diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 0fd9989f4..1cac34cd7 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -36,6 +36,53 @@
The following options may be set in shorewall.conf.
+
+ ADD_IP_ALIASES={Yes|No}
+
+
+ This parameter determines whether Shorewall automatically adds
+ the external address(es) in shorewall.nat(5). If the variable is set
+ to Yes or yes then Shorewall automatically adds these
+ aliases. If it is set to No or
+ no, you must add these aliases
+ yourself using your distribution's network configuration
+ tools.
+
+ If this variable is not set or is given an empty value
+ (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.
+
+
+ Addresses added by ADD_IP_ALIASES=Yes are deleted and
+ re-added during shorewall restart. As a consequence, connections
+ using those addresses may be severed.
+
+
+
+
+
+ ADD_SNAT_ALIASES={Yes|No}
+
+
+ This parameter determines whether Shorewall automatically adds
+ the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to
+ “Yes” or “yes” then Shorewall automatically adds these addresses. If
+ it is set to “No” or “no”, you must add these addresses yourself
+ using your distribution's network configuration tools.
+
+ If this variable is not set or is given an empty value
+ (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
+
+
+ Addresses added by ADD_SNAT_ALIASES=Yes are deleted and
+ re-added during shorewall restart. As a consequence, connections
+ using those addresses may be severed.
+
+
+
+
ADMINISABSENTMINDED={Yes|No}
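Review bot: the accepted values are quoted inconsistently between the two new entries: ADD_IP_ALIASES writes Yes, yes, No and no bare, while ADD_SNAT_ALIASES writes “Yes” or “yes” in curly quotes (the form DETECT_DNAT_ADDRS and NAT_BEFORE_RULES also use later in this patch); pick one convention so the rendered man page is uniform. It is also worth a short cross-reference between the two entries, since a reader of ADD_IP_ALIASES (default Yes) could easily assume ADD_SNAT_ALIASES has the same default when the text gives it No.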
@@ -116,6 +163,20 @@
+
+ DETECT_DNAT_ADDRS={Yes|No}
+
+
+ If set to “Yes” or “yes”, Shorewall will detect the first IP
+ address of the interface to the source zone and will include this
+ address in DNAT rules as the original destination IP address. If set
+ to “No” or “no”, Shorewall will not detect this address and any
+ destination IP address will match the DNAT rule. If not specified or
+ empty, “DETECT_DNAT_ADDRS=Yes” is assumed.
+
+
+
DYNAMIC_ZONES={Yes|No}
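Review bot: the consequence of DETECT_DNAT_ADDRS=No should be stated more plainly as a scoping concern rather than only as a description of what is omitted: per the text, with No the generated DNAT rule no longer carries the interface address as its original destination, so "any destination IP address will match the DNAT rule", which widens the rule beyond traffic actually addressed to the firewall. Suggest a sentence recommending the default Yes unless the rule itself restricts the original destination, so readers do not turn it off casually.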
@@ -211,6 +272,52 @@
+
+ IP_FORWARDING={On|Off|Keep}
+
+
+ This parameter determines whether Shorewall enables or
+ disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
+ Possible values are:
+
+
+
+ On or on
+
+
+ packet forwarding will be enabled.
+
+
+
+
+ Off or off
+
+
+ packet forwarding will be disabled.
+
+
+
+
+ Keep or keep
+
+
+ Shorewall will neither enable nor disable packet
+ forwarding.
+
+
+
+
+ If this variable is not set or is given an empty value
+ (IP_FORWARD="") then IP_FORWARD=On is assumed.
+
+
+
IPTABLES=pathname
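Review bot: the default sentence names the wrong variable; the entry is IP_FORWARDING, but the closing paragraph reads `(IP_FORWARD="") then IP_FORWARD=On is assumed`, so both occurrences should be changed to IP_FORWARDING or readers will look for an option that does not exist. Minor: the three value descriptions start in lower case ("packet forwarding will be enabled.") while every other entry in this patch starts its sentences with a capital.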
@@ -223,6 +330,21 @@
+
+ LOG_MARTIANS={Yes|No}
+
+
+ If set to Yes or yes, sets
+ /proc/sys/net/ipv4/conf/all/log_martians and
+ /proc/sys/net/ipv4/conf/default/log_martians to 1. Default is which
+ sets both of the above to zero. If you do not enable martian logging
+ for all interfaces, you may still enable it for individual
+ interfaces using the logmartians interface option in
+ shorewall-interfaces(5).
+
+
+
LOGALLNEW=log-level
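Review bot: a word is missing in "Default is which sets both of the above to zero"; the default value itself has dropped out of the sentence. Presumably it is No (the opposite of the Yes branch, which sets both sysctls to 1), so it should read along the lines of "The default is No, which sets both of the above to zero"; please confirm the actual default before fixing.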
@@ -244,11 +366,11 @@
- Example: Using the default LOGFORMAT, the log prefix for
+ For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:
Shorewall:nat:PREROUTING
-
+
There is no rate limiting on these logging rules so use
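Review bot: the `-`/`+` pair following the Shorewall:nat:PREROUTING line looks like a whitespace-only change; if it is intentional (for example fixing indentation in the XML), fine, otherwise drop it so the hunk contains only the "Example:" to "For example," wording change.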
@@ -264,6 +386,21 @@
+
+ LOGFILE=pathname
+
+
+ This parameter tells the /sbin/shorewall program where to look
+ for Shorewall messages when processing the dump, logwatch, show
+ log, and hits commands.
+ If not assigned or if assigned an empty value, /var/log/messages is
+ assumed.
+
+
+
LOGFORMAT="formatstring
+
+ LOGBURST=burst
+
+
+
+
+
+
+
+ LOGRATE=rate/{minute|second}
+
+
+ These parameters set the match rate and initial burst size for
+ logged packets. Please see the iptables man page for a description
+ of the behavior of these parameters (the iptables option --limit is
+ set by LOGRATE and --limit-burst is set by LOGBURST). If both
+ parameters are set empty, no rate-limiting will occur.
+
+ Example:
+
+ LOGRATE=10/minute
+ LOGBURST=5
+
+ For each logging rule, the first time the rule is reached, the
+ packet will be logged; in fact, since the burst is 5, the first five
+ packets will be logged. After this, it will be 6 seconds (1 minute
+ divided by the rate of 10) before a message will be logged from the
+ rule, regardless of how many packets reach it. Also, every 6 seconds
+ which passes without matching a packet, one of the bursts will be
+ regained; if no packets hit the rule for 30 seconds, the burst will
+ be fully recharged; back where we started.
+
+
+
MACLIST_DISPOSITION={ACCEPT|
+
+ MACLIST_LOG_LEVEL=[log-level]
+
+
+ Determines the syslog level for logging connection requests
+ that fail MAC Verification. The value must be a valid syslogd log
+ level. If you don't want to log these connection requests, set to
+ the empty value (e.g., MACLIST_LOG_LEVEL="").
+
+
+
MACLIST_TABLE={mangle|
- MODULE_SUFFIX="suffix
+ MODULE_SUFFIX="suffix
..."
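Review bot: the LOGRATE/LOGBURST entry only documents the case where both parameters are empty ("no rate-limiting will occur"); please also say what happens when exactly one of them is set, since a reader who sets LOGRATE but leaves LOGBURST empty cannot tell from this text whether limiting is applied with a default burst or skipped. The worked example itself checks out: 10/minute is one packet every 6 seconds, and a burst of 5 is fully recharged after 30 seconds. Separately, the MODULE_SUFFIX `-`/`+` pair reads identically here, so confirm it is an intended markup-only change.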
@@ -381,6 +570,34 @@
+
+ MODULESDIR=pathname[:pathname]...
+
+
+ This parameter specifies the directory/directories where your
+ kernel netfilter modules may be found. If you leave the variable
+ empty, Shorewall will supply the value "/lib/modules/`uname
+ -r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
+ 3.2.4 and "/lib/modules/`uname
+ -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
+ -r`/kernel/net/ipv4/netfilter" in later versions.
+
+
+
+
+ NAT_BEFORE_RULES={Yes|No}
+
+
+ If set to “No” or “no”, port forwarding rules can override the
+ contents of the /etc/shorewall/nat file. If set to “Yes” or “yes”,
+ port forwarding rules cannot override one-to-one NAT. If not set or
+ set to an empty value, “Yes” is assumed.
+
+
+
PKTTYPE={Yes|No}
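Review bot: the MODULESDIR default for versions after 3.2.4 lists the same directory on both sides of the colon ("/lib/modules/`uname -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname -r`/kernel/net/ipv4/netfilter"), which looks like a copy/paste error; a two-element search path with two identical elements gives the reader no information, so the second component should be whichever other module directory later versions actually search. Please correct it from the code rather than guessing.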
@@ -423,6 +640,26 @@
+
+ RETAIN_ALIASES={Yes|No}
+
+
+ During shorewall start, IP
+ addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
+ ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and
+ shorewall-masq(5) are processed then are re-added later. This is
+ done to help ensure that the addresses can be added with the
+ specified labels but can have the undesirable side effect of causing
+ routes to be quietly deleted. When RETAIN_ALIASES is set to Yes,
+ existing addresses will not be deleted. Regardless of the setting of
+ RETAIN_ALIASES, addresses added during shorewall start are still deleted at a
+ subsequent shorewall stop or
+ shorewall restart.
+
+
+
RFC1918_LOG_LEVEL=log-level
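Review bot: RETAIN_ALIASES is the one new entry in this patch that does not state what an unset or empty value means; every other option here ends with an "If not set ... is assumed" sentence, so add the equivalent (presumably No, given that deletion is described as the normal behaviour). The first sentence is also a long run-on; splitting it after "shorewall-masq(5) are processed" and continuing "They are then re-added later." would make the sequence of delete-then-re-add clearer.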
@@ -505,6 +742,20 @@
+
+ SUBSYSLOCK=pathname
+
+
+ This parameter should be set to the name of a file that the
+ firewall should create if it starts successfully and remove when it
+ stops. Creating and removing this file allows Shorewall to work with
+ your distribution's initscripts. For RedHat, this should be set to
+ /var/lock/subsys/shorewall. For Debian, the value is
+ /var/state/shorewall and in LEAF it is /var/run/shorwall.
+
+
+
TCP_FLAGS_DISPOSITION={
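Review bot: typo in the LEAF path: "/var/run/shorwall" should presumably be "/var/run/shorewall", matching the spelling used in the RedHat and Debian paths; please verify against the LEAF package before changing. This entry also omits the behaviour when SUBSYSLOCK is unset or empty, which the other entries in this patch state explicitly.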