Updates/corrections to beginner articles

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-03-05 08:57:21 -08:00 · 2014-03-05 08:57:21 -08:00 · 3cfee0e43c
commit 3cfee0e43c
parent 8b4d8bfa16
3 changed files with 82 additions and 41 deletions
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@ -515,15 +515,16 @@ root@lists:~# </programlisting>

    <para>If you wish to enable connections from the Internet to your firewall
    and you find an appropriate macro in
-    <filename>/etc/shorewall/macro.*</filename>, the general format of a rule
-    in <filename>/etc/shorewall/rules</filename> is:</para>
+    <filename>/usr/share/shorewall/macro.*</filename>, the general format of a
+    rule in <filename>/etc/shorewall/rules</filename> is:</para>

    <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
 &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net       $FW</programlisting>

    <important>
      <para>Be sure to add your rules after the line that reads <emphasis
-      role="bold">SECTION NEW.</emphasis></para>
+      role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
+      later).</para>
    </important>

    <example id="Example1">
@ -605,19 +606,34 @@ SSH(ACCEPT) net       $FW           </programlisting>
    <quote><command>shorewall stop</command></quote>. When the firewall is
    stopped, routing is enabled on those hosts that have an entry in
    <filename><ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
-    A running firewall may be restarted using the <quote><command>shorewall
-    restart</command></quote> command. If you want to totally remove any trace
-    of Shorewall from your Netfilter configuration, use
-    <quote><command>shorewall clear</command></quote>.</para>
+    url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
+    (<filename><ulink
+    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
+    in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
+    the <quote><command>shorewall restart</command></quote> command. If you
+    want to totally remove any trace of Shorewall from your Netfilter
+    configuration, use <quote><command>shorewall
+    clear</command></quote>.</para>

    <warning>
      <para>If you are connected to your firewall from the Internet, do not
      issue a <quote><command>shorewall stop</command></quote> command unless
-      you have added an entry for the IP address that you are connected from
-      to <ulink
-      url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
-      Also, I don't recommend using <quote><command>shorewall
+      you have either:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Used ADMINISABSENTMINDED=Yes in
+          <filename>/etc/shorewall/shorewall.conf</filename> or</para>
+        </listitem>
+
+        <listitem>
+          <para>added an entry for the IP address that you are connected from
+          to <ulink
+          url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>Also, I don't recommend using <quote><command>shorewall
      restart</command></quote>; it is better to create an <emphasis><ulink
      url="configuration_file_basics.htm#Configs">alternate
      configuration</ulink></emphasis> and test it using the <ulink
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@ -193,7 +193,6 @@
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
-/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
@ -954,8 +953,8 @@ DNS(ACCEPT) $FW       dmz:10.10.11.1             </programlisting></para>
    a <emphasis>defined macro</emphasis>. Shorewall includes a number of
    defined macros and <ulink url="Macros.html">you can add your own</ulink>.
    To see the list of macros included with your version of Shorewall, run the
-    command <command>ls
-    <filename>/usr/share/shorewall/macro.*</filename></command>.</para>
+    command <command>shorewall show
+    <filename>macros</filename></command>.</para>

    <para>You don't have to use defined macros when coding a rule in
    <filename>/etc/shorewall/rules</filename>. The first example above (name
@ -1128,12 +1127,14 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    <para>The firewall is started using the <command>shorewall start</command>
    command and stopped using <command>shorewall stop</command>. When the
    firewall is stopped, routing is enabled on those hosts that have an entry
-    in <ulink
-    url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
-    A running firewall may be restarted using the <command>shorewall
-    restart</command> command. If you want to totally remove any trace of
-    Shorewall from your Netfilter configuration, use <command>shorewall
-    clear</command>.</para>
+    in <filename><ulink
+    url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
+    (<ulink
+    url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
+    on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
+    the <command>shorewall restart</command> command. If you want to totally
+    remove any trace of Shorewall from your Netfilter configuration, use
+    <command>shorewall clear</command>.</para>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

@ -1144,16 +1145,26 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    DMZ or if you want to enable a different set of hosts, modify
    <filename>/etc/shorewall/routestopped</filename> accordingly. <warning>
        <para>If you are connected to your firewall from the Internet, do not
-        issue a <command>shorewall stop</command> command unless you have
-        added an entry for the IP address that you are connected from to
-        <ulink
-        url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
-        Also, I don't recommend using <command>shorewall restart</command>; it
-        is better to create an <ulink
-        url="configuration_file_basics.htm#Levels">alternate
-        configuration</ulink> and test it using the <ulink
-        url="starting_and_stopping_shorewall.htm"><command>shorewall
-        try</command> command</ulink>.</para>
+        issue a <quote><command>shorewall stop</command></quote> command
+        unless you have either:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Used ADMINISABSENTMINDED=Yes in
+            <filename>/etc/shorewall/shorewall.conf</filename>; or</para>
+          </listitem>
+
+          <listitem>
+            <para>added an entry for the <acronym>IP</acronym> address that
+            you are connected from to <filename
+            class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
+          </listitem>
+        </orderedlist>
+
+        <para>Also, I don't recommend using <quote><command>shorewall
+        restart</command></quote>; it is better to create an alternate
+        configuration and test it using the <quote><command>shorewall
+        try</command></quote> command.</para>
      </warning></para>

    <para>The firewall will start after your network interfaces have been
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -171,7 +171,6 @@
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
-/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
 ~#</programlisting>
@ -203,8 +202,9 @@

              <para>If you install using the .deb, you will find that your
              <filename class="directory">/etc/shorewall</filename> directory
-              is empty. This is intentional. The released configuration file
-              skeletons may be found on your system in the directory <filename
+              is practially empty. This is intentional. The released
+              configuration file skeletons may be found on your system in the
+              directory <filename
              class="directory">/usr/share/doc/shorewall/default-config</filename>.
              Simply copy the files you need from that directory to <filename
              class="directory">/etc/shorewall</filename> and modify the
@ -910,8 +910,8 @@ DNS(ACCEPT) $FW       net</programlisting>This rule allows

    <para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of
    a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
-    macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
-    url="Macros.html">you can add your own</ulink>.</para>
+    macros (command <emphasis role="bold">shorewall show macros</emphasis>)
+    and <ulink url="Macros.html">you can add your own</ulink>.</para>

    <para>You don't have to use defined macros when coding a rule in
    <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
@ -1046,7 +1046,9 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    <quote><command>shorewall stop</command></quote>. When the firewall is
    stopped, routing is enabled on those hosts that have an entry in <filename
    class="directory">/etc/shorewall/</filename><filename><ulink
-    url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>.
+    url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>
+    (Shorewall 4.5.7 and earlier) or in<filename> <ulink
+    url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
    A running firewall may be restarted using the <quote><command>shorewall
    restart</command></quote> command. If you want to totally remove any trace
    of Shorewall from your Netfilter configuration, use
@ -1063,10 +1065,22 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    accordingly. <warning>
        <para>If you are connected to your firewall from the Internet, do not
        issue a <quote><command>shorewall stop</command></quote> command
-        unless you have added an entry for the <acronym>IP</acronym> address
-        that you are connected from to <filename
-        class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
-        Also, I don't recommend using <quote><command>shorewall
+        unless you have either:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Used ADMINISABSENTMINDED=Yes in
+            <filename>/etc/shorewall/shorewall.conf</filename>; or</para>
+          </listitem>
+
+          <listitem>
+            <para>added an entry for the <acronym>IP</acronym> address that
+            you are connected from to <filename
+            class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
+          </listitem>
+        </orderedlist>
+
+        <para> Also, I don't recommend using <quote><command>shorewall
        restart</command></quote>; it is better to create an alternate
        configuration and test it using the <quote><command>shorewall
        try</command></quote> command.</para>