holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Some 4.4 cleanup of the Configuration File Basics doc

Browse Source
This commit is contained in:
Tom Eastep 2009-06-28 08:11:27 -07:00
parent bbd9ff0a25
commit 355a515b1b
1 changed files with 19 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
docs/configuration_file_basics.xml
View File

@ -88,11 +88,6 @@
Translation (SNAT).</para> Translation (SNAT).</para>
</listitem> </listitem>
<listitem>
<para><filename>/etc/shorewall/modules</filename> - directs the
firewall to load kernel modules.</para>
</listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/rules</filename> - defines rules that <para><filename>/etc/shorewall/rules</filename> - defines rules that
are exceptions to the overall policies established in are exceptions to the overall policies established in
@ -219,14 +214,20 @@
macros defined by Shorewall.</para> macros defined by Shorewall.</para>
</listitem> </listitem>
<listitem>
<para><filename>/usr/share/shorewall/modules</filename> - directs
the firewall to load kernel modules. </para>
</listitem>
<listitem> <listitem>
<para><filename>/usr/share/modules</filename> — Specifies the kernel <para><filename>/usr/share/modules</filename> — Specifies the kernel
modules to be loaded during shorewall start/restart . <emphasis modules to be loaded during shorewall start/restart . .</para>
role="bold">If you need to change this file, copy it to
<filename>/etc/shorewall</filename> and modify the
copy</emphasis>.</para>
</listitem> </listitem>
</itemizedlist></para> </itemizedlist></para>
<para><emphasis role="bold">If you need to change a file in
/usr/share/shorewall/, copy it to <filename>/etc/shorewall</filename> and
modify the copy</emphasis></para>
</section> </section>
<section id="Manpages"> <section id="Manpages">
@ -976,30 +977,18 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<para>In most cases where a port or port range may appear, a <para>In most cases where a port or port range may appear, a
comma-separated list of ports or port ranges may also be entered. comma-separated list of ports or port ranges may also be entered.
Shorewall will use the Netfilter <emphasis Shorewall requires the Netfilter <emphasis
role="bold">multiport</emphasis> match capability if it is available (see role="bold">multiport</emphasis> match capability if ports lists are used
the output of "<emphasis role="bold">shorewall show (see the output of "<emphasis role="bold">shorewall show
capabilities</emphasis>") and if its use is appropriate.</para> capabilities</emphasis>").</para>
<para>Shorewall can use multiport match if:</para>
<orderedlist>
<listitem>
<para>The list contains 15 or fewer port number; and</para>
</listitem>
<listitem>
<para>There are no port ranges listed OR your iptables/kernel support
the Extended <emphasis role="bold">multiport</emphasis> match (again
see the output of "<command>shorewall show capabilities</command>").
Where the Extended <emphasis role="bold">multiport</emphasis> match is
available, each port range counts as two ports toward the maximum of
15.</para>
</listitem>
</orderedlist>
<para>Also, unless otherwise documented, a port list can be preceded by <para>Also, unless otherwise documented, a port list can be preceded by
'!' to specify "All ports except these" (e.g., "!80,443").</para> '!' to specify "All ports except these" (e.g., "!80,443").</para>
<para>Port lists appearing in the <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
file may specify no more than 15 ports; port ranges appearing in a list
count as two ports each.</para>
</section> </section>
<section id="MAC"> <section id="MAC">