From 8faf756113efa2a66277b74fc8e09bde352c4ed3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Dec 2013 08:33:58 -0800 Subject: [PATCH 1/2] Add note about non-ACCEPT fw->loc policy. Signed-off-by: Tom Eastep --- docs/UPnP.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/UPnP.xml b/docs/UPnP.xml index df9c43684..82597e581 100644 --- a/docs/UPnP.xml +++ b/docs/UPnP.xml @@ -22,6 +22,8 @@ 2010 + 2013 + Thomas M. Eastep @@ -120,6 +122,14 @@ forwardUPnP net loc Shorewall versions prior to 4.4.10 do not retain the dynamic rules added by linux-idg over a shorewall restart. + + If your firewall->loc policy is not ACCEPT, then you also need to + allow UDP traffic from the fireawll to the local zone. + + ACCEPT $FW loc udp - <dynamic port range> + + The dynamic port range is obtained by cat + /proc/sys/net/ip_local_port_range.
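Review bot: In the docs/UPnP.xml hunk at @@ -120,6 +122,14 @@, "fireawll" in the added sentence should read "firewall", and the rule line does not say how to turn the sysctl output into <dynamic port range>. /proc/sys/net/ip_local_port_range prints two numbers separated by whitespace, while a Shorewall port range is written low:high, so a reader who pastes the cat output as is ends up with a malformed rule. Suggest showing one filled-in line, for example "ACCEPT $FW loc udp - 32768:61000" with the values marked as illustrative, and stating that the range sits in the source-port column while "-" leaves the destination port unrestricted, so the reader can see how much firewall-to-loc UDP the rule opens.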
From d71c2688dc57c2c358ef41f404da6c728f891be7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Dec 2013 09:02:25 -0800 Subject: [PATCH 2/2] Clarify the need to quote/escaape settings with parentheses. Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall.conf.xml | 14 ++++++++++++++ Shorewall6/manpages/shorewall6.conf.xml | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 78c13378b..7ea1541a3 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -74,6 +74,20 @@ and can be configured to log all Shorewall messages to their own log file. + + If you want to specify parameters to ULOG or NFLOG (e.g., + NFLOG(1,0,1)), then you must either quote the setting or you must escape + the parentheses. + + Examples: + + MACLIST_LOG_LEVEL="NFLOG(1,0,1)" + + or + + MACLIST_LOG_LEVEL=NFLOG\(1,0,1\) + + Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which logs the packet's mark value along with the other usual information. The syntax is: diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 57a51d72f..f10ebf973 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -73,6 +73,20 @@ and can be configured to log all Shorewall6 message to their own log file + + If you want to specify parameters to ULOG or NFLOG (e.g., + NFLOG(1,0,1)), then you must either quote the setting or you must escape + the parentheses. + + Examples: + + MACLIST_LOG_LEVEL="NFLOG(1,0,1)" + + or + + MACLIST_LOG_LEVEL=NFLOG\(1,0,1\) + + The following options may be set in shorewall6.conf.
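Review bot: The paragraph added to Shorewall/manpages/shorewall.conf.xml at @@ -74,6 +74,20 @@ tells the reader to quote the setting or escape the parentheses but gives no reason, and both examples use MACLIST_LOG_LEVEL, which can be read as if only that option is affected. Suggest one clause explaining why unquoted parentheses fail (if the cause is that the file is read as shell assignments, say so) and a phrase making clear the rule applies to every log-level setting that takes ULOG or NFLOG parameters. The commit subject also has "escaape" for "escape".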
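Review bot: The Shorewall6/manpages/shorewall6.conf.xml hunk at @@ -73,6 +73,20 @@ repeats the shorewall.conf.xml paragraph word for word, including "parameters to ULOG or NFLOG"; please confirm that ULOG is a valid log level under Shorewall6, and if it is not, name only NFLOG in this copy. Since the same 14 lines now live in two manpages, a shared source for the paragraph would also keep later corrections from reaching only one of them.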