Some more mind-numbing manpage updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9034 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-13 20:22:41 +00:00
parent a23bc2d9f2
commit 1d7bad61ab
8 changed files with 194 additions and 466 deletions

View File

@ -1,74 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-ecn</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>ecn</refname>
<refpurpose>shorewall6 ECN file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/ecn</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Use this file to list the destinations for which you want to disable
ECN (Explicit Congestion Notification).</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term>
<listitem>
<para>Interface through which host(s) communicate with the
firewall</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HOST(S)</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis>address-or-address-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-address-range</emphasis>]...]</term>
<listitem>
<para>Comma-separated list of host and/or network addresses. If left
empty or supplied as "-", ::/0 is assumed. If your kernel and
ip6tables include iprange match support then IP address ranges are
also permitted.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/ecn</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
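Review bot: The commit message gives no reason for removing the whole shorewall6-ecn(5) page, and "manpage updates" does not suggest a deletion. If the ecn file is not supported by shorewall6, say so in the commit message, and check that no remaining page still lists shorewall6-ecn(5) in its See ALSO.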

View File

@ -32,20 +32,19 @@
<para>Example params file:</para>
<programlisting>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918</programlisting>
NET_OPTIONS=dhcp,nosmurfs</programlisting>
<para>Example <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file.</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
net $NET_IF $NET_BCAST $NET_OPTIONS</programlisting>
net $NET_IF - $NET_OPTIONS</programlisting>
<para>This is the same as if the interfaces file had contained:</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
net eth0 - dhcp,nosmurfs</programlisting>
</refsect1>
<refsect1>
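Review bot: NET_BCAST=130.252.100.255 is still set in the example params file, but the interfaces example now puts "-" in the BROADCAST column, so the variable is never expanded. Drop the NET_BCAST line from the example, or the "This is the same as if" comparison leaves readers wondering where the value went.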
@ -62,11 +61,10 @@ net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-maclist(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-policy</refentrytitle>
<refentrytitle>shorewall6-policy</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -11,12 +11,12 @@
<refnamediv>
<refname>policy</refname>
<refpurpose>Shorewall policy file</refpurpose>
<refpurpose>shorewall6 policy file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/policy</command>
<command>/etc/shorewall6/policy</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -25,13 +25,13 @@
<para>This file defines the high-level policy for connections between
zones defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
<important>
<para>The order of entries in this file is important</para>
<para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall/rules file . For each
we don't get a match from the /etc/shorewall6/rules file . For each
source/destination pair, the file is processed in order until a match is
found ("all" will match any client or server).</para>
</important>
@ -39,13 +39,13 @@
<important>
<para>Intra-zone policies are pre-defined</para>
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
<para>For $FW and for all of the zones defined in /etc/shorewall6/zones,
the POLICY for connections from the zone to itself is ACCEPT (with no
logging or TCP connection rate limiting but may be overridden by an
entry in this file. The overriding entry must be explicit (cannot use
"all" in the SOURCE or DEST).</para>
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf,
then the implicit policy to/from any sub-zone is CONTINUE. These
implicit CONTINUE policies may also be overridden by an explicit entry
in this file.</para>
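Review bot: The paragraph touched here still has an unclosed parenthesis: "(with no logging or TCP connection rate limiting but may be overridden". Since the sentence is being edited anyway, close it after "rate limiting" so the override clause reads as part of the main sentence.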
@ -61,7 +61,7 @@
<listitem>
<para>Source zone. Must be the name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW or
"all".</para>
</listitem>
</varlistentry>
@ -73,10 +73,10 @@
<listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or "all".
If the DEST is a bport zone, then the SOURCE must be "all", another
bport zone associated with the same bridge, or it must be an ipv4
zone that is associated with only the same bridge.</para>
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW or
"all". If the DEST is a bport zone, then the SOURCE must be "all",
another bport zone associated with the same bridge, or it must be an
ipv6 zone that is associated with only the same bridge.</para>
</listitem>
</varlistentry>
@ -102,13 +102,13 @@
<listitem>
<para>The word "None" or "none". This causes any default action
defined in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
omitted for this policy.</para>
</listitem>
<listitem>
<para>The name of an action (requires that USE_ACTIONS=Yes in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).
That action will be invoked before the policy is
enforced.</para>
</listitem>
@ -165,7 +165,7 @@
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.0.3. Queue the request for a
<para>Added in shorewall6-perl 4.0.3. Queue the request for a
user-space application using the nfnetlink_queue mechanism. If
a <replaceable>queuenumber</replaceable> is not given, queue
zero (0) is assumed.</para>
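Review bot: "Added in shorewall6-perl 4.0.3" in the NFQUEUE entry looks like the result of a blanket Shorewall to shorewall6 substitution rather than a deliberate statement about a product of that name. The providers page in this same commit removes the "Added in Shorewall-perl 4.1.5." sentences outright; pick one treatment and apply it to every "Added in" note, including the 4.2.1 one further down this file.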
@ -180,8 +180,8 @@
might also match (where the source or destination zone in
those rules is a superset of the SOURCE or DEST in this
policy). See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
additional information.</para>
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for additional information.</para>
</listitem>
</varlistentry>
@ -190,9 +190,9 @@
<listitem>
<para>Assume that there will never be any packets from this
SOURCE to this DEST. Shorewall will not create any
SOURCE to this DEST. shorewall6 will not create any
infrastructure to handle such packets and you may not have any
rules with this SOURCE and DEST in the /etc/shorewall/rules
rules with this SOURCE and DEST in the /etc/shorewall6/rules
file. If such a packet <emphasis role="bold">is</emphasis>
received, the result is undefined. NONE may not be used if the
SOURCE or DEST columns contain the firewall zone ($FW) or
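Review bot: The sentence "shorewall6 will not create any infrastructure" now starts with a lowercase product name, while the providers, route_rules and rules pages in this commit write "Shorewall6". Use "Shorewall6" in running text (and in the refpurpose of this page) and keep the lowercase form for commands and paths such as /etc/shorewall6/rules.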
@ -243,8 +243,8 @@
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
of simultaneous connections from each individual host to
<para>Added in shorewall6-perl 4.2.1. May be used to limit the
number of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. While the limit is
only checked on connections to which this policy could apply, the
number of current connections is calculated over all current
@ -293,20 +293,20 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/policy</para>
<para>/etc/shorewall6/policy</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
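Review bot: The new See ALSO list keeps shorewall6-ipsec(5), shorewall6-masq(5), shorewall6-nat(5), shorewall6-netmap(5) and shorewall6-proxyarp(5), which the See ALSO lists on the other pages in this commit drop. It also lists shorewall6-policy(5), which is this page. Bring the list in line with the other pages and remove the self-reference.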

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-providers</refentrytitle>
<refentrytitle>shorewall6-providers</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>providers</refname>
<refpurpose>Shorewall Providers file</refpurpose>
<refpurpose>Shorewall6 Providers file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/providers</command>
<command>/etc/shorewall6/providers</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -75,15 +77,15 @@
<listitem>
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink> file to
url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink> file to
direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
must be a multiple of 256 between 256 and 65280 or their hexadecimal
equivalents (0x0100 and 0xff00 with the low-order byte of the value
being zero). Otherwise, the value must be between 1 and 255. Each
provider must be assigned a unique mark value.</para>
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>, then the
value must be a multiple of 256 between 256 and 65280 or their
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
of the value being zero). Otherwise, the value must be between 1 and
255. Each provider must be assigned a unique mark value.</para>
</listitem>
</varlistentry>
@ -97,23 +99,18 @@
previously listed provider. You may select only certain entries from
the table to copy by using the COPY column below. This column should
contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>. </para>
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis>[:<emphasis>address</emphasis>]</term>
<emphasis>interface</emphasis></term>
<listitem>
<para>The name of the network interface to the provider. Must be
listed in <ulink
url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.</para>
<para>Where more than one provider is serviced through a single
interface, the <emphasis>interface</emphasis> must be followed by a
colon and the IP <emphasis>address</emphasis> of the interface that
is supplied by the associated provider.</para>
url="shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>.</para>
</listitem>
</varlistentry>
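Review bot: In the DUPLICATE paragraph edited at the top of this hunk, the quoting in 'contain a dash ("-')' is mismatched (double quote opened, single quote closed). Fix it to ("-") while the line is being changed.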
@ -125,7 +122,7 @@
<listitem>
<para>The IP address of the provider's gateway router.</para>
<para>You can enter "detect" here and Shorewall will attempt to
<para>You can enter "detect" here and Shorewall6 will attempt to
detect the gateway automatically.</para>
<para>For PPP devices, you may omit this column.</para>
@ -177,7 +174,7 @@
<term><emphasis role="bold">loose</emphasis></term>
<listitem>
<para>Shorewall normally adds a routing rule for each IP
<para>Shorewall6 normally adds a routing rule for each IP
address on an interface which forces traffic whose source is
that IP address to be sent using the routing table for that
interface. Setting <option>loose</option> prevents creation of
@ -193,7 +190,7 @@
and configured with an IPv4 address then ignore this provider.
If not specified, the value of the <option>optional</option>
option for the INTERFACE in <ulink
url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>
url="shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
is assumed.</para>
</listitem>
</varlistentry>
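Review bot: The optional entry still reads "and configured with an IPv4 address then ignore this provider" on the unchanged line above the updated link. On a shorewall6 page this should say IPv6, or simply "an address".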
@ -202,13 +199,13 @@
<term>src=<replaceable>source-address</replaceable></term>
<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the source
address to use when routing to this provider and none is known
(the local client has bound to the 0 address). May not be
specified when an <replaceable>address</replaceable> is given
in the INTERFACE column. If this option is not used, Shorewall
substitutes the primary IP address on the interface named in
the INTERFACE column.</para>
<para>Specifies the source address to use when routing to this
provider and none is known (the local client has bound to the
0 address). May not be specified when an
<replaceable>address</replaceable> is given in the INTERFACE
column. If this option is not used, Shorewall6 substitutes the
primary IP address on the interface named in the INTERFACE
column.</para>
</listitem>
</varlistentry>
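Review bot: The rewritten src= paragraph keeps "May not be specified when an address is given in the INTERFACE column", but this commit removes the interface[:address] form from the INTERFACE column on this page. Delete that sentence, since there is no longer a way to give an address there.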
@ -216,9 +213,9 @@
<term>mtu=<replaceable>number</replaceable></term>
<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the MTU when
forwarding through this provider. If not given, the MTU of the
interface named in the INTERFACE column is assumed.</para>
<para>Specifies the MTU when forwarding through this provider.
If not given, the MTU of the interface named in the INTERFACE
column is assumed.</para>
</listitem>
</varlistentry>
</variablelist>
@ -250,11 +247,11 @@
<term>Example 1:</term>
<listitem>
<para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
interface is eth2</para>
<para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
Your DMZ interface is eth2</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 192.168.2.99 -</programlisting>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 2002:ce7c:92b4:1::2 -</programlisting>
</listitem>
</varlistentry>
@ -262,19 +259,17 @@
<term>Example 2:</term>
<listitem>
<para>eth0 connects to ISP 1. The IP address of eth0 is
206.124.146.176 and the ISP's gateway router has IP address
206.124.146.254.</para>
<para>eth0 connects to ISP 1. The ISP's gateway router has IP
address 2001:ce7c:92b4:1::2.</para>
<para>eth1 connects to ISP 2. The IP address of eth1 is
130.252.99.27 and the ISP's gateway router has IP address
130.252.99.254.</para>
<para>eth1 connects to ISP 2. The ISP's gateway router has IP
address 2001:d64c:83c9:12::8b.</para>
<para>eth2 connects to a local network.</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
ISP2 2 2 main eth1 130.252.99.254 track,balance eth2</programlisting>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track,balance eth2
ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track,balance eth2</programlisting>
</listitem>
</varlistentry>
</variablelist>
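Review bot: The Example 2 gateways 2001:ce7c:92b4:1::2 and 2001:d64c:83c9:12::8b sit in globally routable space, and the first differs from Example 1's 2002:ce7c:92b4:1::2 only in the leading group, which reads like a typo. Use addresses from the documentation prefix 2001:db8::/32 (RFC 3849) throughout so the examples cannot collide with real hosts, and re-align the header row with the wider GATEWAY column.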
@ -283,22 +278,21 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/providers</para>
<para>/etc/shorewall6/providers</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
url="http://shorewall6.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
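Review bot: The MultiISP link now has url="http://shorewall6.net/MultiISP.html" while its visible text is still http://shorewall.net/MultiISP.html, so the rendered page shows one host and links to another. The route_rules page in this commit keeps shorewall.net for the same document; revert the url attribute to match.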

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-route_rules</refentrytitle>
<refentrytitle>shorewall6-route_rules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>route_rules</refname>
<refpurpose>Shorewall Routing Rules file</refpurpose>
<refpurpose>Shorewall6 Routing Rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/route_rules</command>
<command>/etc/shorewall6/route_rules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -23,7 +25,7 @@
<para>Entries in this file cause traffic to be routed to one of the
providers listed in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>The columns in the file are as follows.</para>
@ -87,7 +89,7 @@
<term>1000-1999</term>
<listitem>
<para>Before Shorewall-generated 'MARK' rules</para>
<para>Before Shorewall6-generated 'MARK' rules</para>
</listitem>
</varlistentry>
@ -95,7 +97,7 @@
<term>11000-11999</term>
<listitem>
<para>After 'MARK' rules but before Shorewall-generated rules
<para>After 'MARK' rules but before Shorewall6-generated rules
for ISP interfaces.</para>
</listitem>
</varlistentry>
@ -127,23 +129,6 @@
<programlisting> #SOURCE DEST PROVIDER PRIORITY
eth1 - ISP1 1000
</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>You use OpenVPN (routed setup /tunX) in combination with
multiple providers. In this case you have to set up a rule to ensure
that the OpenVPN traffic is routed back through the tunX
interface(s) rather than through any of the providers. 10.8.0.0/24
is the subnet chosen in your OpenVPN configuration (server 10.8.0.0
255.255.255.0).</para>
<programlisting> #SOURCE DEST PROVIDER PRIORITY
- 10.8.0.0/24 main 1000
</programlisting>
</listitem>
</varlistentry>
@ -153,7 +138,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/route_rules</para>
<para>/etc/shorewall6/route_rules</para>
</refsect1>
<refsect1>
@ -162,13 +147,12 @@
<para><ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-routestopped(5), shorewall6-rules(5),
shorewall6.conf(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-routestopped</refentrytitle>
<refentrytitle>shorewall6-routestopped</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,13 +11,13 @@
<refnamediv>
<refname>routestopped</refname>
<refpurpose>The Shorewall file that governs what traffic flows through the
firewall while it is in 'stopped' state.</refpurpose>
<refpurpose>The Shorewall6 file that governs what traffic flows through
the firewall while it is in 'stopped' state.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/routestopped</command>
<command>/etc/shorewall6/routestopped</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -23,7 +25,7 @@
<title>Description</title>
<para>This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped. When shorewall-shell is being
firewall is stopped or is being stopped. When shorewall6-shell is being
used, the file also determines those hosts that are accessible when the
firewall is in the process of being [re]started.</para>
@ -136,7 +138,7 @@
<para>The <emphasis role="bold">source</emphasis> and <emphasis
role="bold">dest</emphasis> options work best when used in conjunction
with ADMINISABSENTMINDED=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</note>
</refsect1>
@ -149,8 +151,8 @@
<listitem>
<programlisting> #INTERFACE HOST(S) OPTIONS
eth2 192.168.1.0/24
eth0 192.0.2.44
eth2 2002:ce7c:92b4::/64
eth0 2002:ce7c:92b4:1::/64
br0 - routeback
eth3 - source</programlisting>
</listitem>
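Review bot: The eth0 entry changes from a single host (192.0.2.44) to a whole subnet (2002:ce7c:92b4:1::/64), so the example now shows a much wider set of hosts reachable while the firewall is stopped than the original did. Keep it a single host address so the example continues to illustrate the narrow case, and consider using the 2001:db8::/32 documentation prefix for both entries.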
@ -161,22 +163,21 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/routestopped</para>
<para>/etc/shorewall6/routestopped</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
url="http://shorewall.net/starting_and_stopping_shorewall6.htm">http://shorewall.net/starting_and_stopping_shorewall6.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-rules(5),
shorewall6.conf(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>
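Review bot: The external link was rewritten to http://shorewall.net/starting_and_stopping_shorewall6.htm, which looks like a side effect of the shorewall to shorewall6 substitution on a URL rather than a real page move. Confirm the target exists before committing; otherwise keep the original starting_and_stopping_shorewall.htm URL.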

View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-rules</refentrytitle>
<refentrytitle>shorewall6-rules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -11,12 +11,12 @@
<refnamediv>
<refname>rules</refname>
<refpurpose>Shorewall rules file</refpurpose>
<refpurpose>Shorewall6 rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/rules</command>
<command>/etc/shorewall6/rules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -25,7 +25,7 @@
<para>Entries in this file govern connection establishment by defining
exceptions to the policies layed out in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
url="shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
subsequent requests and responses are automatically allowed using
connection tracking. For any particular (source,dest) pair of zones, the
rules are evaluated in the order in which they appear in this file and the
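Review bot: The sentence being edited still says "policies layed out in"; change it to "laid out" while touching the line.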
@ -97,7 +97,7 @@
<warning>
<para>If you specify FASTACCEPT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para>
</warning>
@ -188,7 +188,7 @@
<listitem>
<para>like ACCEPT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -217,7 +217,7 @@
<listitem>
<para>like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -236,7 +236,7 @@
<listitem>
<para>like REJECT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -319,12 +319,12 @@
<para>Do not process any of the following rules for this
(source zone,destination zone). If the source and/or
destination IP address falls into a zone defined later in
<ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
<ulink url="shorewall6-zones.html">shorewall6-zones</ulink>(5)
or in a parent zone of the source or destination zones, then
this connection request will be passed to the rules defined
for that (those) zone(s). See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
additional information.</para>
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for additional information.</para>
</listitem>
</varlistentry>
@ -334,7 +334,7 @@
<listitem>
<para>like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -363,7 +363,7 @@
<listitem>
<para>like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -371,7 +371,7 @@
<term>NFQUEUE</term>
<listitem>
<para>Only supported by Shorewall-perl &gt;= 4.0.3.</para>
<para>Only supported by Shorewall6-perl &gt;= 4.0.3.</para>
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
@ -386,7 +386,7 @@
<listitem>
<para>like NFQUEUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -397,9 +397,9 @@
<para>the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall show &lt;chain&gt;". To stop the comment from being
attached to further rules, simply include COMMENT on a line by
itself.</para>
"shorewall6 show &lt;chain&gt;". To stop the comment from
being attached to further rules, simply include COMMENT on a
line by itself.</para>
</listitem>
</varlistentry>
@ -409,8 +409,8 @@
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
in /usr/share/shorewall/actions.std.</para>
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
in /usr/share/shorewall6/actions.std.</para>
</listitem>
</varlistentry>
@ -452,8 +452,8 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall/actions.std then:</para>
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
/usr/share/shorewall6/actions.std then:</para>
<itemizedlist>
<listitem>
@ -482,7 +482,7 @@
<para>Actions specifying logging may be followed by a log tag (a
string of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
the log prefix generated by the LOGPREFIX setting.</para>
@ -497,12 +497,12 @@
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
<listitem>
<para>Source hosts to which the rule applies. May be a zone declared
in /etc/shorewall/zones, <emphasis role="bold">$FW</emphasis> to
in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
<emphasis role="bold">all+</emphasis>, <emphasis
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
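Review bot: The new SOURCE synopsis opens the angle bracket before the brace (":<" then "{") but closes it inside the first alternative ("]...[exclusion]>|exclusion|+ipset}"), so the brackets and braces are not properly nested, and the literal "<" is placed inside the bold colon emphasis. State explicitly that IPv6 addresses are enclosed in "<" and ">" and restructure the term so the delimiters wrap only the address list. The description text in this hunk also does not explain the new brackets.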
@ -542,24 +542,24 @@
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>dmz:192.168.2.2</term>
<term>dmz:2002:ce7c:92b4:1::2</term>
<listitem>
<para>Host 192.168.2.2 in the DMZ</para>
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:155.186.235.0/24</term>
<term>net:2001:4d48:ad51:24:;/64</term>
<listitem>
<para>Subnet 155.186.235.0/24 on the Internet</para>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
</listitem>
</varlistentry>
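Review bot: the new term `net:2001:4d48:ad51:24:;/64` has `:;` where `::` is meant; the paragraph below it has the correct `2001:4d48:ad51:24::/64`. Both converted examples also give the address bare (`dmz:2002:ce7c:92b4:1::2`), while the SOURCE synopsis changed earlier in this patch shows the address list wrapped in angle brackets, so either the synopsis or the examples need to change until they agree.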
@ -581,23 +581,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>net:192.0.2.11-192.0.2.17</term>
<listitem>
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:!192.0.2.11-192.0.2.17</term>
<listitem>
<para>All hosts in the net zone except for
192.0.2.11-192.0.2.17.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:155.186.235.0/24!155.186.235.16/28</term>
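Review bot: the trailing context keeps `net:155.186.235.0/24!155.186.235.16/28`, an IPv4 exclusion example, directly after the IPv4 range examples are dropped. This entry should be converted to an IPv6 network like the two examples changed in the previous hunk, and the commit message should say whether the range examples were removed because ranges do not apply to this page or only because they were IPv4.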
@ -618,7 +601,7 @@
role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
<para>It is important to note that when <emphasis
role="bold">using Shorewall-shell</emphasis> and specifying an
role="bold">using Shorewall6-shell</emphasis> and specifying an
address list that will be split (i.e., a comma separated list),
there is a subtle behavior which has the potential to cause
confusion. Consider the two examples below:</para>
@ -652,7 +635,7 @@
<para>That is, the interface name must be explicitly stated for
each member of the comma separated list. Again, this distinction
in behavior only occurs when <emphasis role="bold">using
Shorewall-shell</emphasis>.</para>
Shorewall6-shell</emphasis>.</para>
</blockquote>
</listitem>
</varlistentry>
@ -669,7 +652,7 @@
<listitem>
<para>Location of Server. May be a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para>
@ -684,7 +667,7 @@
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para>
<para>Beginning with Shorewall 4.1.4, the
<para>Beginning with Shorewall6 4.1.4, the
<replaceable>zone</replaceable> should be omitted in DNAT-,
REDIRECT- and NONAT rules.</para>
@ -716,15 +699,15 @@
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
<para>Restrictions:</para>
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
<emphasis role="bold">DNAT</emphasis> rules; no DNS names are
<para>2.Prior to Shorewall6 4.1.4, only IP addresses are allowed
in <emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>
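Review bot: restriction 2 is re-wrapped but still reads `2.Prior` with no space after the number, unlike `1. MAC addresses` just above it. Since the line is being rewritten anyway, make it `2. Prior to ...`.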
@ -768,17 +751,17 @@
</varlistentry>
</variablelist>
<para>If you are using Shorewall-shell or Shorewall-perl before
<para>If you are using Shorewall6-shell or Shorewall6-perl before
version 4.0.5, then the port number MUST be specified as an
integer and not as a name from services(5). Shorewall-perl 4.0.5
integer and not as a name from services(5). Shorewall6-perl 4.0.5
and later permit the <emphasis>port</emphasis> to be specified as
a service name. Additionally, Shorewall-perl 4.0.5 and later
a service name. Additionally, Shorewall6-perl 4.0.5 and later
permit specifying a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Beginning with Shorewall 4.0.6, the port
names are not permitted. Beginning with Shorewall6 4.0.6, the port
range may be optionally followed by <emphasis
role="bold">:random</emphasis> which causes assignment to ports in
the list to be random.</para>
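Review bot: renaming the product throughout this paragraph turns release history into statements about Shorewall6-shell, Shorewall6-perl 4.0.5 and Shorewall6 4.0.6, and nothing in the patch shows that those names and versions correspond to actual releases. Please confirm each version reference, or drop the "before version 4.0.5" qualifiers and state only the current behaviour for service names, port ranges and `:random`.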
@ -848,8 +831,8 @@
contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate rule
will be generated for each port. Shorewall-perl does not
url="../Shorewall6-perl.html">Shorewall6-perl</ulink>, a separate
rule will be generated for each port. Shorewall6-perl does not
automatically break up lists into individual rules.</para>
</listitem>
</varlistentry>
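Review bot: the link target changes to `../Shorewall6-perl.html` together with the link text, here and in the next hunk. Please check that a page with that name is actually published; if it is not, keep the existing `../Shorewall-perl.html` target and change only the visible text.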
@ -887,8 +870,8 @@
contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate
rule will be generated for each port. Shorewall-perl does not
url="../Shorewall6-perl.html">Shorewall6-perl</ulink>, a separate
rule will be generated for each port. Shorewall6-perl does not
automatically break up lists into individual rules.</para>
</blockquote>
</listitem>
@ -932,10 +915,10 @@
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
See <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>See <ulink
url="../PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
url="../PortKnocking.html">http://shorewall6.net/PortKnocking.html</ulink>
for an example of using an entry in this column with a user-defined
action rule.</para>
</listitem>
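Review bot: the link text becomes `http://shorewall6.net/PortKnocking.html` while the `url` attribute stays `../PortKnocking.html`, so the search-and-replace has rewritten a host name rather than a product name. Keep the text as `http://shorewall.net/PortKnocking.html`. The unchanged context above it still carries the IPv4 exclusion `192.168.1.0/24!192.168.1.16/28` with the `182.168.1.15` typo, which is worth fixing while this paragraph is being touched.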
@ -1067,7 +1050,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
Shorewall6-perl.</para>
</listitem>
</varlistentry>
</variablelist>
@ -1079,8 +1062,8 @@
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
of simultaneous connections from each individual host to
<para>Added in Shorewall6-perl 4.2.1. May be used to limit the
number of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. Requires connlimit
match in your kernel and iptables. While the limit is only checked
on rules specifying CONNLIMIT, the number of current connections is
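Review bot: the CONNLIMIT text now names Shorewall6-perl, but the unchanged sentence that follows still says the connlimit match is required "in your kernel and iptables". On the IPv6 page the userspace tool to name is ip6tables. The same leftover appears in the TIME column text and in the Restrictions section (`iptables/kernel`) further down in this patch.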
@ -1103,7 +1086,7 @@
<emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the rule
<para>Added in Shorewall6-perl 4.2.1. May be used to limit the rule
to a particular time period each day, to particular days of the week
or month, or to a range defined by dates and times. Requires time
match support in your kernel and iptables.</para>
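Review bot: the TIME synopsis in the context line spells the repeated placeholder `timelement`, against `timeelement` immediately before it. Fix the spelling so both occurrences match.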
@ -1190,9 +1173,9 @@
<title>Restrictions</title>
<para>Unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink> and your
url="../Shorewall6-perl.html">Shorewall6-perl</ulink> and your
iptables/kernel have <firstterm>Repeat Match</firstterm> support (see the
output of <command>shorewall show capabilities</command>), if you specify
output of <command>shorewall6 show capabilities</command>), if you specify
a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
versa.</para>
</refsect1>
@ -1310,29 +1293,29 @@
<term>Example 9:</term>
<listitem>
<para>Shorewall does not impose as much structure on the Netfilter
<para>Shorewall6 does not impose as much structure on the Netfilter
rules in the 'nat' table as it does on those in the filter table. As
a consequence, when using Shorewall versions before 4.1.4, care must
be exercised when using DNAT and REDIRECT rules with zones defined
with wildcard interfaces (those ending with '+'. Here is an
a consequence, when using Shorewall6 versions before 4.1.4, care
must be exercised when using DNAT and REDIRECT rules with zones
defined with wildcard interfaces (those ending with '+'. Here is an
example:</para>
<para><ulink
url="shorewall-zones.html">shorewall-zones</ulink>(8):<programlisting> #ZONE TYPE OPTIONS
url="shorewall6-zones.html">shorewall6-zones</ulink>(8):<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv4
dmz ipv4
loc ipv4</programlisting></para>
<para><ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1 detect
dmz eth2 detect
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
<para><ulink
url="shorewall-hosts.html">shorewall-host</ulink>(8):<programlisting> #ZONE HOST(S) OPTIONS
url="shorewall6-hosts.html">shorewall6-host</ulink>(8):<programlisting> #ZONE HOST(S) OPTIONS
loc ppp+:192.168.3.0/24</programlisting></para>
<para>rules:</para>
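Review bot: Example 9 is renamed to Shorewall6 but its content is still IPv4: the zones listing declares `net`, `dmz` and `loc` as type `ipv4`, and both the interfaces comment and the hosts entry use `192.168.3.0/24`. Convert the zone types and addresses to their IPv6 equivalents, or remove the example if it does not apply. Minor points in the touched lines: the parenthesis in `(those ending with '+'.` is never closed, the link text `shorewall6-host` lacks the final `s` of its `shorewall6-hosts.html` target, and the three file references use section (8) where the See ALSO list uses (5).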
@ -1342,7 +1325,7 @@
REDIRECT loc 3128 tcp 80 </programlisting>
<simpara>Note that it would have been tempting to simply define the
loc zone entirely in shorewall-interfaces(8):</simpara>
loc zone entirely in shorewall6-interfaces(8):</simpara>
<para><programlisting> #******************* INCORRECT *****************
#ZONE INTERFACE BROADCAST OPTIONS
@ -1364,19 +1347,19 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
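Review bot: the new See ALSO list omits shorewall6-exclusion(5), although this patch points the page at `shorewall6-exclusion.html` in three places. Add it to the list. Since the list was produced by renaming every entry of the Shorewall list, please also confirm that each renamed entry has a shorewall6 page behind it.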

View File

@ -1,158 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry>
<refmeta>
<refentrytitle>shorewall-tcfilters</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcfilters</refname>
<refpurpose>Shorewall u32 classifier rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcfilters</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Entries in this file cause packets to be classified for traffic
shaping.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">CLASS</emphasis> -
<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>class</emphasis></term>
<listitem>
<para>The name or number of an <returnvalue>interface</returnvalue>
defined in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
followed by a <replaceable>class</replaceable> number defined for
that interface in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Source of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term>
<listitem>
<para>Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and iptables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the <emphasis
role="bold">MARK</emphasis> column specificies a classification of
the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
this column may also contain an interface name.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
<listitem>
<para>Protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Destination Ports. A Port name (from services(5)) or a
<emphasis>port number</emphasis>; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Source port.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Place all ICMP echo traffic on interface 1 in class 10.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcfilters</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para><ulink
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
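Review bot: the commit message does not mention that this page is removed outright. The deleted file is still titled shorewall-tcfilters and names /etc/shorewall/tcfilters, so it reads like a copy that was never converted; the message should say whether it is dropped for that reason or because the file does not apply here.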