More doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1978 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-03-04 00:16:13 +00:00
parent e5f040d070
commit 1984e51b64
3 changed files with 25 additions and 23 deletions

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-01-03</pubdate> <pubdate>2005-03-03</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -257,7 +257,7 @@ jbd 47860 2 [ext3]
have:</title> have:</title>
<programlisting>loadmodule ip_conntrack_ftp ports=21,49 <programlisting>loadmodule ip_conntrack_ftp ports=21,49
loadmodule ip_nat_ftp ports=21,49</programlisting> loadmodule ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kernel 2.6.11 and later!</programlisting>
<para><note> <para><note>
<para>you MUST include port 21 in the ports list or you may have <para>you MUST include port 21 in the ports list or you may have
@ -269,7 +269,7 @@ loadmodule ip_nat_ftp ports=21,49</programlisting>
/etc/modules.conf:</para> /etc/modules.conf:</para>
<programlisting>options ip_conntrack_ftp ports=21,49 <programlisting>options ip_conntrack_ftp ports=21,49
options ip_nat_ftp ports=21,49</programlisting> options ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kernel 2.6.11 and later!</programlisting>
<para><important> <para><important>
<para>Once you have made these changes to /etc/shorewall/modules <para>Once you have made these changes to /etc/shorewall/modules

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-19</pubdate> <pubdate>2005-03-03</pubdate>
<copyright> <copyright>
<year>2005</year> <year>2005</year>
@ -66,11 +66,15 @@
<graphic fileref="images/Netfilter.png" /> <graphic fileref="images/Netfilter.png" />
<para>The light blue boxes indicate where routing decisions are made. The <para>The light blue boxes indicate where routing decisions are made. Upon
green boxes show where Netfilter processing takes place (as directed by exit from one of these boxes, if the packet is being sent to another
Shorewall). You will notice that there are two different paths through system then the interface and the next hop have been uniquely
this maze, depending on where the packet originates. We will look at each determined.</para>
of these separately.</para>
<para>The green boxes show where Netfilter processing takes place (as
directed by Shorewall). You will notice that there are two different paths
through this maze, depending on where the packet originates. We will look
at each of these separately.</para>
<section> <section>
<title>Packets Entering the Firewall from Outside</title> <title>Packets Entering the Firewall from Outside</title>
@ -89,6 +93,14 @@
<firstterm>alternate routing table</firstterm>; see the <ulink <firstterm>alternate routing table</firstterm>; see the <ulink
url="Shorewall_Squid_Usage.html">Shorewall Squid url="Shorewall_Squid_Usage.html">Shorewall Squid
documentation</ulink> for examples.</para> documentation</ulink> for examples.</para>
<caution>
<para>Marking packets then using the <emphasis>fwmark</emphasis>
selector in your "<emphasis role="bold">ip rule add</emphasis>"
commands should NOT be your first choice. In most cases, you can
use the <emphasis>from</emphasis> or <emphasis>dev</emphasis>
selector instead.</para>
</caution>
</listitem> </listitem>
<listitem> <listitem>
@ -165,6 +177,6 @@
the Shorewall init script (<filename>/etc/init.d/shorewall</filename>) to the Shorewall init script (<filename>/etc/init.d/shorewall</filename>) to
configure your alternate routing table at boot time and that <emphasis configure your alternate routing table at boot time and that <emphasis
role="bold">other than as described in the previous section, there is no role="bold">other than as described in the previous section, there is no
connection between Shorewall and routing</emphasis>. </para> connection between Shorewall and routing</emphasis>.</para>
</section> </section>
</article> </article>

View File

@ -13,10 +13,10 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2004-08-25</pubdate> <pubdate>20045-03-03</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2005</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -326,7 +326,7 @@ ACCEPT dmz loc udp 53</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
ACCEPT&nbsp;&nbsp; <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasis>&lt;destination zone&gt;</emphasis>&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; echo-request</programlisting> AllowPing <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasis>&lt;destination zone&gt;</emphasis></programlisting>
<para>The ramifications of this can be subtle. For example, if you <para>The ramifications of this can be subtle. For example, if you
have the following in <filename><ulink have the following in <filename><ulink
@ -339,16 +339,6 @@ ACCEPT&nbsp;&nbsp; <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasi
between the zone containing the system you are pinging from and the between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped.</para> zone containing 10.1.1.2, the ping requests will be dropped.</para>
</listitem> </listitem>
<listitem>
<para>Similarly, since Shorewall gives no special treatment to
<quote>ping</quote>packets, these packets are subject to logging
specifications in policies. This allows people pinging your firewall
to create large number of messages in your log. These messages can be
eliminated by the following rule:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
DROP net fw icmp echo-request</programlisting></para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>