Almost finished with man pages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4896 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-11-16 05:03:57 +00:00 · 2006-11-16 05:03:57 +00:00 · 44166cd662
commit 44166cd662
parent 43df47ffbd
2 changed files with 357 additions and 0 deletions
--- a/manpages/shorewall-tos.xml
+++ b/manpages/shorewall-tos.xml
@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-tos</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>tos</refname>
+
+    <refpurpose>Shorewall Type of Service rules file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/tos</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file defines rules for setting Type Of Service (TOS)</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis></term>
+
+        <listitem>
+          <para>Name of a zone declared in shorewall.zones(5), <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">$FW</emphasis>.</para>
+
+          <para>If not <emphasis role="bold">all</emphasis> or <emphasis
+          role="bold">$FW</emphasis>, may optionally be followed by ":" and an
+          IP address, a MAC address, a subnet specification or the name of an
+          interface.</para>
+
+          <para>Example: loc:192.168.2.3</para>
+
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>
+
+          <para>Example: ~00-A0-C9-15-39-78</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis></term>
+
+        <listitem>
+          <para>Name of a zone declared in shorewall.zones(5), <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">$FW</emphasis>.</para>
+
+          <para>If not <emphasis role="bold">all</emphasis> or <emphasis
+          role="bold">$FW</emphasis>, may optionally be followed by ":" and an
+          IP address or a subnet specification</para>
+
+          <para>Example: loc:192.168.2.3</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTOCOL</emphasis></term>
+
+        <listitem>
+          <para>Protocol name or number.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE PORTS</emphasis></term>
+
+        <listitem>
+          <para>Source port or port range. If all ports, use "-".</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORTS</emphasis></term>
+
+        <listitem>
+          <para>Destination port or port range. If all ports, use "-"</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">TOS</emphasis></term>
+
+        <listitem>
+          <para>Must be one of the following;</para>
+
+          <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis> (16)
+        <emphasis role="bold">tos-maximize-throughput</emphasis> (8)
+        <emphasis role="bold">tos-maximize-reliability</emphasis> (4)
+        <emphasis role="bold">tos-minimize-cost</emphasis> (2)
+        <emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/tos</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/manpages/shorewall-tunnels.xml
+++ b/manpages/shorewall-tunnels.xml
@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-tunnels</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>tunnels</refname>
+
+    <refpurpose>Shorewall VPN definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/tunnels</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">TYPE</emphasis></term>
+
+        <listitem>
+          <para>Must be <emphasis role="bold">ipsec</emphasis>, <emphasis
+          role="bold">ipsecnat</emphasis>, <emphasis
+          role="bold">ipip</emphasis>, <emphasis role="bold">gre</emphasis>,
+          <emphasis role="bold">6to4</emphasis>, <emphasis
+          role="bold">pptpclient</emphasis>, <emphasis
+          role="bold">pptpserver</emphasis>, <emphasis
+          role="bold">openvpn</emphasis>, <emphasis
+          role="bold">openvpnclient</emphasis>, <emphasis
+          role="bold">openvpnserver</emphasis> or <emphasis
+          role="bold">generic</emphasis></para>
+
+          <para>If the type is <emphasis role="bold">ipsec</emphasis> or
+          <emphasis role="bold">ipsecnat</emphasis>, it may be followed by
+          <emphasis role="bold">:noah</emphasis> to indicate that the
+          Authentication Header protocol (51) is not used by the
+          tunnel.</para>
+
+          <para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
+          role="bold">openvpnclient</emphasis> or <emphasis
+          role="bold">openvpnserver</emphasis> it may optionally be followed
+          by ":" and <emphasis role="bold">tcp</emphasis> or <emphasis
+          role="bold">udp</emphasis> to specify the protocol to be used. If
+          not specified, <emphasis role="bold">udp</emphasis> is
+          assumed.</para>
+
+          <para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
+          role="bold">openvpnclient</emphasis> or <emphasis
+          role="bold">openvpnserver</emphasis> it may optionally be followed
+          by ":" and the port number used by the tunnel. if no ":" and port
+          number are included, then the default port of 1194 will be used. .
+          Where both the protocol and port are specified, the protocol must be
+          given first (e.g., openvpn:tcp:4444).</para>
+
+          <para>If type is <emphasis role="bold">generic</emphasis>, it must
+          be followed by ":" and a protocol name (from /etc/protocols) or a
+          protocol number. If the protocol is <emphasis
+          role="bold">tcp</emphasis> or <emphasis role="bold">udp</emphasis>
+          (6 or 17), then it may optionally be followed by ":" and a port
+          number.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ZONE</emphasis></term>
+
+        <listitem>
+          <para>The zone of the physical interface through which tunnel
+          traffic passes. This is normally your internet zone.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">GATEWAY</emphasis></term>
+
+        <listitem>
+          <para>The IP address of the remote tunnel gateway. If the remote
+          gateway has no fixed address (Road Warrior) then specify the gateway
+          as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
+          network address and if your kernel and iptables include iprange
+          match support then IP address ranges are also allowed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>If the gateway system specified in the third column is a
+          standalone host then this column should contain a comma-separated
+          list of the names of the zones that the host might be in. This
+          column only applies to IPSEC tunnels where it enables ISAKMP traffic
+          to flow through the tunnel to the remote gateway.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>IPSec tunnel.</para>
+
+          <para>The remote gateway is 4.33.99.124 and the remote subnet is
+          192.168.9.0/24. The tunnel does not use the AH protocol</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY
+        ipsec:noah      net     4.33.99.124</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Road Warrior (LapTop that may connect from anywhere) where the
+          "gw" zone is used to represent the remote LapTop</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
+        ipsec           net     0.0.0.0/0       gw</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 3:</term>
+
+        <listitem>
+          <para>Host 4.33.99.124 is a standalone system connected via an ipsec
+          tunnel to the firewall system. The host is in zone gw.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
+        ipsec           net     4.33.99.124     gw</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 4:</term>
+
+        <listitem>
+          <para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
+          FreeS/Wan _updown script will add the host to the appropriate zone
+          using the <command>shorewall add</command> command on connect and
+          will remove the host from the zone at disconnect time.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
+        ipsec           net     0.0.0.0/0       vpn1,vpn2,vpn3</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 5:</term>
+
+        <listitem>
+          <para>You run the Linux PPTP client on your firewall and connect to
+          server 192.0.2.221.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
+        pptpclient      net     192.0.2.221</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>You run a PPTP server on your firewall.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
+        pptpserver      net</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 7:</term>
+
+        <listitem>
+          <para>OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn
+          uses port 7777.</para>
+
+          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
+        openvpn:7777    net     4.33.99.124</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 8:</term>
+
+        <listitem>
+          <para>You have a tunnel that is not one of the supported types. Your
+          tunnel uses UDP port 4444. The other end of the tunnel is
+          4.3.99.124.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY         GATEWAY ZONES
+        generic:udp:4444 net     4.3.99.124</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/tunnels</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>