentry>
@ -229,9 +229,9 @@
role="bold">mtu=</emphasis><replaceable>number</replaceable></term>
<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the MTU when
forwarding through this provider. If not given, the MTU of the
interface named in the INTERFACE column is assumed.</para>
<para>Specifies the MTU when forwarding through this provider.
If not given, the MTU of the interface named in the INTERFACE
column is assumed.</para>
</listitem>
</varlistentry>
@ -240,9 +240,8 @@
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.2.5. Indicates that a default
route through the provider should be added to the default
routing table (table 253). If a
<para>Indicates that a default route through the provider
should be added to the default routing table (table 253). If a
<replaceable>weight</replaceable> is given, a balanced route
is added with the weight of this provider equal to the
specified <replaceable>weight</replaceable>. If the option is

View File

@ -25,9 +25,7 @@
<title>Description</title>
<para>This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped. When shorewall-shell is being
used, the file also determines those hosts that are accessible when the
firewall is in the process of being [re]started.</para>
firewall is stopped or is being stopped.</para>
<warning>
<para>Changes to this file do not take effect until after the next
@ -125,7 +123,7 @@
<replaceable>protocol-name-or-number</replaceable></term>
<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later.</para>
<para>Protocol.</para>
</listitem>
</varlistentry>
@ -134,10 +132,9 @@
<replaceable>service-name/port-number-list</replaceable></term>
<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
<filename>/etc/services</filename>. May also include port ranges of
the form
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
@ -148,10 +145,9 @@
<replaceable>service-name/port-number-list</replaceable></term>
<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
<filename>/etc/services</filename>. May also include port ranges of
the form
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>

View File

@ -343,8 +343,6 @@
<term>NFQUEUE</term>
<listitem>
<para>Only supported by Shorewall-perl &gt;= 4.0.3.</para>
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
@ -471,8 +469,9 @@
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>|<emphasis
role="bold">all</emphasis>[<emphasis
{<emphasis>zone</emphasis>|{<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
@ -509,6 +508,11 @@
mac addresses must begin with "~" and must use "-" as a
separator.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>
<para>Hosts may also be specified as an IP address range using the
syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
@ -586,60 +590,14 @@
</listitem>
</varlistentry>
</variablelist>
<blockquote>
<para>Alternatively, clients may be specified by interface by
appending ":" to the zone name followed by the interface name. For
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
client that communicates with the firewall system through eth1.
This may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
<para>It is important to note that when <emphasis
role="bold">using Shorewall-shell</emphasis> and specifying an
address list that will be split (i.e., a comma separated list),
there is a subtle behavior which has the potential to cause
confusion. Consider the two examples below:</para>
</blockquote>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>loc:eth1:192.168.1.3,192.168.1.5</term>
<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
from any interface in the zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>
<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with <emphasis role="bold">both</emphasis> originating from
eth1.</para>
</listitem>
</varlistentry>
</variablelist>
<blockquote>
<para>That is, the interface name must be explicitly stated for
each member of the comma separated list. Again, this distinction
in behavior only occurs when <emphasis role="bold">using
Shorewall-shell</emphasis>.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>|<emphasis
role="bold">all</emphasis>[<emphasis
{<emphasis>zone</emphasis>|{<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
@ -663,9 +621,13 @@
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para>
<para>Beginning with Shorewall 4.1.4, the
<replaceable>zone</replaceable> should be omitted in DNAT-,
REDIRECT- and NONAT rules.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>
<para>The <replaceable>zone</replaceable> should be omitted in
DNAT-, REDIRECT- and NONAT rules.</para>
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<orderedlist numeration="loweralpha">
@ -702,12 +664,7 @@
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
<emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>
<para>3. You may not specify both an interface and an
<para>2. You may not specify both an interface and an
address.</para>
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
@ -747,20 +704,15 @@
</varlistentry>
</variablelist>
<para>If you are using Shorewall-shell or Shorewall-perl before
version 4.0.5, then the port number MUST be specified as an
integer and not as a name from services(5). Shorewall-perl 4.0.5
and later permit the <emphasis>port</emphasis> to be specified as
a service name. Additionally, Shorewall-perl 4.0.5 and later
permit specifying a port range in the form
<para>The <emphasis>port</emphasis> may be specified as a service
name. You may specify a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Beginning with Shorewall 4.0.6, the port
range may be optionally followed by <emphasis
role="bold">:random</emphasis> which causes assignment to ports in
the list to be random.</para>
names are not permitted. Additionally, the port range may be
optionally followed by <emphasis role="bold">:random</emphasis>
which causes assignment to ports in the list to be random.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis
@ -825,11 +777,6 @@
<para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate rule
will be generated for each port. Shorewall-perl does not
automatically break up lists into individual rules.</para>
</listitem>
</varlistentry>
@ -864,11 +811,6 @@
<para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate
rule will be generated for each port. Shorewall-perl does not
automatically break up lists into individual rules.</para>
</blockquote>
</listitem>
</varlistentry>
@ -1058,8 +1000,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
@ -1178,18 +1119,7 @@
</refsect1>
<refsect1>
<title>Restrictions</title>
<para>Unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink> and your
iptables/kernel have <firstterm>Repeat Match</firstterm> support (see the
output of <command>shorewall show capabilities</command>), if you specify
a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
versa.</para>
</refsect1>
<refsect1>
<title>Example</title>
<title>Examples</title>
<variablelist>
<varlistentry>

View File

@ -236,8 +236,8 @@
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>Added in Shorewall-perl 4.1. A comma-separated list of options
including the following:</para>
<para>A comma-separated list of options including the
following:</para>
<variablelist>
<varlistentry>
@ -266,7 +266,7 @@
<para>This lets you define a classifier for the given
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
combination of the IP packet's TOS/Precedence/DiffSrv octet
(aka the TOS byte). </para>
(aka the TOS byte).</para>
</listitem>
</varlistentry>

View File

@ -113,10 +113,9 @@
<para>Shorewall assigns a sequential <firstterm>interface
number</firstterm> to each interface (the first entry in the file is
interface 1, the second is interface 2 and so on) Beginning with
Shorewall-perl 4.1.6, you can explicitly specify the interface
number by prefixing the interface name with the number and a colon
(":"). Example: 1:eth0.</para>
interface 1, the second is interface 2 and so on) You can explicitly
specify the interface number by prefixing the interface name with
the number and a colon (":"). Example: 1:eth0.</para>
</listitem>
</varlistentry>
@ -176,13 +175,12 @@
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
<listitem>
<para>Added in Shorewall-perl 4.1.6. May only be specified if the
interface in the INTERFACE column is an Intermediate Frame Block
(IFB) device. Causes packets that enter each listed interface to be
passed through the egress filters defined for this device, thus
providing a form of incoming traffic shaping. When this column is
non-empty, the <emphasis role="bold">classify</emphasis> option is
assumed.</para>
<para>May only be specified if the interface in the INTERFACE column
is an Intermediate Frame Block (IFB) device. Causes packets that
enter each listed interface to be passed through the egress filters
defined for this device, thus providing a form of incoming traffic
shaping. When this column is non-empty, the <emphasis
role="bold">classify</emphasis> option is assumed.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -93,14 +93,11 @@
<para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
then the rule is inserted into the OUTPUT chain. The behavior
changed in Shorewall-perl 4.1. Previously, when
HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values
&lt; 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned there.
Packet marking rules for traffic shaping of packets originating
on the firewall must be coded in the POSTROUTING chain (see
below).</para>
then the rule is inserted into the OUTPUT chain. When
HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING
chain (see below).</para>
<para>- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in <ulink
@ -162,12 +159,12 @@
followed the value with <option>:F</option>) or the OUTPUT chain
(SOURCE is <emphasis role="bold">$FW</emphasis>). With
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
permitted. Shorewall 4.1 and later versions prohibit non-zero
mark values less that 256 in the OUTPUT chain when
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
in the OUTPUT chain, it is strongly recommended that with
HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
traffic shaping marks/classification.</para>
permitted. Shorewall prohibits non-zero mark values less that
256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
versions allow such values in the OUTPUT chain, it is strongly
recommended that with HIGH_ROUTE_MARKS=Yes, you use the
POSTROUTING chain to apply traffic shaping
marks/classification.</para>
</listitem>
<listitem>
@ -239,16 +236,15 @@
</listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#MARK/ SOURCE DEST PROTO DEST
<para><emphasis role="bold">SAME</emphasis> Some websites run
applications that require multiple connections from a client
browser. Where multiple 'balanced' providers are configured,
this can lead to problems when some of the connections are
routed through one provider and some through another. The SAME
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
@ -682,8 +678,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<listitem>
<para>Connection Bytes; defines a byte or packet range that the
connection must fall within in order for the rule to match. Added in
Shorewall-perl 4.2.0.</para>
connection must fall within in order for the rule to match.</para>
<para>A packet matches if the the packet/byte count is within the
range defined by <emphasis>min</emphasis> and
@ -697,8 +692,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para><emphasis role="bold">O</emphasis> - The original
direction of the connection.</para>
<para><emphasis role="bold">R</emphasis> - The opposite
direction from the original connection.</para>
<para>- The opposite direction from the original
connection.</para>
<para><emphasis role="bold">B</emphasis> - The total of both
directions.</para>
@ -725,13 +720,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</emphasis><emphasis>helper</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.2.0. Names a Netfiler protocol
<firstterm>helper</firstterm> module such as <option>ftp</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will
match if it was accepted by the named helper module. You can also
append "-" and a port number to the helper module name (e.g.,
<emphasis role="bold">ftp-21</emphasis>) to specify the port number
that the original connection was made on.</para>
<para>Names a Netfiler protocol <firstterm>helper</firstterm> module
such as <option>ftp</option>, <option>sip</option>,
<option>amanda</option>, etc. A packet will match if it was accepted
by the named helper module. You can also append "-" and a port
number to the helper module name (e.g., <emphasis
role="bold">ftp-21</emphasis>) to specify the port number that the
original connection was made on.</para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER

View File

@ -141,8 +141,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -158,8 +158,8 @@ c:a,b ipv4</programlisting>
<term>bport (or bport4)</term>
<listitem>
<para>(Shorewall-perl only) The zone is associated with one or
more ports on a single bridge.</para>
<para>The zone is associated with one or more ports on a
single bridge.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -117,7 +117,7 @@
<varlistentry>
<term><emphasis
role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
role="bold">none</emphasis>} (Shorewall-perl 4.0.3 and later)</term>
role="bold">none</emphasis>}</term>
<listitem>
<para>In earlier Shorewall versions, a "default action" for DROP and
@ -140,10 +140,7 @@
<member>a) The name of an
<replaceable>action</replaceable>.</member>
<member>b) The name of a <replaceable>macro</replaceable>
(Shorewall-shell only)</member>
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
<member>b) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member>
</simplelist>
@ -334,22 +331,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, enables Shorewall Bridging
support.</para>
<para><note>
<para>BRIDGING=Yes may not work properly with Linux kernel
2.6.20 or later and is not supported by Shorewall-perl.</para>
</note></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis
@ -433,40 +414,15 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DELAYBLACKLISTLOAD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Users with a large static black list (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)) may
want to set the DELAYBLACKLISTLOAD option to <emphasis
role="bold">Yes</emphasis>. When DELAYBLACKLISTLOAD=Yes, Shorewall
will enable new connections before loading the blacklist rules.
While this may allow connections from blacklisted hosts to slip by
during construction of the blacklist, it can substantially reduce
the time that all new connections are disabled during <emphasis
role="bold">shorewall</emphasis> [<emphasis
role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para>
<note>
<para>DELAYBLACKLISTLOAD=Yes is not supported by
Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DELETE_THEN_ADD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.0.4. If set to Yes (the default value),
entries in the /etc/shorewall/route_stopped files cause an 'ip rule
del' command to be generated in addition to an 'ip rule add'
command. Setting this option to No, causes the 'ip rule del' command
to be omitted.</para>
<para>If set to Yes (the default value), entries in the
/etc/shorewall/route_stopped files cause an 'ip rule del' command to
be generated in addition to an 'ip rule add' command. Setting this
option to No, causes the 'ip rule del' command to be omitted.</para>
</listitem>
</varlistentry>
@ -520,9 +476,6 @@
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall
Lite.</para>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
later.</para>
</listitem>
</varlistentry>
@ -538,8 +491,8 @@
# LEVEL
net all DROP info</programlisting>then the chain name is 'net2all'
which is also the chain named in Shorewall log messages generated as
a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl
will create a separate chain for each pair of zones covered by the
a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall will
create a separate chain for each pair of zones covered by the
policy. This makes the resulting log messages easier to interpret
since the chain in the messages will have a name of the form 'a2b'
where 'a' is the SOURCE zone and 'b' is the DEST zone.</para>
@ -776,10 +729,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.0.3. When set to <option>Yes</option>,
this option prevents scripts generated by Shorewall-perl from
altering the /etc/iproute2/rt_tables database when there are entries
in <filename>/etc/shorewall/providers</filename>. If you set this
<para>When set to <option>Yes</option>, this option prevents
generated scripts from altering the /etc/iproute2/rt_tables database
when there are entries in
<filename>/etc/shorewall/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall (Shorewall-lite) is
running, you should remove the file
<filename>/var/lib/shorewall/rt_tables</filename>
@ -1059,28 +1012,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Previously, Shorewall included a large number of standard
actions (AllowPing, AllowFTP, ...). These have been replaced with
parameterized macros. For compatibility, Shorewall can map the old
names into invocations of the new macros if you set
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
<para></para>
<note>
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
value then MAPOLDACTIONS=No is assumed.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@ -1151,9 +1082,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>In such cases, you will configure a <option>destonly</option>
network on each zone receiving multicasts.</para>
<para>The MULTICAST option is only recognized by Shorewall-perl and
is ignored by Shorewall-shell.</para>
</listitem>
</varlistentry>
@ -1320,9 +1248,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.2.6, this option determines whether to
restore the default route saved when here are 'balance' providers
defined but all of them are down.</para>
<para>This option determines whether to restore the default route
saved when here are 'balance' providers defined but all of them are
down.</para>
<para>The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.</para>
@ -1384,9 +1312,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
state. The default value is <emphasis
role="bold">no</emphasis>.</para>
<para>The value <emphasis role="bold">Keep</emphasis> is only
allowed under Shorewall-perl. It causes Shorewall to ignore the
option. If the option is set to <emphasis
<para>The value <emphasis role="bold">Keep</emphasis> causes
Shorewall to ignore the option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all
@ -1408,35 +1335,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SHOREWALL_COMPILER=</emphasis>{<emphasis
role="bold">perl</emphasis>|<emphasis
role="bold">shell</emphasis>}</term>
<listitem>
<para>Specifies the compiler to use to generate firewall scripts
when both compilers are installed. The value of this option can be
either <option>perl</option> or <option>shell</option>. If both
compilers are installed and SHOREWALL_SHELL is not set, then
SHOREWALL_SHELL=shell is assumed.</para>
<para>If you add 'SHOREWALL_COMPILER=perl' to
<filename>/etc/shorewall/shorewall.conf</filename> then by default,
the Shorewall-perl compiler will be used on the system. If you add
it to <filename>shorewall.conf</filename> in a separate directory
(such as a Shorewall-lite export directory) then the Shorewall-perl
compiler will only be used when you compile from that
directory.</para>
<para>If you only install one compiler, it is suggested that you do
not set SHOREWALL_COMPILER.</para>
<para>This setting may be overriden in those commands that invoke
the compiler by using the -C command option (see <ulink
url="shorewall.html">shorewall</ulink>(8)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
@ -1584,22 +1482,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USE_ACTIONS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>While Shorewall Actions can be very useful, they also require
a sizable amount of code to implement. By setting USE_ACTIONS=No,
embedded Shorewall installations can omit the large library
/usr/share/shorewall-shell/lib.actions.</para>
<note>
<para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -1644,10 +1526,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>All provider gateways must be specified explicitly in the
GATEWAY column. <emphasis role="bold">detect</emphasis> may not
be specified.<note>
<para>Beginning with Shorewall 4.2.6, <emphasis
role="bold">detect</emphasis> may be specified for
interfaces whose configuration is managed by dhcpcd.
Shorewall will use dhcpcd's database to find the
<para><emphasis role="bold">detect</emphasis> may be
specified for interfaces whose configuration is managed by
dhcpcd. Shorewall will use dhcpcd's database to find the
interfaces's gateway.</para>
</note></para>
</listitem>

View File

@ -701,9 +701,8 @@
are untouched. Clear is often used to see if the firewall is causing
connection problems.</para>
<para>The <option>-f</option> option was added in Shorewall 4.0.3.
If <option>-f</option> is given, the command will be processed by
the compiled script that executed the last successful <emphasis
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
@ -736,9 +735,8 @@
capabilities</emphasis> on a system with Shorewall Lite
installed</para>
<para>The <option>-d</option> option only works when the compiler is
Shorewall-perl. It causes the compiler to be run under control of
the Perl debugger.</para>
<para>The <option>-d</option> option causes the compiler to be run
under control of the Perl debugger.</para>
<para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line
@ -995,13 +993,13 @@
<para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
<para>Beginning with Shorewall 4.1, the <emphasis
role="bold">refresh</emphasis> command has slightly different
behavior. When no chain name is given to the <emphasis
role="bold">refresh</emphasis> command, the mangle table is
refreshed along with the blacklist chain (if any). This allows you
to modify <filename>/etc/shorewall/tcrules </filename>and install
the changes using <emphasis role="bold">refresh</emphasis>.</para>
<para>The <emphasis role="bold">refresh</emphasis> command has
slightly different behavior. When no chain name is given to the
<emphasis role="bold">refresh</emphasis> command, the mangle table
is refreshed along with the blacklist chain (if any). This allows
you to modify <filename>/etc/shorewall/tcrules </filename>and
install the changes using <emphasis
role="bold">refresh</emphasis>.</para>
</listitem>
</varlistentry>
@ -1346,9 +1344,8 @@
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
<para>The <option>-f</option> option was added in Shorewall 4.0.3.
If <option>-f</option> is given, the command will be processed by
the compiled script that executed the last successful <emphasis
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>