diff --git a/docs/6to4.xml b/docs/6to4.xml index 9c40edc4f..bb2446979 100644 --- a/docs/6to4.xml +++ b/docs/6to4.xml @@ -345,15 +345,15 @@ all all REJECT info # # Accept DNS connections from the firewall to the network # -DNS/ACCEPT $FW net +DNS(ACCEPT) $FW net # # Accept SSH connections from the local network for administration # -SSH/ACCEPT loc $FW +SSH(ACCEPT) loc $FW # # Allow Ping everywhere # -Ping/ACCEPT all all +Ping(ACCEPT) all all # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 03f401c69..38dbd0fcf 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -850,7 +850,7 @@ to debug/develop the newnat interface. invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth) specifying the REJECT action (i.e., Auth/REJECT). This is necessary to prevent + role="bold">Auth(REJECT)). This is necessary to prevent outgoing connection problems to services that use the Auth mechanism for identifying requesting users. That is the only service which the default setup rejects. diff --git a/docs/FTP.xml b/docs/FTP.xml index af5fca1d0..6e81ff89d 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -405,13 +405,13 @@ DNAT ACTION = #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL # PORT(S) PORT(S) DESTINATION -FTP/DNAT net loc:192.168.1.5 +FTP(DNAT) net loc:192.168.1.5 Allow your DMZ FTP access to the Internet #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL # PORT(S) PORT(S) DESTINATION -FTP/ACCEPT dmz net +FTP(ACCEPT) dmz net Note that the FTP connection tracking in the kernel cannot handle diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index d6f13f974..25af3688c 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml 
@@ -804,15 +804,15 @@ all all REJECT info # PORT(S) PORT(S) SECTION ESTABLISHED # Prevent IPSEC bypass by hosts behind a NAT gateway -L2TP/REJECT net $FW +L2TP/(REJECT) net $FW REJECT $FW net udp - 1701 # l2tp over the IPsec VPN ACCEPT vpn $FW udp 1701 # webserver that can only be accessed internally -HTTP/ACCEPT loc $FW -HTTP/ACCEPT l2tp $FW -HTTPS/ACCEPT loc $FW -HTTPS/ACCEPT l2tp $FW +HTTP(ACCEPT) loc $FW +HTTP(ACCEPT) l2tp $FW +HTTPS(ACCEPT) loc $FW +HTTPS(ACCEPT) l2tp $FW #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/docs/Macros.xml b/docs/Macros.xml index 6f860ca4c..9bfed0ae2 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -114,7 +114,7 @@ PARAM - - tcp 135,139,445 When invoking a parameterized macro, you follow the name of the macro with the action that you want to substitute for PARAM enclosed in - parentheses. + parentheses. Example: @@ -160,7 +160,7 @@ PARAM - loc tcp 25 /etc/shorewall/rules (Shorewall 4.0): #ACTION SOURCE DEST PROTO DEST PORT(S) -SMTP/DNAT:info net 192.168.1.5 +SMTP(DNAT):info net 192.168.1.5 /etc/shorewall/rules (Shorewall 4.2.0 and later): @@ -182,12 +182,7 @@ DNAT:info net loc:192.168.1.5 tcp 25 #TARGET SOURCE DEST PROTO DEST PORT(S) PARAM - 192.168.1.5 tcp 25 - /etc/shorewall/rules (Shorewall 4.0) - - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMTP/DNAT:info net loc - - /etc/shorewall/rules (Shorewall 4.2.0 and later) + /etc/shorewall/rules #ACTION SOURCE DEST PROTO DEST PORT(S) SMTP(DNAT):info net loc @@ -222,12 +217,7 @@ PARAM DEST SOURCE udp 1024: 137 PARAM DEST SOURCE tcp 135,139,445 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/rules (Shorewall 4.0): - - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMBBI/ACCEPT loc fw - - /etc/shorewall/rules (Shorewall 4.2.0 and later): + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) SMBBI(ACCEPT) loc fw diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml index e10c581bd..85d626119 100644 
--- a/docs/XenMyWay-Routed.xml +++ b/docs/XenMyWay-Routed.xml @@ -436,9 +436,9 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen' url="shorewall_setup_guide.htm">Shorewall Setup Guide with the exception that I've added a fourth interface for our wireless network. The firewall runs a routed OpenVPN - server to provide road warrior access for our three laptops and a - bridged OpenVPN server for the wireless network in our home. Here is the - firewall's view of the network: + server to provide road warrior access for our three laptops and + a bridged OpenVPN server for the wireless network in our home. Here is + the firewall's view of the network: @@ -692,20 +692,20 @@ REDIRECT- loc 3128 tcp # ACCEPT vpn fw tcp ssh,time,631,8080 ACCEPT vpn fw udp 161,ntp,631 -Ping/ACCEPT vpn fw +Ping(ACCEPT) vpn fw ############################################################################################################################################################################### # Road Warriors to DMZ # ACCEPT vpn dmz udp domain ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 - -Ping/ACCEPT vpn dmz +Ping(ACCEPT) vpn dmz ############################################################################################################################################################################### # Local network to DMZ # ACCEPT loc dmz udp domain ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https - ACCEPT loc dmz tcp smtp -Trcrt/ACCEPT loc dmz +Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # Internet to ALL -- drop NewNotSyn packets # 
@@ -723,7 +723,7 @@ ACCEPT net dmz udp Mirrors net dmz tcp rsync Limit:$LOG:SSHA,3,60\ net dmz tcp 22 -Trcrt/ACCEPT net dmz +Trcrt(ACCEPT) net dmz ############################################################################################################################################################################## # # Net to Local @@ -768,7 +768,7 @@ ACCEPT net loc:192.168.1.6 tcp # # Traceroute # -Trcrt/ACCEPT net loc:192.168.1.3 +Trcrt(ACCEPT) net loc:192.168.1.3 # # Silently Handle common probes # @@ -780,7 +780,7 @@ DROP net loc icmp ACCEPT dmz net udp domain,ntp ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080 ACCEPT dmz net:$POPSERVERS tcp pop3 -Ping/ACCEPT dmz net +Ping(ACCEPT) dmz net # # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking # code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases @@ -792,13 +792,13 @@ ACCEPT:$LOG dmz net tcp # ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 -Trcrt/ACCEPT loc dmz +Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # DMZ to Local # ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 tcp 21 -Ping/ACCEPT dmz loc +Ping(ACCEPT) dmz loc ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth @@ -815,7 +815,7 @@ ACCEPT net loc:192.168.1.6 tcp # # Traceroute # -Trcrt/ACCEPT net loc:192.168.1.3 +Trcrt(ACCEPT) net loc:192.168.1.3 # # Silently Handle common probes # 
@@ -827,7 +827,7 @@ DROP net loc icmp ACCEPT dmz net udp domain,ntp ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080 ACCEPT dmz net:$POPSERVERS tcp pop3 -Ping/ACCEPT dmz net +Ping(ACCEPT) dmz net # # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking # code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases @@ -839,26 +839,26 @@ ACCEPT:$LOG dmz net tcp # ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 -Trcrt/ACCEPT loc dmz +Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # DMZ to Local # ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 tcp 21 -Ping/ACCEPT dmz loc +Ping(ACCEPT) dmz loc ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth # ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 -Trcrt/ACCEPT loc dmz +Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # DMZ to Local # ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 tcp 21 -Ping/ACCEPT dmz loc +Ping(ACCEPT) dmz loc ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth 
@@ -866,7 +866,7 @@ Ping/ACCEPT dmz loc ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw udp 161,ntp REJECT dmz fw tcp auth -Ping/ACCEPT dmz fw +Ping(ACCEPT) dmz fw ############################################################################################################################################################################### # Internet to Firewall # @@ -878,7 +878,7 @@ ACCEPT net fw tcp ACCEPT net:$OMAK fw tcp 22 Limit:$LOG:SSHA,3,60\ net fw tcp 22 -Trcrt/ACCEPT net fw +Trcrt(ACCEPT) net fw # # Bittorrent # @@ -890,7 +890,7 @@ ACCEPT net fw udp ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465 ACCEPT fw dmz udp domain REJECT fw dmz udp 137:139 -Ping/ACCEPT fw dmz +Ping(ACCEPT) fw dmz ############################################################################################################################################################################## # Avoid logging Freenode.net probes # diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 37c77f7a0..212d24e1c 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml 
@@ -686,27 +686,27 @@ ACCEPT loc fw tcp ACCEPT loc fw udp 161,ntp,631 ACCEPT loc:192.168.1.5 fw udp 111 DROP loc fw tcp 3185 #SUSE Meta pppd -Ping/ACCEPT loc fw +Ping(ACCEPT) loc fw REDIRECT loc 3128 tcp 80 - !206.124.146.177 ############################################################################################################################################################################### # Road Warriors to Firewall # ACCEPT vpn fw tcp ssh,time,631,8080 ACCEPT vpn fw udp 161,ntp,631 -Ping/ACCEPT vpn fw +Ping(ACCEPT) vpn fw ############################################################################################################################################################################### # Road Warriors to DMZ # ACCEPT vpn dmz udp domain ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 - -Ping/ACCEPT vpn dmz +Ping(ACCEPT) vpn dmz ############################################################################################################################################################################### # Local network to DMZ # ACCEPT loc dmz udp domain ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https - ACCEPT loc dmz tcp smtp -Trcrt/ACCEPT loc dmz +Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # Internet to ALL -- drop NewNotSyn packets # @@ -723,7 +723,7 @@ ACCEPT net dmz udp Mirrors net dmz tcp rsync Limit:$LOG:SSHA,3,60\ net dmz tcp 22 -Trcrt/ACCEPT net dmz +Trcrt(ACCEPT) net dmz ############################################################################################################################################################################## # # Net to Local @@ -755,7 +755,7 @@ ACCEPT net loc:192.168.1.6 tcp # # Traceroute # -Trcrt/ACCEPT net loc:192.168.1.3 +Trcrt(ACCEPT) net loc:192.168.1.3 # # Silently Handle common probes # 
@@ -767,7 +767,7 @@ DROP net loc icmp ACCEPT dmz net udp domain,ntp ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080 ACCEPT dmz net:$POPSERVERS tcp pop3 -Ping/ACCEPT dmz net +Ping(ACCEPT) dmz net # # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking # code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases @@ -779,13 +779,13 @@ ACCEPT:$LOG dmz net tcp # ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 -Trcrt/ACCEPT loc dmz +Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # DMZ to Local # ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 tcp 21 -Ping/ACCEPT dmz loc +Ping(ACCEPT) dmz loc ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth @@ -793,7 +793,7 @@ Ping/ACCEPT dmz loc ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw udp 161 REJECT dmz fw tcp auth -Ping/ACCEPT dmz fw +Ping(ACCEPT) dmz fw ############################################################################################################################################################################### # Internet to Firewall # 
@@ -805,14 +805,14 @@ ACCEPT net fw tcp ACCEPT net:$OMAK fw tcp 22 Limit:$LOG:SSHA,3,60\ net fw tcp 22 -Trcrt/ACCEPT net fw +Trcrt(ACCEPT) net fw ############################################################################################################################################################################### # Firewall to DMZ # ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465 ACCEPT fw dmz udp domain REJECT fw dmz udp 137:139 -Ping/ACCEPT fw dmz +Ping(ACCEPT) fw dmz ############################################################################################################################################################################## # Avoid logging Freenode.net probes # diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 02c3358ee..7cd27dfcf 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -720,7 +720,7 @@ gmail-pop.l.google.com. 300 IN A 209.85.2 #ACTION SOURCE DEST PROTO DEST # PORT(S) -POP/ACCEPT loc net:pop.gmail.com +POP(ACCEPT) loc net:pop.gmail.com If your firewall rules include DNS names then: diff --git a/docs/ping.xml b/docs/ping.xml index 7dcbe305b..ab382dd94 100644 --- a/docs/ping.xml +++ b/docs/ping.xml @@ -56,7 +56,7 @@ /etc/shorewall/rules of the form: #ACTION SOURCE DEST PROTO DEST PORT(S) -Ping/ACCEPT z1 z2 +Ping(ACCEPT) z1 z2 Ping from local zone to firewall @@ -64,7 +64,7 @@ Ping/ACCEPT z1 z2 To permit ping from the local zone to the firewall: #ACTION SOURCE DEST PROTO DEST PORT(S) -Ping/ACCEPT loc $FW +Ping(ACCEPT) loc $FW If you would like to accept ping by default even when @@ -74,13 +74,13 @@ Ping/ACCEPT loc $FW /etc/shorewall and simply add this line to the copy: - Ping/ACCEPT + Ping(ACCEPT) With that rule in place, if you want to ignore ping from z1 to z2 then you need a rule of the form: #ACTION SOURCE DEST PROTO DEST PORT(S) -Ping/DROP z1 z2 +Ping(DROP) z1 z2 Silently drop pings from the Internet 
@@ -89,7 +89,7 @@ Ping/DROP z1 z2 /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) -Ping/DROP net $FW +Ping(DROP) net $FW Note that the above rule may be used without changing the action diff --git a/docs/ports.xml b/docs/ports.xml index bf00d6944..500d41f73 100644 --- a/docs/ports.xml +++ b/docs/ports.xml @@ -62,7 +62,7 @@ role="bold">net zone: #ACTION SOURCE DESTINATION -DNS/ACCEPT dmz net +DNS(ACCEPT) dmz net @@ -75,12 +75,12 @@ DNS/ACCEPT dmz net at 192.168.1.4 in your DMZ. The FTP section below gives you: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -FTP/ACCEPT <source> <destination> +FTP(ACCEPT) <source> <destination> You would code your rule as follows: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -FTP/DNAT net dmz:192.168.1.4 +FTP(DNAT) net dmz:192.168.1.4 @@ -94,7 +94,7 @@ FTP/DNAT net dmz:192.168.1.4 #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Auth/ACCEPT <source> <destination> +Auth(ACCEPT) <source> <destination>
@@ -111,14 +111,14 @@ Auth/ACCEPT <source> <destination& #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -BitTorrent/ACCEPT <source> <destination> +BitTorrent(ACCEPT)<source> <destination>
DNS #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -DNS/ACCEPT <source> <destination> +DNS(ACCEPT) <source> <destination> Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> for @@ -129,8 +129,8 @@ DNS/ACCEPT <source> <destination& local clients then you would need: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -DNS/ACCEPT all dmz -DNS/ACCEPT dmz net +DNS(ACCEPT) all dmz +DNS(ACCEPT) dmz net Recursive Resolution means that if the server itself can't resolve @@ -175,7 +175,7 @@ DNS/ACCEPT dmz net /etc/shorewall/rules: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Edonkey/DNAT net loc:192.168.1.4 +Edonkey(DNAT) net loc:192.168.1.4 #if you wish to enable the Emule webserver, add this rule too. DNAT net loc:192.168.1.4 tcp 4711
@@ -184,7 +184,7 @@ DNAT net loc:192.168.1.4 tcp 4711 FTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -FTP/ACCEPT <source> <destination> +FTP(ACCEPT) <source> <destination> Look here for much more information. @@ -213,14 +213,14 @@ FTP/ACCEPT <source> <destination> Your loc->net policy is ACCEPT #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Gnutella/DNAT net loc:192.168.1.4 +Gnutella(DNAT) net loc:192.168.1.4
ICQ/AIM #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ICQ/ACCEPT <source> net +ICQ(ACCEPT) <source> net
@@ -237,8 +237,8 @@ ICQ/ACCEPT <source> net #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -IMAP/ACCEPT <source> <destination> # Unsecure IMAP -IMAPS/ACCEPT <source> <destination> # IMAP over SSL. +IMAP(ACCEPT) <source> <destination> # Unsecure IMAP +IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.
@@ -264,8 +264,8 @@ ACCEPT <destination> <source> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -LDAP/ACCEPT <source> <destination> #Insecure LDAP -LDAPS/ACCEPT <source> <destination> # LDAP over SSL +LDAP(ACCEPT) <source> <destination> #Insecure LDAP +LDAPS(ACCEPT) <source> <destination> # LDAP over SSL
@@ -285,7 +285,7 @@ LDAPS/ACCEPT <source> & #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -MySQL/ACCEPT <source> <destination> +MySQL(ACCEPT) <source> <destination>
@@ -303,14 +303,14 @@ ACCEPT <z1>:<list of client IPs> NTP (Network Time Protocol) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -NTP/ACCEPT <source> <destination> +NTP(ACCEPT) <source> <destination>
<trademark>PCAnywhere</trademark> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -PCA/ACCEPT <source> <destination> +PCA(ACCEPT) <source> <destination>
@@ -326,8 +326,8 @@ PCA/ACCEPT <source> <destination> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -POP3/ACCEPT <source> <destination> # Secure -POP3S/ACCEPT <source> <destination> #Unsecure Pop3 +POP3(ACCEPT) <source> <destination> # Secure +POP3S(ACCEPT) <source> <destination> #Unsecure Pop3
@@ -345,14 +345,14 @@ ACCEPT <source> <destination>rdate #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Rdate/ACCEPT <source> <destination> +Rdate(ACCEPT) <source> <destination>
rsync #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Rsync/ACCEPT <source> <destination> +Rsync(ACCEPT) <source> <destination>
@@ -373,7 +373,7 @@ ACCEPT net fw udp 7070:7089SSH/SFTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -SSH/ACCEPT <source> <destination> +SSH(ACCEPT)<source> <destination>
@@ -381,8 +381,8 @@ SSH/ACCEPT <source> <destination> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -SMB/ACCEPT <source> <destination> -SMB/ACCEPT <destination> <source> +SMB(ACCEPT) <source> <destination> +SMB(ACCEPT) <destination> <source> Also, see this page.
@@ -395,15 +395,15 @@ SMB/ACCEPT <destination> <source> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -SMTP/ACCEPT <source> <destination> #Insecure SMTP -SMTPS/ACCEPT <source> <destination> #SMTP over SSL (TLS) +SMTP(ACCEPT) <source> <destination> #Insecure SMTP +SMTPS(ACCEPT) <source> <destination> #SMTP over SSL (TLS)
SNMP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -SNMP/ACCEPT <source> <destination> +SNMP(ACCEPT) <source> <destination>
@@ -419,7 +419,7 @@ SNMP/ACCEPT <source> <destination&g #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -SVN/ACCEPT <source> <destination> +SVN(ACCEPT) <source> <destination>
@@ -431,7 +431,7 @@ SVN/ACCEPT <source> <destination> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Telnet/ACCEPT <source> <destination> +Telnet(ACCEPT) <source> <destination>
@@ -455,7 +455,7 @@ ACCEPT <source> <destination>Traceroute #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Trcrt/ACCEPT <source> <destination> #Good for 10 hops +Trcrt(ACCEPT) <source> <destination> #Good for 10 hops UDP traceroute uses ports 33434 through 33434+<max number of hops>-1. Note that for the firewall to respond with a TTL expired ICMP @@ -474,8 +474,8 @@ ACCEPT fw ... Usenet (NNTP) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -NNTP/ACCEPT <source> <destination> -NNTPS/ACCEPT <source> <destination> # secure NNTP +NNTP(ACCEPT) <source> <destination> +NNTPS(ACCEPT) <source> <destination> # secure NNTP TCP Port 119
@@ -494,13 +494,13 @@ NNTPS/ACCEPT <source> <destination> # secure NNTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -VNC/ACCEPT <source> <destination> +VNC(ACCEPT) <source> <destination> Vncserver to Vncviewer in listen mode -- TCP port 5500. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -VNCL/ACCEPT <source> <destination> +VNCL(ACCEPT) <source> <destination>
@@ -520,15 +520,15 @@ VNCL/ACCEPT <source> <destination&g #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -HTTP/ACCEPT <source> <destination> #Insecure HTTP -HTTPS/ACCEPT <source> <destination> #Secure HTTP +HTTP(ACCEPT) <source> <destination> #Insecure HTTP +HTTPS(ACCEPT) <source> <destination> #Secure HTTP
Webmin #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Webmin/ACCEPT <source> <destination> Webmin +Webmin(ACCEPT) <source> <destination> Webmin use TCP port 10000.
@@ -536,7 +536,7 @@ Webmin/ACCEPT <source> <destination Whois #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Whois/ACCEPT <source> <destination> +Whois(ACCEPT) <source> <destination>
diff --git a/docs/samba.xml b/docs/samba.xml index dd07082a7..97549e92e 100644 --- a/docs/samba.xml +++ b/docs/samba.xml @@ -35,9 +35,9 @@ - This article applies to Shorewall 3.0 and + This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall - 3.0.0 then please see the documentation for that + 4.3.5 then please see the documentation for that release. @@ -46,15 +46,15 @@ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE # PORT(S) -SMB/ACCEPT $FW loc -SMB/ACCEPT loc $FW +SMB(ACCEPT) $FW loc +SMB(ACCEPT) loc $FW To pass traffic SMB/Samba traffic between zones Z1 and Z2: #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE # PORT(S) -SMB/ACCEPT Z1 Z2 -SMB/ACCEPT Z2 Z1 +SMB(ACCEPT) Z1 Z2 +SMB(ACCEPT) Z2 Z1 To make network browsing (Network Neighborhood) work properly between Z1 and Z2 requires a Windows Domain @@ -74,8 +74,8 @@ SMB/ACCEPT Z2 Z1 Edit the copies and remove the SMB/DROP and SMB/REJECT lines. + role="bold">SMB(DROP) and SMB(REJECT) lines. diff --git a/docs/standalone.xml b/docs/standalone.xml index 8bdfd2e68..cd7c5dfd1 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -507,7 +507,7 @@ root@lists:~# in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -<macro>/ACCEPT net $FW +<macro>(ACCEPT) net $FW Be sure to add your rules after the line that reads system: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Web/ACCEPT net $FW -IMAP/ACCEPT net $FW +Web(ACCEPT) net $FW +IMAP(ACCEPT)net $FW You may also choose to code your rules directly without using the @@ -549,7 +549,7 @@ ACCEPT net $FW tcp 143 firewall from the Internet, use SSH: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -SSH/ACCEPT net $FW +SSH(ACCEPT) net $FW diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 508dfd50b..c780bb8de 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml 
@@ -739,8 +739,8 @@ DNAT net dmz:<server local IP address>[: #ACTION SOURCE DEST PROTO DEST PORT(S) -Web/DNAT net dmz:10.10.11.2 -Web/ACCEPT loc dmz:10.10.11.2 +Web(DNAT) net dmz:10.10.11.2 +Web(ACCEPT) loc dmz:10.10.11.2 Entry 1 forwards port 80 from the Internet. @@ -857,13 +857,13 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP If you run the name server on the firewall: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNS/ACCEPT loc $FW -DNS/ACCEPT dmz $FW Run name server on DMZ +DNS(ACCEPT) loc $FW +DNS(ACCEPT) dmz $FW Run name server on DMZ computer 1: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNS/ACCEPT loc dmz:10.10.11.1 -DNS/ACCEPT $FW dmz:10.10.11.1 +DNS(ACCEPT) loc dmz:10.10.11.1 +DNS(ACCEPT) $FW dmz:10.10.11.1 - In the rules shown above, DNS/ACCEPT is an example of + In the rules shown above, DNS(ACCEPT)is an example of a defined macro. Shorewall includes a number of defined macros and you can add your own. To see the list of macros included with your version of Shorewall, run the 
@@ -892,20 +892,20 @@ ACCEPT dmz $FW udp 53 The three-interface sample includes the following rule: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNS/ACCEPT $FW net That rule allow DNS access +DNS(ACCEPT) $FW net That rule allow DNS access from your firewall and may be removed if you commented out the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet. The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) -SSH/ACCEPT loc $FW -SSH/ACCEPT loc dmz Those rules allow you to run +SSH(ACCEPT) loc $FW +SSH(ACCEPT) loc dmz Those rules allow you to run an SSH server on your firewall and in each of your DMZ systems and to connect to those servers from your local systems. If you wish to enable other connections between your systems, the general format for using a defined macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) -<macro>/ACCEPT <source zone> <destination zone> +<macro>(ACCEPT) <source zone> <destination zone> The general format when not using a defined action is:#ACTION SOURCE DEST PROTO DEST PORT(S) @@ -918,7 +918,7 @@ ACCEPT <source zone> <destination zone> <protocol&g Using defined macros: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNS/ACCEPT net $FW +DNS(ACCEPT) net $FW Not using defined macros: @@ -937,7 +937,7 @@ ACCEPT net $FW udp 53 I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login!). If you want shell access to your firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DEST PORT(S) -SSH/ACCEPT net $FW +SSH(ACCEPT) net $FW Bering @@ -1086,7 +1086,7 @@ ACCEPT net $FW tcp 80 While you are editing shorewall.conf, it is a good idea to check the value of the SUBSYSLOCK option. You can find a description of this option by typing 'man shorewall.conf' at a shell - prompt and searching for SUBSYSLOCK + prompt and searching for SUBSYSLOCK The firewall is started using the shorewall start command and stopped using shorewall stop. When the 
diff --git a/docs/troubleshoot.xml b/docs/troubleshoot.xml index 94e37ee1d..26c5aac47 100644 --- a/docs/troubleshoot.xml +++ b/docs/troubleshoot.xml @@ -336,7 +336,7 @@ ACCEPT dmz loc udp 53 #ACTION SOURCE DEST PROTO DEST # PORT(S) -Ping/ACCEPT <source zone> <destination zone> +Ping(ACCEPT)<source zone> <destination zone> The ramifications of this can be subtle. For example, if you have the following in <source zone> <destination z #ACTION SOURCE DEST PROTO DEST # PORT(S) -Ping/DROP net all +Ping(DROP)net all
diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 70fdca3f8..ad3a86411 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -701,14 +701,14 @@ DNAT net loc:<server local ip address>[:the above diagram and you want to forward incoming TCP port 80 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) -Web/DNAT net loc:10.10.10.2 +Web(DNAT) net loc:10.10.10.2 FTP Server You run an FTP Server on computer 1 so you want to forward incoming TCP port 21 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) -FTP/DNAT net loc:10.10.10.1 For +FTP(DNAT) net loc:10.10.10.1 For FTP, you will also need to have FTP connection tracking and NAT support in your kernel. For vendor-supplied kernels, this means that @@ -808,7 +808,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 in /etc/shorewall/rules. #ACTION SOURCE DEST PROTO DEST PORT(S) -DNS/ACCEPT loc $FW +DNS(ACCEPT)loc $FW @@ -818,13 +818,13 @@ DNS/ACCEPT loc $FW The two-interface sample includes the following rules: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNS/ACCEPT $FW netThis rule allows +DNS(ACCEPT) $FW netThis rule allows DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet. - In the rule shown above, DNS/ACCEPT is an example of + In the rule shown above, DNS(ACCEPT)is an example of a macro invocation. Shorewall includes a number of macros (see /usr/share/shorewall/macro.*) and you can add your own. 
@@ -841,13 +841,13 @@ ACCEPT $FW net tcp 53 code the appropriate rules directly. The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) -SSH/ACCEPT loc $FW That rule allows you to run an +SSH(ACCEPT) loc $FW That rule allows you to run an SSH server on your firewall and connect to that server from your local systems. If you wish to enable other connections from your firewall to other systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) -<macro>/ACCEPT $FW <destination zone>The +<macro>(ACCEPT) $FW <destination zone>The general format when not using defined actions is:#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT $FW <destination zone> <protocol> <port> @@ -855,8 +855,8 @@ ACCEPT $FW <destination zone> <protocol> <por You want to run a Web Server on your firewall system: #ACTION SOURCE DEST PROTO DEST PORT(S) -Web/ACCEPT net $FW -Web/ACCEPT loc $FW Those two rules would of +Web(ACCEPT) net $FW +Web(ACCEPT) loc $FW Those two rules would of course be in addition to the rules listed above under You can configure a Caching Name Server on your firewall. @@ -868,7 +868,7 @@ Web/ACCEPT loc $FW Those two rules would of SSH: #ACTION SOURCE DEST PROTO DEST PORT(S) -SSH/ACCEPT net $FW +SSH(ACCEPT) net $FW Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DEST PORT(S)
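Review bot: the docs/IPSEC-2.6.xml hunk at @@ -804 leaves a stray slash in the converted L2TP rule: `+L2TP/(REJECT) net $FW`. Every other conversion in this patch uses the bare `Macro(ACTION)` form (compare `+HTTP(ACCEPT) loc $FW` a few lines further down in the same hunk), so this should read `L2TP(REJECT) net $FW`; as written, a reader who copies the example into /etc/shorewall/rules gets a line that matches neither the old nor the new syntax, and it is the one rule in that example that exists specifically to prevent IPsec bypass, so it should not be the one that fails.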
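Review bot: several converted rule lines drop the whitespace between the ACTION column and the SOURCE column, which matters because the rules file is parsed into the whitespace-separated columns shown in the `#ACTION SOURCE DEST ...` headers above each example: `+BitTorrent(ACCEPT)<source> <destination>` and `+SSH(ACCEPT)<source> <destination>` in docs/ports.xml, `+IMAP(ACCEPT)net $FW` in docs/standalone.xml, `+Ping(ACCEPT)<source zone> <destination zone>` and `+Ping(DROP)net all` in docs/troubleshoot.xml, and `+DNS(ACCEPT)loc $FW` in docs/two-interface.xml. Copied verbatim, each of these collapses the action and the source zone into a single token, so the published example no longer compiles as a rule. The `Macro(ACTION)` form is one character longer than `Macro/ACTION`, so the fix is to re-pad these lines to the column alignment of their neighbours rather than simply appending the parenthesis.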
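Review bot: the same missing space appears in prose, where it reads as a typo rather than a broken rule: `+ In the rules shown above, DNS(ACCEPT)is an example of` in docs/three-interface.xml (@@ -857) and `+ In the rule shown above, DNS(ACCEPT)is an example of` in docs/two-interface.xml (@@ -818). Both should read `DNS(ACCEPT) is an example of`.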
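Review bot: the docs/Macros.xml hunk at @@ -160 is inconsistent with the two hunks that follow it in the same file. It converts the example under the "/etc/shorewall/rules (Shorewall 4.0):" heading to the new syntax (`+SMTP(DNAT):info net 192.168.1.5`) while keeping that heading and the "(Shorewall 4.2.0 and later)" block after it, so the section now shows two identical examples labelled as different versions. The hunks at @@ -182 and @@ -222 handle this correctly by deleting the 4.0 block and dropping the version qualifier from the remaining heading; @@ -160 should do the same.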
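Review bot: the version statement rewritten in the docs/samba.xml hunk at @@ -35 does not agree with itself: `+ This article applies to Shorewall 4.3 and` on one line and `+ 4.3.5 then please see the documentation for that` on the other, so a reader on 4.3.0 through 4.3.4 is told both that the article applies and that they should read the documentation for an earlier release. Pick one threshold for both sentences. It is also worth checking this against the Macros.xml context in the same patch, which still presents the parenthesised form as "Shorewall 4.2.0 and later".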
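Review bot: in the docs/ports.xml hunk at @@ -326 the trailing comments on the POP3 lines are the wrong way round and are carried over unchanged into the rewritten lines: `+POP3(ACCEPT) <source> <destination> # Secure` and `+POP3S(ACCEPT) <source> <destination> #Unsecure Pop3`. POP3S is the SSL variant, and the IMAP hunk directly above in the same file labels its pair the other way (`# Unsecure IMAP` on IMAP, `# IMAP over SSL.` on IMAPS). Since these lines are being rewritten anyway, swap the comments so the page does not describe the cleartext protocol as the secure one.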
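Review bot: the docs/XenMyWay-Routed.xml conversions are correct, but the hunks expose what looks like a pre-existing duplication in that document's rules listing: the Traceroute block (`Trcrt/ACCEPT net loc:192.168.1.3`) appears identically at @@ -768 and @@ -815, the "DMZ to net" block at @@ -780 and @@ -827, and the @@ -839 hunk shows the "Local network to DMZ" and "DMZ to Local" sections twice in a row. That is out of scope for a syntax migration, but it is worth a follow-up so the example does not present duplicated rules as intended configuration.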
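Review bot: three hunks in this patch are whitespace-only reflows unrelated to the macro syntax change: docs/XenMyWay-Routed.xml @@ -436 (re-wrapping the OpenVPN paragraph), docs/Macros.xml @@ -114 (`parentheses.`), and docs/three-interface.xml @@ -1086 (the SUBSYSLOCK sentence). They are harmless, but a syntax migration is easier to verify when the diff contains only the `Macro/ACTION` to `Macro(ACTION)` substitutions; consider splitting these out or mentioning them in the commit message.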