extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-04 03:49:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove references to Shorewall-shell, Shorewall-perl and prior Shorewall versions from the manpages

Browse Source
This commit is contained in:
Tom Eastep 2009-07-15 17:50:55 -07:00
parent 9c2966448e
commit f16b2300b6
21 changed files with 214 additions and 450 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -743,6 +743,14 @@ sub compiler {
# Setup Masquerading/SNAT # Setup Masquerading/SNAT
# #
setup_masq; setup_masq;
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
} }
# #
@ -770,17 +778,6 @@ sub compiler {
# Apply Policies # Apply Policies
# #
apply_policy_rules; apply_policy_rules;
if ( $family == F_IPV4 ) {
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}
# #
# Accounting. # Accounting.
# #

2
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1303,7 +1303,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $chn; my $chn;
for ( zone_interfaces $sourcezone ) { for ( keys %{zone_interfaces $sourcezone} ) {
my $ichain = input_chain $_; my $ichain = input_chain $_;
if ( $nat_table->{$ichain} ) { if ( $nat_table->{$ichain} ) {

4
Shorewall/changelog.txt
View File

@ -4,6 +4,10 @@ Changes in Shorewall 4.4.0-RC1
2) Fix routing when no providers. 2) Fix routing when no providers.
3) Add 'any' as a SOURCE/DEST in rules.
4) Fix NONAT on child zone.
Changes in Shorewall 4.4.0-Beta4 Changes in Shorewall 4.4.0-Beta4
1) Add more macros. 1) Add more macros.

9
Shorewall/releasenotes.txt
View File

@ -118,6 +118,9 @@ Shorewall 4.4.0 RC1
2) Previously, Shorewall might alter the routing when there were no 2) Previously, Shorewall might alter the routing when there were no
providers, even if the "-n" option was given. providers, even if the "-n" option was given.
3) Previously, NONAT rules on a sub-zone were not exempted from
DNAT/REDIRECT rules of a parent zone.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -128,7 +131,11 @@ None.
N E W F E A T U R E S I N 4 . 4 . 0 RC1 N E W F E A T U R E S I N 4 . 4 . 0 RC1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1) A new keyword 'any' may be used in the SOURCE and DEST columns of
the rules file. In the absense of nested zones, 'any' works the
same as 'all'. When there are nested zones, 'any' only selects the
top-level zones. 'any' is intended to be used with
IMPLICIT_CONTINUE=Yes in shorewall.conf.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4 N E W F E A T U R E S IN 4 . 4

3
manpages/shorewall-accounting.xml
View File

@ -300,8 +300,7 @@
<listitem> <listitem>
<para>Designates a connection mark. If omitted, the packet <para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by mark's value is tested.</para>
Shorewall-perl.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

77
manpages/shorewall-interfaces.xml
View File

@ -79,16 +79,15 @@ loc eth2 -</programlisting>
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
discussion of this problem.</para> discussion of this problem.</para>
<para>Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as <para>Shorewall allows '+' as an interface name.</para>
an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this <para>There is no need to define the loopback interface (lo) in this
file.</para> file.</para>
<para>(Shorewall-perl only) If a <replaceable>port</replaceable> is <para>If a <replaceable>port</replaceable> is given, then the
given, then the <replaceable>interface</replaceable> must have been <replaceable>interface</replaceable> must have been defined
defined previously with the <option>bridge</option> option. The previously with the <option>bridge</option> option. The OPTIONS
OPTIONS column may not contain the following options when a column may not contain the following options when a
<replaceable>port</replaceable> is given.</para> <replaceable>port</replaceable> is given.</para>
<simplelist> <simplelist>
@ -134,12 +133,6 @@ loc eth2 -</programlisting>
<para>If you don't want to give a value for this column but you want <para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para> role="bold">-</emphasis> in this column.</para>
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> or <emphasis
role="bold">-</emphasis> in this column. If you specify
<replaceable>address</replaceable>es, a compilation warning will be
issued.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -164,12 +157,10 @@ loc eth2 -</programlisting>
requests for IP addresses on any of the firewall's interface. requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para> The interface must be up when Shorewall is started.</para>
<para>The option value (0 or 1) may only be specified if you <para>Only those interfaces with the
are using Shorewall-perl. With Shorewall-perl, only those <option>arp_filter</option> option will have their setting
interfaces with the <option>arp_filter</option> option will changes; the value assigned to the setting will be the value
have their setting changes; the value assigned to the setting specified (if any) or 1 if no value is given.</para>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para> <para></para>
@ -237,8 +228,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">bridge</emphasis></term> <term><emphasis role="bold">bridge</emphasis></term>
<listitem> <listitem>
<para>(Shorewall-perl only) Designates the interface as a <para>Designates the interface as a bridge.</para>
bridge.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -300,12 +290,10 @@ loc eth2 -</programlisting>
specify <option>logmartians</option> because your distribution specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para> may be enabling route filtering without you knowing it.</para>
<para>The option value (0 or 1) may only be specified if you <para>Only those interfaces with the
are using Shorewall-perl. With Shorewall-perl, only those <option>logmartians</option> option will have their setting
interfaces with the <option>logmartians</option> option will changes; the value assigned to the setting will be the value
have their setting changes; the value assigned to the setting specified (if any) or 1 if no value is given.</para>
will be the value specified (if any) or 1 if no value is
given.</para>
<para>To find out if route filtering is set on a given <para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of <replaceable>interface</replaceable>, check the contents of
@ -377,9 +365,8 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">optional</emphasis></term> <term><emphasis role="bold">optional</emphasis></term>
<listitem> <listitem>
<para>Only supported by Shorewall-perl. When <para>When <option>optional</option> is specified for an
<option>optional</option> is specified for an interface, interface, Shorewall will be silent when:</para>
Shorewall will be silent when:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -436,12 +423,10 @@ loc eth2 -</programlisting>
not work with a wild-card <replaceable>interface</replaceable> not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para> name (e.g., eth0.+) in the INTERFACE column.</para>
<para>The option value (0 or 1) may only be specified if you <para>Only those interfaces with the <option>proxyarp</option>
are using Shorewall-perl. With Shorewall-perl, only those option will have their setting changed; the value assigned to
interfaces with the <option>proxyarp</option> option will have the setting will be the value specified (if any) or 1 if no
their setting changed; the value assigned to the setting will value is given.</para>
be the value specified (if any) or 1 if no value is
given.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -466,12 +451,10 @@ loc eth2 -</programlisting>
<para>Turn on kernel route filtering for this interface <para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para> (anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you <para>Only those interfaces with the
are using Shorewall-perl. With Shorewall-perl, only those <option>routefilter</option> option will have their setting
interfaces with the <option>routefilter</option> option will changes; the value assigned to the setting will be the value
have their setting changes; the value assigned to the setting specified (if any) or 1 if no value is given.</para>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para> <para></para>
@ -502,12 +485,10 @@ loc eth2 -</programlisting>
This might represent a security risk and is not usually This might represent a security risk and is not usually
needed.</para> needed.</para>
<para>The option value (0 or 1) may only be specified if you <para>Only those interfaces with the
are using Shorewall-perl. With Shorewall-perl, only those <option>sourceroute</option> option will have their setting
interfaces with the <option>sourceroute</option> option will changes; the value assigned to the setting will be the value
have their setting changes; the value assigned to the setting specified (if any) or 1 if no value is given.</para>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para> <para></para>
@ -551,7 +532,7 @@ loc eth2 -</programlisting>
causes Shorewall to detect the default gateway through the causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use that, like all aspects of UPnP, this is a security hole so use
this option at your own risk. </para> this option at your own risk.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

47
manpages/shorewall-masq.xml
View File

@ -50,22 +50,19 @@
role="bold">,</emphasis><emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]]|COMMENT}</term> role="bold">,</emphasis><emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]]|COMMENT}</term>
<listitem> <listitem>
<para>Outgoing <emphasis>interfacelist</emphasis>. Prior to <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
Shorewall 4.1.4, this must be a single interface name; in 4.1.4 and comma-separated list of interface names. This is usually your
later, this may be a comma-separated list of interface names. This internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
is usually your internet interface. If ADD_SNAT_ALIASES=Yes in url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5), you may and a <emphasis>digit</emphasis> to indicate that you want the alias
add ":" and a <emphasis>digit</emphasis> to indicate that you want added with that name (e.g., eth0:0). This will allow the alias to be
the alias added with that name (e.g., eth0:0). This will allow the displayed with ifconfig. <emphasis role="bold">That is the only use
alias to be displayed with ifconfig. <emphasis role="bold">That is for the alias name; it may not appear in any other place in your
the only use for the alias name; it may not appear in any other Shorewall configuratio</emphasis>n.</para>
place in your Shorewall configuratio</emphasis>n.</para>
<para>Each interface must match an entry in <ulink <para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match. Shorewall allows loose matches to wildcard entries in <ulink
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink will match a <ulink
@ -113,7 +110,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET) <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
- -
{<emphasis>interface</emphasis>[[:]<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis {<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term> role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
<listitem> <listitem>
@ -131,15 +128,11 @@
list of IP addresses (host or net) that you wish to exclude (see list of IP addresses (host or net) that you wish to exclude (see
<ulink <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))). url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
Note that with Shorewall-perl, a colon (":") must appear between an Note that a colon (":") must appear between an
<replaceable>interface</replaceable> name and the <replaceable>interface</replaceable> name and the
<replaceable>exclusion</replaceable>;</para> <replaceable>exclusion</replaceable>;</para>
<para>Example (shorewall-shell): <para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>
eth1!192.168.1.4,192.168.32.0/27</para>
<para>Example (shorewall-perl):
eth1:!192.168.1.4,192.168.32.0/27</para>
<para>In that example traffic from eth1 would be masqueraded unless <para>In that example traffic from eth1 would be masqueraded unless
it came from 192.168.1.4 or 196.168.32.0/27</para> it came from 192.168.1.4 or 196.168.32.0/27</para>
@ -166,12 +159,11 @@
want the SNAT address to be assigned from that range in a want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>. <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
Beginning with Shorewall 4.0.6, you may follow the port range You may follow the port range with<emphasis role="bold">
with<emphasis role="bold"> :random</emphasis> in which case :random</emphasis> in which case assignment of ports from the list
assignment of ports from the list will be random. <emphasis will be random. <emphasis role="bold">random</emphasis> may also be
role="bold">random</emphasis> may also be specified by itself in specified by itself in this column in which case random local port
this column in which case random local port assignments are made for assignments are made for the outgoing connections.</para>
the outgoing connections.</para>
<para>Example: 206.124.146.177-206.124.146.180</para> <para>Example: 206.124.146.177-206.124.146.180</para>
@ -379,8 +371,7 @@
<listitem> <listitem>
<para>Designates a connection mark. If omitted, the packet <para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by mark's value is tested.</para>
Shorewall-perl.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

9
manpages/shorewall-nat.xml
View File

@ -85,9 +85,7 @@
<para>Each interface must match an entry in <ulink <para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match. Shorewall allows loose matches to wildcard entries in <ulink
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink will match a <ulink
@ -95,11 +93,6 @@
entry that defines <filename entry that defines <filename
class="devicefile">ppp+</filename>.</para> class="devicefile">ppp+</filename>.</para>
<para>Prior to Shorewall 4.1.4,
<replaceable>interfacelist</replaceable> must be a single interface
name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may
specify a comma-separated list of interfaces.</para>
<para>If you want to override ADD_IP_ALIASES=Yes for a particular <para>If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no digit (e.g., entry, follow the interface name with ":" and no digit (e.g.,
"eth0:").</para> "eth0:").</para>

8
manpages/shorewall-netmap.xml
View File

@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-netmap</refentrytitle> <refentrytitle>shorewall-netmap</refentrytitle>
@ -66,10 +68,8 @@
<listitem> <listitem>
<para>The name of a network interface. The interface must be defined <para>The name of a network interface. The interface must be defined
in <ulink in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match. Shorewall allows loose matches to wildcard entries in <ulink
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink will match a <ulink

3
manpages/shorewall-notrack.xml
View File

@ -27,9 +27,6 @@
connection tracking. Traffic matching entries in this fill will not be connection tracking. Traffic matching entries in this fill will not be
tracked.</para> tracked.</para>
<para>The file was added in shorewall-perl 4.2.7 and is not supported by
shorewall-shell or by earlier versions of shorewall-perl.</para>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>
<variablelist> <variablelist>

28
manpages/shorewall-policy.xml
View File

@ -165,9 +165,9 @@
<term><emphasis role="bold">NFQUEUE</emphasis></term> <term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.0.3. Queue the request for a <para>Queue the request for a user-space application using the
user-space application using the nfnetlink_queue mechanism. If nfnetlink_queue mechanism. If a
a <replaceable>queuenumber</replaceable> is not given, queue <replaceable>queuenumber</replaceable> is not given, queue
zero (0) is assumed.</para> zero (0) is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -256,17 +256,17 @@
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term> <emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number <para>May be used to limit the number of simultaneous connections
of simultaneous connections from each individual host to from each individual host to <replaceable>limit</replaceable>
<replaceable>limit</replaceable> connections. While the limit is connections. While the limit is only checked on connections to which
only checked on connections to which this policy could apply, the this policy could apply, the number of current connections is
number of current connections is calculated over all current calculated over all current connections from the SOURCE host. By
connections from the SOURCE host. By default, the limit is applied default, the limit is applied to each host individually but can be
to each host individually but can be made to apply to networks of made to apply to networks of hosts by specifying a
hosts by specifying a <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
<replaceable>mask</replaceable> specifies the width of a VLSM mask specifies the width of a VLSM mask to be applied to the source
to be applied to the source address; the number of current address; the number of current connections is then taken over all
connections is then taken over all hosts in the subnet hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para> <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

25
manpages/shorewall-providers.xml
View File

@ -214,13 +214,13 @@
role="bold">src=</emphasis><replaceable>source-address</replaceable></term> role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the source <para>Specifies the source address to use when routing to this
address to use when routing to this provider and none is known provider and none is known (the local client has bound to the
(the local client has bound to the 0 address). May not be 0 address). May not be specified when an
specified when an <replaceable>address</replaceable> is given <replaceable>address</replaceable> is given in the INTERFACE
in the INTERFACE column. If this option is not used, Shorewall column. If this option is not used, Shorewall substitutes the
substitutes the primary IP address on the interface named in primary IP address on the interface named in the INTERFACE
the INTERFACE column.</para> column.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -229,9 +229,9 @@
role="bold">mtu=</emphasis><replaceable>number</replaceable></term> role="bold">mtu=</emphasis><replaceable>number</replaceable></term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the MTU when <para>Specifies the MTU when forwarding through this provider.
forwarding through this provider. If not given, the MTU of the If not given, the MTU of the interface named in the INTERFACE
interface named in the INTERFACE column is assumed.</para> column is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -240,9 +240,8 @@
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term> role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.5. Indicates that a default <para>Indicates that a default route through the provider
route through the provider should be added to the default should be added to the default routing table (table 253). If a
routing table (table 253). If a
<replaceable>weight</replaceable> is given, a balanced route <replaceable>weight</replaceable> is given, a balanced route
is added with the weight of this provider equal to the is added with the weight of this provider equal to the
specified <replaceable>weight</replaceable>. If the option is specified <replaceable>weight</replaceable>. If the option is

20
manpages/shorewall-routestopped.xml
View File

@ -25,9 +25,7 @@
<title>Description</title> <title>Description</title>
<para>This file is used to define the hosts that are accessible when the <para>This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped. When shorewall-shell is being firewall is stopped or is being stopped.</para>
used, the file also determines those hosts that are accessible when the
firewall is in the process of being [re]started.</para>
<warning> <warning>
<para>Changes to this file do not take effect until after the next <para>Changes to this file do not take effect until after the next
@ -125,7 +123,7 @@
<replaceable>protocol-name-or-number</replaceable></term> <replaceable>protocol-name-or-number</replaceable></term>
<listitem> <listitem>
<para>Only available with Shorewall-perl 4.2.7 and later.</para> <para>Protocol.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -134,10 +132,9 @@
<replaceable>service-name/port-number-list</replaceable></term> <replaceable>service-name/port-number-list</replaceable></term>
<listitem> <listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A <para>A comma-separated list of port numbers and/or service names
comma-separated list of port numbers and/or service names from from <filename>/etc/services</filename>. May also include port
<filename>/etc/services</filename>. May also include port ranges of ranges of the form
the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
</listitem> </listitem>
@ -148,10 +145,9 @@
<replaceable>service-name/port-number-list</replaceable></term> <replaceable>service-name/port-number-list</replaceable></term>
<listitem> <listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A <para>A comma-separated list of port numbers and/or service names
comma-separated list of port numbers and/or service names from from <filename>/etc/services</filename>. May also include port
<filename>/etc/services</filename>. May also include port ranges of ranges of the form
the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
</listitem> </listitem>

122
manpages/shorewall-rules.xml
View File

@ -343,8 +343,6 @@
<term>NFQUEUE</term> <term>NFQUEUE</term>
<listitem> <listitem>
<para>Only supported by Shorewall-perl &gt;= 4.0.3.</para>
<para>Queues the packet to a user-space application using the <para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue <replaceable>queuenumber</replaceable> is not specified, queue
@ -471,8 +469,9 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>|<emphasis {<emphasis>zone</emphasis>|{<emphasis
role="bold">all</emphasis>[<emphasis role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
@ -509,6 +508,11 @@
mac addresses must begin with "~" and must use "-" as a mac addresses must begin with "~" and must use "-" as a
separator.</para> separator.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>
<para>Hosts may also be specified as an IP address range using the <para>Hosts may also be specified as an IP address range using the
syntax syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>. <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
@ -586,60 +590,14 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<blockquote>
<para>Alternatively, clients may be specified by interface by
appending ":" to the zone name followed by the interface name. For
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
client that communicates with the firewall system through eth1.
This may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
<para>It is important to note that when <emphasis
role="bold">using Shorewall-shell</emphasis> and specifying an
address list that will be split (i.e., a comma separated list),
there is a subtle behavior which has the potential to cause
confusion. Consider the two examples below:</para>
</blockquote>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>loc:eth1:192.168.1.3,192.168.1.5</term>
<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
from any interface in the zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>
<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with <emphasis role="bold">both</emphasis> originating from
eth1.</para>
</listitem>
</varlistentry>
</variablelist>
<blockquote>
<para>That is, the interface name must be explicitly stated for
each member of the comma separated list. Again, this distinction
in behavior only occurs when <emphasis role="bold">using
Shorewall-shell</emphasis>.</para>
</blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>|<emphasis {<emphasis>zone</emphasis>|{<emphasis
role="bold">all</emphasis>[<emphasis role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
@ -663,9 +621,13 @@
affected. When <emphasis role="bold">all+</emphasis> is used, affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para> intra-zone traffic is affected.</para>
<para>Beginning with Shorewall 4.1.4, the <para><emphasis role="bold">any</emphasis> is equivalent to
<replaceable>zone</replaceable> should be omitted in DNAT-, <emphasis role="bold">all</emphasis> when there are no nested zones.
REDIRECT- and NONAT rules.</para> When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>
<para>The <replaceable>zone</replaceable> should be omitted in
DNAT-, REDIRECT- and NONAT rules.</para>
<para>If the DEST <replaceable>zone</replaceable> is a bport zone, <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<orderedlist numeration="loweralpha"> then either:<orderedlist numeration="loweralpha">
@ -702,12 +664,7 @@
<para>1. MAC addresses are not allowed (this is a Netfilter <para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para> restriction).</para>
<para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in <para>2. You may not specify both an interface and an
<emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>
<para>3. You may not specify both an interface and an
address.</para> address.</para>
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column, <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
@ -747,20 +704,15 @@
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>If you are using Shorewall-shell or Shorewall-perl before <para>The <emphasis>port</emphasis> may be specified as a service
version 4.0.5, then the port number MUST be specified as an name. You may specify a port range in the form
integer and not as a name from services(5). Shorewall-perl 4.0.5
and later permit the <emphasis>port</emphasis> to be specified as
a service name. Additionally, Shorewall-perl 4.0.5 and later
permit specifying a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be <emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service <emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Beginning with Shorewall 4.0.6, the port names are not permitted. Additionally, the port range may be
range may be optionally followed by <emphasis optionally followed by <emphasis role="bold">:random</emphasis>
role="bold">:random</emphasis> which causes assignment to ports in which causes assignment to ports in the list to be random.</para>
the list to be random.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis role="bold">REDIRECT</emphasis> or <emphasis
@ -825,11 +777,6 @@
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para> contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate rule
will be generated for each port. Shorewall-perl does not
automatically break up lists into individual rules.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -864,11 +811,6 @@
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para> contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate
rule will be generated for each port. Shorewall-perl does not
automatically break up lists into individual rules.</para>
</blockquote> </blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1058,8 +1000,7 @@
<listitem> <listitem>
<para>Designates a connection mark. If omitted, the packet <para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by mark's value is tested.</para>
Shorewall-perl.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -1178,18 +1119,7 @@
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Restrictions</title> <title>Examples</title>
<para>Unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink> and your
iptables/kernel have <firstterm>Repeat Match</firstterm> support (see the
output of <command>shorewall show capabilities</command>), if you specify
a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
versa.</para>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist> <variablelist>
<varlistentry> <varlistentry>

6
manpages/shorewall-tcclasses.xml
View File

@ -236,8 +236,8 @@
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term> role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.1. A comma-separated list of options <para>A comma-separated list of options including the
including the following:</para> following:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -266,7 +266,7 @@
<para>This lets you define a classifier for the given <para>This lets you define a classifier for the given
<emphasis>value</emphasis>/<emphasis>mask</emphasis> <emphasis>value</emphasis>/<emphasis>mask</emphasis>
combination of the IP packet's TOS/Precedence/DiffSrv octet combination of the IP packet's TOS/Precedence/DiffSrv octet
(aka the TOS byte). </para> (aka the TOS byte).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

20
manpages/shorewall-tcdevices.xml
View File

@ -113,10 +113,9 @@
<para>Shorewall assigns a sequential <firstterm>interface <para>Shorewall assigns a sequential <firstterm>interface
number</firstterm> to each interface (the first entry in the file is number</firstterm> to each interface (the first entry in the file is
interface 1, the second is interface 2 and so on) Beginning with interface 1, the second is interface 2 and so on) You can explicitly
Shorewall-perl 4.1.6, you can explicitly specify the interface specify the interface number by prefixing the interface name with
number by prefixing the interface name with the number and a colon the number and a colon (":"). Example: 1:eth0.</para>
(":"). Example: 1:eth0.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -176,13 +175,12 @@
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term> [<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.1.6. May only be specified if the <para>May only be specified if the interface in the INTERFACE column
interface in the INTERFACE column is an Intermediate Frame Block is an Intermediate Frame Block (IFB) device. Causes packets that
(IFB) device. Causes packets that enter each listed interface to be enter each listed interface to be passed through the egress filters
passed through the egress filters defined for this device, thus defined for this device, thus providing a form of incoming traffic
providing a form of incoming traffic shaping. When this column is shaping. When this column is non-empty, the <emphasis
non-empty, the <emphasis role="bold">classify</emphasis> option is role="bold">classify</emphasis> option is assumed.</para>
assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

65
manpages/shorewall-tcrules.xml
View File

@ -93,14 +93,11 @@
<para>- If the SOURCE is <emphasis <para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis role="bold">$FW</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...], role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
then the rule is inserted into the OUTPUT chain. The behavior then the rule is inserted into the OUTPUT chain. When
changed in Shorewall-perl 4.1. Previously, when HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values there. Packet marking rules for traffic shaping of packets
&lt; 256 to be assigned in the OUTPUT chain. This has been originating on the firewall must be coded in the POSTROUTING
changed so that only high mark values may be assigned there. chain (see below).</para>
Packet marking rules for traffic shaping of packets originating
on the firewall must be coded in the POSTROUTING chain (see
below).</para>
<para>- Otherwise, the chain is determined by the setting of <para>- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in <ulink MARK_IN_FORWARD_CHAIN in <ulink
@ -162,12 +159,12 @@
followed the value with <option>:F</option>) or the OUTPUT chain followed the value with <option>:F</option>) or the OUTPUT chain
(SOURCE is <emphasis role="bold">$FW</emphasis>). With (SOURCE is <emphasis role="bold">$FW</emphasis>). With
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
permitted. Shorewall 4.1 and later versions prohibit non-zero permitted. Shorewall prohibits non-zero mark values less that
mark values less that 256 in the OUTPUT chain when 256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values versions allow such values in the OUTPUT chain, it is strongly
in the OUTPUT chain, it is strongly recommended that with recommended that with HIGH_ROUTE_MARKS=Yes, you use the
HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply POSTROUTING chain to apply traffic shaping
traffic shaping marks/classification.</para> marks/classification.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -239,16 +236,15 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall <para><emphasis role="bold">SAME</emphasis> Some websites run
4.3.5) -- Some websites run applications that require multiple applications that require multiple connections from a client
connections from a client browser. Where multiple 'balanced' browser. Where multiple 'balanced' providers are configured,
providers are configured, this can lead to problems when some of this can lead to problems when some of the connections are
the connections are routed through one provider and some through routed through one provider and some through another. The SAME
another. The SAME target allows you to work around that problem. target allows you to work around that problem. SAME may be used
SAME may be used in the PREROUTING and OUTPUT chains. When used in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
in PREROUTING, it causes matching connections from an individual causes matching connections from an individual local system to
local system to all use the same provider. For example: all use the same provider. For example: <programlisting>#MARK/ SOURCE DEST PROTO DEST
<programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S) #CLASSIFY PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting> SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 If a host in 192.168.1.0/24 attempts a connection on TCP port 80
@ -682,8 +678,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<listitem> <listitem>
<para>Connection Bytes; defines a byte or packet range that the <para>Connection Bytes; defines a byte or packet range that the
connection must fall within in order for the rule to match. Added in connection must fall within in order for the rule to match.</para>
Shorewall-perl 4.2.0.</para>
<para>A packet matches if the the packet/byte count is within the <para>A packet matches if the the packet/byte count is within the
range defined by <emphasis>min</emphasis> and range defined by <emphasis>min</emphasis> and
@ -697,8 +692,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para><emphasis role="bold">O</emphasis> - The original <para><emphasis role="bold">O</emphasis> - The original
direction of the connection.</para> direction of the connection.</para>
<para><emphasis role="bold">R</emphasis> - The opposite <para>- The opposite direction from the original
direction from the original connection.</para> connection.</para>
<para><emphasis role="bold">B</emphasis> - The total of both <para><emphasis role="bold">B</emphasis> - The total of both
directions.</para> directions.</para>
@ -725,13 +720,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</emphasis><emphasis>helper</emphasis></term> </emphasis><emphasis>helper</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.0. Names a Netfiler protocol <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
<firstterm>helper</firstterm> module such as <option>ftp</option>, such as <option>ftp</option>, <option>sip</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will <option>amanda</option>, etc. A packet will match if it was accepted
match if it was accepted by the named helper module. You can also by the named helper module. You can also append "-" and a port
append "-" and a port number to the helper module name (e.g., number to the helper module name (e.g., <emphasis
<emphasis role="bold">ftp-21</emphasis>) to specify the port number role="bold">ftp-21</emphasis>) to specify the port number that the
that the original connection was made on.</para> original connection was made on.</para>
<para>Example: Mark all FTP data connections with mark <para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER 4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER

3
manpages/shorewall-tos.xml
View File

@ -141,8 +141,7 @@
<listitem> <listitem>
<para>Designates a connection mark. If omitted, the packet <para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by mark's value is tested.</para>
Shorewall-perl.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

4
manpages/shorewall-zones.xml
View File

@ -158,8 +158,8 @@ c:a,b ipv4</programlisting>
<term>bport (or bport4)</term> <term>bport (or bport4)</term>
<listitem> <listitem>
<para>(Shorewall-perl only) The zone is associated with one or <para>The zone is associated with one or more ports on a
more ports on a single bridge.</para> single bridge.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

159
manpages/shorewall.conf.xml
View File

@ -117,7 +117,7 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
role="bold">none</emphasis>} (Shorewall-perl 4.0.3 and later)</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para>In earlier Shorewall versions, a "default action" for DROP and <para>In earlier Shorewall versions, a "default action" for DROP and
@ -140,10 +140,7 @@
<member>a) The name of an <member>a) The name of an
<replaceable>action</replaceable>.</member> <replaceable>action</replaceable>.</member>
<member>b) The name of a <replaceable>macro</replaceable> <member>b) <emphasis role="bold">None</emphasis> or <emphasis
(Shorewall-shell only)</member>
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member> role="bold">none</emphasis></member>
</simplelist> </simplelist>
@ -334,22 +331,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, enables Shorewall Bridging
support.</para>
<para><note>
<para>BRIDGING=Yes may not work properly with Linux kernel
2.6.20 or later and is not supported by Shorewall-perl.</para>
</note></para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
@ -433,40 +414,15 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">DELAYBLACKLISTLOAD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Users with a large static black list (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)) may
want to set the DELAYBLACKLISTLOAD option to <emphasis
role="bold">Yes</emphasis>. When DELAYBLACKLISTLOAD=Yes, Shorewall
will enable new connections before loading the blacklist rules.
While this may allow connections from blacklisted hosts to slip by
during construction of the blacklist, it can substantially reduce
the time that all new connections are disabled during <emphasis
role="bold">shorewall</emphasis> [<emphasis
role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para>
<note>
<para>DELAYBLACKLISTLOAD=Yes is not supported by
Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DELETE_THEN_ADD=</emphasis>{<emphasis <term><emphasis role="bold">DELETE_THEN_ADD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.0.4. If set to Yes (the default value), <para>If set to Yes (the default value), entries in the
entries in the /etc/shorewall/route_stopped files cause an 'ip rule /etc/shorewall/route_stopped files cause an 'ip rule del' command to
del' command to be generated in addition to an 'ip rule add' be generated in addition to an 'ip rule add' command. Setting this
command. Setting this option to No, causes the 'ip rule del' command option to No, causes the 'ip rule del' command to be omitted.</para>
to be omitted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -520,9 +476,6 @@
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall is not allowed in configurations that will run under Shorewall
Lite.</para> Lite.</para>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -538,8 +491,8 @@
# LEVEL # LEVEL
net all DROP info</programlisting>then the chain name is 'net2all' net all DROP info</programlisting>then the chain name is 'net2all'
which is also the chain named in Shorewall log messages generated as which is also the chain named in Shorewall log messages generated as
a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall will
will create a separate chain for each pair of zones covered by the create a separate chain for each pair of zones covered by the
policy. This makes the resulting log messages easier to interpret policy. This makes the resulting log messages easier to interpret
since the chain in the messages will have a name of the form 'a2b' since the chain in the messages will have a name of the form 'a2b'
where 'a' is the SOURCE zone and 'b' is the DEST zone.</para> where 'a' is the SOURCE zone and 'b' is the DEST zone.</para>
@ -776,10 +729,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.0.3. When set to <option>Yes</option>, <para>When set to <option>Yes</option>, this option prevents
this option prevents scripts generated by Shorewall-perl from generated scripts from altering the /etc/iproute2/rt_tables database
altering the /etc/iproute2/rt_tables database when there are entries when there are entries in
in <filename>/etc/shorewall/providers</filename>. If you set this <filename>/etc/shorewall/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall (Shorewall-lite) is option to <option>Yes</option> while Shorewall (Shorewall-lite) is
running, you should remove the file running, you should remove the file
<filename>/var/lib/shorewall/rt_tables</filename> <filename>/var/lib/shorewall/rt_tables</filename>
@ -1059,28 +1012,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Previously, Shorewall included a large number of standard
actions (AllowPing, AllowFTP, ...). These have been replaced with
parameterized macros. For compatibility, Shorewall can map the old
names into invocations of the new macros if you set
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
<para></para>
<note>
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
value then MAPOLDACTIONS=No is assumed.</para>
</note>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@ -1151,9 +1082,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>In such cases, you will configure a <option>destonly</option> <para>In such cases, you will configure a <option>destonly</option>
network on each zone receiving multicasts.</para> network on each zone receiving multicasts.</para>
<para>The MULTICAST option is only recognized by Shorewall-perl and
is ignored by Shorewall-shell.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1320,9 +1248,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.2.6, this option determines whether to <para>This option determines whether to restore the default route
restore the default route saved when here are 'balance' providers saved when here are 'balance' providers defined but all of them are
defined but all of them are down.</para> down.</para>
<para>The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the <para>The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.</para> pre-4.2.6 behavior.</para>
@ -1384,9 +1312,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
state. The default value is <emphasis state. The default value is <emphasis
role="bold">no</emphasis>.</para> role="bold">no</emphasis>.</para>
<para>The value <emphasis role="bold">Keep</emphasis> is only <para>The value <emphasis role="bold">Keep</emphasis> causes
allowed under Shorewall-perl. It causes Shorewall to ignore the Shorewall to ignore the option. If the option is set to <emphasis
option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then route filtering occurs on all role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all role="bold">No</emphasis>, then route filtering is disabled on all
@ -1408,35 +1335,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SHOREWALL_COMPILER=</emphasis>{<emphasis
role="bold">perl</emphasis>|<emphasis
role="bold">shell</emphasis>}</term>
<listitem>
<para>Specifies the compiler to use to generate firewall scripts
when both compilers are installed. The value of this option can be
either <option>perl</option> or <option>shell</option>. If both
compilers are installed and SHOREWALL_SHELL is not set, then
SHOREWALL_SHELL=shell is assumed.</para>
<para>If you add 'SHOREWALL_COMPILER=perl' to
<filename>/etc/shorewall/shorewall.conf</filename> then by default,
the Shorewall-perl compiler will be used on the system. If you add
it to <filename>shorewall.conf</filename> in a separate directory
(such as a Shorewall-lite export directory) then the Shorewall-perl
compiler will only be used when you compile from that
directory.</para>
<para>If you only install one compiler, it is suggested that you do
not set SHOREWALL_COMPILER.</para>
<para>This setting may be overriden in those commands that invoke
the compiler by using the -C command option (see <ulink
url="shorewall.html">shorewall</ulink>(8)).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term> role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
@ -1584,22 +1482,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">USE_ACTIONS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>While Shorewall Actions can be very useful, they also require
a sizable amount of code to implement. By setting USE_ACTIONS=No,
embedded Shorewall installations can omit the large library
/usr/share/shorewall-shell/lib.actions.</para>
<note>
<para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -1644,10 +1526,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>All provider gateways must be specified explicitly in the <para>All provider gateways must be specified explicitly in the
GATEWAY column. <emphasis role="bold">detect</emphasis> may not GATEWAY column. <emphasis role="bold">detect</emphasis> may not
be specified.<note> be specified.<note>
<para>Beginning with Shorewall 4.2.6, <emphasis <para><emphasis role="bold">detect</emphasis> may be
role="bold">detect</emphasis> may be specified for specified for interfaces whose configuration is managed by
interfaces whose configuration is managed by dhcpcd. dhcpcd. Shorewall will use dhcpcd's database to find the
Shorewall will use dhcpcd's database to find the
interfaces's gateway.</para> interfaces's gateway.</para>
</note></para> </note></para>
</listitem> </listitem>

29
manpages/shorewall.xml
View File

@ -701,9 +701,8 @@
are untouched. Clear is often used to see if the firewall is causing are untouched. Clear is often used to see if the firewall is causing
connection problems.</para> connection problems.</para>
<para>The <option>-f</option> option was added in Shorewall 4.0.3. <para>If <option>-f</option> is given, the command will be processed
If <option>-f</option> is given, the command will be processed by by the compiled script that executed the last successful <emphasis
the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para> role="bold">refresh</emphasis> command if that script exists.</para>
@ -736,9 +735,8 @@
capabilities</emphasis> on a system with Shorewall Lite capabilities</emphasis> on a system with Shorewall Lite
installed</para> installed</para>
<para>The <option>-d</option> option only works when the compiler is <para>The <option>-d</option> option causes the compiler to be run
Shorewall-perl. It causes the compiler to be run under control of under control of the Perl debugger.</para>
the Perl debugger.</para>
<para>The <option>-p</option> option causes the compiler to be <para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line profiled via the Perl <option>-wd:DProf</option> command-line
@ -995,13 +993,13 @@
<para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para> <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
<para>Beginning with Shorewall 4.1, the <emphasis <para>The <emphasis role="bold">refresh</emphasis> command has
role="bold">refresh</emphasis> command has slightly different slightly different behavior. When no chain name is given to the
behavior. When no chain name is given to the <emphasis <emphasis role="bold">refresh</emphasis> command, the mangle table
role="bold">refresh</emphasis> command, the mangle table is is refreshed along with the blacklist chain (if any). This allows
refreshed along with the blacklist chain (if any). This allows you you to modify <filename>/etc/shorewall/tcrules </filename>and
to modify <filename>/etc/shorewall/tcrules </filename>and install install the changes using <emphasis
the changes using <emphasis role="bold">refresh</emphasis>.</para> role="bold">refresh</emphasis>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1346,9 +1344,8 @@
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5) url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para> or by ADMINISABSENTMINDED.</para>
<para>The <option>-f</option> option was added in Shorewall 4.0.3. <para>If <option>-f</option> is given, the command will be processed
If <option>-f</option> is given, the command will be processed by by the compiled script that executed the last successful <emphasis
the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para> role="bold">refresh</emphasis> command if that script exists.</para>