Format and grammar fixes.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
el_cubano 2008-07-29 04:28:41 +00:00
parent 46ec09dddf
commit 1de5404e67
2 changed files with 146 additions and 147 deletions


@ -10,7 +10,7 @@ Changes in 4.2.0-Beta3
5) Fix COPY column.
6) Add macro.RNDC.
6) Add macro.RNDC.
Changes in 4.2.0-Beta2


@ -36,20 +36,20 @@ Migration Issues.
3) Specifying a destination zone in a NAT-only rule now generates a
warning and the destination zone is ignored. NAT-only rules are:
NONAT
REDIRECT-
DNAT-
NONAT
REDIRECT-
DNAT-
4) The default value for LOG_MARTIANS has been changed. Previously,
the defaults were:
Shorewall-perl - 'Off'
Shorewall-shell - 'No'
Shorewall-perl - 'Off'
Shorewall-shell - 'No'
The new default values are:
Shorewall-perl - 'On'
Shorewall-shell - 'Yes'.
Shorewall-perl - 'On'
Shorewall-shell - 'Yes'.
Shorewall-perl users may:
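Review bot: in item 4 the "new default values" list is punctuated inconsistently: `Shorewall-shell - 'Yes'.` ends with a period while `Shorewall-perl - 'On'` and both entries of the old-defaults list do not; for a format-and-grammar pass, drop that period (or give every entry one) so the two lists match.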
@ -200,16 +200,16 @@ New Features in Shorewall 4.2.
/etc/shorewall/route_rules:
#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.0/24 Blarg 1000
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000
#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.0/24 Blarg 1000
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000
/etc/shorewall/tcrules
#MARK/CLASSIFY SOURCE DEST
1 eth0:206.124.146.0/24 0.0.0.0/0
2 eth0:130.242.144.0/24 0.0.0.0/0
#MARK/CLASSIFY SOURCE DEST
1 eth0:206.124.146.0/24 0.0.0.0/0
2 eth0:130.242.144.0/24 0.0.0.0/0
2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the table name with a
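Review bot: the two examples in this hunk disagree on the second network: /etc/shorewall/route_rules lists `130.252.144.0/24` while /etc/shorewall/tcrules marks `eth0:130.242.144.0/24`. One of them is a typo; the paired examples only make sense if the same source network appears in both files, so pick one value and use it in both.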
@ -218,7 +218,7 @@ New Features in Shorewall 4.2.
Example:
shorewall refresh nat:
shorewall refresh nat:
3) When no chain name is given to the 'shorewall refresh' command, the
mangle table is refreshed along with the blacklist chain (if
@ -243,11 +243,11 @@ New Features in Shorewall 4.2.
/etc/shorewall/shorewall.conf:
MACLIST_LOG_LEVEL=NFLOG(1,0,1)
MACLIST_LOG_LEVEL=NFLOG(1,0,1)
/etc/shorewall/rules:
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
5) Shorewall-perl 4.2 implements an alternative syntax for macro
parameters and for the NFQUEUE queue number. Rather than following
@ -256,8 +256,8 @@ New Features in Shorewall 4.2.
Examples -- each pair shown below are equivalent:
DNS/ACCEPT DNS(ACCEPT)
NFQUEUE/3 NFQUEUE(3)
DNS/ACCEPT DNS(ACCEPT)
NFQUEUE/3 NFQUEUE(3)
The old syntax will still be accepted but will cease to be documented
in some future Shorewall release.
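Review bot: the context line `Examples -- each pair shown below are equivalent:` has a subject/verb disagreement; since this commit is a grammar pass, change it to `each pair shown below is equivalent` or `the two forms in each pair below are equivalent`.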
@ -276,17 +276,17 @@ New Features in Shorewall 4.2.
the verbosity at which logging will occur. It uses the same
value range as VERBOSITY:
-1 Do not log
0 Almost quiet
1 Only major steps
2 Verbose
-1 Do not log
0 Almost quiet
1 Only major steps
2 Verbose
c) An absolute VERBOSITY may be specified on the command line
using the -v option followed by -1,0,1 or 2.
Example:
Example:
shorewall -v2 check
shorewall -v2 check
d) The /etc/init.d/shorewall script supplied with the
shorewall.net packages sets '-v0' as the default. This may be
@ -296,17 +296,17 @@ New Features in Shorewall 4.2.
Logging occurs on both Shorewall-perl and the generated script when
the following commands are issued:
start
restart
refresh
start
restart
refresh
Messages in the log are always timestamped.
This change implemented two new options to the Shorewall-perl
compiler (/usr/share/shorewall-perl/compiler.pl).
--log=<logfile>
--log_verbosity={-1|0-2}
--log=<logfile>
--log_verbosity={-1|0-2}
The --log option is ignored when --log_verbosity is not supplied or
is supplied with value -1.
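Review bot: `This change implemented two new options to the Shorewall-perl compiler` is in the past tense while the surrounding text is in the present (`Logging occurs ...`, `Messages in the log are always timestamped`); `This change introduces two new options` would read consistently with the rest of the item.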
@ -315,34 +315,34 @@ New Features in Shorewall 4.2.
Shorewall::Compiler::compile(), that function has been changed to
use named parameters. Parameter names are:
object Object file. If omitted or '', the
configuration is syntax checked.
directory Directory. If omitted or '', configuration
files are located using
CONFIG_PATH. Otherwise, the directory named by
this parameter is searched first.
verbosity Verbosity; range -1 to 2
timestamp 0|1 -- timestamp messages.
debug 0|1 -- include stack trace in warning/error
messages.
export 0|1 -- compile for export.
chains List of chains to be reloaded by 'refresh'.
log File to log compiler messages to.
log_verbosity Log Verbosity; range -1 to 2.
object Object file. If omitted or '', the
configuration is syntax checked.
directory Directory. If omitted or '', configuration
files are located using
CONFIG_PATH. Otherwise, the directory named by
this parameter is searched first.
verbosity Verbosity; range -1 to 2
timestamp 0|1 -- timestamp messages.
debug 0|1 -- include stack trace in warning/error
messages.
export 0|1 -- compile for export.
chains List of chains to be reloaded by 'refresh'.
log File to log compiler messages to.
log_verbosity Log Verbosity; range -1 to 2.
Those parameters that are supplied must have defined values.
Defaults are:
object '' ('check' command)
directory ''
verbosity 1
timestamp 0
debug 0
export 0
chains ''
log ''
log_verbosity -1
object '' ('check' command)
directory ''
verbosity 1
timestamp 0
debug 0
export 0
chains ''
log ''
log_verbosity -1
Example:
@ -352,7 +352,7 @@ New Features in Shorewall 4.2.
compiler( object => '/root/firewall',
log => '/root/compile.log',
log_verbosity => 2 );
log_verbosity => 2 );
7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
mark values < 256 to be assigned in the OUTPUT chain. This has been
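Review bot: the example calls `compiler( object => '/root/firewall', ...)`, but the function the preceding hunk documents as taking these named parameters is `Shorewall::Compiler::compile()`; the example should call `compile(` so that its name matches the documented one, or the text should say where `compiler` comes from.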
@ -371,7 +371,7 @@ New Features in Shorewall 4.2.
column. Currently only a single option is defined.
classify When specified, you must use explicit CLASSIFY tcrules
to classify traffic by class. Shorewall will not create
to classify traffic by class. Shorewall will not create
any CLASSIFY rules to classify traffic by mark value.
See http://www.shorewall.net/traffic_shaping.htm for further
@ -386,25 +386,25 @@ New Features in Shorewall 4.2.
when the top-level macro was invoked. This allows the
following:
/etc/shorewall/macro.SSH:
/etc/shorewall/macro.SSH:
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT My SSH Macro
PARAM - - tcp 22
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT My SSH Macro
PARAM - - tcp 22
/etc/shorewall/rules:
/etc/shorewall/rules:
COMMENT Allow SSH from home
SSH/ALLOW net:$MYIP $FW
COMMENT
COMMENT Allow SSH from home
SSH/ALLOW net:$MYIP $FW
COMMENT
The comment line in macro.SSH will not override the
COMMENT line in the rules file and the generated rule will show
The comment line in macro.SSH will not override the
COMMENT line in the rules file and the generated rule will show
/* Allow SSH from home */
/* Allow SSH from home */
when displayed through the Shorewall show and dump commands.
when displayed through the Shorewall show and dump commands.
If a macro is invoked and there is no current comment, then the
name of the macro automatically becomes the current comment. This
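Review bot: the rules example `SSH/ALLOW net:$MYIP $FW` passes ALLOW as the macro parameter, while every other macro invocation in this file passes ACCEPT (`DNS/ACCEPT`, `SSH/ACCEPT loc fw`); unless ALLOW is a deliberately defined action, change it to `SSH/ACCEPT` so the example produces the rule the surrounding text describes.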
@ -429,7 +429,7 @@ New Features in Shorewall 4.2.
Example:
OWNER=foo GROUP=bar ./install.sh
OWNER=foo GROUP=bar ./install.sh
To install Shorewall-perl under Cygwin:
@ -450,9 +450,9 @@ New Features in Shorewall 4.2.
16) Specifying a destination zone in a NAT-only rule now generates a
warning and the destination zone is ignored. NAT-only rules are:
NONAT
REDIRECT-
DNAT-
NONAT
REDIRECT-
DNAT-
17) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a
comma-separated list of interface names where before only a single
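Review bot: the context line `The /etc/shorewall/masq and /etc/shorewall/nat file now accept` needs `files` to agree with `accept`. Item 16 also repeats Migration Issues item 3 word for word (the same NAT-only rule list: NONAT, REDIRECT-, DNAT-); if both copies are intended, keep them identical or have one refer to the other so a later correction does not land in only one of them.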
@ -469,26 +469,26 @@ New Features in Shorewall 4.2.
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
eth0,eth1 eth2 1.2.3.4
eth0,eth1 eth2 1.2.3.4
equivalent to:
#INTERFACE SOURCE ADDRESS
eth0 eth2 1.2.3.4
eth1 eth2 1.2.3.4
eth0 eth2 1.2.3.4
eth1 eth2 1.2.3.4
Example 2:
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
eth0,eth1::192.168.1.0/24 eth2 1.2.3.4
#INTERFACE SOURCE ADDRESS
eth0,eth1::192.168.1.0/24 eth2 1.2.3.4
equivalent to:
#INTERFACE SOURCE ADDRESS
eth0::192.168.1.0/24 eth2 1.2.3.4
eth1::192.168.1.0/24 eth2 1.2.3.4
eth0::192.168.1.0/24 eth2 1.2.3.4
eth1::192.168.1.0/24 eth2 1.2.3.4
Example 3:
@ -513,11 +513,11 @@ New Features in Shorewall 4.2.
/etc/shorewall/interfaces:
vpn tun+
vpn tun+
/etc/shorewall/masq:
tun1 192.168.4.0/24
tun1 192.168.4.0/24
19) Previously, Shorewall classified non-firewall zones as either
'simple' or 'complex'. Attributes of a zone which made it 'complex'
@ -564,7 +564,7 @@ New Features in Shorewall 4.2.
So, if you have this rule:
SSH/ACCEPT loc fw
SSH/ACCEPT loc fw
then the generated netfilter rule will include "/* SSH */" when
viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
@ -594,9 +594,9 @@ New Features in Shorewall 4.2.
Example:
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
1:eth0 1300kbit 384kbit classify
2:eth1 5600kbit 1000kbit
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
1:eth0 1300kbit 384kbit classify
2:eth1 5600kbit 1000kbit
In /etc/shorewall/tcclasses:
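Review bot: the tcdevices header in this example reads `IN-BANDWITH` in both the old and the new lines, whereas the later tcdevices example in this file spells it `IN-BANDWIDTH`; fix the spelling here so the two examples agree with the column they describe.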
@ -634,26 +634,26 @@ New Features in Shorewall 4.2.
Example:
ursa:~ # modprobe ifb numifbs=1
ursa:~ # ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
ursa:~ # modprobe ifb numifbs=1
ursa:~ # ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
ursa:~ #
link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
ursa:~ #
After you have created the IFB(s), you must bring it(them) up:
ip link set dev ifb0 up
ip link set dev ifb0 up
You can place all of this in /etc/shorewall/init as follows:
modprobe ifb numifbs=1
ip link set dev ifb0 up
modprobe ifb numifbs=1
ip link set dev ifb0 up
The /etc/shorewall/tcdevices file has been extended to include an
additional REDIRECTED DEVICES column. To convert your configuration
@ -662,15 +662,15 @@ New Features in Shorewall 4.2.
a) Look at your current /etc/shorewall/tcdevices file. Suppose you
have:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
eth0 1300kbit 384kbit -
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
eth0 1300kbit 384kbit -
Change it as follows:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
# DEVICES
eth0 - 384kkbit -
ifb0 - 1300kbit - eth0
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
# DEVICES
eth0 - 384kkbit -
ifb0 - 1300kbit - eth0
Note that the old IN-BANDWIDTH for eth0 has become the
OUT-BANDWIDTH for ifb0 and that neither device has an
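Review bot: in the converted tcdevices file, `eth0 - 384kkbit -` has a doubled `k`; the original line above it gives `384kbit`, and the note after the example says only the old IN-BANDWIDTH (1300kbit) moves to ifb0 while eth0 keeps its OUT-BANDWIDTH, so the value should be `384kbit`.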
@ -695,32 +695,32 @@ New Features in Shorewall 4.2.
INTERFACE:CLASS
The interface name or number followed by a colon (":")
and the class number.
The interface name or number followed by a colon (":")
and the class number.
SOURCE
Source IP address. May be a host or network address.
Specify "-" if any SOURCE address should match.
Specify "-" if any SOURCE address should match.
DEST
Destination IP address. May be a host or network
address. Specify "-" if any DEST address should match.
Destination IP address. May be a host or network
address. Specify "-" if any DEST address should match.
PROTO
Protocol Name/Number. Specify "-" if any PROTO should
match.
Protocol Name/Number. Specify "-" if any PROTO should
match.
DEST PORT(S)
A comma-separated list of destination ports. May only
be given if the PROTO is tcp, udp, icmp or
sctp. Port ranges may be used, except when the PROTO is
icmp. Specify "-" if any PORT should match.
A comma-separated list of destination ports. May only
be given if the PROTO is tcp, udp, icmp or
sctp. Port ranges may be used, except when the PROTO is
icmp. Specify "-" if any PORT should match.
SOURCE PORT(S)
A comma-separated list of source port. May only be
given if the PROTO is tcp, udp or sctp. Port ranges
may be used unless the protocol is icmp. Specify "-" if
any PORT should match.
A comma-separated list of source port. May only be
given if the PROTO is tcp, udp or sctp. Port ranges
may be used unless the protocol is icmp. Specify "-" if
any PORT should match.
Entries in /etc/shorewall/tcfilters generate U32 tc filters which
may be displayed using the "shorewall show filters" ("shorewall-lite
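Review bot: under SOURCE PORT(S), `A comma-separated list of source port` should be `source ports` (compare the DEST PORT(S) entry). In the same entry, `Port ranges may be used unless the protocol is icmp` is unreachable as written, because the entry only permits tcp, udp or sctp; either drop that clause or, if icmp is in fact allowed for SOURCE PORT(S) as it is for DEST PORT(S), add it to the protocol list.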
@ -745,23 +745,23 @@ New Features in Shorewall 4.2.
where <gw> is the interface name:
- in upper case
- with any characters not allowed in shell variable names
replaced by '_'.
- in upper case
- with any characters not allowed in shell variable names
replaced by '_'.
Example (from OpenWRT):
Interface: eth0.1
Variable: ETH0_1_GATEWAY
Interface: eth0.1
Variable: ETH0_1_GATEWAY
/etc/shorewall/init:
ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)
ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)
29) A new CONNBYTES column has been added to the tcrules file. The
column defines a byte or packet range that the connection must fall
within in order for the rule to match. The contents are:
[!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]]
[!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]]
! matches if the the packet/byte count is not within the range
defined by <min> and <max>.
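Review bot: `! matches if the the packet/byte count` has a doubled `the`; this hunk is otherwise only a whitespace change, so the fix belongs in the same grammar pass.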
@ -790,7 +790,7 @@ New Features in Shorewall 4.2.
Examples:
1000000: - Connection has transferred a total of
1000000: - Connection has transferred a total of
at least 1,000,000 bytes.
1000000::R - Connection has transferred at least
@ -799,8 +799,8 @@ New Features in Shorewall 4.2.
large download).
1000000::O:P - Connection has sent at least 1,000,000
packets in the direction of the original
connection.
packets in the direction of the original
connection.
30) A new MANGLE_ENABLED option is added to shorewall.conf. The default
setting is 'Yes' which causes Shorewall to assume responsibility for
@ -828,7 +828,7 @@ New Features in Shorewall 4.2.
columns. So that Shorewall-perl can determine which column layout
each macro has, a new FORMAT directive is added:
FORMAT {1|2}
FORMAT {1|2}
The default is FORMAT 1 which is the old format. FORMAT 2 specifies
that the macro is in the new format.
@ -839,12 +839,12 @@ New Features in Shorewall 4.2.
The macro body is:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
FORMAT 2
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
DEST - - - - - -
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
DEST - - - - - -
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The 'norfc1918' option on the interface associated with zone 'z'
@ -875,7 +875,6 @@ New Features in Shorewall 4.2.
35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall
would enable ip forwarding before instantiating the rules. This
could lead to incorrect connection tracking entries being created
between the time that forwarding was enabled and when the nat table
rules were instantiated.
@ -904,12 +903,12 @@ New Features in Shorewall 4.2.
39) A 'save' extension script is added. The script is run after
iptables-save has completed successfully.
The 'load' and 'reload' commands copy the save script (if any) to
/etc/shorewall-lite/ on the remove firewall system. The 'export'
command copies the file to the same directory as the 'firewall' and
'firewall.conf' scripts.
The 'load' and 'reload' commands copy the save script (if any) to
/etc/shorewall-lite/ on the remove firewall system. The 'export'
command copies the file to the same directory as the 'firewall' and
'firewall.conf' scripts.
I have the following commands in my 'save' script:
I have the following commands in my 'save' script:
[ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
ipset -S > /root/ipsets.save
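Review bot: `on the remove firewall system` in the 'load'/'reload' paragraph should be `remote`; the sentence describes copying the save script to /etc/shorewall-lite/ on the firewall being administered, and the wording survives unchanged in both the old and new lines of this hunk.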
@ -921,10 +920,10 @@ New Features in Shorewall 4.2.
if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < /root/ipsets.save
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < /root/ipsets.save
fi
Those two scripts allow me to save and restore the contents of my
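Review bot: the restore block runs `ipset -R < /root/ipsets.save` unconditionally on `start`, whereas the save script guards its backup copy with `[ -s /root/ipsets.save ]`; on a system where the save file does not exist yet, the shell reports an error for the missing redirection after `ipset -F` and `ipset -X` have already emptied and removed the sets. Guarding the restore the same way, e.g. `[ -s /root/ipsets.save ] && ipset -R < /root/ipsets.save`, keeps a first start from failing at that step.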