Documentation improvements

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7031 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-08-02 22:09:56 +00:00 · 2007-08-02 22:09:56 +00:00 · 2aee7f135a
commit 2aee7f135a
parent 981e337c41
4 changed files with 129 additions and 92 deletions
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@ -231,10 +231,11 @@
        <caution>
          <para>If you want to be able to allow non-root users to manage
-          remote filewall systems, then the file
+          remote filewall systems, then the files
          <filename>/etc/shorewall/params</filename> and
          <filename>/etc/shorewall/shorewall.conf</filename> must be readable
          by all users on the administrative system. Not all packages secure
-          the file that way and you may have to change the file permissions
+          the files that way and you may have to change the file permissions
          yourself. /sbin/shorewall uses the SHOREWALL_SHELL setting from
          <filename>/etc/shorewall/shorewall.conf</filename> to determine the
          shell to use when compiling programs and it uses the VERBOSITY
@ -330,7 +331,7 @@
 <command>/sbin/shorewall load firewall</command></programlisting>
              <para>The <ulink
-              url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+              url="manpages/shorewall.html"><command>load</command></ulink>
              command compiles a firewall script from the configuration files
              in the current working directory (using <command>shorewall
              compile -e</command>), copies that file to the remote system via
@ -374,7 +375,7 @@
 <command>/sbin/shorewall reload firewall</command></programlisting>
        <para>The <ulink
-        url="starting_and_stopping_shorewall.htm#Reload"><command>reload</command></ulink>
+        url="manpages/shorewall.html"><command>reload</command></ulink>
        command compiles a firewall script from the configuration files in the
        current working directory (using <command>shorewall compile
        -e</command>), copies that file to the remote system via scp and
@ -771,31 +772,37 @@ clean:
    file:</para>
    <blockquote>
-      <programlisting>NAT_ENABLED=Yes                 # NAT
+      <programlisting>#
-MANGLE_ENABLED=Yes              # Packet Mangling
+# Shorewall  detected the following iptables/netfilter capabilities - Fri Jul 27 14:22:31 PDT 2007
-MULTIPORT=Yes                   # Multi-port Match
+#
-XMULTIPORT=Yes                  # Extended Multi-port Match
+NAT_ENABLED=Yes
-CONNTRACK_MATCH=Yes             # Connection Tracking Match
+MANGLE_ENABLED=Yes
-USEPKTTYPE=                     # Packet Type Match
+MULTIPORT=Yes
-POLICY_MATCH=Yes                # Policy Match
+XMULTIPORT=Yes
-PHYSDEV_MATCH=Yes               # Physdev Match
+CONNTRACK_MATCH=Yes
-LENGTH_MATCH=Yes                # Packet Length Match
+USEPKTTYPE=Yes
-IPRANGE_MATCH=Yes               # IP range Match
+POLICY_MATCH=Yes
-RECENT_MATCH=Yes                # Recent Match
+PHYSDEV_MATCH=Yes
-OWNER_MATCH=Yes                 # Owner match
+LENGTH_MATCH=Yes
-IPSET_MATCH=                    # Ipset Match
+IPRANGE_MATCH=Yes
-CONNMARK=Yes                    # CONNMARK Target
+RECENT_MATCH=Yes
-XCONNMARK=Yes                   # Extended CONNMARK Target
+OWNER_MATCH=Yes
-CONNMARK_MATCH=Yes              # Connmark Match
+IPSET_MATCH=
-XCONNMARK_MATCH=Yes             # Extended Connmark Match
+CONNMARK=Yes
-RAW_TABLE=Yes                   # Raw Table
+XCONNMARK=Yes
-IPP2P_MATCH=                    # IPP2P Match
+CONNMARK_MATCH=Yes
-CLASSIFY_TARGET=Yes             # CLASSIFY Target
+XCONNMARK_MATCH=Yes
-ENHANCED_REJECT=Yes             # Extended REJECT
+RAW_TABLE=Yes
-KLUDGEFREE=                     # iptables accepts multiple "-m iprange" or "-m physdev" in a single command
+IPP2P_MATCH=
-MARK=Yes                        # MARK Target Support
+CLASSIFY_TARGET=Yes
-XMARK=YES                       # Extended MARK Target Support
+ENHANCED_REJECT=Yes
-MANGLE_FORWARD                  # Mangle table has FORWARD chain</programlisting>
+KLUDGEFREE=Yes
 MARK=Yes
 XMARK=Yes
 MANGLE_FORWARD=Yes
 COMMENTS=Yes
 ADDRTYPE=Yes
 CAPVERSION=30405</programlisting>
    </blockquote>
    <para>As you can see, the file contains a simple list of shell variable
@ -876,4 +883,4 @@ MANGLE_FORWARD                  # Mangle table has FORWARD chain</programlisting
    is the level specified in the shorewall.conf file used when then program
    was compiled.</para>
  </section>
-</article>
+</article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@ -182,29 +182,26 @@
          </row>
          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
+            <entry><ulink url="two-interface.htm#DNAT">DNAT</ulink> (Port
-            subnet</ulink></entry>
+            Forwarding)</entry>
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
            <entry><ulink
            url="troubleshoot.htm">Troubleshooting</ulink></entry>
          </row>
          <row>
            <entry><ulink url="shorewall_extension_scripts.htm">Extension
            Scripts</ulink> (User Exits)</entry>
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
          </row>
          <row>
-            <entry><ulink
+            <entry><ulink url="ECN.html">ECN Disabling by host or
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            subnet</ulink></entry>
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
          </row>
          <row>
            <entry><ulink url="shorewall_extension_scripts.htm">Extension
            Scripts</ulink> (User Exits)</entry>
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@ -214,21 +211,32 @@
          </row>
          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
            url="fallback.htm">Fallback/Uninstall</ulink></entry>
            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>
          <row>
            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
            <entry><ulink url="whitelisting_under_shorewall.htm">White List
            Creation</ulink></entry>
          </row>
          <row>
            <entry><ulink
            url="shorewall_features.htm">Features</ulink></entry>
            <entry><ulink url="ports.htm">Port Information</ulink></entry>
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            Creation</ulink></entry>
+            DomU</ulink></entry>
          </row>
          <row>
@ -238,8 +246,8 @@
            <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
            of the 'Recent Match'</ulink></entry>
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            DomU</ulink></entry>
+            Xen Dom0</ulink></entry>
          </row>
          <row>
@ -247,8 +255,7 @@
            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            <entry></entry>
            Xen Dom0</ulink></entry>
          </row>
          <row>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2001 - 2005</year>
+      <year>2001 - 2007</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -52,9 +52,10 @@
      <listitem>
        <para>The packet is part of an established connecection. While the
        packet can be logged using LOG rules in the ESTABLISHED section of
-        <ulink url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>,
+        <ulink
-        that is not recommended because of the large amount of information
+        url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
-        that may be logged.</para>
+        is not recommended because of the large amount of information that may
        be logged.</para>
      </listitem>
      <listitem>
@ -67,8 +68,8 @@
      <listitem>
        <para>The packet is rejected because of an option in <ulink
-        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink> or
+        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>
-        <ulink
+        or <ulink
        url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.
        These packets can be logged by setting the appropriate logging-related
        option in <ulink
@ -87,9 +88,9 @@
      <listitem>
        <para>The packet doesn't match a rule so it is handled by a policy
        defined in <ulink
-        url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink>. These
+        url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink>.
-        may be logged by specifying a syslog level in the LOG LEVEL column of
+        These may be logged by specifying a syslog level in the LOG LEVEL
-        the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
+        column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
        role="bold">info</emphasis></quote>).</para>
      </listitem>
    </orderedlist>
@ -154,11 +155,11 @@
      If you are unsure of the level to choose, 6 (info) is a safe bet. You
      may specify levels by name or by number.</para>
-      <para>Syslogd writes log messages to files (typically in /var/log/*)
+      <para>Syslogd writes log messages to files (typically in <filename
-      based on their facility and level. The mapping of these facility/level
+      class="directory">/var/log/</filename>*) based on their facility and
-      pairs to log files is done in /etc/syslog.conf (5). If you make changes
+      level. The mapping of these facility/level pairs to log files is done in
-      to this file, you must restart syslogd before the changes can take
+      /etc/syslog.conf (5). If you make changes to this file, you must restart
-      effect.</para>
+      syslogd before the changes can take effect.</para>
      <para>Syslog may also write to your system console. See <ulink
      url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
@ -197,9 +198,9 @@
      <note>
        <para>The ULOG logging mechanism is <emphasis
        role="underline">completely separate</emphasis> from syslog. Once you
-        switch to ULOG, the settings in /etc/syslog.conf have absolutely no
+        switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
-        effect on your Shorewall logging (except for Shorewall status messages
+        have absolutely no effect on your Shorewall logging (except for
-        which still go to syslog).</para>
+        Shorewall status messages which still go to syslog).</para>
      </note>
      <para>You will need to change all instances of log levels (usually
@ -224,11 +225,13 @@ shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
 shorewall.conf:RFC1918_LOG_LEVEL=$LOG
 gateway:/etc/shorewall#                                               </programlisting>
-      <para>Finally edit /etc/shorewall/shorewall.conf and set
+      <para>Finally edit <filename>/etc/shorewall/shorewall.conf</filename>
-      LOGFILE=&lt;<emphasis>file that you wish to log to</emphasis>&gt;. This
+      and set LOGFILE=&lt;<emphasis>file that you wish to log
-      tells the /sbin/shorewall program where to look for the log when
+      to</emphasis>&gt;. This tells the <filename>/sbin/shorewall</filename>
-      processing its <quote>show log</quote>, <quote>logwatch</quote> and
+      program where to look for the log when processing its
-      <quote>monitor</quote> commands.</para>
+      <quote><command>show log</command></quote>,
      <quote><command>logwatch</command></quote> and
      <quote><command>dump</command></quote> commands.</para>
    </section>
  </section>
@ -237,7 +240,10 @@ gateway:/etc/shorewall#                                               </programl
    <para><ulink
    url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink>
-    is a post describing configuring syslog-ng to work with Shorewall.</para>
+    is a post describing configuring syslog-ng to work with Shorewall. Recent
    <trademark>SuSE</trademark> releases come preconfigured with syslog-ng
    with Netfilter messages (including Shorewall's) are written to
    <filename>/var/log/firewall</filename>.</para>
  </section>
  <section id="Contents">
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -559,8 +559,8 @@ root@lists:~# </programlisting>
    (<ulink
    url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
-    <para>The remainder of this quide will assume that you have configured
+    <para id="Diagram">The remainder of this quide will assume that you have
-    your network as shown here: <mediaobject>
+    configured your network as shown here: <mediaobject>
        <imageobject>
          <imagedata fileref="images/basics1.png" format="PNG" />
        </imageobject>
@ -656,8 +656,9 @@ root@lists:~# </programlisting>
    rather necessary for those clients to address their connection requests to
    the firewall who rewrites the destination address to the address of your
    server and forwards the packet to that server. When your server responds,
-    the firewall automatically performs <acronym>SNAT</acronym> to rewrite the
+    the firewall automatically performs <acronym><link
-    source address in the response.</para>
+    linkend="SNAT">SNAT</link></acronym> to rewrite the source address in the
    response.</para>
    <para>The above process is called <emphasis>Port Forwarding</emphasis> or
    <emphasis>Destination Network Address Translation</emphasis>
@ -672,35 +673,45 @@ root@lists:~# </programlisting>
 DNAT      net       loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
        <para>Be sure to add your rules after the line that reads <emphasis
        role="bold">SECTON NEW.</emphasis></para>
      </important><important>
        <para>The server must have a static IP address. If you assign IP
        addresses to your local system using DHCP, you need to configure your
        DHCP server to always assign the same IP address to systems that are
        the target of a DNAT rule.</para>
      </important>Shorewall has <ulink url="Macros.html">macros</ulink> for
-    many popular applications. Look at /usr/share/shorewall/macro.* to see
+    many popular applications. Look at the output of <command>shorewall show
-    what is available in your release. Macros simplify creating DNAT rules by
+    macros</command> to see what is available in your release. Macros simplify
-    supplying the protocol and port(s) as shown in the following
+    creating DNAT rules by supplying the protocol and port(s) as shown in the
-    examples.</para>
+    following examples.</para>
    <para><example id="Example1" label="1">
        <title>Web Server</title>
-        <para>You run a Web Server on computer 2 and you want to forward
+        <para>You run a Web Server on computer 2 in <link
        linkend="Diagram">the above diagram</link> and you want to forward
        incoming <acronym>TCP</acronym> port 80 to that system:
        <programlisting>#ACTION   SOURCE    DEST             PROTO     DEST PORT(S)
 Web/DNAT  net       loc:10.10.10.2</programlisting></para>
      </example> <example id="Example2" label="2">
        <title>FTP Server</title>
-        <para>You run an <acronym>FTP</acronym> Server on computer 1 so you
+        <para>You run an <acronym>FTP</acronym> Server on <link
-        want to forward incoming <acronym>TCP</acronym> port 21 to that
+        linkend="Diagram">computer 1</link> so you want to forward incoming
-        system: <programlisting>#ACTION    SOURCE    DEST            PROTO     DEST PORT(S)
+        <acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION    SOURCE    DEST            PROTO     DEST PORT(S)
 FTP/DNAT   net       loc:10.10.10.1</programlisting> For
        <acronym>FTP</acronym>, you will also need to have
        <acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
        support in your kernel. For vendor-supplied kernels, this means that
        the <filename class="libraryfile">ip_conntrack_ftp</filename> and
-        <filename class="libraryfile">ip_nat_ftp</filename> modules must be
+        <filename class="libraryfile">ip_nat_ftp</filename> modules
-        loaded. Shorewall will automatically load these modules if they are
+        (<filename>nf_conntrack_ftp</filename> and
-        available and located in the standard place under <filename
+        <filename>nf_nat_ftp</filename> in later 2.6 kernels) must be loaded.
        Shorewall will automatically load these modules if they are available
        and located in the standard place under <filename
        class="directory">/lib/modules/&lt;kernel
-        version&gt;/kernel/net/ipv4/netfilter</filename>.</para>
+        version&gt;/kernel/net/ipv4/netfilter</filename>. See the <ulink
        url="FTP.html">Shorewall FTP documentation</ulink> for more
        information.</para>
      </example> A couple of important points to keep in mind: <itemizedlist>
        <listitem>
          <para>You must test the above rule from a client outside of your
@ -736,10 +747,16 @@ DNAT       net       loc:10.10.10.2:80  tcp       5000</programlisting>
      <para>For DNAT troubleshooting tips, <ulink url="FAQ.htm#faq1a">see FAQs
      1a and 1b</ulink>.</para>
    </important>
    <para>For information about DNAT when there are multiple external IP
    addresses, see the <ulink
    url="Shorewall_and_Aliased_Interfaces.html">Shorewall Aliased Interface
    documentation</ulink> and the <ulink
    url="shorewall_setup_guide.htm#dnat">Shorewall Setup Guide</ulink>.</para>
  </section>
  <section id="DNS">
-    <title>Domain Name Server (DNS)</title>
+    <title>DDomain Name Server (DNS)</title>
    <para>Normally, when you connect to your ISP, as part of getting an IP
    address your firewall's <emphasis>Domain Name Service</emphasis>