From 0ee4b0137aef42366e0b5dde7d3e8a9effcad62b Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 24 Oct 2006 16:45:40 +0000 Subject: [PATCH] Document 'maclog'; document that ACCEPT rules are required with one-to-one NAT git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4729 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/NAT.xml | 11 +++++++++++ docs/shorewall_extension_scripts.xml | 8 ++++++++ 2 files changed, 19 insertions(+) diff --git a/docs/NAT.xml b/docs/NAT.xml index d6c965a7b..b7e003ad8 100644 --- a/docs/NAT.xml +++ b/docs/NAT.xml @@ -117,6 +117,17 @@ feature requires kernel 2.4.19 or later and iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel. + + Entries in /etc/shorewall/nat only arrange for + address translation; they do not allow traffic to pass through the + firewall in violation of your policies. In the above example, suppose that + you wish to run a web server on 10.1.1.2 (a.k.a. 130.252.100.18). You + would need the following entry in + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIG +# PORT(S) PORT(S) DEST +ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18
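Review bot: The new rules example in docs/NAT.xml uses the ORIGINAL DEST column (`ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18`) without saying what it does; a reader copying the rule may not realise that the column restricts the ACCEPT to connections whose pre-NAT destination was 130.252.100.18, and that the column is what ties the rule to the one-to-one NAT entry rather than to any other path to 10.1.1.2. One sentence after the listing explaining that would make the example self-explanatory. Two smaller points: the paragraph says "In the above example", so it depends on the 10.1.1.2/130.252.100.18 example staying in place above it; and since the text only covers inbound traffic, it could add that connections originated by 10.1.1.2 toward the net are likewise governed by the loc->net policy and rules, not by the nat entry.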
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index daa353c4c..3c3e1044b 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -111,6 +111,14 @@ is invoked earlier in the [re]start process than is the initdone script described above. + + + maclog -- (Added in Shorewall version 3.2.5) invoked while mac + filtering rules are being created. It is invoked once for each interface + having 'maclist' specified and it is invoked just before the logging + rule is added to the current chain (the name of that chain will be in + $CHAIN). + If your version of Shorewall doesn't have the
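Review bot: The new maclog entry describes only when the script runs ("just before the logging rule is added to the current chain"), but not what happens when no logging rule is generated for that interface, i.e. when MACLIST_LOG_LEVEL is empty; say whether maclog is still invoked in that case, since it is the case where a user would most want a hook before the final disposition rule. It would also help to state the intended use (for example, adding exceptions to the chain named in $CHAIN before the log/disposition rules) and, if the interface name is exported to the script as well, to name that variable alongside $CHAIN; as written, $CHAIN is the only documented context the script receives.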