Updated Comments For 1.4.x Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@542 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall 1.4 -- Sample Interface File For One Interface
+# 	Shorewall 1.4  -- Sample Interface File For One Interface
 #
 # 	/etc/shorewall/interfaces
 #

Samples/one-interface/policy

@@ -22,7 +22,30 @@
 #			Shorewall will not start!
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"
+#			
+#			ACCEPT
+#				Accept the connection
+#			DROP
+#				Ignore the connection request.
+#			REJECT
+#				For TCP, send RST. For all other, send
+#				"port unreachable" ICMP.
+#			CONTINUE
+#				Pass the connection request past
+#				any other rules that it might also
+#				match (where the source or destination
+#				zone in those rules is a superset of
+#				the SOURCE or DEST in this policy)
+#			NONE
+#				Assume that there will never be any
+#				packets from this SOURCE to this
+#				DEST. Shorewall will not set up any
+#				infrastructure to handle such packets
+#				and you may not have any rules with 
+#				this SOURCE and DEST in the /etc/shorewall/rules
+#				file. If such a packet is received the result
+#				is undefined.
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no

Samples/one-interface/rules

@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
+#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+#				CONTINUE or LOG.
 #
 #				ACCEPT
 #						Allow the connection request
@@ -46,6 +47,8 @@
 #						connection request will be passed
 #						to the rules defined for that
 #						(those) zones(s).
+#				LOG		
+#						Simply log the packet and continue.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
@@ -110,6 +113,8 @@
 #			2. 	In DNAT rules, only IP addresses are
 #				allowed; no FQDNs or subnet addresses
 #				are permitted.
+#			3.	You may not specify both an interface and
+#				an address
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by

Samples/three-interfaces/policy

@@ -22,7 +22,30 @@
 #			Shorewall will not start!
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
+#
+#			ACCEPT
+#				Accept the connection
+#			DROP
+#				Ignore the connection request.
+#			REJECT
+#				For TCP, send RST. For all other, send
+#				"port unreachable" ICMP.
+#			CONTINUE
+#				Pass the connection request past
+#				any other rules that it might also
+#				match (where the source or destination
+#				zone in those rules is a superset of
+#				the SOURCE or DEST in this policy)
+#			NONE
+#				Assume that there will never be any
+#				packets from this SOURCE to this
+#				DEST. Shorewall will not set up any
+#				infrastructure to handle such packets
+#				and you may not have any rules with
+#				this SOURCE and DEST in the /etc/shorewall/rules
+#				file. If such a packet is received the result
+#				is undefined.
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no

Samples/three-interfaces/rules

@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
+#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+#				CONTINUE or LOG.
 #
 #				ACCEPT
 #						Allow the connection request
@@ -46,6 +47,8 @@
 #						connection request will be passed
 #						to the rules defined for that
 #						(those) zones(s).
+#				LOG		
+#						Simply log the packet and continue.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
@@ -110,6 +113,8 @@
 #			2. 	In DNAT rules, only IP addresses are
 #				allowed; no FQDNs or subnet addresses
 #				are permitted.
+#			3.	You may not specify both an interface and
+#				an address.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by

Samples/two-interfaces/policy

@@ -22,8 +22,31 @@
 #			Shorewall will not start!
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
 #
+#			ACCEPT
+#				Accept the connection
+#			DROP
+#				Ignore the connection request.
+#			REJECT
+#				For TCP, send RST. For all other, send
+#				"port unreachable" ICMP.
+#			CONTINUE
+#				Pass the connection request past
+#				any other rules that it might also
+#				match (where the source or destination
+#				zone in those rules is a superset of
+#				the SOURCE or DEST in this policy)
+#			NONE
+#				Assume that there will never be any
+#				packets from this SOURCE to this
+#				DEST. Shorewall will not set up any
+#				infrastructure to handle such packets
+#				and you may not have any rules with
+#				this SOURCE and DEST in the /etc/shorewall/rules
+#				file. If such a packet is received the result
+#				is undefined.
+#				
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
 #			log message is generated. See syslog.conf(5) for a

Samples/two-interfaces/rules

@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
+#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+#				CONTINUE or LOG.
 #
 #				ACCEPT
 #						Allow the connection request
@@ -46,6 +47,8 @@
 #						connection request will be passed
 #						to the rules defined for that
 #						(those) zones(s).
+#				LOG		
+#						Simply log the packet and continue.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
@@ -110,6 +113,8 @@
 #			2. 	In DNAT rules, only IP addresses are
 #				allowed; no FQDNs or subnet addresses
 #				are permitted.
+#			3	You may not specify both an interface and 
+#				an address.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by