From 240d7c838100d66751e74163608854298955657e Mon Sep 17 00:00:00 2001
From: frannie
Date: Sun, 20 Apr 2003 14:37:26 +0000
Subject: [PATCH] Updated Comments For 1.4.x Changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@542 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 2 +-
 Samples/one-interface/policy | 25 ++++++++++++++++++++++++-
 Samples/one-interface/rules | 7 ++++++-
 Samples/three-interfaces/policy | 25 ++++++++++++++++++++++++-
 Samples/three-interfaces/rules | 7 ++++++-
 Samples/two-interfaces/policy | 25 ++++++++++++++++++++++++-
 Samples/two-interfaces/rules | 7 ++++++-
 7 files changed, 91 insertions(+), 7 deletions(-)
diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 588784761..5a9a9fca8 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Interface File For One Interface
+# Shorewall 1.4 -- Sample Interface File For One Interface
 #
 # /etc/shorewall/interfaces
 #
diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index d86fd6e13..9c2e73f60 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -22,7 +22,30 @@
 # Shorewall will not start!
 #
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"
+#
+# ACCEPT
+# Accept the connection
+# DROP
+# Ignore the connection request.
+# REJECT
+# For TCP, send RST. For all other, send
+# "port unreachable" ICMP.
+# CONTINUE
+# Pass the connection request past
+# any other rules that it might also
+# match (where the source or destination
+# zone in those rules is a superset of
+# the SOURCE or DEST in this policy)
+# NONE
+# Assume that there will never be any
+# packets from this SOURCE to this
+# DEST. Shorewall will not set up any
+# infrastructure to handle such packets
+# and you may not have any rules with
+# this SOURCE and DEST in the /etc/shorewall/rules
+# file. If such a packet is received the result
+# is undefined.
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index e419ddd3b..f6423c1e7 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+# CONTINUE or LOG.
 #
 # ACCEPT
 # Allow the connection request
@@ -46,6 +47,8 @@
 # connection request will be passed
 # to the rules defined for that
 # (those) zones(s).
+# LOG
+# Simply log the packet and continue.
 #
 # May optionally be followed by ":" and a syslog log
 # level (e.g, REJECT:info). This causes the packet to be
@@ -110,6 +113,8 @@
 # 2. In DNAT rules, only IP addresses are
 # allowed; no FQDNs or subnet addresses
 # are permitted.
+# 3. You may not specify both an interface and
+# an address
 #
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
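Review bot: The new NONE entry in the POLICY column comment of Samples/one-interface/policy ends with "If such a packet is received the result is undefined", which leaves the reader of a firewall policy file with no way to judge when the setting is safe. I would close the entry with a line such as `# Use NONE only for zone pairs that cannot exchange traffic; if unsure, use DROP or REJECT.` so that the fail-closed alternative is named next to the warning. The same block is added in the three-interfaces and two-interfaces policy hunks. The comment block this belongs to starts above the hunk.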
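Review bot: In the `@@ -46,6 +47,8 @@` hunk of Samples/one-interface/rules, the new LOG entry "Simply log the packet and continue" does not say what "continue" means, and it sits directly above the unchanged paragraph that calls the ":" log level optional. Coming right after what appears to be the CONTINUE description, it can be misread as that action; wording such as `# Log the packet, then go on to the next rule.` would be clearer. The entry should also say which level a bare LOG uses; presumably LOG needs an explicit level, which should be confirmed against the 1.4 rule parser. The same two lines are added in the three-interfaces and two-interfaces rules hunks.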
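Review bot: The added item 3 in the `@@ -110,6 +113,8 @@` hunk is punctuated differently in each sample: here it ends without a period, the two-interfaces rules hunk writes `# 3 You may not` with no period after the number, and only three-interfaces has both. Use `# 3. You may not specify both an interface and` followed by `# an address.` in all three so the samples stay identical. The numbered list starts above the hunk, so the column this restriction applies to is not visible here.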
diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy
index 9e59c6880..3a5375d69 100644
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -22,7 +22,30 @@
 # Shorewall will not start!
 #
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
+#
+# ACCEPT
+# Accept the connection
+# DROP
+# Ignore the connection request.
+# REJECT
+# For TCP, send RST. For all other, send
+# "port unreachable" ICMP.
+# CONTINUE
+# Pass the connection request past
+# any other rules that it might also
+# match (where the source or destination
+# zone in those rules is a superset of
+# the SOURCE or DEST in this policy)
+# NONE
+# Assume that there will never be any
+# packets from this SOURCE to this
+# DEST. Shorewall will not set up any
+# infrastructure to handle such packets
+# and you may not have any rules with
+# this SOURCE and DEST in the /etc/shorewall/rules
+# file. If such a packet is received the result
+# is undefined.
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index ac85560c7..4c49393e3 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+# CONTINUE or LOG.
 #
 # ACCEPT
 # Allow the connection request
@@ -46,6 +47,8 @@
 # connection request will be passed
 # to the rules defined for that
 # (those) zones(s).
+# LOG
+# Simply log the packet and continue.
 #
 # May optionally be followed by ":" and a syslog log
 # level (e.g, REJECT:info). This causes the packet to be
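Review bot: The POLICY value list added in Samples/three-interfaces/policy reads `"CONTINUE" Or "NONE"` with a capital "Or", where the one-interface sample has `or`. The two-interfaces policy hunk carries the same capitalisation. Change both to `# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"` so the three sample files document the column identically.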
@@ -110,6 +113,8 @@
 # 2. In DNAT rules, only IP addresses are
 # allowed; no FQDNs or subnet addresses
 # are permitted.
+# 3. You may not specify both an interface and
+# an address.
 #
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index 7d297638e..09f59f217 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -22,8 +22,31 @@
 # Shorewall will not start!
 #
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
 #
+# ACCEPT
+# Accept the connection
+# DROP
+# Ignore the connection request.
+# REJECT
+# For TCP, send RST. For all other, send
+# "port unreachable" ICMP.
+# CONTINUE
+# Pass the connection request past
+# any other rules that it might also
+# match (where the source or destination
+# zone in those rules is a superset of
+# the SOURCE or DEST in this policy)
+# NONE
+# Assume that there will never be any
+# packets from this SOURCE to this
+# DEST. Shorewall will not set up any
+# infrastructure to handle such packets
+# and you may not have any rules with
+# this SOURCE and DEST in the /etc/shorewall/rules
+# file. If such a packet is received the result
+# is undefined.
+#
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
 # log message is generated. See syslog.conf(5) for a
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 597f131bc..363a54826 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+# CONTINUE or LOG.
 #
 # ACCEPT
 # Allow the connection request
@@ -46,6 +47,8 @@
 # connection request will be passed
 # to the rules defined for that
 # (those) zones(s).
+# LOG
+# Simply log the packet and continue.
 #
 # May optionally be followed by ":" and a syslog log
 # level (e.g, REJECT:info). This causes the packet to be
@@ -110,6 +113,8 @@
 # 2. In DNAT rules, only IP addresses are
 # allowed; no FQDNs or subnet addresses
 # are permitted.
+# 3 You may not specify both an interface and
+# an address.
 #
 # The port that the server is listening on may be
 # included and separated from the server's IP address by