Rest of the Shorewall6 manpages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9045 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-14 17:37:30 +00:00
parent 3272f6797e
commit 3f85cc86aa
26 changed files with 837 additions and 2117 deletions

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-lite-vardir</refentrytitle>
<refentrytitle>shorewall6-lite-vardir</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>vardir</refname>
<refpurpose>Shorewall Lite file</refpurpose>
<refpurpose>Shorewall6 Lite file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall-lite/vardir</command>
<command>/etc/shorewall6-lite/vardir</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -22,9 +24,9 @@
<title>Description</title>
<para>This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall Lite to store state
want to change the directory used by Shorewall6 Lite to store state
information, including compiled firewall scripts. By default, the
directory used is <filename>/var/lib/shorewall-lite/</filename>.</para>
directory used is <filename>/var/lib/shorewall6-lite/</filename>.</para>
<para>The file contains a single variable assignment:</para>
@ -32,33 +34,31 @@
<para>where <replaceable>directory</replaceable> is the name of a
directory. If you add this file, you should copy the files from
<filename>/var/lib/shorewall-lite</filename> to the new directory before
performing a <command>shorewall-lite restart</command>.</para>
<filename>/var/lib/shorewall6-lite</filename> to the new directory before
performing a <command>shorewall6-lite restart</command>.</para>
</refsect1>
<refsect1>
<title>Example</title>
<para>VARDIR=/root/shorewall</para>
<para>VARDIR=/root/shorewall6</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall-lite/vardir</para>
<para>/etc/shorewall6-lite/vardir</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>
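Review bot: the See ALSO paragraph for this Lite page points readers at shorewall6(8) rather than shorewall6-lite(8), which is the utility this file is read by (the synopsis gives /etc/shorewall6-lite/vardir and a `shorewall6-lite restart`); the shorewall6-lite.conf page in this same commit lists shorewall6-lite(8), so use that here for consistency.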

View File

@ -1,27 +1,29 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-lite.conf</refentrytitle>
<refentrytitle>shorewall6-lite.conf</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>shorewall-lite.conf</refname>
<refname>shorewall6-lite.conf</refname>
<refpurpose>Shorewall Lite global configuration file</refpurpose>
<refpurpose>Shorewall6 Lite global configuration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall-lite/shorewall-lite.conf</command>
<command>/etc/shorewall6-lite/shorewall6-lite.conf</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file sets options that apply to Shorewall Lite as a
<para>This file sets options that apply to Shorewall6 Lite as a
whole.</para>
<para>The file consists of Shell comments (lines beginning with '#'),
@ -31,15 +33,15 @@
it's effect.</para>
<para>Any option not specified in this file gets its value from the
shorewall.conf file used during compilation of
/var/lib/shorewall-lite/firewall. Those settings may be found in the file
/var/lib/shorewall-lite/firewall.conf.</para>
shorewall6.conf file used during compilation of
/var/lib/shorewall6-lite/firewall. Those settings may be found in the file
/var/lib/shorewall6-lite/firewall.conf.</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<para>The following options may be set in shorewall.conf.</para>
<para>The following options may be set in shorewall6.conf.</para>
<variablelist>
<varlistentry>
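Review bot: the context line "it's effect" should read "its effect" (possessive), and the new OPTIONS line "The following options may be set in shorewall6.conf." names the wrong file for this page, which documents /etc/shorewall6-lite/shorewall6-lite.conf per the synopsis; suggest "may be set in shorewall6-lite.conf".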
@ -48,7 +50,7 @@
<listitem>
<para>This parameter names the iptables executable to be used by
Shorewall. If not specified or if specified as a null value, then
Shorewall6. If not specified or if specified as a null value, then
the iptables executable located using the PATH option is
used.</para>
</listitem>
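Review bot: this entry still says "names the iptables executable" after the product rename, while the rest of the commit consistently changes iptables to ip6tables (for example the `ip6tables -L` and `ip6tables -t mangle` text in the shorewall6-lite(8) hunks); the IPv6 product invokes ip6tables, so the description should say "names the ip6tables executable".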
@ -59,8 +61,8 @@
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This parameter tells the /sbin/shorewall program where to look
for Shorewall messages when processing the <emphasis
<para>This parameter tells the /sbin/shorewall6 program where to look
for Shorewall6 messages when processing the <emphasis
role="bold">dump</emphasis>, <emphasis
role="bold">logwatch</emphasis>, <emphasis role="bold">show
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
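Review bot: "/sbin/shorewall6 program" is the wrong binary for a shorewall6-lite.conf page; the program that reads this file and implements `dump`, `logwatch`, `show log` and `hits` on a Lite system is /sbin/shorewall6-lite (the synopsis and FILES sections of this page are all under shorewall6-lite). Suggest "/sbin/shorewall6-lite program".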
@ -76,7 +78,7 @@
<listitem>
<para>The value of this variable generate the --log-prefix setting
for Shorewall logging rules. It contains a “printf” formatting
for Shorewall6 logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging rule
number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:</para>
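Review bot: grammar in the retained context line: "The value of this variable generate the --log-prefix setting" should be "generates".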
@ -87,7 +89,7 @@
logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then
“Shorewall:%s:%s:” is assumed.</para>
“Shorewall6:%s:%s:” is assumed.</para>
</listitem>
</varlistentry>
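Review bot: changing the documented default from "Shorewall:%s:%s:" to "Shorewall6:%s:%s:" is a behavioural claim, not just a rename; please confirm the compiled firewall script really defaults to that prefix, because `logwatch`, `hits` and `show log` locate messages by it and any syslog filters or log-monitoring rules keyed on the "Shorewall:" prefix will silently miss IPv6 entries if the two disagree.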
@ -96,7 +98,7 @@
role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
<listitem>
<para>Determines the order in which Shorewall searches directories
<para>Determines the order in which Shorewall6 searches directories
for executable files.</para>
</listitem>
</varlistentry>
@ -106,22 +108,22 @@
role="bold">RESTOREFILE=</emphasis>[<emphasis>filename</emphasis>]</term>
<listitem>
<para>Specifies the simple name of a file in /var/lib/shorewall to
<para>Specifies the simple name of a file in /var/lib/shorewall6 to
be used as the default restore script in the <emphasis
role="bold">shorewall save</emphasis>, <emphasis
role="bold">shorewall restore</emphasis>, <emphasis
role="bold">shorewall forget </emphasis>and <emphasis
role="bold">shorewall -f start</emphasis> commands.</para>
role="bold">shorewall6 save</emphasis>, <emphasis
role="bold">shorewall6 restore</emphasis>, <emphasis
role="bold">shorewall6 forget </emphasis>and <emphasis
role="bold">shorewall6 -f start</emphasis> commands.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
role="bold">SHOREWALL6_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This option is used to specify the shell program to be used to
run the Shorewall compiler and to interpret the compiled script. If
run the Shorewall6 compiler and to interpret the compiled script. If
not specified or specified as a null value, /bin/sh is assumed.
Using a light-weight shell such as ash or dash can significantly
improve performance.</para>
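Review bot: SHOREWALL_SHELL to SHOREWALL6_SHELL renames a configuration key, not just prose; confirm that shorewall6-lite actually reads SHOREWALL6_SHELL, otherwise a setting made per this page is ignored and /bin/sh is used silently. In the same hunk, RESTOREFILE says the file lives in /var/lib/shorewall6, whereas this Lite page's state directory is /var/lib/shorewall6-lite (see the vardir page in this commit), and the command names should be `shorewall6-lite save`, `shorewall6-lite restore`, `shorewall6-lite forget` and `shorewall6-lite -f start` as in the shorewall6-lite(8) page.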
@ -135,10 +137,10 @@
<listitem>
<para>This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when it
stops. Creating and removing this file allows Shorewall to work with
stops. Creating and removing this file allows Shorewall6 to work with
your distribution's initscripts. For RedHat, this should be set to
/var/lock/subsys/shorewall. For Debian, the value is
/var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
/var/lock/subsys/shorewall6. For Debian, the value is
/var/state/shorewall6 and in LEAF it is /var/run/shorwall.</para>
</listitem>
</varlistentry>
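Review bot: the LEAF value "/var/run/shorwall" carries over a typo (missing "e") from the old line, and unlike the RedHat and Debian values it was not updated to the shorewall6 name; suggest "/var/run/shorewall6".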
@ -146,7 +148,7 @@
<term>VERBOSITY=[<emphasis role="bold">number</emphasis>]</term>
<listitem>
<para>Shorewall has traditionally been very noisy (produced lots of
<para>Shorewall6 has traditionally been very noisy (produced lots of
output). You may set the default level of verbosity using the
VERBOSITY OPTION.</para>
@ -171,7 +173,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall-lite/shorewall.conf</para>
<para>/etc/shorewall6-lite/shorewall6.conf</para>
</refsect1>
<refsect1>
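Review bot: FILES lists /etc/shorewall6-lite/shorewall6.conf, but the synopsis of this same page gives /etc/shorewall6-lite/shorewall6-lite.conf; the two should agree (the old page had the same mismatch between shorewall.conf and shorewall-lite.conf, so this is the moment to fix it).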
@ -180,13 +182,13 @@
<para><ulink
url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
<para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6-lite(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>
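Review bot: this See ALSO list keeps shorewall6-ipsec(5), shorewall6-masq(5), shorewall6-nat(5), shorewall6-netmap(5) and shorewall6-proxyarp(5), while the vardir and shorewall6-lite(8) pages in this same commit drop exactly those entries from their lists; pick one list and use it in all three pages.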

View File

@ -1,21 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-lite</refentrytitle>
<refentrytitle>shorewall6-lite</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>shorewall-lite</refname>
<refname>shorewall6-lite</refname>
<refpurpose>Administration tool for Shoreline Firewall Lite
(Shorewall-lite)</refpurpose>
<refpurpose>Administration tool for Shoreline Firewall 6 Lite
(Shorewall6-lite)</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -28,7 +30,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -39,7 +41,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -52,7 +54,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -66,7 +68,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -78,7 +80,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -88,7 +90,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -98,38 +100,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>ipcalc</option></arg>
<group choice="req">
<arg choice="plain"><replaceable>address</replaceable>
<replaceable>mask</replaceable></arg>
<arg
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
</group>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iprange</option></arg>
<arg
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -142,7 +113,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -156,7 +127,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -169,7 +140,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -182,7 +153,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -194,7 +165,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -207,7 +178,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -220,7 +191,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -231,14 +202,14 @@
<arg><option>-x</option></arg>
<arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
{<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>
<arg><arg><option>chain</option></arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -252,7 +223,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -265,7 +236,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -279,7 +250,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -291,7 +262,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -305,22 +276,19 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>start</option></arg>
<arg><option>-n</option></arg>
<arg><option>-f</option><arg><option>-p</option></arg></arg>
<arg
choice="plain"><option>start</option><arg>-<option>n</option></arg><arg>-<option>p</option></arg><arg>-<option>f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
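Review bot: the restructured `start` synopsis changes the documented option nesting, not just the command name: the old form was `start [-n] [-f [-p]]`, with -p only meaningful together with -f, while the new `<arg choice="plain">` groups -n, -p and -f as three independent optional flags. Confirm that is intended and that the `start` entry's description of -p matches; if -p still requires -f, keep the old nesting.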
@ -331,7 +299,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -341,7 +309,7 @@
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -354,8 +322,8 @@
<refsect1>
<title>Description</title>
<para>The shorewall-lite utility is used to control the Shoreline Firewall
(Shorewall) Lite.</para>
<para>The shorewall6-lite utility is used to control the Shoreline
Firewall 6 (Shorewall6) Lite.</para>
</refsect1>
<refsect1>
@ -366,8 +334,8 @@
url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
<para>The nolock <option>option</option> prevents the command from
attempting to acquire the Shorewall Lite lockfile. It is useful if you
need to include <command>shorewall-lite</command> commands in the
attempting to acquire the Shorewall6 Lite lockfile. It is useful if you
need to include <command>shorewall6-lite</command> commands in the
<filename>started</filename> extension script.</para>
<para>The <emphasis>options</emphasis> control the amount of output that
@ -375,7 +343,7 @@
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
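Review bot: typo in the retained context line: "Anternately" should be "Alternately".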
@ -394,29 +362,6 @@
<para>The available commands are listed below.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">add</emphasis></term>
<listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used
with VPN's.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.<caution>
<para>The <command>add</command> command is not very robust. If
there are errors in the <replaceable>host-list</replaceable>,
you may see a large number of error messages yet a subsequent
<command>shorewall show zones</command> command will indicate
that all hosts were added. If this happens, replace
<command>add</command> by <command>delete</command> and run the
same command again. Then enter the correct command.</para>
</caution></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">allow</emphasis></term>
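Review bot: the `add` entry (and `delete` in the next hunk) is removed, but the only synopsis removal visible above is the ipcalc and iprange hunk; every other `cmdsynopsis` hunk is a plain command rename. Confirm the `cmdsynopsis` blocks for add and delete were dropped as well, otherwise the synopsis advertises commands this page no longer describes.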
@ -433,28 +378,13 @@
<term><emphasis role="bold">clear</emphasis></term>
<listitem>
<para>Clear will remove all rules and chains installed by Shorewall
<para>Clear will remove all rules and chains installed by Shorewall6
Lite. The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
<listitem>
<para>The delete command reverses the effect of an earlier <emphasis
role="bold">add</emphasis> command.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">drop</emphasis></term>
@ -474,7 +404,7 @@
<para>The <emphasis role="bold">-x</emphasis> option causes actual
packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
option causes any MAC addresses included in Shorewall Lite log
option causes any MAC addresses included in Shorewall6 Lite log
messages to be displayed.</para>
</listitem>
</varlistentry>
@ -483,11 +413,11 @@
<term><emphasis role="bold">forget</emphasis></term>
<listitem>
<para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
and /var/lib/shorewall-lite/save. If no
<para>Deletes /var/lib/shorewall6-lite/<emphasis>filenam</emphasis>e
and /var/lib/shorewall6-lite/save. If no
<emphasis>filename</emphasis> is given then the file specified by
RESTOREFILE in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) is
assumed.</para>
</listitem>
</varlistentry>
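Review bot: the markup `<emphasis>filenam</emphasis>e` splits the word, rendering "filenam" in italics followed by a plain "e"; the closing tag belongs after the full word: `<emphasis>filename</emphasis>`. The old line had the same defect, so it should be fixed while this line is being touched.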
@ -504,30 +434,11 @@
<term><emphasis role="bold">hits</emphasis></term>
<listitem>
<para>Generates several reports from Shorewall Lite log messages in
<para>Generates several reports from Shorewall6 Lite log messages in
the current log file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term>
<listitem>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
input[s].</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iprange</emphasis></term>
<listitem>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term>
@ -542,14 +453,14 @@
<listitem>
<para>Monitors the log file specified by theLOGFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
produces an audible alarm when new Shorewall Lite messages are
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) and
produces an audible alarm when new Shorewall6 Lite messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that
information is available. The
<replaceable>refresh-interval</replaceable> specifies the time in
seconds between screen refreshes. You can enter a negative number by
preceding the number with "--" (e.g., <command>shorewall-lite
preceding the number with "--" (e.g., <command>shorewall6-lite
logwatch -- -30</command>). In this case, when a packet count
changes, you will be prompted to hit any key to resume screen
refreshes.</para>
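Review bot: the retained context line "specified by theLOGFILE option" is missing a space: "the LOGFILE option".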
@ -578,11 +489,11 @@
<term><emphasis role="bold">restart</emphasis></term>
<listitem>
<para>Restart is similar to <emphasis role="bold">shorewall-lite
stop</emphasis> followed by <emphasis role="bold">shorewall-lite
<para>Restart is similar to <emphasis role="bold">shorewall6-lite
stop</emphasis> followed by <emphasis role="bold">shorewall6-lite
start</emphasis>. Existing connections are maintained.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
@ -595,14 +506,14 @@
<term><emphasis role="bold">restore</emphasis></term>
<listitem>
<para>Restore Shorewall Lite to a state saved using the <emphasis
role="bold">shorewall-lite save</emphasis> command. Existing
<para>Restore Shorewall6 Lite to a state saved using the <emphasis
role="bold">shorewall6-lite save</emphasis> command. Existing
connections are maintained. The <emphasis>filename</emphasis> names
a restore file in /var/lib/shorewall-lite created using <emphasis
role="bold">shorewall-lite save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall Lite will be
a restore file in /var/lib/shorewall6-lite created using <emphasis
role="bold">shorewall6-lite save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall6 Lite will be
restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -611,13 +522,13 @@
<listitem>
<para>The dynamic blacklist is stored in
/var/lib/shorewall-lite/save. The state of the firewall is stored in
/var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
<emphasis role="bold">shorewall-lite restore</emphasis> and
<emphasis role="bold">shorewall-lite -f start</emphasis> commands.
/var/lib/shorewall6-lite/save. The state of the firewall is stored
in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
the <emphasis role="bold">shorewall6-lite restore</emphasis> and
<emphasis role="bold">shorewall6-lite -f start</emphasis> commands.
If <emphasis>filename</emphasis> is not given then the state is
saved in the file specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -655,7 +566,7 @@
<listitem>
<para>The rules in each <emphasis>chain</emphasis> are
displayed using the <emphasis role="bold">iptables
displayed using the <emphasis role="bold">ip6tables
-L</emphasis> <emphasis>chain</emphasis> <emphasis
role="bold">-n -v</emphasis> command. If no
<emphasis>chain</emphasis> is given, all of the chains in the
@ -679,8 +590,8 @@
<listitem>
<para>Displays information about the packet classifiers
defined on the system 10-080213-8397as a result of traffic
shaping configuration.</para>
defined on the system as a result of traffic shaping
configuration.</para>
</listitem>
</varlistentry>
@ -715,7 +626,7 @@
<listitem>
<para>Displays the Netfilter mangle table using the command
<emphasis role="bold">iptables -t mangle -L -n
<emphasis role="bold">ip6tables -t mangle -L -n
-v</emphasis>.The <emphasis role="bold">-x</emphasis> option
is passed directly through to iptables and causes actual
packet and byte counts to be displayed. Without this option,
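Review bot: the command text becomes `ip6tables -t mangle -L -n -v`, but the following context sentence still says the -x option "is passed directly through to iptables"; change that to ip6tables too (the `show nat` entry in the next hunk has the same leftover), and add a space after the full stop in "-v</emphasis>.The".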
@ -728,7 +639,7 @@
<listitem>
<para>Displays the Netfilter nat table using the command
<emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
<emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
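Review bot: this hunk keeps a `show nat` entry documented as `ip6tables -t nat -L -n -v`, yet the `show` synopsis hunk earlier in this file deliberately drops `nat` from the `-t {filter|mangle|raw}` table list; the two are inconsistent. Either remove the nat entry here to match the synopsis, or restore `nat` in the synopsis if the table is meant to be supported.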
@ -749,7 +660,7 @@
<term><emphasis role="bold">zones</emphasis></term>
<listitem>
<para>Displays the current composition of the Shorewall Lite
<para>Displays the current composition of the Shorewall6 Lite
zones on the system.</para>
</listitem>
</varlistentry>
@ -761,16 +672,16 @@
<term><emphasis role="bold">start</emphasis></term>
<listitem>
<para>Start shorewall Lite. Existing connections through
shorewall-lite managed interfaces are untouched. New connections
<para>Start shorewall6 Lite. Existing connections through
shorewall6-lite managed interfaces are untouched. New connections
will be allowed only if they are allowed by the firewall rules or
policies. If <emphasis role="bold">-f</emphasis> is specified, the
saved configuration specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) will
be restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall. </para>
more recently than the files in /etc/shorewall6.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
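Review bot: "Start shorewall6 Lite" should capitalise the product name ("Start Shorewall6 Lite"), and the -f comparison now references "the files in /etc/shorewall6" on a page whose FILES section lists /etc/shorewall6-lite/; confirm which directory the Lite `-f start` actually compares the saved configuration against, and name that one.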
@ -785,11 +696,11 @@
<listitem>
<para>Stops the firewall. All existing connections, except those
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
are taken down. The only new traffic permitted through the firewall
is from systems listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in
shorewall6.conf(5), are taken down. The only new traffic permitted
through the firewall is from systems listed in <ulink
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
</listitem>
</varlistentry>
@ -799,7 +710,7 @@
<listitem>
<para>Produces a short report about the state of the
Shorewall-configured firewall.</para>
Shorewall6-configured firewall.</para>
</listitem>
</varlistentry>
@ -807,7 +718,7 @@
<term><emphasis role="bold">version</emphasis></term>
<listitem>
<para>Displays Shorewall-lite's version.</para>
<para>Displays Shorewall6-lite's version.</para>
</listitem>
</varlistentry>
</variablelist>
@ -816,23 +727,21 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall-lite/</para>
<para>/etc/shorewall6-lite/</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
url="http://www.shorewall.net/starting_and_stopping_shorewall6.htm">http://www.shorewall.net/starting_and_stopping_shorewall6.htm</ulink></para>
<para>shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>
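Review bot: the See ALSO link is changed to http://www.shorewall.net/starting_and_stopping_shorewall6.htm while the Trace link earlier in this page is left at starting_and_stopping.htm#Trace; confirm the shorewall6 page exists on the site before pointing a man page at it, or keep both links on the same page.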

View File

@ -156,12 +156,12 @@
role="bold">udp</emphasis> (6 or 17).</para>
<para>You may place a comma-separated list of port names or numbers
in this column if your kernel and iptables include multiport match
in this column if your kernel and ip6tables include multiport match
support.</para>
<para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
this column must contain an <emphasis>ipp2p-option</emphasis>
("iptables -m ipp2p --help") without the leading "--". If no option
("ip6tables -m ipp2p --help") without the leading "--". If no option
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
</listitem>
@ -179,7 +179,7 @@
UDP (6 or 17).</para>
<para>You may place a comma-separated list of port numbers in this
column if your kernel and iptables include multiport match
column if your kernel and ip6tables include multiport match
support.</para>
</listitem>
</varlistentry>
@ -287,8 +287,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -25,7 +25,7 @@
<para>This file allows you to define new ACTIONS for use in rules (see
<ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink>). You define
the iptables rules to be performed in an ACTION in
the ip6tables rules to be performed in an ACTION in
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
<para>ACTION names should begin with an upper-case letter to distinguish
@ -47,7 +47,7 @@
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/Actions.html">http://shorewall6.net/Actions.html</ulink></para>
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),

View File

@ -37,7 +37,7 @@
<listitem>
<para>Host address, network address, MAC address, IP address range
(if your kernel and iptables contain iprange match support) or ipset
(if your kernel and ip6tables contain iprange match support) or ipset
name prefaced by "+" (if your kernel supports ipset match).</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
@ -128,7 +128,7 @@
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/blacklisting_support.htm">http://shorewall6.net/blacklisting_support.htm</ulink></para>
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),

View File

@ -29,7 +29,7 @@
from a definition. An exclaimation point is followed by a comma-separated
list of addresses. The addresses may be single host addresses (e.g.,
fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
(e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and iptables include
(e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include
iprange support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>

View File

@ -83,7 +83,7 @@
<listitem>
<para>An IP address range of the form
<emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
Your kernel and iptables must have iprange match support.</para>
Your kernel and ip6tables must have iprange match support.</para>
</listitem>
<listitem>

View File

@ -78,7 +78,7 @@ loc eth2 -</programlisting>
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
discussion of this problem.</para>
<para>Shorewall6-perl allows '+' as an interface name.</para>
<para>Shorewall6 allows '+' as an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this
file.</para>
@ -127,8 +127,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">bridge</emphasis></term>
<listitem>
<para>(shorewall6-perl only) Designates the interface as a
bridge.</para>
<para>Designates the interface as a bridge.</para>
</listitem>
</varlistentry>
@ -188,8 +187,7 @@ loc eth2 -</programlisting>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you
are using shorewall6-perl. With shorewall6-perl, only those
<para>If a value (0 or 1) is specified, then only those
interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
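Review bot: the unchanged line after the rewritten sentence still reads "have their setting changes"; since the sentence is being reworded here anyway, make it "have their setting changed" so that "If a value (0 or 1) is specified, then only those interfaces with the routefilter option will have their setting changed" parses.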
@ -248,16 +246,6 @@ loc eth2 -</programlisting>
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">upnp</emphasis></term>
<listitem>
<para>Incoming requests from this interface may be remapped
via UPNP (upnpd). See <ulink
url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>

View File

@ -80,9 +80,9 @@
<listitem>
<para>If specified, both the MAC and IP address must match. This
column can contain a comma-separated list of host and/or subnet
addresses. If your kernel and iptables have iprange match support
addresses. If your kernel and ip6tables have iprange match support
then IP address ranges are also allowed. Similarly, if your kernel
and iptables include ipset support than set names (prefixed by "+")
and ip6tables include ipset support than set names (prefixed by "+")
are also allowed.</para>
</listitem>
</varlistentry>

View File

@ -24,7 +24,7 @@
<title>Description</title>
<para>This file specifies which kernel modules shorewall6 will load before
trying to determine your iptables/kernel's capabilities. Each record in
trying to determine your ip6tables/kernel's capabilities. Each record in
the file has the following format:</para>
<cmdsynopsis>

View File

@ -57,7 +57,7 @@ net eth0 - dhcp,nosmurfs</programlisting>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall6.net/configuration_file_basics.htm#Variables</ulink></para>
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
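Review bot: the url attribute keeps a stray "?" after the fragment in both the old and the new line (`url="http://www.shorewall.net/configuration_file_basics.htm#Variables?"`), so the link still targets `#Variables?` rather than `#Variables`; drop the "?" while the host name is being corrected.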

View File

@ -165,9 +165,9 @@
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Added in shorewall6-perl 4.0.3. Queue the request for a
user-space application using the nfnetlink_queue mechanism. If
a <replaceable>queuenumber</replaceable> is not given, queue
<para>Queue the request for a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not given, queue
zero (0) is assumed.</para>
</listitem>
</varlistentry>
@ -243,17 +243,17 @@
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in shorewall6-perl 4.2.1. May be used to limit the
number of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. While the limit is
only checked on connections to which this policy could apply, the
number of current connections is calculated over all current
connections from the SOURCE host. By default, the limit is applied
to each host individually but can be made to apply to networks of
hosts by specifying a <replaceable>mask</replaceable>. The
<replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<para>May be used to limit the number of simultaneous connections
from each individual host to <replaceable>limit</replaceable>
connections. While the limit is only checked on connections to which
this policy could apply, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the limit is applied to each host individually but can be
made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all
hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
</listitem>
</varlistentry>

View File

@ -285,7 +285,7 @@
<title>See ALSO</title>
<para><ulink
url="http://shorewall6.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),

View File

@ -48,7 +48,7 @@
<listitem>
<para>Comma-separated list of IP/subnet addresses. If your kernel
and iptables include iprange match support, IP address ranges are
and ip6tables include iprange match support, IP address ranges are
also allowed.</para>
<para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
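Review bot: the default stated in the trailing context line, "If left empty or supplied as "-", 0.0.0.0/0 is assumed.", is the IPv4 wildcard; for a file that is now documented against ip6tables the assumed value should be `::/0`, so update that sentence together with the iptables/ip6tables substitution.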

View File

@ -32,13 +32,6 @@
first terminating match is the one that determines the disposition of the
request. All rules are terminating except LOG and QUEUE rules.</para>
<warning>
<para>If you masquerade or use SNAT from a local system to the internet,
you cannot use an ACCEPT rule to allow traffic from the internet to that
system. You <emphasis role="bold">must</emphasis> use a DNAT rule
instead.</para>
</warning>
<para>The rules file is divided into sections. Each section is introduced
by a "Section Header" which is a line beginning with SECTION and followed
by the section name.</para>
@ -169,19 +162,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ACCEPT+</emphasis></term>
<listitem>
<para>like ACCEPT but also excludes the connection from any
subsequent matching <emphasis
role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>] or <emphasis
role="bold">REDIRECT</emphasis>[<emphasis
role="bold">-</emphasis>] rules</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ACCEPT!</emphasis></term>
@ -192,17 +172,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NONAT</emphasis></term>
<listitem>
<para>Excludes the connection from any subsequent <emphasis
role="bold">DNAT</emphasis>[-] or <emphasis
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
a rule to accept the traffic.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
@ -240,76 +209,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DNAT</emphasis></term>
<listitem>
<para>Forward the request to another system (and optionally
another port).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DNAT-</emphasis></term>
<listitem>
<para>Advanced users only.</para>
<para>Like <emphasis role="bold">DNAT</emphasis> but only
generates the <emphasis role="bold">DNAT</emphasis> iptables
rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAME</emphasis></term>
<listitem>
<para>Similar to <emphasis role="bold">DNAT</emphasis> except
that the port may not be remapped and when multiple server
addresses are listed, all requests from a given remote system
go to the same server.<warning>
<para>Support for SAME is scheduled for removal from the
Linux kernel in 2008.</para>
</warning></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAME-</emphasis></term>
<listitem>
<para>Advanced users only.</para>
<para>Like SAME but only generates the nat iptables rule and
not the companion <emphasis role="bold">ACCEPT</emphasis>
rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REDIRECT</emphasis></term>
<listitem>
<para>Redirect the request to a server running on the
firewall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REDIRECT-</emphasis></term>
<listitem>
<para>Advanced users only.</para>
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
generates the <emphasis role="bold">REDIRECT</emphasis>
iptables rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term>
@ -371,8 +270,6 @@
<term>NFQUEUE</term>
<listitem>
<para>Only supported by Shorewall6-perl &gt;= 4.0.3.</para>
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
@ -443,12 +340,8 @@
<blockquote>
<para>The <emphasis role="bold">ACTION</emphasis> may optionally
be followed by ":" and a syslog log level (e.g, REJECT:info or
DNAT:debug). This causes the packet to be logged at the specified
level. Note that if the <emphasis role="bold">ACTION</emphasis>
involves destination network address translation (DNAT, REDIRECT,
SAME, etc.) then the packet is logged <emphasis
role="bold">before</emphasis> the destination address is
rewritten.</para>
ACCEPT:debug). This causes the packet to be logged at the
specified level.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
@ -533,13 +426,17 @@
<para>Hosts may also be specified as an IP address range using the
syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
This requires that your kernel and iptables contain iprange match
support. If your kernel and iptables have ipset match support then
This requires that your kernel and ip6tables contain iprange match
support. If your kernel and ip6tables have ipset match support then
you may give the name of an ipset prefaced by "+". The ipset name
may be optionally followed by a number from 1 to 6 enclosed in
square brackets ([]) to indicate the number of levels of source
bindings to be matched.</para>
<para>When an <replaceable>interface</replaceable> is not specified,
you may omit the angled brackets ('&lt;' and '&gt;') around the
address(es) or you may supply them to improve readability.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
@ -548,7 +445,7 @@
<variablelist>
<varlistentry>
<term>dmz:2002:ce7c:92b4:1::2</term>
<term>dmz:2002:ce7c::92b4:1::2</term>
<listitem>
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
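Review bot: the new term `dmz:2002:ce7c::92b4:1::2` contains two `::` runs, which is not a valid IPv6 address (only one `::` may appear), and it no longer matches the unchanged description "Host 2002:ce7c:92b4:1::2 in the DMZ". The old term was correct; revert it, or make the term and the description agree.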
@ -556,7 +453,7 @@
</varlistentry>
<varlistentry>
<term>net:2001:4d48:ad51:24:;/64</term>
<term>net:2001:4d48:ad51:24::/64</term>
<listitem>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
@ -564,11 +461,11 @@
</varlistentry>
<varlistentry>
<term>loc:192.168.1.1,192.168.1.2</term>
<term>loc:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
<listitem>
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
zone.</para>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
local zone.</para>
</listitem>
</varlistentry>
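Review bot: `2002:cec792b4:1::2` and `2002:cec792b4:1::44` are not valid IPv6 addresses, because the group `cec792b4` has eight hex digits and a group may have at most four; it reads like a run-together form of the `2002:ce7c:92b4:1::2` address used elsewhere in this file. Fix both the term and the matching description.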
@ -582,11 +479,11 @@
</varlistentry>
<varlistentry>
<term>net:155.186.235.0/24!155.186.235.16/28</term>
<term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>
<listitem>
<para>Subnet 155.186.235.0/24 on the Internet except for
155.186.235.16/28</para>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
2001:4d48:ad51:24:6:/80.</para>
</listitem>
</varlistentry>
</variablelist>
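Review bot: the new term `net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80` lists the same exclusion twice, and `2001:4d48:ad51:24:6:/80` ends in a lone colon, which is not a valid IPv6 prefix (`2001:4d48:ad51:24:6::/80` is the well-formed spelling). The description carries the same trailing-colon form; write the exclusion once, and correctly, in both places.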
@ -598,45 +495,22 @@
client that communicates with the firewall system through eth1.
This may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
<para>It is important to note that when <emphasis
role="bold">using Shorewall6-shell</emphasis> and specifying an
address list that will be split (i.e., a comma separated list),
there is a subtle behavior which has the potential to cause
confusion. Consider the two examples below:</para>
role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
</blockquote>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>loc:eth1:192.168.1.3,192.168.1.5</term>
<term>loc:eth1:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
from any interface in the zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>
<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with <emphasis role="bold">both</emphasis> originating from
eth1.</para>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
Local zone, with <emphasis role="bold">both</emphasis>
originating from eth1</para>
</listitem>
</varlistentry>
</variablelist>
<blockquote>
<para>That is, the interface name must be explicitly stated for
each member of the comma separated list. Again, this distinction
in behavior only occurs when <emphasis role="bold">using
Shorewall6-shell</emphasis>.</para>
</blockquote>
</listitem>
</varlistentry>
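Review bot: the rewritten example `loc:eth1:<2002:ce7c::92b4:1::2>` has two `::` runs and is therefore not a valid IPv6 address, and the term `loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44>` (and its description) uses the eight-digit group `cec792b4`, which is also invalid; use a single `::` and groups of at most four hex digits, e.g. `2002:ce7c:92b4:1::2` and `2002:ce7c:92b4:1::44`.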
@ -647,8 +521,7 @@
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
role="bold">random</emphasis>]]</term>
role="bold">+</emphasis><emphasis>ipset</emphasis>}]]</term>
<listitem>
<para>Location of Server. May be a zone declared in <ulink
@ -667,10 +540,6 @@
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para>
<para>Beginning with Shorewall6 4.1.4, the
<replaceable>zone</replaceable> should be omitted in DNAT-,
REDIRECT- and NONAT rules.</para>
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<orderedlist numeration="loweralpha">
<listitem>
@ -689,8 +558,6 @@
</orderedlist></para>
<blockquote>
<para></para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+]|[-</emphasis>] is specified, the server may be
further restricted to a particular network, host or interface by
@ -706,23 +573,7 @@
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2.Prior to Shorewall6 4.1.4, only IP addresses are allowed
in <emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>
<para>3. You may not specify both an interface and an
address.</para>
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
you may specify a range of IP addresses using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">DNAT-</emphasis>, the connections will be assigned to
addresses in the range in a round-robin fashion.</para>
<para>If you kernel and iptables have ipset match support then you
<para>If you kernel and ip6tables have ipset match support then you
may give the name of an ipset prefaced by "+". The ipset name may
be optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) to indicate the number of levels of destination
@ -730,48 +581,6 @@
role="bold">SOURCE</emphasis> and <emphasis
role="bold">DEST</emphasis> columns may specify an ipset
name.</para>
<para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modifiy the
destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">REDIRECT</emphasis>.</para>
<variablelist>
<varlistentry>
<term>Example:</term>
<listitem>
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
specifies a local server at IP address 192.168.1.3 and
listening on port 3128.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If you are using Shorewall6-shell or Shorewall6-perl before
version 4.0.5, then the port number MUST be specified as an
integer and not as a name from services(5). Shorewall6-perl 4.0.5
and later permit the <emphasis>port</emphasis> to be specified as
a service name. Additionally, Shorewall6-perl 4.0.5 and later
permit specifying a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Beginning with Shorewall6 4.0.6, the port
range may be optionally followed by <emphasis
role="bold">:random</emphasis> which causes assignment to ports in
the list to be random.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis>, this column needs only to
contain the port number on the firewall that the request should be
redirected to. That is equivalent to specifying
<option>$FW</option>::<replaceable>port</replaceable>.</para>
</blockquote>
</listitem>
</varlistentry>
@ -787,7 +596,7 @@
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
ipp2p match support in your kernel and iptables. <emphasis
ipp2p match support in your kernel and ip6tables. <emphasis
role="bold">tcp:syn</emphasis> implies <emphasis
role="bold">tcp</emphasis> plus the SYN flag must be set and the
RST,ACK and FIN flags must be reset.</para>
@ -827,13 +636,8 @@
<para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and iptables
<para>2. No port ranges are included or your kernel and ip6tables
contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall6-perl.html">Shorewall6-perl</ulink>, a separate
rule will be generated for each port. Shorewall6-perl does not
automatically break up lists into individual rules.</para>
</listitem>
</varlistentry>
@ -857,8 +661,7 @@
<blockquote>
<para>If you don't want to restrict client ports but need to
specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
next column, then place "-" in this column.</para>
specify a later column, then place "-" in this column.</para>
<para>If your kernel contains multi-port match support, then only
a single Netfilter rule will be generated if in this list and the
@ -866,61 +669,19 @@
<para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and iptables
<para>2. No port ranges are included or your kernel and ip6tables
contain extended multiport match support.</para>
<para>Otherwise, unless you are using <ulink
url="../Shorewall6-perl.html">Shorewall6-perl</ulink>, a separate
rule will be generated for each port. Shorewall6-perl does not
automatically break up lists into individual rules.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
[<emphasis role="bold">-</emphasis>]</term>
<listitem>
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>] or <emphasis
role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
then if this column is included and is different from the IP address
given in the <emphasis role="bold">SERVER</emphasis> column, then
connections destined for that address will be forwarded to the IP
and port specified in the <emphasis role="bold">DEST</emphasis>
column.</para>
<para>A comma-separated list of addresses may also be used. This is
most useful with the <emphasis role="bold">REDIRECT</emphasis>
target where you want to redirect traffic destined for particular
set of hosts. Finally, if the list of addresses begins with "!"
(<emphasis>exclusion</emphasis>) then the rule will be followed only
if the original destination address in the connection request does
not match any of the addresses listed.</para>
<para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you
want to generate a filter rule that corresponds to a <emphasis
role="bold">DNAT-</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
addresses should not begin with "!".</para>
<para>It is also possible to specify a set of addresses then exclude
part of those addresses. For example, <emphasis
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
See <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>See <ulink
url="../PortKnocking.html">http://shorewall6.net/PortKnocking.html</ulink>
for an example of using an entry in this column with a user-defined
action rule.</para>
<para>Included for compatibility with Shorewall. Enter '-' in this
column if you need to specify one of the later columns.</para>
</listitem>
</varlistentry>
@ -950,8 +711,7 @@
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
[<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
<listitem>
<para>This column may only be non-empty if the SOURCE is the
@ -990,19 +750,6 @@
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
@ -1049,8 +796,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall6-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
@ -1062,18 +808,17 @@
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in Shorewall6-perl 4.2.1. May be used to limit the
number of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. Requires connlimit
match in your kernel and iptables. While the limit is only checked
on rules specifying CONNLIMIT, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the limit is applied to each host but can be made to apply
to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all
hosts in the subnet
<para>May be used to limit the number of simultaneous connections
from each individual host to <replaceable>limit</replaceable>
connections. Requires connlimit match in your kernel and ip6tables.
While the limit is only checked on rules specifying CONNLIMIT, the
number of current connections is calculated over all current
connections from the SOURCE host. By default, the limit is applied
to each host but can be made to apply to networks of hosts by
specifying a <replaceable>mask</replaceable>. The
<replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When<option> !</option> is specified, the rule matches when the
number of connection exceeds the
@ -1086,10 +831,10 @@
<emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
<listitem>
<para>Added in Shorewall6-perl 4.2.1. May be used to limit the rule
to a particular time period each day, to particular days of the week
or month, or to a range defined by dates and times. Requires time
match support in your kernel and iptables.</para>
<para>May be used to limit the rule to a particular time period each
day, to particular days of the week or month, or to a range defined
by dates and times. Requires time match support in your kernel and
ip6tables.</para>
<para><replaceable>timeelement</replaceable> may be:</para>
@ -1169,17 +914,6 @@
</variablelist>
</refsect1>
<refsect1>
<title>Restrictions</title>
<para>Unless you are using <ulink
url="../Shorewall6-perl.html">Shorewall6-perl</ulink> and your
iptables/kernel have <firstterm>Repeat Match</firstterm> support (see the
output of <command>shorewall6 show capabilities</command>), if you specify
a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
versa.</para>
</refsect1>
<refsect1>
<title>Example</title>
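Review bot: deleting the whole Restrictions section also drops the Repeat Match caveat, which does not depend on Shorewall6-perl: without Repeat Match support in the ip6tables/kernel, a list of DEST PORT(S) still cannot be combined with SOURCE PORT(S) in one rule. Keep the section with only the Shorewall6-perl clause removed, e.g. "Unless your ip6tables/kernel have Repeat Match support (see the output of shorewall6 show capabilities), if you specify a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice versa."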
@ -1200,12 +934,12 @@
<term>Example 2:</term>
<listitem>
<para>Forward all ssh and http connection requests from the internet
to local system 192.168.1.3</para>
<para>Allow all ssh and http connection requests from the internet
to local system 2002:cec792b4:1::44</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
DNAT net loc:2002:cec792b4:1::44 tcp ssh,http</programlisting>
</listitem>
</varlistentry>
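Review bot: Example 2 is retitled "Allow all ssh and http connection requests" but the new listing still uses the `DNAT` action, which this patch removes from the ACTION list of this file; for an IPv6 rule with no address translation the action should be `ACCEPT`. The server address `loc:2002:cec792b4:1::44` is also not a valid IPv6 address (the group `cec792b4` has eight hex digits); `2002:ce7c:92b4:1::44` is presumably intended.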
@ -1213,132 +947,26 @@
<term>Example 3:</term>
<listitem>
<para>Forward all http connection requests from the internet to
local system 192.168.1.3 with a limit of 3 per second and a maximum
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
<para>Allow http connection requests from the internet to local
system 2002:cec792b4:1::44 with a limit of 3 per second and a
maximum burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
DNAT net loc:&lt;2002:cec792b4:1::44&gt; tcp http - - 3/sec:10</programlisting></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4:</term>
<listitem>
<para>Redirect all locally-originating www connection requests to
port 3128 on the firewall (Squid running on the firewall system)
except when the destination address is 192.168.2.2</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 5:</term>
<listitem>
<para>All http requests from the internet to address 130.252.100.69
are to be forwarded to 192.168.1.3</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 6:</term>
<listitem>
<para>You want to accept SSH connections to your firewall only from
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
internet IP addresses 2002:ce7c::92b4:1::2 and
2002:ce7c::92b4:1::22</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
tcp 22</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 7:</term>
<listitem>
<para>You wish to accept connections from the internet to your
firewall on port 2222 and you want to forward them to local system
192.168.1.3, port 22</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
DNAT net loc:192.168.1.3:22 tcp 2222</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<listitem>
<para>You want to redirect connection requests to port 80 randomly
to the port range 81-90.</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
REDIRECT net $FW::81-90:random tcp www</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 9:</term>
<listitem>
<para>Shorewall6 does not impose as much structure on the Netfilter
rules in the 'nat' table as it does on those in the filter table. As
a consequence, when using Shorewall6 versions before 4.1.4, care
must be exercised when using DNAT and REDIRECT rules with zones
defined with wildcard interfaces (those ending with '+'. Here is an
example:</para>
<para><ulink
url="shorewall6-zones.html">shorewall6-zones</ulink>(8):<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv4
dmz ipv4
loc ipv4</programlisting></para>
<para><ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1 detect
dmz eth2 detect
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
<para><ulink
url="shorewall6-hosts.html">shorewall6-host</ulink>(8):<programlisting> #ZONE HOST(S) OPTIONS
loc ppp+:192.168.3.0/24</programlisting></para>
<para>rules:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
REDIRECT loc 3128 tcp 80 </programlisting>
<simpara>Note that it would have been tempting to simply define the
loc zone entirely in shorewall6-interfaces(8):</simpara>
<para><programlisting> #******************* INCORRECT *****************
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1 detect
loc ppp+
dmz eth2</programlisting></para>
<para>This would have made it impossible to run a
internet-accessible web server in the DMZ because all traffic
entering ppp+ interfaces would have been redirected to port 3128 on
the firewall and there would have been no net-&gt;fw ACCEPT rule for
that traffic.</para>
ACCEPT net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
$FW tcp 22</programlisting>
</listitem>
</varlistentry>
</variablelist>
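Review bot: the two addresses in the new Example 6 line `ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \` are not valid IPv6: `::` may appear only once in an address, so neither can be parsed (presumably `2002:ce7c:92b4:1::2` and `2002:ce7c:92b4:1::22`). The eight-digit hextet in `2002:cec792b4:1::44` (Example 3) has the same problem. Separately, Example 3 keeps a `DNAT` action under a description reworded to "Allow http connection requests ...", while every other DNAT/REDIRECT example (4, 5, 7, 8, 9) is removed in this hunk and shorewall6-nat/masq/netmap/proxyarp are dropped from SEE ALSO in the next; either remove Example 3 as well or change its action to ACCEPT (a rate-limited ACCEPT still makes sense) so it matches the "Allow" wording.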
@ -1355,11 +983,10 @@
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tcclasses</refentrytitle>
<refentrytitle>shorewall6-tcclasses</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>tcclasses</refname>
<refpurpose>Shorewall file to define HTB classes</refpurpose>
<refpurpose>Shorewall6 file to define HTB classes</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcclasses</command>
<command>/etc/shorewall6/tcclasses</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -119,20 +121,19 @@
alias (e.g., eth0:0) here; see <ulink
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
<para>If you are running Shorewall-perl 4.1.6 or later, you may
specify the interface number rather than the interface name. If the
<emphasis role="bold">classify</emphasis> option is given for the
interface in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
you must also specify an interface class (an integer that must be
unique within classes associated with this interface).</para>
<para>You may specify either the interface number or the interface
name. If the <emphasis role="bold">classify</emphasis> option is
given for the interface in <ulink
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
then you must also specify an interface class (an integer that must
be unique within classes associated with this interface).</para>
<para>You may NOT specify wildcards here, e.g. if you have multiple
ppp interfaces, you need to put them all in here!</para>
<para>Please note that you can only use interface names in here that
have a bandwidth defined in the <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
file</para>
</listitem>
</varlistentry>
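Review bot: the unchanged lead-in context `alias (e.g., eth0:0) here; see .../FAQ.htm#faq18` carries an IPv4 interface-alias caveat into the IPv6 manpage; consider dropping the alias sentence here since it no longer applies. The rewritten interface-number paragraph itself reads fine.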
@ -144,12 +145,12 @@
<listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) file,
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5) file,
marking the traffic you want to fit in the classes defined in here.
Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)</para>
<para>You can use the same marks for different interfaces.</para>
</listitem>
@ -207,8 +208,8 @@
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>Added in Shorewall-perl 4.1. A comma-separated list of options
including the following:</para>
<para>A comma-separated list of options including the
following:</para>
<variablelist>
<varlistentry>
@ -347,7 +348,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcclasses</para>
<para>/etc/shorewall6/tcclasses</para>
</refsect1>
<refsect1>
@ -356,13 +357,12 @@
<para><ulink
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tcdevices</refentrytitle>
<refentrytitle>shorewall6-tcdevices</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>tcdevices</refname>
<refpurpose>Shorewall Traffic Shaping Devices file</refpurpose>
<refpurpose>Shorewall6 Traffic Shaping Devices file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcdevices</command>
<command>/etc/shorewall6/tcdevices</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -106,13 +108,13 @@
ppp interfaces, you need to put them all in here!</para>
<para>If the device doesn't exist, a warning message will be issued
during "shorewall [re]start" and "shorewall refresh" and traffic
during "shorewall6 [re]start" and "shorewall6 refresh" and traffic
shaping configuration will be skipped for that device.</para>
<para>Shorewall assigns a sequential <firstterm>interface
<para>Shorewall6 assigns a sequential <firstterm>interface
number</firstterm> to each interface (the first entry in the file is
interface 1, the second is interface 2 and so on) Beginning with
Shorewall-perl 4.1.6, you can explicitly specify the interface
Shorewall6-perl 4.1.6, you can explicitly specify the interface
number by prefixing the interface name with the number and a colon
(":"). Example: 1:eth0.</para>
</listitem>
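Review bot: `Shorewall6-perl 4.1.6` in the rewritten sentence names a product/version string that appears nowhere else in this commit; the tcclasses hunk above handles the same history by dropping the "Shorewall-perl 4.1.6" qualifier entirely and stating current behaviour ("You may specify either the interface number or the interface name"). Do the same here. The retained sentence is also missing a period before "Beginning".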
@ -132,7 +134,7 @@
to avoid queuing at your providers side.</para>
<para>If you don't want any traffic to be dropped, set this to a
value to zero in which case Shorewall will not create an ingress
value to zero in which case Shorewall6 will not create an ingress
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para>
</listitem>
@ -146,7 +148,7 @@
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
This is the maximum speed your connection can handle. It is also the
speed you can refer as "full" if you define the tc classes in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
Outgoing traffic above this rate will be dropped.</para>
</listitem>
</varlistentry>
@ -157,10 +159,10 @@
role="bold">classify</emphasis>}</term>
<listitem>
<para>classify ― When specified, Shorewall will not generate tc or
<para>classify ― When specified, Shorewall6 will not generate tc or
Netfilter rules to classify traffic based on packet marks. You must
do all classification using CLASSIFY rules in <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).</para>
</listitem>
</varlistentry>
@ -169,7 +171,7 @@
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
<listitem>
<para>Added in Shorewall-perl 4.1.6. May only be specified if the
<para>Added in Shorewall6-perl 4.1.6. May only be specified if the
interface in the INTERFACE column is an Intermediate Frame Block
(IFB) device. Causes packets that enter each listed interface to be
passed through the egress filters defined for this device, thus
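Review bot: same point as in the interface-number hunk above: `Added in Shorewall6-perl 4.1.6.` should be removed rather than renamed, matching the tcclasses hunk in this commit that drops "Added in Shorewall-perl 4.1."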
@ -204,7 +206,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcdevices</para>
<para>/etc/shorewall6/tcdevices</para>
</refsect1>
<refsect1>
@ -213,13 +215,12 @@
<para><ulink
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>

View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tcrules</refentrytitle>
<refentrytitle>shorewall6-tcrules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -11,12 +11,12 @@
<refnamediv>
<refname>tcrules</refname>
<refpurpose>Shorewall Packet Marking rules file</refpurpose>
<refpurpose>Shorewall6 Packet Marking rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/rules</command>
<command>/etc/shorewall6/rules</command>
</cmdsynopsis>
</refsynopsisdiv>
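Review bot: the cmdsynopsis is renamed to `<command>/etc/shorewall6/rules</command>`, but this is the tcrules manpage; the FILES section of the same file (hunk at -609) gives `/etc/shorewall6/tcrules`. The old line carried the same mistake, but since the line is being touched anyway, make it `/etc/shorewall6/tcrules`.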
@ -28,13 +28,13 @@
<important>
<para>Unlike rules in the <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink
/etc/shorewall6/providers be sure to read the restrictions at <ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
</important>
@ -71,7 +71,7 @@
current mark value to produce a new mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target support
in your kernel and iptables; neither may be used with connection
in your kernel and ip6tables; neither may be used with connection
marks (see below).</para>
<para>May optionally be followed by <emphasis
@ -90,19 +90,16 @@
role="bold">$FW</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
then the rule is inserted into the OUTPUT chain. The behavior
changed in Shorewall-perl 4.1. Previously, when
HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values
&lt; 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned there.
Packet marking rules for traffic shaping of packets originating
on the firewall must be coded in the POSTROUTING chain (see
below).</para>
changed in Shorewall6-perl 4.1. Only high mark values may be
assigned in this case. Packet marking rules for traffic shaping
of packets originating on the firewall must be coded in the
POSTROUTING chain (see below).</para>
<para>- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>If your kernel and iptables include CONNMARK support then
<para>If your kernel and ip6tables include CONNMARK support then
you can also mark the connection rather than the packet.</para>
<para>The mark value may be optionally followed by "/" and a
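Review bot: "The behavior changed in Shorewall6-perl 4.1. Only high mark values may be assigned in this case." describes a change that predates Shorewall6 and uses a version string found nowhere else in the commit; state the rule directly ("When HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned in the OUTPUT chain"), as the other hunks in this commit do when they drop version qualifiers.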
@ -147,18 +144,18 @@
<para><emphasis role="bold">Special considerations for If
HIGH_ROUTE_MARKS=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5</emphasis>).</para>
<para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
in the range 0x0100-0xFF00 with the low-order byte being zero.
Such values may only be used in the PREROUTING chain (value
followed by <emphasis role="bold">:P</emphasis> or you have set
MARK_IN_FORWARD_CHAIN=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
followed the value with <option>:F</option>) or the OUTPUT chain
(SOURCE is <emphasis role="bold">$FW</emphasis>). With
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and have
not followed the value with <option>:F</option>) or the OUTPUT
chain (SOURCE is <emphasis role="bold">$FW</emphasis>). With
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
permitted. Shorewall 4.1 and later versions prohibit non-zero
permitted. Shorewall6 4.1 and later versions prohibit non-zero
mark values less that 256 in the OUTPUT chain when
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
in the OUTPUT chain, it is strongly recommended that with
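Review bot: the retained sentence "Shorewall6 4.1 and later versions prohibit ... While earlier versions allow such values in the OUTPUT chain" keeps pre-Shorewall6 version history that this commit removes elsewhere; reduce it to the current rule. While here, fix "less that 256" (it occurs twice in this hunk) to "less than 256".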
@ -185,14 +182,14 @@
role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
which case classification occurs in the OUTPUT chain.</para>
<para>When using Shorewall's built-in traffic shaping tool, the
<para>When using Shorewall6's built-in traffic shaping tool, the
<emphasis>major</emphasis> class is the device number (the first
device in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
major class 1, the second device is major class 2, and so on)
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
is major class 1, the second device is major class 2, and so on)
and the <emphasis>minor</emphasis> class is the class's MARK
value in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
preceded by the number 1 (MARK 1 corresponds to minor class 11,
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
minor class 122, etc.).</para>
@ -202,7 +199,7 @@
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
supplied mask if any. Your kernel and ip6tables must include
CONNMARK support.</para>
<para>As in 1) above, may be followed by <emphasis
@ -214,7 +211,7 @@
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
mask if any. Your kernel and ip6tables must include CONNMARK
support.</para>
<para>As in 1) above, may be followed by <emphasis
@ -231,14 +228,14 @@
role="bold">:F</emphasis>. Currently, CONTINUE may not be used
with <emphasis>exclusion</emphasis> (see the SOURCE and DEST
columns below); that restriction will be removed when
iptables/Netfilter provides the necessary support.</para>
ip6tables/Netfilter provides the necessary support.</para>
</listitem>
<listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall
delimited by "/* ... */" in the output of <command>shorewall6
show mangle</command></para>
<para>To stop the comment from being attached to further rules,
@ -252,8 +249,8 @@
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
role="bold">$FW</emphasis>}:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
<listitem>
<para>Source of the packet. A comma-separated list of interface
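Review bot: the brackets in the new SOURCE term are interleaved: `[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>` opens `<` before the `}` that closes the outer `{-|...` group and closes `>` only after `[exclusion]`. The paragraph added below says the angle brackets surround the address(es) only, so it should read `[{interface|$FW}:]<address-or-range[,address-or-range]...>}[exclusion]`, keeping the exclusion outside the braces as in the old term.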
@ -278,20 +275,24 @@
<para>Example: ~00-A0-C9-15-39-78</para>
<para>When an interface is not specified, the angled brackets
('&lt;' and '&gt;') surrounding the address(es) may be
omitted.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
<listitem>
<para>Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and iptables include
addresses and/or subnets. If your kernel and ip6tables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the <emphasis
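Review bot: same interleaving in the DEST term: `[interface:]<address-or-range[,address-or-range]...}[exclusion]>` should close the angle bracket before the brace, `...>}[exclusion]`. The trailing context of this hunk also still gives `eth1:192.168.1.0/24` as the interface:address example, an IPv4 prefix written without the angle brackets the new syntax requires when an interface is named; replace it with an IPv6 example in the bracketed form.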
@ -299,9 +300,13 @@
the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
this column may also contain an interface name.</para>
<para>When an interface is not specified, the angled brackets
('&lt;' and '&gt;') surrounding the address(es) may be
omitted.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
@ -316,7 +321,7 @@
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and iptables.</para>
ipp2p match support in your kernel and ip6tables.</para>
</listitem>
</varlistentry>
@ -360,8 +365,7 @@
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
<listitem>
<para>This column may only be non-empty if the SOURCE is the
@ -400,19 +404,6 @@
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
@ -474,7 +465,7 @@
<listitem>
<para>Packet Length. This field, if present allow you to match the
length of a packet against a specific value or range of values. You
must have iptables length support for this to work. A range is
must have ip6tables length support for this to work. A range is
specified in the form
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
@ -506,12 +497,11 @@
role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
role="bold">B</emphasis>}[:{<emphasis
role="bold">B</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">A</emphasis>}]]] </term>
role="bold">A</emphasis>}]]]</term>
<listitem>
<para>Connection Bytes; defines a byte or packet range that the
connection must fall within in order for the rule to match. Added in
Shorewall-perl 4.2.0.</para>
connection must fall within in order for the rule to match.</para>
<para>A packet matches if the the packet/byte count is within the
range defined by <emphasis>min</emphasis> and
@ -532,8 +522,8 @@
directions.</para>
</blockquote></para>
<para>If omitted, <emphasis role="bold">B</emphasis> is assumed.
</para>
<para>If omitted, <emphasis role="bold">B</emphasis> is
assumed.</para>
<para>The second letter determines what the range refers
to.<blockquote>
@ -544,7 +534,7 @@
<para><emphasis role="bold">A</emphasis> - Average packet
size.</para>
</blockquote>If omitted, <emphasis role="bold">B</emphasis> is
assumed. </para>
assumed.</para>
</listitem>
</varlistentry>
@ -553,18 +543,18 @@
</emphasis><emphasis>helper</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.2.0. Names a Netfiler protocol
<firstterm>helper</firstterm> module such as <option>ftp</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will
match if it was accepted by the named helper module. You can also
append "-" and a port number to the helper module name (e.g.,
<emphasis role="bold">ftp-21</emphasis>) to specify the port number
that the original connection was made on.</para>
<para>Names a Netfiler protocol <firstterm>helper</firstterm> module
such as <option>ftp</option>, <option>sip</option>,
<option>amanda</option>, etc. A packet will match if it was accepted
by the named helper module. You can also append "-" and a port
number to the helper module name (e.g., <emphasis
role="bold">ftp-21</emphasis>) to specify the port number that the
original connection was made on.</para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY PORT(S)
4 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
4 ::/ ::/ TCP - - - - - - - ftp</programlisting></para>
</listitem>
</varlistentry>
</variablelist>
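Review bot: `4 ::/ ::/ TCP ...` in the helper example is malformed: `::/` has no prefix length; the IPv6 counterpart of `0.0.0.0/0` is `::/0`. The rewritten paragraph also carries over the typo "Netfiler" (should be "Netfilter").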
@ -578,8 +568,8 @@
<term>Example 1:</term>
<listitem>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
to peer traffic with packet mark 4.</para>
<para>Mark all forwarded ICMP echo traffic with packet mark 1. Mark
all forwarded peer to peer traffic with packet mark 4.</para>
<para>This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
@ -590,12 +580,12 @@
<programlisting> #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
#CLASSIFY PORT(S)
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
4 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
1 ::/ ::/ icmp echo-request
1 ::/ ::/ icmp echo-reply
RESTORE ::/ ::/ all - - - 0
CONTINUE ::/ ::/ all - - - !0
4 ::/ ::/ ipp2p:all
SAVE ::/ ::/ all - - - !0</programlisting>
<para>If a packet hasn't been classifed (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set, we're
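Review bot: every `::/` in the rewritten Example 1 listing is malformed for the same reason as in the HELPER example above: the IPv6 equivalent of `0.0.0.0/0` is `::/0`, so these rules will not compile as written. "classifed" in the trailing context should be "classified".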
@ -609,7 +599,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcrules</para>
<para>/etc/shorewall6/tcrules</para>
</refsect1>
<refsect1>
@ -624,14 +614,13 @@
<para><ulink
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-</refentrytitle>
<refentrytitle>shorewall6-</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>file</refname>
<refpurpose>Shorewall file</refpurpose>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/</command>
<command>/etc/shorewall6/</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -43,20 +45,19 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/</para>
<para>/etc/shorewall6/</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>
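Review bot: the See ALSO list written into this template includes shorewall6-exclusion(5) and shorewall6-nesting(5), but the lists written into shorewall6-tcclasses and shorewall6-tcdevices in this same commit omit both; either the template should match what the pages actually carry or those pages should be brought up to the template, so that new manpages generated from it do not drift from the existing ones.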

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tos</refentrytitle>
<refentrytitle>shorewall6-tos</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>tos</refname>
<refpurpose>Shorewall Type of Service rules file</refpurpose>
<refpurpose>Shorewall6 Type of Service rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tos</command>
<command>/etc/shorewall6/tos</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -26,45 +28,18 @@
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
(Shorewall-shell)</term>
<listitem>
<para>Name of a <replaceable>zone</replaceable> declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
role="bold">all</emphasis> or <emphasis
role="bold">$FW</emphasis>.</para>
<para>If not <emphasis role="bold">all</emphasis> or <emphasis
role="bold">$FW</emphasis>, may optionally be followed by ":" and an
IP address, a MAC address, a subnet specification or the name of an
interface.</para>
<para>Example: loc:192.168.2.3</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
role="bold">$FW</emphasis>} (Shorewall-perl)</term>
role="bold">$FW</emphasis>}</term>
<listitem>
<para>If <emphasis role="bold">all</emphasis>, may optionally be
followed by ":" and an IP address, a MAC address, a subnet
specification or the name of an interface.</para>
<para>Example: all:192.168.2.3</para>
<para>Example: all:2002:ce7c::92b4:1::2</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
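Review bot: the SOURCE example at the end of this hunk, all:2002:ce7c::92b4:1::2, is not a valid IPv6 address: the "::" abbreviation may appear only once in an address, so this form is ambiguous and cannot be expanded. Use an address with a single "::", preferably from the 2001:db8::/32 documentation prefix (for instance all:2001:db8:ce7c::2). The retained term line {all|address]|all:address|$FW} also carries a stray "]" with no matching "["; it should read {all|address|all:address|$FW}.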
@ -73,32 +48,13 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>} (Shorewall-shell)</term>
<listitem>
<para>Name of a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
role="bold">all</emphasis>.</para>
<para>If not <emphasis role="bold">all</emphasis>, may optionally be
followed by ":" and an IP address or a subnet specification</para>
<para>Example: loc:192.168.2.3</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>}
(Shorewall-perl)</term>
role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
<listitem>
<para>Example: 192.168.2.3</para>
<para>Example: 2002:ce7c::92b4:1::2</para>
</listitem>
</varlistentry>
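Review bot: same two problems as in the SOURCE column: the DEST example 2002:ce7c::92b4:1::2 contains two "::" and is not a valid IPv6 address, and the term {all|address]|all:address} has an unmatched "]". Once corrected, keep the SOURCE and DEST examples using the same address.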
@ -185,8 +141,7 @@
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
@ -198,19 +153,18 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tos</para>
<para>/etc/shorewall6/tos</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>



@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tunnels</refentrytitle>
<refentrytitle>shorewall6-tunnels</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>tunnels</refname>
<refpurpose>Shorewall VPN definition file</refpurpose>
<refpurpose>Shorewall6 VPN definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tunnels</command>
<command>/etc/shorewall6/tunnels</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -22,7 +24,7 @@
<title>Description</title>
<para>The tunnels file is used to define rules for encapsulated (usually
encrypted) traffic to pass between the Shorewall system and a remote
encrypted) traffic to pass between the Shorewall6 system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See <ulink
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
@ -53,13 +55,10 @@
<listitem>
<para>Types are as follows:</para>
<programlisting> <emphasis role="bold">ipsec</emphasis> - IPv4 IPSEC
<emphasis role="bold">ipsecnat</emphasis> - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
<emphasis role="bold">ipip</emphasis> - IPv4 encapsulated in IPv4 (Protocol 4)
<programlisting> <emphasis role="bold">ipsec</emphasis> - IPv6 IPSEC
<emphasis role="bold">ipsecnat</emphasis> - IPv6 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
<emphasis role="bold">gre</emphasis> - Generalized Routing Encapsulation (Protocol 47)
<emphasis role="bold">l2tp</emphasis> - Layer 2 Tunneling Protocol (UDP port 1701)
<emphasis role="bold">pptpclient</emphasis> - PPTP Client runs on the firewall
<emphasis role="bold">pptpserver</emphasis> - PPTP Server runs on the firewall
<emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode
<emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
<emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
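Review bot: ipsecnat is kept with the description "IPv6 IPSEC with NAT Traversal (UDP port 4500 encapsulation)" while ipip was dropped. NAT-T exists to carry ESP across IPv4 NAT devices; if the type is intentionally retained for IPv6 peers that still negotiate NAT-T, the description should say so, otherwise it belongs with the removed IPv4-only entries so the list only offers types that apply to ip6tables.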
@ -80,8 +79,8 @@
role="bold">openvpnserver</emphasis> it may optionally be followed
by ":" and <emphasis role="bold">tcp</emphasis> or <emphasis
role="bold">udp</emphasis> to specify the protocol to be used. If
not specified, <emphasis role="bold">udp</emphasis> is
assumed.</para>
not specified, <emphasis role="bold">udp</emphasis> is assumed.
Note: At this writing, OpenVPN does not support IPv6.</para>
<para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
role="bold">openvpnclient</emphasis> or <emphasis
@ -127,7 +126,7 @@
<para>The IP address of the remote tunnel gateway. If the remote
gateway has no fixed address (Road Warrior) then specify the gateway
as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
network address and if your kernel and iptables include iprange
network address and if your kernel and ip6tables include iprange
match support then IP address ranges are also allowed.</para>
</listitem>
</varlistentry>
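Review bot: the unchanged first sentences of this hunk still tell the reader to specify a road-warrior gateway as 0.0.0.0/0, while the next line was changed from iptables to ip6tables and Example 2 below uses an IPv6 wildcard. The sentence should say ::/0 so the prose matches the IPv6 syntax used in the examples.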
@ -158,11 +157,11 @@
<listitem>
<para>IPSec tunnel.</para>
<para>The remote gateway is 4.33.99.124 and the remote subnet is
192.168.9.0/24. The tunnel does not use the AH protocol</para>
<para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
use the AH protocol</para>
<programlisting> #TYPE ZONE GATEWAY
ipsec:noah net 4.33.99.124</programlisting>
ipsec:noah net 2002:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
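Review bot: the prose and the listing disagree: the paragraph says the remote gateway is 2001:cec792b4:1::44 while the programlisting uses 2002:cec792b4:1::44. Neither is a valid IPv6 address, because the group "cec792b4" has eight hex digits and a group may have at most four. Pick one address from the 2001:db8::/32 documentation prefix, e.g. 2001:db8:92b4:1::44, and use it in both places (Examples 3 and 4 and the generic example reuse the same address and need the same fix).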
@ -173,8 +172,8 @@
<para>Road Warrior (LapTop that may connect from anywhere) where the
"gw" zone is used to represent the remote LapTop</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 0.0.0.0/0 gw</programlisting>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net ::/ gw</programlisting>
</listitem>
</varlistentry>
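Review bot: "::/" in the new listing is not a valid prefix; the any-address wildcard is ::/0, the IPv6 counterpart of the 0.0.0.0/0 it replaces. The GATEWAY column should read ::/0 here and the road-warrior sentence in the GATEWAY column description above should use the same form.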
@ -182,11 +181,12 @@
<term>Example 3:</term>
<listitem>
<para>Host 4.33.99.124 is a standalone system connected via an ipsec
tunnel to the firewall system. The host is in zone gw.</para>
<para>Host 2001:cec792b4:1::44 is a standalone system connected via
an ipsec tunnel to the firewall system. The host is in zone
gw.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 4.33.99.124 gw</programlisting>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 2001:cec792b4:1::44 gw</programlisting>
</listitem>
</varlistentry>
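Review bot: 2001:cec792b4:1::44 in both the paragraph and the listing has the over-long group "cec792b4" (eight hex digits, maximum is four); use the same corrected documentation-prefix address as Example 1.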
@ -194,48 +194,11 @@
<term>Example 4:</term>
<listitem>
<para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
FreeS/Wan _updown script will add the host to the appropriate zone
using the <command>shorewall add</command> command on connect and
will remove the host from the zone at disconnect time.</para>
<para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
openvpn uses port 7777.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 5:</term>
<listitem>
<para>You run the Linux PPTP client on your firewall and connect to
server 192.0.2.221.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
pptpclient net 192.0.2.221</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 6:</term>
<listitem>
<para>You run a PPTP server on your firewall.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
pptpserver net 0.0.0.0/0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 7:</term>
<listitem>
<para>OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn
uses port 7777.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 4.33.99.124</programlisting>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
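Review bot: the new Example 4 shows an OpenVPN tunnel over IPv6, but the TYPE column text in this same file (hunk @ -80) now says "At this writing, OpenVPN does not support IPv6". Either the note or the example should go, or the example should be qualified as forward-looking. Its gateway 2001:cec792b4:1::44 has the same over-long group as the other examples. Since Examples 4 through 7 were removed and one example added, check that the term of the generic-tunnel example that follows (outside this hunk) was renumbered to Example 5.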
@ -245,10 +208,10 @@
<listitem>
<para>You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
4.3.99.124.</para>
2001:cec792b4:1::44.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 4.3.99.124</programlisting>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
</variablelist>
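Review bot: the gateway in this generic example, 2001:cec792b4:1::44, has the same over-long "cec792b4" group as the IPSec examples; substitute the corrected address used there so all examples in the file share one valid address.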
@ -257,19 +220,18 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tunnels</para>
<para>/etc/shorewall6/tunnels</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>


@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-vardir</refentrytitle>
<refentrytitle>shorewall6-vardir</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>vardir</refname>
<refpurpose>Shorewall file</refpurpose>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/vardir</command>
<command>/etc/shorewall6/vardir</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -22,9 +24,9 @@
<title>Description</title>
<para>This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall to store state information,
including compiled firewall scripts. By default, the directory used is
<filename>/var/lib/shorewall/</filename>.</para>
want to change the directory used by Shorewall6 to store state
information, including compiled firewall scripts. By default, the
directory used is <filename>/var/lib/shorewall6/</filename>.</para>
<para>The file contains a single variable assignment:</para>
@ -32,33 +34,31 @@
<para>where <replaceable>directory</replaceable> is the name of a
directory. If you add this file, you should copy the files from
<filename>/var/lib/shorewall</filename> to the new directory before
performing a <command>shorewall restart</command>.</para>
<filename>/var/lib/shorewall6</filename> to the new directory before
performing a <command>shorewall6 restart</command>.</para>
</refsect1>
<refsect1>
<title>Example</title>
<para>VARDIR=/root/shorewall</para>
<para>VARDIR=/root/shorewall6</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/vardir</para>
<para>/etc/shorewall6/vardir</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
</refentry>


@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-zones</refentrytitle>
<refentrytitle>shorewall6-zones</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,22 +11,22 @@
<refnamediv>
<refname>zones</refname>
<refpurpose>Shorewall zone declaration file</refpurpose>
<refpurpose>Shorewall6 zone declaration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/zones</command>
<command>/etc/shorewall6/zones</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The /etc/shorewall/zones file declares your network zones. You
<para>The /etc/shorewall6/zones file declares your network zones. You
specify the hosts in each zone through entries in
<filename>/etc/shorewall/interfaces</filename> or
<filename>/etc/shorewall/hosts</filename>.</para>
<filename>/etc/shorewall6/interfaces</filename> or
<filename>/etc/shorewall6/hosts</filename>.</para>
<para>The columns in the file are as follows.</para>
@ -40,34 +42,34 @@
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
names. The maximum length of a zone name is determined by the
setting of the LOGFORMAT option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
default LOGFORMAT, zone names can be at most 5 characters
long.</para>
<para>The order in which Shorewall matches addresses from packets to
zones is determined by the order of zone declarations. Where a zone
is nested in one or more other zones, you may either ensure that the
nested zone precedes its parents in this file, or you may follow the
(sub)zone name by ":" and a comma-separated list of the parent
zones. The parent zones must have been declared in earlier records
in this file. See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
<para>The order in which Shorewall6 matches addresses from packets
to zones is determined by the order of zone declarations. Where a
zone is nested in one or more other zones, you may either ensure
that the nested zone precedes its parents in this file, or you may
follow the (sub)zone name by ":" and a comma-separated list of the
parent zones. The parent zones must have been declared in earlier
records in this file. See <ulink
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
additional information.</para>
<para>Example:</para>
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
a ipv4
b ipv4
c:a,b ipv4</programlisting>
a ipv6
b ipv6
c:a,b ipv6</programlisting>
<para>Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the list.
The IMPLICIT_CONTINUE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) can also create
implicit CONTINUE policies to/from the subzone.</para>
<para>Currently, Shorewall6 uses this information to reorder the
zone list so that parent zones appear after their subzones in the
list. The IMPLICIT_CONTINUE option in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
create implicit CONTINUE policies to/from the subzone.</para>
<para>In the future, Shorewall may make additional use of nesting
<para>In the future, Shorewall6 may make additional use of nesting
information.</para>
</listitem>
</varlistentry>
@ -78,15 +80,15 @@ c:a,b ipv4</programlisting>
<listitem>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ipv4</emphasis></term>
<term><emphasis role="bold">ipv6</emphasis></term>
<listitem>
<para>This is the standard Shorewall zone type and is the
<para>This is the standard Shorewall6 zone type and is the
default if you leave this column empty or if you enter "-" in
the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the
'ipsec'option in <ulink
url="shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
</listitem>
</varlistentry>
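Review bot: style: the retained line "'ipsec'option" in this hunk is missing a space before "option"; worth fixing while this paragraph is being touched.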
@ -95,7 +97,7 @@ c:a,b ipv4</programlisting>
<listitem>
<para>Communication with all zone hosts is encrypted. Your
kernel and iptables must include policy match support.</para>
kernel and ip6tables must include policy match support.</para>
</listitem>
</varlistentry>
@ -113,11 +115,11 @@ c:a,b ipv4</programlisting>
</varlistentry>
<varlistentry>
<term>bport (or bport4)</term>
<term>bport (or bport6)</term>
<listitem>
<para>(Shorewall-perl only) The zone is associated with one or
more ports on a single bridge.</para>
<para>The zone is associated with one or more ports on a
single bridge.</para>
</listitem>
</varlistentry>
</variablelist>
@ -173,9 +175,9 @@ c:a,b ipv4</programlisting>
<listitem>
<para>sets the MSS field in TCP packets. If you supply this
option, you should also set FASTACCEPT=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) to insure
that both the SYN and SYN,ACK packets have their MSS field
adjusted.</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to
insure that both the SYN and SYN,ACK packets have their MSS
field adjusted.</para>
</listitem>
</varlistentry>
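Review bot: style: "insure" in the reflowed mss text should be "ensure".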
@ -239,7 +241,7 @@ c:a,b ipv4</programlisting>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/zones</para>
<para>/etc/shorewall6/zones</para>
</refsect1>
<refsect1>
@ -248,14 +250,12 @@ c:a,b ipv4</programlisting>
<para><ulink
url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5)</para>
</refsect1>
</refentry>
</refentry>
