diff --git a/Shorewall-lite/manpages/shorewall-lite-vardir.xml b/Shorewall-lite/manpages/shorewall-lite-vardir.xml index 28d87d0dd..61e83cce0 100644 --- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml +++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml @@ -6,6 +6,8 @@ shorewall-lite-vardir 5 + + Configuration Files @@ -54,7 +56,7 @@ /opt/var/lib/shorewall-lite/. - When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite + When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite will save its state in the directory specified. diff --git a/Shorewall-lite/manpages/shorewall-lite.conf.xml b/Shorewall-lite/manpages/shorewall-lite.conf.xml index 0d18603e5..325789d1a 100644 --- a/Shorewall-lite/manpages/shorewall-lite.conf.xml +++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml @@ -6,6 +6,8 @@ shorewall-lite.conf 5 + + Configuration Files diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index b721f6437..78f26966d 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -6,6 +6,8 @@ shorewall-lite 8 + + Administrative Commands diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index a7a35f4ec..47ca9695b 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml @@ -6,6 +6,8 @@ shorewall-accounting 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml index a8c586a45..e01a5cde1 100644 --- a/Shorewall/manpages/shorewall-actions.xml +++ b/Shorewall/manpages/shorewall-actions.xml @@ -6,6 +6,8 @@ shorewall-actions 5 + + Configuration Files 
@@ -24,8 +26,8 @@ Description This file allows you to define new ACTIONS for use in rules (see - shorewall-rules(5)). You define - the iptables rules to be performed in an ACTION in + shorewall-rules(5)). + You define the iptables rules to be performed in an ACTION in /etc/shorewall/action.action-name. Columns are: diff --git a/Shorewall/manpages/shorewall-arprules.xml b/Shorewall/manpages/shorewall-arprules.xml index a83570483..f21b50eb3 100644 --- a/Shorewall/manpages/shorewall-arprules.xml +++ b/Shorewall/manpages/shorewall-arprules.xml @@ -6,6 +6,8 @@ shorewall-arprules 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-blacklist.xml b/Shorewall/manpages/shorewall-blacklist.xml index 95393785f..b7f6e4310 100644 --- a/Shorewall/manpages/shorewall-blacklist.xml +++ b/Shorewall/manpages/shorewall-blacklist.xml @@ -6,6 +6,8 @@ shorewall-blacklist 5 + + Configuration Files @@ -44,8 +46,8 @@ (if your kernel and iptables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). Exclusion (shorewall-exclusion(5)) is - supported. + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)) + is supported. MAC addresses must be prefixed with "~" and use "-" as a separator. diff --git a/Shorewall/manpages/shorewall-blrules.xml b/Shorewall/manpages/shorewall-blrules.xml index 05960fbff..c1684d203 100644 --- a/Shorewall/manpages/shorewall-blrules.xml +++ b/Shorewall/manpages/shorewall-blrules.xml @@ -6,6 +6,8 @@ shorewall-blrules 5 + + Configuration Files @@ -33,8 +35,9 @@ connections in the NEW and INVALID states. The format of rules in this file is the same as the format of rules - in shorewall-rules (5). The - difference in the two files lies in the ACTION (first) column. + in shorewall-rules + (5). The difference in the two files lies in the ACTION (first) + column. 
@@ -69,8 +72,8 @@ If BLACKLIST_LOGLEVEL is specified in shorewall.conf(5), then - the macro expands to shorewall.conf(5), + then the macro expands to blacklog. @@ -88,10 +91,11 @@ May only be used if BLACKLIST_LOGLEVEL is specified in - shorewall.conf (5). - Logs, audits (if specified) and applies the + shorewall.conf + (5). Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in shorewall.conf (5). + url="/manpages/shorewall.conf.html">shorewall.conf + (5). @@ -205,8 +209,8 @@ The name of an action declared in shorewall-actions(5) or - in /usr/share/shorewall/actions.std. + url="/manpages/shorewall-actions.html">shorewall-actions(5) + or in /usr/share/shorewall/actions.std. @@ -237,8 +241,8 @@ If the ACTION names an action declared in shorewall-actions(5) or in - /usr/share/shorewall/actions.std then: + url="/manpages/shorewall-actions.html">shorewall-actions(5) + or in /usr/share/shorewall/actions.std then: diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index 76d281fb7..90a4c0b57 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -6,6 +6,8 @@ shorewall6-conntrack 5 + + Configuration Files @@ -365,7 +367,8 @@ Where interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall-exclusion + shorewall-exclusion (5)). COMMENT is only allowed in format 1; the remainder of the line @@ -381,7 +384,8 @@ where address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall-exclusion + shorewall-exclusion (5)). diff --git a/Shorewall/manpages/shorewall-ecn.xml b/Shorewall/manpages/shorewall-ecn.xml index 45306f4c0..fa3758a04 100644 --- a/Shorewall/manpages/shorewall-ecn.xml +++ b/Shorewall/manpages/shorewall-ecn.xml @@ -6,6 +6,8 @@ shorewall-ecn 5 + + Configuration Files 
@@ -64,12 +66,13 @@ See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall/manpages/shorewall-exclusion.xml b/Shorewall/manpages/shorewall-exclusion.xml index 3dba2c739..6f414fbb2 100644 --- a/Shorewall/manpages/shorewall-exclusion.xml +++ b/Shorewall/manpages/shorewall-exclusion.xml @@ -6,6 +6,8 @@ shorewall-exclusion 5 + + Configuration Files @@ -88,8 +90,8 @@ ACCEPT all!z2 net tcp 22 In most contexts, ipset names can be used as an address-or-range. Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may also be included (see shorewall-ipsets (5)). The semantics - of these lists when used in an exclusion are as follows: + url="/manpages/shorewall-ipsets.html">shorewall-ipsets (5)). The + semantics of these lists when used in an exclusion are as follows: diff --git a/Shorewall/manpages/shorewall-hosts.xml b/Shorewall/manpages/shorewall-hosts.xml index 902184627..98e4fff8e 100644 
--- a/Shorewall/manpages/shorewall-hosts.xml +++ b/Shorewall/manpages/shorewall-hosts.xml @@ -6,6 +6,8 @@ shorewall-hosts 5 + + Configuration Files @@ -29,8 +31,8 @@ The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall-zones(5) determines the order - in which the records in this file are interpreted. + url="/manpages/shorewall-zones.html">shorewall-zones(5) determines + the order in which the records in this file are interpreted. The only time that you need this file is when you have more than @@ -39,9 +41,9 @@ If you have an entry for a zone and interface in shorewall-interfaces(5) then do - not include any entries in this file for that same (zone, interface) - pair. + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) + then do not include any entries in this file for that same (zone, + interface) pair. The columns in the file are as follows. @@ -53,8 +55,8 @@ The name of a zone declared in shorewall-zones(5). You may not - list the firewall zone in this column. + url="/manpages/shorewall-zones.html">shorewall-zones(5). You + may not list the firewall zone in this column. @@ -67,9 +69,9 @@ The name of an interface defined in the shorewall-interfaces(5) file - followed by a colon (":") and a comma-separated list whose elements - are either: + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) + file followed by a colon (":") and a comma-separated list whose + elements are either: @@ -169,8 +171,8 @@ The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall-zones(5) file - then you do NOT need to specify the 'ipsec' option + url="/manpages/shorewall-zones.html">shorewall-zones(5) + file then you do NOT need to specify the 'ipsec' option here. 
@@ -181,8 +183,8 @@ Connection requests from these hosts are compared against the contents of shorewall-maclist(5). If - this option is specified, the interface must be an Ethernet + url="/manpages/shorewall-maclist.html">shorewall-maclist(5). + If this option is specified, the interface must be an Ethernet NIC or equivalent and must be up before Shorewall is started. @@ -212,8 +214,8 @@ Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in shorewall.conf(5). After - logging, the packets are dropped. + url="/manpages/shorewall.conf.html">shorewall.conf(5). + After logging, the packets are dropped. diff --git a/Shorewall/manpages/shorewall-init.xml b/Shorewall/manpages/shorewall-init.xml index 20c5db07c..eed0b4e97 100644 --- a/Shorewall/manpages/shorewall-init.xml +++ b/Shorewall/manpages/shorewall-init.xml @@ -6,6 +6,8 @@ shorewall-init 8 + + Administrative Commands @@ -145,10 +147,11 @@ On a laptop with both Ethernet and wireless interfaces, you will want to make both interfaces optional and set the REQUIRE_INTERFACE option - to Yes in shorewall.conf (5) or - shorewall6.conf - (5). This causes the firewall to remain stopped until at least one of the - interfaces comes up. + to Yes in shorewall.conf + (5) or shorewall6.conf (5). This + causes the firewall to remain stopped until at least one of the interfaces + comes up. 
@@ -163,12 +166,13 @@ See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index cf854ce18..5b3072d6f 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -6,6 +6,8 @@ shorewall-interfaces 5 + + Configuration Files @@ -71,7 +73,8 @@ in this column. If the interface serves multiple zones that will be defined in - the shorewall-hosts(5) + the shorewall-hosts(5) file, you should place "-" in this column. If there are multiple interfaces to the same zone, you must 
@@ -111,8 +114,8 @@ loc eth2 - When using Shorewall versions before 4.1.4, care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See shorewall-nesting(5) for a - discussion of this problem. + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) + for a discussion of this problem. Shorewall allows '+' as an interface name. @@ -433,8 +436,8 @@ loc eth2 - Connection requests from this interface are compared against the contents of shorewall-maclist(5). If - this option is specified, the interface must be an Ethernet + url="/manpages/shorewall-maclist.html">shorewall-maclist(5). + If this option is specified, the interface must be an Ethernet NIC and must be up before Shorewall is started. @@ -486,8 +489,8 @@ loc eth2 - Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in shorewall.conf(5). After - logging, the packets are dropped. + url="/manpages/shorewall.conf.html">shorewall.conf(5). + After logging, the packets are dropped. @@ -631,9 +634,9 @@ loc eth2 - If ROUTE_FILTER=Yes in shorewall.conf(5), or if - your distribution sets net.ipv4.conf.all.rp_filter=1 in - /etc/sysctl.conf, then setting + url="/manpages/shorewall.conf.html">shorewall.conf(5), + or if your distribution sets net.ipv4.conf.all.rp_filter=1 + in /etc/sysctl.conf, then setting routefilter=0 in an interface entry will not disable route filtering on that @@ -653,8 +656,8 @@ loc eth2 - If USE_DEFAULT_RT=Yes in shorewall.conf(5) and - the interface is listed in shorewall.conf(5) + and the interface is listed in shorewall-providers(5). diff --git a/Shorewall/manpages/shorewall-ipsets.xml b/Shorewall/manpages/shorewall-ipsets.xml index a7b3b850f..2f505ef10 100644 --- a/Shorewall/manpages/shorewall-ipsets.xml +++ b/Shorewall/manpages/shorewall-ipsets.xml @@ -6,6 +6,8 @@ shorewall-ipsets 5 + + Configuration Files 
@@ -79,7 +81,8 @@ specified, matching packets must match all of the listed sets. For information about set lists and exclusion, see shorewall-exclusion (5). + url="/manpages/shorewall-exclusion.html">shorewall-exclusion + (5). Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a packet matches an ipset. You do that by listing diff --git a/Shorewall/manpages/shorewall-maclist.xml b/Shorewall/manpages/shorewall-maclist.xml index fe4c45be3..612c812e9 100644 --- a/Shorewall/manpages/shorewall-maclist.xml +++ b/Shorewall/manpages/shorewall-maclist.xml @@ -6,6 +6,8 @@ shorewall-maclist 5 + + Configuration Files @@ -27,9 +29,9 @@ associated IP addresses to be allowed to use the specified interface. The feature is enabled by using the maclist option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration - file. + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5) + or shorewall-hosts(5) + configuration file. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in @@ -45,8 +47,8 @@ ACCEPT or DROP (if MACLIST_TABLE=filter in shorewall.conf(5), then REJECT is - also allowed). If specified, the + url="/manpages/shorewall.conf.html">shorewall.conf(5), then + REJECT is also allowed). If specified, the log-level causes packets matching the rule to be logged at that level. diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index 6e52a89c2..b4cd5ba13 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -6,6 +6,8 @@ shorewall-mangle 5 + + Configuration Files 
@@ -24,13 +26,15 @@ Description This file was introduced in Shorewall 4.6.0 and is intended to - replace shorewall-rules(5). - This file is only processed by the compiler if: + replace shorewall-rules(5). This + file is only processed by the compiler if: No file named 'tcrules' exists on the current CONFIG_PATH (see - shorewall.conf(5)); or + shorewall.conf(5)); + or @@ -44,10 +48,10 @@ Unlike rules in the shorewall-rules(5) file, evaluation - of rules in this file will continue after a match. So the final mark for - each packet will be the one assigned by the LAST tcrule that - matches. + url="/manpages/shorewall-rules.html">shorewall-rules(5) file, + evaluation of rules in this file will continue after a match. So the + final mark for each packet will be the one assigned by the LAST tcrule + that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at Unless otherwise specified for the particular command, the default chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5), and FORWARD - when MARK_IN_FORWARD_CHAIN=Yes. + url="/manpages/shorewall.conf.html">shorewall.conf(5), and + FORWARD when MARK_IN_FORWARD_CHAIN=Yes. A chain-designator may not be specified if the SOURCE or DEST columns begin with '$FW'. When the SOURCE is $FW, the generated rule @@ -310,8 +314,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark If INLINE_MATCHES=Yes in shorewall6.conf(5) then the - third rule above can be specified as follows: + url="/manpages/shorewall.conf.html">shorewall6.conf(5) + then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index db1a603cf..6c696db4b 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml @@ -6,6 +6,8 @@ shorewall-masq 5 + + Configuration Files 
@@ -35,8 +37,8 @@ If you have more than one ISP link, adding entries to this file will not force connections to go out through a particular link. You must use entries in shorewall-rtrules(5) or PREROUTING - entries in shorewall-rtrules(5) or + PREROUTING entries in shorewall-mangle(5) to do that. @@ -55,27 +57,26 @@ Outgoing interfacelist. This may be a comma-separated list of interface names. This is usually your internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you may add ":" - and a digit to indicate that you want the alias - added with that name (e.g., eth0:0). This will allow the alias to be - displayed with ifconfig. That is the only use - for the alias name; it may not appear in any other place in your - Shorewall configuration. + url="/manpages/shorewall.conf.html">shorewall.conf(5), you + may add ":" and a digit to indicate that you + want the alias added with that name (e.g., eth0:0). This will allow + the alias to be displayed with ifconfig. That + is the only use for the alias name; it may not appear in any other + place in your Shorewall configuration. Each interface must match an entry in shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For - example, ppp0 in this file - will match a shorewall-interfaces(5). + For example, ppp0 in this + file will match a shorewall-interfaces(5) entry that defines ppp+. - Where more that - one internet provider share a single interface, the provider - is specified by including the provider name or number in + Where more that one + internet provider share a single interface, the provider is + specified by including the provider name or number in parentheses: eth0(Avvanta) 
@@ -88,8 +89,8 @@ addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations. Exclusion is allowed (see shorewall-exclusion(5)) as - are ipset names preceded by a plus sign '+'; + url="/manpages/shorewall-exclusion.html">shorewall-exclusion(5)) + as are ipset names preceded by a plus sign '+'; If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then include the ":" but omit the digit: @@ -99,9 +100,9 @@ Normally Masq/SNAT rules are evaluated after those for one-to-one NAT (defined in shorewall-nat(5)). If you want the - rule to be applied before one-to-one NAT rules, prefix the interface - name with "+": + url="/manpages/shorewall-nat.html">shorewall-nat(5)). If you + want the rule to be applied before one-to-one NAT rules, prefix the + interface name with "+": +eth0 +eth0:192.0.2.32/27 @@ -174,7 +175,8 @@ If you specify an address here, SNAT will be used and this will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes - in shorewall.conf(5) then + in shorewall.conf(5) then Shorewall will automatically add this address to the INTERFACE named in the first column. @@ -689,8 +691,8 @@ If INLINE_MATCHES=Yes in shorewall.conf(5), then these - rules may be specified as follows: + url="/manpages/shorewall.conf.html">shorewall.conf(5), then + these rules may be specified as follows: /etc/shorewall/masq: diff --git a/Shorewall/manpages/shorewall-modules.xml b/Shorewall/manpages/shorewall-modules.xml index 19144c6ab..55112cab4 100644 --- a/Shorewall/manpages/shorewall-modules.xml +++ b/Shorewall/manpages/shorewall-modules.xml @@ -6,6 +6,8 @@ shorewall-modules 5 + + Configuration Files 
@@ -86,13 +88,13 @@ See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml index 0b1795ddf..33156e5d9 100644 --- a/Shorewall/manpages/shorewall-nat.xml +++ b/Shorewall/manpages/shorewall-nat.xml @@ -6,6 +6,8 @@ shorewall-nat 5 + + Configuration Files @@ -29,10 +31,10 @@ If all you want to do is simple port forwarding, do NOT use this file. See http://www.shorewall.net/FAQ.htm#faq1. - Also, in many cases, Proxy ARP (shorewall-proxyarp(5)) is a better - solution that one-to-one NAT. + url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1. Also, + in many cases, Proxy ARP (shorewall-proxyarp(5)) + is a better solution that one-to-one NAT. The columns in the file are as follows (where the column name is 
@@ -72,7 +74,8 @@ Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in - shorewall.conf(5), + shorewall.conf(5), Shorewall will automatically add the EXTERNAL address to this interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface name with ":" and a digit to indicate that you @@ -85,9 +88,9 @@ Each interface must match an entry in shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For - example, ppp0 in this file - will match a shorewall-interfaces(5). + For example, ppp0 in this + file will match a shorewall-interfaces(5) entry that defines ppp+. diff --git a/Shorewall/manpages/shorewall-nesting.xml b/Shorewall/manpages/shorewall-nesting.xml index 435bcfedd..9287998cd 100644 --- a/Shorewall/manpages/shorewall-nesting.xml +++ b/Shorewall/manpages/shorewall-nesting.xml @@ -6,6 +6,8 @@ shorewall-nesting 5 + + Configuration Files @@ -24,17 +26,18 @@ Description - In shorewall-zones(5), a - zone may be declared to be a sub-zone of one or more other zones using the + In shorewall-zones(5), a zone + may be declared to be a sub-zone of one or more other zones using the above syntax. The child-zone may be neither the firewall zone nor a vserver zone. The firewall zone may not appear as a parent zone, although all vserver zones are handled as sub-zones of the firewall zone. Where zones are nested, the CONTINUE policy in shorewall-policy(5) allows hosts that - are within multiple zones to be managed under the rules of all of these - zones. + url="/manpages/shorewall-policy.html">shorewall-policy(5) allows + hosts that are within multiple zones to be managed under the rules of all + of these zones. 
@@ -74,7 +77,8 @@ under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in - shorewall.conf(5). + shorewall.conf(5). Partial /etc/shorewall/rules: @@ -204,12 +208,13 @@ See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall/manpages/shorewall-netmap.xml b/Shorewall/manpages/shorewall-netmap.xml index 9fa517638..f9018b3c6 100644 --- a/Shorewall/manpages/shorewall-netmap.xml +++ b/Shorewall/manpages/shorewall-netmap.xml @@ -6,6 +6,8 @@ shorewall-netmap 5 + + Configuration Files 
@@ -95,9 +97,9 @@ in shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For - example, ppp0 in this file - will match a shorewall-interfaces(5). + For example, ppp0 in this + file will match a shorewall-interfaces(8) entry that defines ppp+. @@ -145,8 +147,8 @@ ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or - a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, diff --git a/Shorewall/manpages/shorewall-params.xml b/Shorewall/manpages/shorewall-params.xml index 024c23515..1a923fc8f 100644 --- a/Shorewall/manpages/shorewall-params.xml +++ b/Shorewall/manpages/shorewall-params.xml @@ -6,6 +6,8 @@ shorewall-params 5 + + Configuration Files @@ -26,8 +28,8 @@ Assign any shell variables that you need in this file. The file is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in shorewall.conf (5) so the full range of - shell capabilities may be used. + url="/manpages/shorewall.conf.html">shorewall.conf (5) so the full + range of shell capabilities may be used. It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall @@ -40,7 +42,8 @@ Any option from shorewall.conf (5) + url="/manpages/shorewall.conf.html">shorewall.conf + (5) COMMAND diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index dac200fce..a317f80da 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml @@ -6,6 +6,8 @@ shorewall-policy 5 + + Configuration Files 
@@ -66,8 +68,8 @@ Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW, "all" or - "all+". + url="/manpages/shorewall-zones.html">shorewall-zones(5), + $FW, "all" or "all+". Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" @@ -84,11 +86,11 @@ Destination zone. Must be the name of a zone defined in shorewall-zones(5), $FW, "all" or - "all+". If the DEST is a bport zone, then the SOURCE must be "all", - "all+", another bport zone associated with the same bridge, or it - must be an ipv4 zone that is associated with only the same - bridge. + url="/manpages/shorewall-zones.html">shorewall-zones(5), + $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE + must be "all", "all+", another bport zone associated with the same + bridge, or it must be an ipv4 zone that is associated with only the + same bridge. Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" @@ -118,8 +120,8 @@ The word "None" or "none". This causes any default action defined in shorewall.conf(5) to be - omitted for this policy. + url="/manpages/shorewall.conf.html">shorewall.conf(5) to + be omitted for this policy. @@ -191,8 +193,8 @@ might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this policy). See shorewall-nesting(5) for - additional information. + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) + for additional information. diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml index 8e050afae..b5df8e756 100644 --- a/Shorewall/manpages/shorewall-providers.xml +++ b/Shorewall/manpages/shorewall-providers.xml @@ -6,6 +6,8 @@ shorewall-providers 5 + + Configuration Files 
@@ -77,17 +79,17 @@ A FWMARK value used in your shorewall-mangle(5) file to - direct packets to this provider. + url="/manpages/shorewall-mangle.html">shorewall-mangle(5) + file to direct packets to this provider. If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value - must be a multiple of 256 between 256 and 65280 or their hexadecimal - equivalents (0x0100 and 0xff00 with the low-order byte of the value - being zero). Otherwise, the value must be between 1 and 255. Each - provider must be assigned a unique mark value. This column may be - omitted if you don't use packet marking to direct connections to a - particular provider. + url="/manpages/shorewall.conf.html">shorewall.conf(5), then + the value must be a multiple of 256 between 256 and 65280 or their + hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte + of the value being zero). Otherwise, the value must be between 1 and + 255. Each provider must be assigned a unique mark value. This column + may be omitted if you don't use packet marking to direct connections + to a particular provider. @@ -112,8 +114,8 @@ The name of the network interface to the provider. Must be listed in shorewall-interfaces(5). In - general, that interface should not have the + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5). + In general, that interface should not have the option specified unless is given in the OPTIONS column of this entry. @@ -177,8 +179,9 @@ Beginning with Shorewall 4.4.3, defaults to the setting of the TRACK_PROVIDERS option in - shorewall.conf (5). - If you set TRACK_PROVIDERS=Yes and want to override that + shorewall.conf + (5). If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify (see below). diff --git a/Shorewall/manpages/shorewall-proxyarp.xml b/Shorewall/manpages/shorewall-proxyarp.xml index d11aa607e..2f199a198 100644 --- a/Shorewall/manpages/shorewall-proxyarp.xml +++ b/Shorewall/manpages/shorewall-proxyarp.xml 
@@ -6,6 +6,8 @@ shorewall-proxyarp 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-routes.xml b/Shorewall/manpages/shorewall-routes.xml index c1d7cf993..b99236df4 100644 --- a/Shorewall/manpages/shorewall-routes.xml +++ b/Shorewall/manpages/shorewall-routes.xml @@ -6,6 +6,8 @@ shorewall-routes 5 + + Configuration Files @@ -34,8 +36,8 @@ The name or number of a provider defined in shorewall-providers (5). - Beginning with Shorewall 4.5.14, you may also enter + url="/manpages/shorewall-providers.html">shorewall-providers + (5). Beginning with Shorewall 4.5.14, you may also enter in this column to add routes to the main routing table. @@ -73,8 +75,8 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall-providers (5). This - column must be omitted if , + url="/manpages/shorewall-providers.html">shorewall-providers + (5). This column must be omitted if , or is specified in the GATEWAY column. diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml index 3aca6d8bf..825de0068 100644 --- a/Shorewall/manpages/shorewall-routestopped.xml +++ b/Shorewall/manpages/shorewall-routestopped.xml @@ -6,6 +6,8 @@ shorewall-routestopped 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-rtrules.xml b/Shorewall/manpages/shorewall-rtrules.xml index 797a7a922..e2865698e 100644 --- a/Shorewall/manpages/shorewall-rtrules.xml +++ b/Shorewall/manpages/shorewall-rtrules.xml @@ -6,6 +6,8 @@ shorewall-rtrules 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 7be193f97..0466f8c6f 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -6,6 +6,8 @@ shorewall-rules 5 + + Configuration Files 
@@ -25,8 +27,8 @@ Entries in this file govern connection establishment by defining exceptions to the policies laid out in shorewall-policy(5). By default, - subsequent requests and responses are automatically allowed using + url="/manpages/shorewall-policy.html">shorewall-policy(5). By + default, subsequent requests and responses are automatically allowed using connection tracking. For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the first terminating match is the one that determines the disposition of the @@ -145,8 +147,8 @@ If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ALL, ESTABLISHED and shorewall.conf(5) then the + ALL, ESTABLISHED and RELATED sections must be empty. An except is made if you are running Shorewall 4.4.27 or later and @@ -234,8 +236,8 @@ The name of an action declared in shorewall-actions(5) or - in /usr/share/shorewall/actions.std. + url="/manpages/shorewall-actions.html">shorewall-actions(5) + or in /usr/share/shorewall/actions.std. @@ -329,12 +331,13 @@ Do not process any of the following rules for this (source zone,destination zone). If the source and/or destination IP address falls into a zone defined later in - shorewall-zones(5) + shorewall-zones(5) or in a parent zone of the source or destination zones, then this connection request will be passed to the rules defined for that (those) zone(s). See shorewall-nesting(5) for - additional information. + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) + for additional information. @@ -671,8 +674,8 @@ If the ACTION names an action declared in shorewall-actions(5) or in - /usr/share/shorewall/actions.std then: + url="/manpages/shorewall-actions.html">shorewall-actions(5) + or in /usr/share/shorewall/actions.std then: 
@@ -732,10 +735,10 @@ Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall-zones (5). This - zone-list may be optionally followed by - "+" to indicate that the rule is to apply to intra-zone traffic as - well as inter-zone traffic. + url="/manpages/shorewall-zones.html">shorewall-zones (5). + This zone-list may be optionally followed + by "+" to indicate that the rule is to apply to intra-zone traffic + as well as inter-zone traffic. When none is used either in the SOURCE or Location of Server. May be a zone declared in shorewall-zones(5), $FW to indicate the firewall itself, all. all+ or - none. + url="/manpages/shorewall-zones.html">shorewall-zones(5), + $FW to indicate the firewall + itself, all. all+ or none. Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall-zones (5). This - zone-list may be optionally followed by - "+" to indicate that the rule is to apply to intra-zone traffic as - well as inter-zone traffic. + url="/manpages/shorewall-zones.html">shorewall-zones (5). + This zone-list may be optionally followed + by "+" to indicate that the rule is to apply to intra-zone traffic + as well as inter-zone traffic. Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A @@ -1577,8 +1581,8 @@ If the HELPERS option is specified in shorewall.conf(5), then any module - specified in this column must be listed in the HELPERS + url="/manpages/shorewall.conf.html">shorewall.conf(5), then + any module specified in this column must be listed in the HELPERS setting. diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml index ec171807c..820acaf62 100644 --- a/Shorewall/manpages/shorewall-secmarks.xml +++ b/Shorewall/manpages/shorewall-secmarks.xml @@ -6,6 +6,8 @@ shorewall-secmarks 5 + + Configuration Files 
@@ -25,10 +27,10 @@ Unlike rules in the shorewall-rules(5) file, evaluation - of rules in this file will continue after a match. So the final secmark - for each packet will be the one assigned by the LAST rule that - matches. + url="/manpages/shorewall-rules.html">shorewall-rules(5) file, + evaluation of rules in this file will continue after a match. So the + final secmark for each packet will be the one assigned by the LAST rule + that matches. The secmarks file is used to associate an SELinux context with @@ -249,8 +251,8 @@ port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or - a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml index b6532b630..9a999c5b4 100644 --- a/Shorewall/manpages/shorewall-stoppedrules.xml +++ b/Shorewall/manpages/shorewall-stoppedrules.xml @@ -6,6 +6,8 @@ shorewall-stoppedrules 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-tcclasses.xml b/Shorewall/manpages/shorewall-tcclasses.xml index 963abb188..a53ab2617 100644 --- a/Shorewall/manpages/shorewall-tcclasses.xml +++ b/Shorewall/manpages/shorewall-tcclasses.xml @@ -6,6 +6,8 @@ shorewall-tcclasses 5 + + Configuration Files 
@@ -125,9 +127,9 @@ You may specify the interface number rather than the interface name. If the classify option is given for the interface in shorewall-tcdevices(5), then - you must also specify an interface class (an integer that must be - unique within classes associated with this interface). If the + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5), + then you must also specify an interface class (an integer that must + be unique within classes associated with this interface). If the classify option is not given, you may still specify a class or you may have Shorewall generate a class number from the MARK value. Interface numbers and class @@ -144,8 +146,8 @@ Normally, all classes defined here are sub-classes of a root class that is implicitly defined from the entry in shorewall-tcdevices(5). You - can establish a class hierarchy by specifying a + url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices(5). + You can establish a class hierarchy by specifying a parent class -- the number of a class that you have previously defined. The sub-class may borrow unused bandwidth from its parent. @@ -159,11 +161,12 @@ The mark value which is an integer in the range 1-255. You set mark values in the shorewall-mangle(5) file, - marking the traffic you want to fit in the classes defined in here. - Must be specified as '-' if the shorewall-mangle(5) + file, marking the traffic you want to fit in the classes defined in + here. Must be specified as '-' if the classify option is given for the interface in - shorewall-tcdevices(5) + shorewall-tcdevices(5) and you are running Shorewall 4.5.5 or earlier. You can use the same marks for different interfaces. @@ -290,7 +293,7 @@ This is the default class for that interface where all traffic should go, that is not classified otherwise. - + You must define number. For additional information, see - shorewall-tcrules + shorewall-tcrules (5). 
@@ -720,10 +724,10 @@ priority number, giving less delay) and will be granted excess bandwidth (up to 180kbps, the class ceiling) first, before any other traffic. A single VoIP stream, depending upon codecs, after - encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a - little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ - classes EF and AFF3-1 respectively and are often used by VOIP - devices). + encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad + a little bit just in case. (TOS byte values 0xb8 and 0x68 are + DiffServ classes EF and AFF3-1 respectively and are often used by + VOIP devices). Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP echo traffic if you use the example in tcrules) and any packet with diff --git a/Shorewall/manpages/shorewall-tcdevices.xml b/Shorewall/manpages/shorewall-tcdevices.xml index 5ff9b3411..6c5f77e2e 100644 --- a/Shorewall/manpages/shorewall-tcdevices.xml +++ b/Shorewall/manpages/shorewall-tcdevices.xml @@ -6,6 +6,8 @@ shorewall-tcdevices 5 + + Configuration Files @@ -150,8 +152,7 @@ Beginning with Shorewall 4.4.25, a rate-estimated policing filter may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by - default. See Shorewall FAQ + default. See Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml index 2b79ce009..8929c2012 100644 --- a/Shorewall/manpages/shorewall-tcfilters.xml +++ b/Shorewall/manpages/shorewall-tcfilters.xml @@ -6,6 +6,8 @@ shorewall-tcfilters 5 + + Configuration Files diff --git a/Shorewall/manpages/shorewall-tcinterfaces.xml b/Shorewall/manpages/shorewall-tcinterfaces.xml index 87d045a3b..1bc40c57b 100644 --- a/Shorewall/manpages/shorewall-tcinterfaces.xml +++ b/Shorewall/manpages/shorewall-tcinterfaces.xml 
@@ -6,6 +6,8 @@ shorewall-tcinterfaces 5 + + Configuration Files @@ -25,7 +27,8 @@ This file lists the interfaces that are subject to simple traffic shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in - shorewall.conf(5). + shorewall.conf(5). A note on the bandwidth definition used in this file: @@ -161,8 +164,7 @@ Beginning with Shorewall 4.4.25, a rate-estimated policing filter may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by - default. See Shorewall FAQ + default. See Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with diff --git a/Shorewall/manpages/shorewall-tcpri.xml b/Shorewall/manpages/shorewall-tcpri.xml index 908bfd812..dc68f60d3 100644 --- a/Shorewall/manpages/shorewall-tcpri.xml +++ b/Shorewall/manpages/shorewall-tcpri.xml @@ -6,6 +6,8 @@ shorewall-tcpri 5 + + Configuration Files @@ -25,12 +27,13 @@ This file is used to specify the priority of traffic for simple traffic shaping (TC_ENABLED=Simple in shorewall.conf(5)). The priority band of - each packet is determined by the last - entry that the packet matches. If a packet doesn't match any entry in this - file, then its priority will be determined by its TOS field. The default - mapping is as follows but can be changed by setting the TC_PRIOMAP option - in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5)). The + priority band of each packet is determined by the last entry that the packet matches. If a packet + doesn't match any entry in this file, then its priority will be determined + by its TOS field. The default mapping is as follows but can be changed by + setting the TC_PRIOMAP option in shorewall.conf(5). TOS Bits Means Linux Priority BAND ------------------------------------------------------------ 
@@ -131,8 +134,8 @@ [helper] - Optional. Names a Netfilter protocol helper module such as ftp, - sip, amanda, etc. A packet will match if it was accepted by the + Optional. Names a Netfilter protocol helper module such as + ftp, sip, amanda, etc. A packet will match if it was accepted by the named helper module. You can also append "-" and a port number to the helper module name (e.g., ftp-21) to specify the port number that the original connection was made on. diff --git a/Shorewall/manpages/shorewall-template.xml b/Shorewall/manpages/shorewall-template.xml index 359917b4e..6ec23013a 100644 --- a/Shorewall/manpages/shorewall-template.xml +++ b/Shorewall/manpages/shorewall-template.xml @@ -6,6 +6,8 @@ shorewall- 5 + + Configuration Files @@ -52,12 +54,13 @@ See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall/manpages/shorewall-tos.xml b/Shorewall/manpages/shorewall-tos.xml index 76c39cca4..f54f805d5 100644 
--- a/Shorewall/manpages/shorewall-tos.xml +++ b/Shorewall/manpages/shorewall-tos.xml @@ -6,6 +6,8 @@ shorewall-tos 5 + + Configuration Files @@ -25,7 +27,8 @@ This file defines rules for setting Type Of Service (TOS). Its use is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in - shorewall-mangle (5). + shorewall-mangle + (5). The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml index c252ab310..7f31473a2 100644 --- a/Shorewall/manpages/shorewall-tunnels.xml +++ b/Shorewall/manpages/shorewall-tunnels.xml @@ -6,6 +6,8 @@ shorewall-tunnels 5 + + Configuration Files @@ -27,8 +29,8 @@ encrypted) traffic to pass between the Shorewall system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See http://www.shorewall.net/VPNBasics.html - for details. + url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html for + details. The columns in the file are as follows. @@ -143,8 +145,8 @@ Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall-exclusion (5) ) is - not supported. + url="/manpages/shorewall-exclusion.html">shorewall-exclusion + (5) ) is not supported. diff --git a/Shorewall/manpages/shorewall-vardir.xml b/Shorewall/manpages/shorewall-vardir.xml index 71c62b699..670daa8fb 100644 --- a/Shorewall/manpages/shorewall-vardir.xml +++ b/Shorewall/manpages/shorewall-vardir.xml @@ -6,6 +6,8 @@ shorewall-vardir 5 + + Configuration Files 
@@ -54,12 +56,13 @@ See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall/manpages/shorewall-zones.xml b/Shorewall/manpages/shorewall-zones.xml index 4215b7a81..e6a5d7c36 100644 --- a/Shorewall/manpages/shorewall-zones.xml +++ b/Shorewall/manpages/shorewall-zones.xml @@ -6,6 +6,8 @@ shorewall-zones 5 + + Configuration Files @@ -45,17 +47,17 @@ "none", "any", "SOURCE" and "DEST" are reserved and may not be used as zone names. The maximum length of a zone name is determined by the setting of the LOGFORMAT option in shorewall.conf(5). With the - default LOGFORMAT, zone names can be at most 5 characters + url="/manpages/shorewall.conf.html">shorewall.conf(5). With + the default LOGFORMAT, zone names can be at most 5 characters long.
The maximum length of an iptables log prefix is 29 bytes. As explained in shorewall.conf (5), the default - LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first - %s is replaced by the chain name and the second is replaced by the - disposition. + url="/manpages/shorewall.conf.html">shorewall.conf (5), + the default LOGPREFIX formatting string is “Shorewall:%s:%s:” + where the first %s is replaced by the chain name and the second is + replaced by the disposition. @@ -97,8 +99,8 @@ (sub)zone name by ":" and a comma-separated list of the parent zones. The parent zones must have been declared in earlier records in this file. See shorewall-nesting(5) for - additional information. + url="/manpages/shorewall-nesting.html">shorewall-nesting(5) + for additional information. Example: @@ -110,8 +112,8 @@ c:a,b ipv4 Currently, Shorewall uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall.conf(5) can also create - implicit CONTINUE policies to/from the subzone. + url="/manpages/shorewall.conf.html">shorewall.conf(5) can + also create implicit CONTINUE policies to/from the subzone. Where an ipsec zone is explicitly included as a child of an Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver guests. The zone contents must be defined in - shorewall-hosts + shorewall-hosts (5). Vserver zones are implicitly handled as subzones of the @@ -310,7 +313,8 @@ c:a,b ipv4 Added in Shorewall 4.5.9. May only be specified in the OPTIONS column and indicates that only a single ipset should be created for this zone if it has multiple dynamic entries in - shorewall-hosts(5). + shorewall-hosts(5). Without this option, a separate ipset is created for each interface. 
@@ -354,9 +358,9 @@ c:a,b ipv4 sets the MSS field in TCP packets. If you supply this option, you should also set FASTACCEPT=No in shorewall.conf(5) to insure - that both the SYN and SYN,ACK packets have their MSS field - adjusted. + url="/manpages/shorewall.conf.html">shorewall.conf(5) + to insure that both the SYN and SYN,ACK packets have their MSS + field adjusted. diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 4ad18bb77..82fa1e181 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -6,6 +6,8 @@ shorewall.conf 5 + + Configuration Files @@ -204,8 +206,8 @@ Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting is enabled (see shorewall-accounting(5)). If - not specified or set to the empty value, ACCOUNTING=Yes is + url="/manpages/shorewall-accounting.html">shorewall-accounting(5)). + If not specified or set to the empty value, ACCOUNTING=Yes is assumed. @@ -230,8 +232,8 @@ This parameter determines whether Shorewall automatically adds the external address(es) in shorewall-nat(5). If the variable - is set to Yes or shorewall-nat(5). If the + variable is set to Yes or yes then Shorewall automatically adds these aliases. If it is set to No or no, you must add these aliases 
@@ -256,13 +258,13 @@ This parameter determines whether Shorewall automatically adds the SNAT ADDRESS in shorewall-masq(5). If the variable - is set to Yes or yes then Shorewall automatically adds these - addresses. If it is set to No or - no, you must add these addresses - yourself using your distribution's network configuration - tools. + url="/manpages/shorewall-masq.html">shorewall-masq(5). If + the variable is set to Yes or + yes then Shorewall automatically + adds these addresses. If it is set to No or no, + you must add these addresses yourself using your distribution's + network configuration tools. If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed. @@ -356,7 +358,8 @@ Specify the appropriate helper in the HELPER column in - shorewall-rules + shorewall-rules (5). @@ -430,7 +433,8 @@ url="/manpages/shorewall-rules.html">shorewall-rules (5). It determines the disposition of packets sent to the blacklog target of shorewall-blrules (5). + url="/manpages/shorewall-blrules.html">shorewall-blrules + (5). @@ -463,9 +467,11 @@ role="bold">yes, blacklists are only consulted for new connections and for packets in the INVALID connection state (such as TCP SYN,ACK when there has been no corresponding SYN). That includes - entries in the shorewall-blrules (5) file - and in the BLACKLIST section of shorewall-rules (5). + entries in the shorewall-blrules (5) + file and in the BLACKLIST section of shorewall-rules + (5). When set to No or no, blacklists are consulted for every packet @@ -534,8 +540,8 @@ /etc/shorewall/tcstart file. That way, your traffic shaping rules can still use the “fwmark” classifier based on packet marking defined in shorewall-tcrules(5). If not - specified, CLEAR_TC=Yes is assumed. + url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5). + If not specified, CLEAR_TC=Yes is assumed. 
@@ -907,8 +913,9 @@ net all DROP infothen the chain name is 'net2all' Prior to version 3.2.0, it was not possible to use connection marking in shorewall-tcrules(5) if you had - a multi-ISP configuration that uses the track option. + url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5) + if you had a multi-ISP configuration that uses the track + option. You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and connection mark into two mark fields. @@ -990,11 +997,12 @@ net all DROP infothen the chain name is 'net2all' Subzones are defined by following their name with ":" and a list of parent zones (in shorewall-zones(5)). Normally, - you want to have a set of special rules for the subzone and if a - connection doesn't match any of those subzone-specific rules then - you want the parent zone rules and policies to be applied; see - shorewall-nesting(5). + url="/manpages/shorewall-zones.html">shorewall-zones(5)). + Normally, you want to have a set of special rules for the subzone + and if a connection doesn't match any of those subzone-specific + rules then you want the parent zone rules and policies to be + applied; see shorewall-nesting(5). With IMPLICIT_CONTINUE=Yes, that happens automatically. If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, @@ -1011,9 +1019,9 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.6.0. Traditionally in shorewall-rules(5), a semicolon - separates column-oriented specifications on the left from alternative + url="/manpages/shorewall-rules.html">shorewall-rules(5), a + semicolon separates column-oriented specifications on the left from + alternative specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the specifications on the right are interpreted as if INLINE had been specified in the ACTION column. If not specified or 
@@ -1029,10 +1037,10 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID packets through the NEW section of shorewall-rules (5). When a - packet in INVALID state fails to match any rule in the INVALID - section, the packet is disposed of based on this setting. The - default value is CONTINUE for compatibility with earlier + url="/manpages/shorewall-rules.html">shorewall-rules (5). + When a packet in INVALID state fails to match any rule in the + INVALID section, the packet is disposed of based on this setting. + The default value is CONTINUE for compatibility with earlier versions. @@ -1117,11 +1125,11 @@ net all DROP infothen the chain name is 'net2all' This option indicates that zone-related ipsec information is found in the zones file (shorewall-zones(5)). The option - indicates to the compiler that this is not a legacy configuration - where the ipsec information was contained in a separate file. The - value of this option must not be changed and the option must not be - deleted. + url="/manpages/shorewall-zones.html">shorewall-zones(5)). + The option indicates to the compiler that this is not a legacy + configuration where the ipsec information was contained in a + separate file. The value of this option must not be changed and the + option must not be deleted. @@ -1378,7 +1386,8 @@ net all DROP infothen the chain name is 'net2all' The setting of LOGFORMAT has an effect of the permitted length of zone names. See shorewall-zones (5). + url="/manpages/shorewall-zones.html">shorewall-zones + (5). @@ -1546,8 +1555,8 @@ LOG:info:,bar net fw The performance of configurations with a large numbers of entries in shorewall-maclist(5) can be - improved by setting the MACLIST_TTL variable in shorewall-maclist(5) + can be improved by setting the MACLIST_TTL variable in shorewall.conf(5). If your iptables and kernel support the "Recent Match" (see 
@@ -1557,14 +1566,15 @@ LOG:info:,bar net fw When a new connection arrives from a 'maclist' interface, the packet passes through then list of entries for that interface in - shorewall-maclist(5). If - there is a match then the source IP address is added to the 'Recent' - set for that interface. Subsequent connection attempts from that IP - address occurring within $MACLIST_TTL seconds will be accepted - without having to scan all of the entries. After $MACLIST_TTL from - the first accepted connection request from an IP address, the next - connection request from that IP address will be checked against the - entire list. + shorewall-maclist(5). + If there is a match then the source IP address is added to the + 'Recent' set for that interface. Subsequent connection attempts from + that IP address occurring within $MACLIST_TTL seconds will be + accepted without having to scan all of the entries. After + $MACLIST_TTL from the first accepted connection request from an IP + address, the next connection request from that IP address will be + checked against the entire list. If MACLIST_TTL is not specified or is specified as empty (e.g, MACLIST_TTL="" or is specified as zero then 'maclist' lookups will 
@@ -2104,12 +2114,13 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED packets that don't match any rule in the RELATED - section of shorewall-rules - (5). Concern about the safety of this practice resulted in the - addition of this option. When a packet in RELATED state fails to - match any rule in the RELATED section, the packet is disposed of - based on this setting. The default value is ACCEPT for compatibility - with earlier versions. + section of shorewall-rules (5). + Concern about the safety of this practice resulted in the addition + of this option. When a packet in RELATED state fails to match any + rule in the RELATED section, the packet is disposed of based on this + setting. The default value is ACCEPT for compatibility with earlier + versions. @@ -2120,9 +2131,9 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Packets in the related state that do not match any rule in the RELATED section of shorewall-rules (5) are logged at - this level. The default value is empty which means no logging is - performed. + url="/manpages/shorewall-rules.html">shorewall-rules (5) are + logged at this level. The default value is empty which means no + logging is performed. @@ -2203,7 +2214,8 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one optional interface must be up in order for the firewall to be in the started state. Intended to be used with the Shorewall Init Package. + url="/manpages/shorewall-init.html">Shorewall Init + Package. 
@@ -2266,17 +2278,17 @@ INLINE - - - ; -j REJECT During shorewall start, IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and shorewall-masq(5) are processed - then are re-added later. This is done to help ensure that the - addresses can be added with the specified labels but can have the - undesirable side effect of causing routes to be quietly deleted. - When RETAIN_ALIASES is set to Yes, existing addresses will not be - deleted. Regardless of the setting of RETAIN_ALIASES, addresses - added during shorewall start are - still deleted at a subsequent shorewall - stop or shorewall - restart. + url="/manpages/shorewall-nat.html">shorewall-nat(5) and + shorewall-masq(5) + are processed then are re-added later. This is done to help ensure + that the addresses can be added with the specified labels but can + have the undesirable side effect of causing routes to be quietly + deleted. When RETAIN_ALIASES is set to Yes, existing addresses will + not be deleted. Regardless of the setting of RETAIN_ALIASES, + addresses added during shorewall + start are still deleted at a subsequent shorewall stop or shorewall restart. @@ -2374,9 +2386,9 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. Determines the disposition of packets matching the option (see shorewall-interfaces(5)) and - of hairpin packets on interfaces without the - option. + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) + and of hairpin packets on interfaces without + the option. Hairpin packets are packets that are routed out of the same interface that they arrived on. interfaces without the routeback option. 
@@ -2390,9 +2402,9 @@ INLINE - - - ; -j REJECT Added on Shorewall 4.4.20. Determines the logging of packets matching the option (see shorewall-interfaces(5)) and - of hairpin packets on interfaces without the - option. + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) + and of hairpin packets on interfaces without + the option. Hairpin packets are packets that are routed out of the same interface that they arrived on. interfaces without the routeback option. The default @@ -2421,9 +2433,9 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. The default setting is DROP which causes smurf packets (see the nosmurfs option in shorewall-interfaces(5)) to - be dropped. A_DROP causes the packets to be audited prior to being - dropped and requires AUDIT_TARGET support in the kernel and + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) + to be dropped. A_DROP causes the packets to be audited prior to + being dropped and requires AUDIT_TARGET support in the kernel and iptables. @@ -2435,8 +2447,8 @@ INLINE - - - ; -j REJECT Specifies the logging level for smurf packets (see the nosmurfs option in shorewall-interfaces(5)). If - set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)). + If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged. @@ -2525,7 +2537,8 @@ INLINE - - - ; -j REJECT If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), simple traffic shaping using shorewall-tcinterfaces(5) - and shorewall-tcpri(5) is + and shorewall-tcpri(5) is enabled. If you set TC_ENABLED=Internal or internal or leave the option 
@@ -2589,10 +2602,10 @@ INLINE - - - ; -j REJECT Determines the disposition of TCP packets that fail the checks enabled by the tcpflags interface option (see shorewall-interfaces(5)) and - must have a value of ACCEPT (accept the packet), REJECT (send an RST - response) or DROP (ignore the packet). If not set or if set to the - empty value (e.g., TCP_FLAGS_DISPOSITION="") then + url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)) + and must have a value of ACCEPT (accept the packet), REJECT (send an + RST response) or DROP (ignore the packet). If not set or if set to + the empty value (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed. A_DROP and A_REJECT are audited versions of DROP and REJECT @@ -2621,8 +2634,8 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.3. When set to Yes, causes the option to be assumed on all providers defined in shorewall-providers(5). May - be overridden on an individual provider through use of the + url="/manpages/shorewall-providers.html">shorewall-providers(5). + May be overridden on an individual provider through use of the option. The default value is 'No'. Beginning in Shorewall 4.4.6, setting this option to 'Yes' @@ -2669,10 +2682,10 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED packets through the NEW section of shorewall-rules (5). When a - packet in UNTRACKED state fails to match any rule in the UNTRACKED - section, the packet is disposed of based on this setting. The - default value is CONTINUE for compatibility with earlier + url="/manpages/shorewall-rules.html">shorewall-rules (5). + When a packet in UNTRACKED state fails to match any rule in the + UNTRACKED section, the packet is disposed of based on this setting. + The default value is CONTINUE for compatibility with earlier versions. 
@@ -2684,9 +2697,9 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match any rule in the UNTRACKED section of shorewall-rules (5) are logged at - this level. The default value is empty which means no logging is - performed. + url="/manpages/shorewall-rules.html">shorewall-rules (5) are + logged at this level. The default value is empty which means no + logging is performed. @@ -2708,8 +2721,8 @@ INLINE - - - ; -j REJECT Both the DUPLICATE and the COPY columns in providers(5) file must - remain empty (or contain "-"). + url="/manpages/shorewall-providers.html">providers(5) + file must remain empty (or contain "-"). @@ -2725,9 +2738,9 @@ INLINE - - - ; -j REJECT Packets are sent through the main routing table by a rule with priority 999. In routing_rules(5), the - range 1-998 may be used for inserting rules that bypass the main - table. + url="/manpages/shorewall-routing_rules.html">routing_rules(5), + the range 1-998 may be used for inserting rules that bypass the + main table. diff --git a/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml b/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml index 3daade303..cd97781f9 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml @@ -6,6 +6,8 @@ shorewall6-lite-vardir 5 + + Configuration Files diff --git a/Shorewall6-lite/manpages/shorewall6-lite.conf.xml b/Shorewall6-lite/manpages/shorewall6-lite.conf.xml index 7b7bbabad..bf846770a 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.conf.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.conf.xml @@ -6,6 +6,8 @@ shorewall6-lite.conf 5 + + Configuration Files diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index 4ee06b48b..1ee77742f 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml 
@@ -6,6 +6,8 @@ shorewall6-lite 8 + + Administrative Commands diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index baacd4a05..f8903ed89 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -6,6 +6,8 @@ shorewall6-accounting 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-actions.xml b/Shorewall6/manpages/shorewall6-actions.xml index 92058cc8c..38f4a11a3 100644 --- a/Shorewall6/manpages/shorewall6-actions.xml +++ b/Shorewall6/manpages/shorewall6-actions.xml @@ -6,6 +6,8 @@ shorewall6-actions 5 + + Configuration Files @@ -24,8 +26,9 @@ Description This file allows you to define new ACTIONS for use in rules (see - shorewall6-rules(5)). You define - the ip6tables rules to be performed in an ACTION in + shorewall6-rules(5)). You + define the ip6tables rules to be performed in an ACTION in /etc/shorewall6/action.action-name. Columns are: diff --git a/Shorewall6/manpages/shorewall6-blacklist.xml b/Shorewall6/manpages/shorewall6-blacklist.xml index 24815e662..1f590e209 100644 --- a/Shorewall6/manpages/shorewall6-blacklist.xml +++ b/Shorewall6/manpages/shorewall6-blacklist.xml @@ -6,6 +6,8 @@ shorewall6-blacklist 5 + + Configuration Files 
@@ -26,10 +28,11 @@ The blacklist file is used to perform static blacklisting by source address (IP or MAC), or by application. The use of this file is deprecated in favor of shorewall6-blrules(5), and beginning - with Shorewall 4.5.7, the blacklist file is no longer installed. Existing - blacklist files can be converted to a corresponding blrules file using the - shorewall6 update -b command. + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules(5), + and beginning with Shorewall 4.5.7, the blacklist file is no longer + installed. Existing blacklist files can be converted to a corresponding + blrules file using the shorewall6 update -b + command. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in @@ -47,8 +50,8 @@ (if your kernel and ip6tables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). Exclusion (shorewall6-exclusion(5)) is - supported. + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)) + is supported. MAC addresses must be prefixed with "~" and use "-" as a separator. @@ -145,13 +148,13 @@ When a packet arrives on an interface that has the blacklist option specified in shorewall6-interfaces(5), its - source IP address and MAC address is checked against this file and + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5), + its source IP address and MAC address is checked against this file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall6.conf(5). If PROTOCOL or shorewall6.conf(5). If + PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching the protocol (and one of the ports if PORTS supplied) are blocked. diff --git a/Shorewall6/manpages/shorewall6-blrules.xml b/Shorewall6/manpages/shorewall6-blrules.xml index bfe977e5c..9c95c6ad3 100644 --- a/Shorewall6/manpages/shorewall6-blrules.xml 
+++ b/Shorewall6/manpages/shorewall6-blrules.xml @@ -6,6 +6,8 @@ shorewall6-blrules 5 + + Configuration Files @@ -34,7 +36,8 @@ connections in the NEW and INVALID states. The format of rules in this file is the same as the format of rules - in shorewall6-rules(5). The + in shorewall6-rules(5). The difference in the two files lies in the ACTION (first) column. @@ -89,10 +92,11 @@ May only be used if BLACKLIST_LOGLEVEL is specified in - shorewall6.conf (5). - Logs, audits (if specified) and applies the + shorewall6.conf + (5). Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in shorewall6.conf (5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf + (5). @@ -206,8 +210,8 @@ The name of an action declared in shorewall6-actions(5) or - in /usr/share/shorewall6/actions.std. + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5) + or in /usr/share/shorewall6/actions.std. @@ -238,8 +242,8 @@ If the ACTION names an action declared in shorewall6-actions(5) or in - /usr/share/shorewall6/actions.std then: + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5) + or in /usr/share/shorewall6/actions.std then: @@ -274,7 +278,8 @@ For the remaining columns, see shorewall6-rules (5). + url="/manpages6/shorewall6-rules.html">shorewall6-rules + (5). diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index b292f7ad8..0032564d8 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -6,6 +6,8 @@ shorewall6-conntrack 5 + + Configuration Files @@ -357,7 +359,8 @@ Where interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall6-exclusion + shorewall6-exclusion (5)). COMMENT is only allowed in format 1; the remainder of the line 
@@ -373,7 +376,8 @@ where address-list is a comma-separated list of addresses (may contain exclusion - see - shorewall6-exclusion + shorewall6-exclusion (5)). diff --git a/Shorewall6/manpages/shorewall6-exclusion.xml b/Shorewall6/manpages/shorewall6-exclusion.xml index 4abd50a6c..8f2b57c2a 100644 --- a/Shorewall6/manpages/shorewall6-exclusion.xml +++ b/Shorewall6/manpages/shorewall6-exclusion.xml @@ -6,6 +6,8 @@ shorewall6-exclusion 5 + + Configuration Files @@ -103,10 +105,11 @@ ACCEPT all!z2 net tcp 22 shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), - shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), - shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5) + shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), + shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), + shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), + shorewall-zones(5) diff --git a/Shorewall6/manpages/shorewall6-hosts.xml b/Shorewall6/manpages/shorewall6-hosts.xml index a4665f8bd..71cc69f35 100644 --- a/Shorewall6/manpages/shorewall6-hosts.xml +++ b/Shorewall6/manpages/shorewall6-hosts.xml @@ -6,6 +6,8 @@ shorewall6-hosts 5 + + Configuration Files 
@@ -29,8 +31,9 @@ The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall6-zones(5) determines the - order in which the records in this file are interpreted. + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5) + determines the order in which the records in this file are + interpreted. The only time that you need this file is when you have more than @@ -39,9 +42,9 @@ If you have an entry for a zone and interface in shorewall6-interfaces(5) then do - not include any entries in this file for that same (zone, interface) - pair. + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) + then do not include any entries in this file for that same (zone, + interface) pair. The columns in the file are as follows (where the column name is @@ -55,8 +58,8 @@ The name of a zone declared in shorewall6-zones(5). You may not - list the firewall zone in this column. + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5). + You may not list the firewall zone in this column. @@ -137,8 +140,8 @@ The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall6-zones(5) file - then you do NOT need to specify the 'ipsec' option + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5) + file then you do NOT need to specify the 'ipsec' option here. diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index 3bd2b4592..bba8f1a76 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -6,6 +6,8 @@ shorewall6-interfaces 5 + + Configuration Files 
@@ -71,7 +73,8 @@ zone in this column. If the interface serves multiple zones that will be defined in - the shorewall6-hosts(5) + the shorewall6-hosts(5) file, you should place "-" in this column. If there are multiple interfaces to the same zone, you must @@ -115,8 +118,8 @@ loc eth2 - Care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See shorewall6-nesting(5) for a - discussion of this problem. + url="/manpages6/shorewall6-nesting.html">shorewall6-nesting(5) + for a discussion of this problem. Shorewall6 allows '+' as an interface name. @@ -270,8 +273,8 @@ loc eth2 - the interface is a simple bridge with a - DHCP server on one port and DHCP clients on another + url="/SimpleBridge.html">simple bridge with a DHCP + server on one port and DHCP clients on another port. @@ -501,7 +504,7 @@ loc eth2 - according to the setting of TCP_FLAGS_LOG_LEVEL. Beginning with Shorewall 4.6.0, tcpflags=1 is the - default. To disable this option, specify tcpflags=0. + default. To disable this option, specify tcpflags=0. diff --git a/Shorewall6/manpages/shorewall6-ipsets.xml b/Shorewall6/manpages/shorewall6-ipsets.xml index 8e60b6778..83ff2ebf8 100644 --- a/Shorewall6/manpages/shorewall6-ipsets.xml +++ b/Shorewall6/manpages/shorewall6-ipsets.xml @@ -6,6 +6,8 @@ shorewall-ipsets 5 + + Configuration Files @@ -78,7 +80,8 @@ specified, matching packets must match all of the listed sets. For information about set lists and exclusion, see shorewall6-exclusion (5). + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion + (5). Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a packet matches an ipset. You do that by listing diff --git a/Shorewall6/manpages/shorewall6-maclist.xml b/Shorewall6/manpages/shorewall6-maclist.xml index bb0ba5c93..c7011b8e6 100644 --- a/Shorewall6/manpages/shorewall6-maclist.xml +++ b/Shorewall6/manpages/shorewall6-maclist.xml 
@@ -6,6 +6,8 @@ shorewall6-maclist 5 + + Configuration Files @@ -27,8 +29,9 @@ associated IPv6 addresses to be allowed to use the specified interface. The feature is enabled by using the maclist option in the shorewall6-interfaces(5) or - shorewall6-hosts(5) + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5) + or shorewall6-hosts(5) configuration file. The columns in the file are as follows. @@ -43,8 +46,8 @@ ACCEPT or DROP (if MACLIST_TABLE=filter in shorewall6.conf(5), then REJECT - is also allowed). If specified, the + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), + then REJECT is also allowed). If specified, the log-level causes packets matching the rule to be logged at that level. diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index d5398f42d..df70a0cfa 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml @@ -6,6 +6,8 @@ shorewall6-mangle 5 + + Configuration Files @@ -25,13 +27,14 @@ This file was introduced in Shorewall 4.6.0 and is intended to replace shorewall6-tcrules(5). This file is - only processed by the compiler if: + url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5). + This file is only processed by the compiler if: No file named 'tcrules' exists on the current CONFIG_PATH (see - shorewall6.conf(5)); + shorewall6.conf(5)); or 
@@ -46,10 +49,10 @@ Unlike rules in the shorewall6-rules(5) file, evaluation - of rules in this file will continue after a match. So the final mark for - each packet will be the one assigned by the LAST tcrule that - matches. + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5) file, + evaluation of rules in this file will continue after a match. So the + final mark for each packet will be the one assigned by the LAST tcrule + that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at Unless otherwise specified for the particular command, the default chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in shorewall6.conf(5), and FORWARD - when MARK_IN_FORWARD_CHAIN=Yes. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), + and FORWARD when MARK_IN_FORWARD_CHAIN=Yes. A chain-designator may not be specified if the SOURCE or DEST columns begin with '$FW'. When the SOURCE is $FW, the generated rule @@ -312,8 +315,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark If INLINE_MATCHES=Yes in shorewall6.conf(5) then the - third rule above can be specified as follows: + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) + then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp @@ -731,9 +734,9 @@ Normal-Service => 0x00 An interface name. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall6.conf (5)). The - interface name may be optionally followed by a colon (":") and - an IP address list. + url="/manpages6/shorewall6.conf.html">shorewall6.conf + (5)). The interface name may be optionally followed by a colon + (":") and an IP address list. diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml index 5e35b0924..6a149a093 100644 --- a/Shorewall6/manpages/shorewall6-masq.xml +++ b/Shorewall6/manpages/shorewall6-masq.xml 
@@ -6,6 +6,8 @@ shorewall6-masq 5 + + Configuration Files @@ -35,10 +37,10 @@ If you have more than one ISP link, adding entries to this file will not force connections to go out through a particular link. You must use entries in shorewall6-rtrules(5) or - PREROUTING entries in shorewall-tcrules(5) to do - that. + url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules(5) + or PREROUTING entries in shorewall-tcrules(5) to + do that. The columns in the file are as follows. @@ -65,10 +67,9 @@ entry that defines ppp+. - Where more that - one internet provider share a single interface, the provider - is specified by including the provider name or number in + Where more that one + internet provider share a single interface, the provider is + specified by including the provider name or number in parentheses: eth0(Avvanta) @@ -81,8 +82,8 @@ addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations. Exclusion is allowed (see shorewall6-exclusion(5)) as - are ipset names preceded by a plus sign '+'. + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion(5)) + as are ipset names preceded by a plus sign '+'. Comments may be attached to Netfilter rules generated from entries in this file through the use of COMMENT lines. These lines @@ -545,8 +546,8 @@ If INLINE_MATCHES=Yes in shorewall6.conf(5), then these - rules may be specified as follows: + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), + then these rules may be specified as follows: /etc/shorewall/masq: diff --git a/Shorewall6/manpages/shorewall6-modules.xml b/Shorewall6/manpages/shorewall6-modules.xml index ef22b24f8..86da50863 100644 --- a/Shorewall6/manpages/shorewall6-modules.xml +++ b/Shorewall6/manpages/shorewall6-modules.xml @@ -6,6 +6,8 @@ shorewall6-modules 5 + + Configuration Files 
@@ -30,8 +32,8 @@ These files specify which kernel modules shorewall6 will load before trying to determine your ip6tables/kernel's capabilities. The modules file is used when LOAD_HELPERS_ONLY=No in - shorewall6.conf(5); the - helpers file is used when + shorewall6.conf(5); + the helpers file is used when LOAD_HELPERS_ONLY=Yes. Each record in the files has the following format: @@ -86,8 +88,8 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-rtrules(5), + shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), + shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), diff --git a/Shorewall6/manpages/shorewall6-nesting.xml b/Shorewall6/manpages/shorewall6-nesting.xml index 000872419..2f1d6bf13 100644 --- a/Shorewall6/manpages/shorewall6-nesting.xml +++ b/Shorewall6/manpages/shorewall6-nesting.xml @@ -6,6 +6,8 @@ shorewall6-nesting 5 + + Configuration Files 
@@ -24,17 +26,18 @@ Description - In shorewall6-zones(5), a - zone may be declared to be a sub-zone of one or more other zones using the + In shorewall6-zones(5), a zone + may be declared to be a sub-zone of one or more other zones using the above syntax. The child-zone may be neither the firewall zone nor a vserver zone. The firewall zone may not appear as a parent zone, although all vserver zones are handled as sub-zones of the firewall zone. Where zones are nested, the CONTINUE policy in shorewall6-policy(5) allows hosts - that are within multiple zones to be managed under the rules of all of - these zones. + url="/manpages6/shorewall6-policy.html">shorewall6-policy(5) + allows hosts that are within multiple zones to be managed under the rules + of all of these zones. @@ -74,7 +77,8 @@ under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in - shorewall6.conf(5). + shorewall6.conf(5). Partial /etc/shorewall6/rules: 
@@ -109,10 +113,11 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), - shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), - shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) + shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), + shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), + shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), + shorewall6-zones(5) diff --git a/Shorewall6/manpages/shorewall6-netmap.xml b/Shorewall6/manpages/shorewall6-netmap.xml index 09f1d11c9..8778edc57 100644 --- a/Shorewall6/manpages/shorewall6-netmap.xml +++ b/Shorewall6/manpages/shorewall6-netmap.xml @@ -6,6 +6,8 @@ shorewall6-netmap 5 + + Configuration Files @@ -24,8 +26,7 @@ Description This file is used to map addresses in one network to corresponding - addresses in a second network. It was added in Shorewall6 - 4.4.23.3. + addresses in a second network. It was added in Shorewall6 4.4.23.3. To use this file, your kernel and ip6tables must have RAWPOST @@ -145,8 +146,8 @@ port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or - a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, diff --git a/Shorewall6/manpages/shorewall6-params.xml b/Shorewall6/manpages/shorewall6-params.xml index d8db1a49e..f0a301a74 100644 
--- a/Shorewall6/manpages/shorewall6-params.xml +++ b/Shorewall6/manpages/shorewall6-params.xml @@ -3,9 +3,11 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall6-netmap(5),shorewall6-params + shorewall6-params 5 + + Configuration Files @@ -26,8 +28,8 @@ Assign any shell variables that you need in this file. The file is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in shorewall6.conf (5) so the full range - of shell capabilities may be used. + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5) so the + full range of shell capabilities may be used. It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml index f2f0a3f6c..3d4ed0e9a 100644 --- a/Shorewall6/manpages/shorewall6-policy.xml +++ b/Shorewall6/manpages/shorewall6-policy.xml @@ -6,6 +6,8 @@ shorewall6-policy 5 + + Configuration Files @@ -66,8 +68,8 @@ Source zone. Must be the name of a zone defined in shorewall6-zones(5), $FW, "all" or - "all+". + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5), + $FW, "all" or "all+". Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" 
@@ -84,11 +86,11 @@ Destination zone. Must be the name of a zone defined in shorewall6-zones(5), $FW, "all" or - "all+". If the DEST is a bport zone, then the SOURCE must be "all", - "all+", another bport zone associated with the same bridge, or it - must be an ipv4 zone that is associated with only the same - bridge. + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5), + $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE + must be "all", "all+", another bport zone associated with the same + bridge, or it must be an ipv4 zone that is associated with only the + same bridge. Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" @@ -118,8 +120,8 @@ The word "None" or "none". This causes any default action defined in shorewall6.conf(5) to be - omitted for this policy. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) + to be omitted for this policy. diff --git a/Shorewall6/manpages/shorewall6-providers.xml b/Shorewall6/manpages/shorewall6-providers.xml index b0dfe185b..a8c29a0a7 100644 --- a/Shorewall6/manpages/shorewall6-providers.xml +++ b/Shorewall6/manpages/shorewall6-providers.xml @@ -6,6 +6,8 @@ shorewall6-providers 5 + + Configuration Files 
@@ -77,17 +79,17 @@ A FWMARK value used in your shorewall6-mangle(5) file to - direct packets to this provider. + url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5) + file to direct packets to this provider. If HIGH_ROUTE_MARKS=Yes in shorewall6.conf(5), then the - value must be a multiple of 256 between 256 and 65280 or their - hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte - of the value being zero). Otherwise, the value must be between 1 and - 255. Each provider must be assigned a unique mark value. This column - may be omitted if you don't use packet marking to direct connections - to a particular provider. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), + then the value must be a multiple of 256 between 256 and 65280 or + their hexadecimal equivalents (0x0100 and 0xff00 with the low-order + byte of the value being zero). Otherwise, the value must be between + 1 and 255. Each provider must be assigned a unique mark value. This + column may be omitted if you don't use packet marking to direct + connections to a particular provider. @@ -190,7 +192,8 @@ Beginning with Shorewall 4.4.3, defaults to the setting of the TRACK_PROVIDERS option in - shorewall6.conf + shorewall6.conf (5). If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify (see below). diff --git a/Shorewall6/manpages/shorewall6-proxyndp.xml b/Shorewall6/manpages/shorewall6-proxyndp.xml index 7bdc8a16e..31b2f6169 100644 --- a/Shorewall6/manpages/shorewall6-proxyndp.xml +++ b/Shorewall6/manpages/shorewall6-proxyndp.xml @@ -6,6 +6,8 @@ shorewall6-proxyndp 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-routes.xml b/Shorewall6/manpages/shorewall6-routes.xml index 27527a05e..534eb8bbd 100644 --- a/Shorewall6/manpages/shorewall6-routes.xml +++ b/Shorewall6/manpages/shorewall6-routes.xml @@ -6,6 +6,8 @@ shorewall6-routes 5 + + Configuration Files 
@@ -34,8 +36,8 @@ The name or number of a provider defined in shorewall6-providers (5). - Beginning with Shorewall 4.5.14, you may also enter + url="/manpages6/shorewall6-providers.html">shorewall6-providers + (5). Beginning with Shorewall 4.5.14, you may also enter in this column to add routes to the main routing table. diff --git a/Shorewall6/manpages/shorewall6-routestopped.xml b/Shorewall6/manpages/shorewall6-routestopped.xml index d7d02ac46..56795fcc9 100644 --- a/Shorewall6/manpages/shorewall6-routestopped.xml +++ b/Shorewall6/manpages/shorewall6-routestopped.xml @@ -6,6 +6,8 @@ shorewall6-routestopped 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-rtrules.xml b/Shorewall6/manpages/shorewall6-rtrules.xml index dbbb6b04c..89909c100 100644 --- a/Shorewall6/manpages/shorewall6-rtrules.xml +++ b/Shorewall6/manpages/shorewall6-rtrules.xml @@ -6,6 +6,8 @@ shorewall6-rtrules 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index cb3f78c3f..7254ddfd9 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -6,6 +6,8 @@ shorewall6-rules 5 + + Configuration Files @@ -25,8 +27,8 @@ Entries in this file govern connection establishment by defining exceptions to the policies laid out in shorewall6-policy(5). By default, - subsequent requests and responses are automatically allowed using + url="/manpages6/shorewall6-policy.html">shorewall6-policy(5). By + default, subsequent requests and responses are automatically allowed using connection tracking. For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the first terminating match is the one that determines the disposition of the 
@@ -137,8 +139,8 @@ If you specify FASTACCEPT=Yes in shorewall6.conf(5) then the ESTABLISHED and shorewall6.conf(5) then + the ESTABLISHED and RELATED sections must be empty. An except is made if you are running Shorewall 4.4.27 or later and @@ -207,8 +209,8 @@ The name of an action declared in shorewall6-actions(5) or - in /usr/share/shorewall/actions.std. + url="/manpages6/shorewall6-actions.html">shorewall6-actions(5) + or in /usr/share/shorewall/actions.std. @@ -302,7 +304,8 @@ Do not process any of the following rules for this (source zone,destination zone). If the source and/or destination IP address falls into a zone defined later in - shorewall6-zones(5) + shorewall6-zones(5) or in a parent zone of the source or destination zones, then this connection request will be passed to the rules defined for that (those) zone(s). See If the ACTION names an action declared in shorewall-actions(5) or in - /usr/share/shorewall/actions.std then: + url="/manpages/shorewall-actions.html">shorewall-actions(5) + or in /usr/share/shorewall/actions.std then: 
@@ -688,10 +691,10 @@ Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall6-zones (5). This - zone-list may be optionally followed by - "+" to indicate that the rule is to apply to intra-zone traffic as - well as inter-zone traffic. + url="/manpages6/shorewall6-zones.html">shorewall6-zones (5). + This zone-list may be optionally followed + by "+" to indicate that the rule is to apply to intra-zone traffic + as well as inter-zone traffic. When none is used either in the SOURCE or Location of Server. May be a zone declared in shorewall6-zones(5), $FW to indicate the firewall itself, all. all+ or - none. + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5), + $FW to indicate the firewall + itself, all. all+ or none. Beginning with Shorewall 4.4.13, you may use a zone-list which consists of a comma-separated list of zones declared in shorewall6-zones (5). Ths - zone-list may be optionally followed by - "+" to indicate that the rule is to apply to intra-zone traffic as - well as inter-zone traffic. Beginning with Shorewall-4.4.13, + url="/manpages6/shorewall6-zones.html">shorewall6-zones (5). + Ths zone-list may be optionally followed + by "+" to indicate that the rule is to apply to intra-zone traffic + as well as inter-zone traffic. Beginning with Shorewall-4.4.13, exclusion is supported -- see see shorewall6-exclusion(5). @@ -1559,9 +1563,9 @@ If the HELPERS option is specified in shorewall6.conf(5), then any module - specified in this column must be listed in the HELPERS - setting. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5), + then any module specified in this column must be listed in the + HELPERS setting. diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index b0c2d7777..fb5aa0ad3 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml 
@@ -6,6 +6,8 @@ shorewall6-secmarks 5 + + Configuration Files @@ -25,10 +27,10 @@ Unlike rules in the shorewall6-rules(5) file, evaluation - of rules in this file will continue after a match. So the final secmark - for each packet will be the one assigned by the LAST rule that - matches. + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5) file, + evaluation of rules in this file will continue after a match. So the + final secmark for each packet will be the one assigned by the LAST rule + that matches. The secmarks file is used to associate an SELinux context with @@ -243,8 +245,8 @@ port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or - a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml index 555952e40..34cf1e83f 100644 --- a/Shorewall6/manpages/shorewall6-stoppedrules.xml +++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml @@ -6,6 +6,8 @@ shorewall6-stoppedrules 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-tcclasses.xml b/Shorewall6/manpages/shorewall6-tcclasses.xml index 41b01ae59..013542a3f 100644 --- a/Shorewall6/manpages/shorewall6-tcclasses.xml +++ b/Shorewall6/manpages/shorewall6-tcclasses.xml @@ -6,6 +6,8 @@ shorewall6-tcclasses 5 + + Configuration Files 
@@ -140,8 +142,8 @@ Normally, all classes defined here are sub-classes of a root class (class number 1) that is implicitly defined from the entry in shorewall6-tcdevices(5). You - can establish a class hierarchy by specifying a + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5). + You can establish a class hierarchy by specifying a parent class -- the number of a class that you have previously defined. The sub-class may borrow unused bandwidth from its parent. @@ -155,13 +157,13 @@ The mark value which is an integer in the range 1-255. You set mark values in the shorewall6-mangle(5) file, - marking the traffic you want to fit in the classes defined in here. - Must be specified as '-' if the shorewall6-mangle(5) + file, marking the traffic you want to fit in the classes defined in + here. Must be specified as '-' if the classify option is given for the interface in shorewall6-tcdevices(5) and - you are running Shorewall 4.5 5 or earlier. + url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices(5) + and you are running Shorewall 4.5 5 or earlier. You can use the same marks for different interfaces. @@ -672,10 +674,10 @@ priority number, giving less delay) and will be granted excess bandwidth (up to 180kbps, the class ceiling) first, before any other traffic. A single VoIP stream, depending upon codecs, after - encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a - little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ - classes EF and AFF3-1 respectively and are often used by VOIP - devices). + encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad + a little bit just in case. (TOS byte values 0xb8 and 0x68 are + DiffServ classes EF and AFF3-1 respectively and are often used by + VOIP devices). Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP echo traffic if you use the example in tcrules) and any packet with 
diff --git a/Shorewall6/manpages/shorewall6-tcdevices.xml b/Shorewall6/manpages/shorewall6-tcdevices.xml index f06ef8646..01c2550d8 100644 --- a/Shorewall6/manpages/shorewall6-tcdevices.xml +++ b/Shorewall6/manpages/shorewall6-tcdevices.xml @@ -6,6 +6,8 @@ shorewall6-tcdevices 5 + + Configuration Files @@ -151,8 +153,7 @@ Beginning with Shorewall 4.4.25, a rate-estimated policing filter may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by - default. See Shorewall FAQ + default. See Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with diff --git a/Shorewall6/manpages/shorewall6-tcfilters.xml b/Shorewall6/manpages/shorewall6-tcfilters.xml index 51f9ef921..81503bc1a 100644 --- a/Shorewall6/manpages/shorewall6-tcfilters.xml +++ b/Shorewall6/manpages/shorewall6-tcfilters.xml @@ -6,6 +6,8 @@ shorewall6-tcfilters 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-tcinterfaces.xml b/Shorewall6/manpages/shorewall6-tcinterfaces.xml index 56bdcd3ea..f0ff7997a 100644 --- a/Shorewall6/manpages/shorewall6-tcinterfaces.xml +++ b/Shorewall6/manpages/shorewall6-tcinterfaces.xml @@ -6,6 +6,8 @@ shorewall6-tcinterfaces 5 + + Configuration Files @@ -25,7 +27,8 @@ This file lists the interfaces that are subject to simple traffic shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in - shorewall6.conf(5). + shorewall6.conf(5). A note on the bandwidth definition used in this file: @@ -161,8 +164,7 @@ Beginning with Shorewall 4.4.25, a rate-estimated policing filter may be configured instead. Rate-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by - default. See Shorewall FAQ + default. See Shorewall FAQ 97a. To create a rate-estimated filter, precede the bandwidth with 
diff --git a/Shorewall6/manpages/shorewall6-tcpri.xml b/Shorewall6/manpages/shorewall6-tcpri.xml index f9ea745ae..2a61eb786 100644 --- a/Shorewall6/manpages/shorewall6-tcpri.xml +++ b/Shorewall6/manpages/shorewall6-tcpri.xml @@ -6,6 +6,8 @@ shorewall6-tcpri 5 + + Configuration Files @@ -25,12 +27,13 @@ This file is used to specify the priority band of traffic for simple traffic shaping (TC_ENABLED=Simple in shorewall6.conf(5)). The priority band - of each packet is determined by the last - entry that the packet matches. If a packet doesn't match any entry in this - file, then its priority will be determined by its TOS field. The default - mapping is as follows but can be changed by setting the TC_PRIOMAP option - in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)). The + priority band of each packet is determined by the last entry that the packet matches. If a packet + doesn't match any entry in this file, then its priority will be determined + by its TOS field. The default mapping is as follows but can be changed by + setting the TC_PRIOMAP option in shorewall6.conf(5). TOS Bits Means Linux Priority BAND ------------------------------------------------------------ @@ -131,8 +134,8 @@ [helper] - Optional. Names a Netfilter protocol helper module such as ftp, - sip, amanda, etc. A packet will match if it was accepted by the + Optional. Names a Netfilter protocol helper module such as + ftp, sip, amanda, etc. A packet will match if it was accepted by the named helper module. You can also append "-" and a port number to the helper module name (e.g., ftp-21) to specify the port number that the original connection was made on. diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index dc66fe53e..15e4a9528 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml 
@@ -3,9 +3,11 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall6-mangle + shorewall6-tcrules 5 + + Configuration Files @@ -28,10 +30,10 @@ Unlike rules in the shorewall6-rules(5) file, evaluation - of rules in this file will continue after a match. So the final mark for - each packet will be the one assigned by the LAST tcrule that - matches. + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5) file, + evaluation of rules in this file will continue after a match. So the + final mark for each packet will be the one assigned by the LAST tcrule + that matches. If you use multiple internet providers with the 'track' option, in /etc/shorewall6/providers be sure to read the restrictions at option] ...") after any matches specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in - shorewall6-actions + shorewall6-actions (5). The following rules are equivalent: @@ -529,8 +532,8 @@ INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 INLINE eth0 - ; -p tcp -j MARK --set-mark 2 If INLINE_MATCHES=Yes in shorewall6.conf(5) then the - third rule above can be specified as follows: + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) + then the third rule above can be specified as follows: 2:P eth0 - ; -p tcp diff --git a/Shorewall6/manpages/shorewall6-template.xml b/Shorewall6/manpages/shorewall6-template.xml index 81e5a65ad..8e5df9200 100644 --- a/Shorewall6/manpages/shorewall6-template.xml +++ b/Shorewall6/manpages/shorewall6-template.xml @@ -6,6 +6,8 @@ shorewall6- 5 + + Configuration Files 
@@ -54,10 +56,11 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5), - shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), - shorewall6-rtrules(5), shorewall6-routestopped(5), - shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), - shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), - shorewall6-tunnels(5), shorewall6-zones(5) + shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-rtrules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), + shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), + shorewall6-zones(5) diff --git a/Shorewall6/manpages/shorewall6-tos.xml b/Shorewall6/manpages/shorewall6-tos.xml index 5e023b7fe..981df9807 100644 --- a/Shorewall6/manpages/shorewall6-tos.xml +++ b/Shorewall6/manpages/shorewall6-tos.xml @@ -6,6 +6,8 @@ shorewall6-tos 5 + + Configuration Files diff --git a/Shorewall6/manpages/shorewall6-tunnels.xml b/Shorewall6/manpages/shorewall6-tunnels.xml index cc739f985..7ff7766ab 100644 --- a/Shorewall6/manpages/shorewall6-tunnels.xml +++ b/Shorewall6/manpages/shorewall6-tunnels.xml @@ -6,6 +6,8 @@ shorewall6-tunnels 5 + + Configuration Files @@ -27,8 +29,8 @@ encrypted) traffic to pass between the Shorewall6 system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See http://www.shorewall.net/VPNBasics.html - for details. + url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html for + details. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in 
@@ -138,8 +140,8 @@ Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall6-exclusion (5) ) - is not supported. + url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion + (5) ) is not supported. diff --git a/Shorewall6/manpages/shorewall6-vardir.xml b/Shorewall6/manpages/shorewall6-vardir.xml index 9693cb547..019251c62 100644 --- a/Shorewall6/manpages/shorewall6-vardir.xml +++ b/Shorewall6/manpages/shorewall6-vardir.xml @@ -6,6 +6,8 @@ shorewall6-vardir 5 + + Configuration Files @@ -55,10 +57,11 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), - shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), - shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) + shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), + shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), + shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), + shorewall6-zones(5) diff --git a/Shorewall6/manpages/shorewall6-zones.xml b/Shorewall6/manpages/shorewall6-zones.xml index ceef7acad..d65e416b9 100644 --- a/Shorewall6/manpages/shorewall6-zones.xml +++ b/Shorewall6/manpages/shorewall6-zones.xml @@ -6,6 +6,8 @@ shorewall6-zones 5 + + Configuration Files 
@@ -44,17 +46,17 @@ "none", "SOURCE" and "DEST" are reserved and may not be used as zone names. The maximum length of a zone name is determined by the setting of the LOGFORMAT option in shorewall6.conf(5). With the - default LOGFORMAT, zone names can be at most 5 characters + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). + With the default LOGFORMAT, zone names can be at most 5 characters long.
The maximum length of an iptables log prefix is 29 bytes. As explained in shorewall6.conf (5), the default - LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first - %s is replaced by the chain name and the second is replaced by the - disposition. + url="/manpages6/shorewall6.conf.html">shorewall6.conf (5), + the default LOGPREFIX formatting string is “Shorewall:%s:%s:” + where the first %s is replaced by the chain name and the second is + replaced by the disposition. @@ -95,8 +97,8 @@ follow the (sub)zone name by ":" and a comma-separated list of the parent zones. The parent zones must have been declared in earlier records in this file. See shorewall6-nesting(5) for - additional information. + url="/manpages6/shorewall6-nesting.html">shorewall6-nesting(5) + for additional information. Example: @@ -108,8 +110,8 @@ c:a,b ipv6 Currently, Shorewall6 uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall6.conf(5) can also - create implicit CONTINUE policies to/from the subzone. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) can + also create implicit CONTINUE policies to/from the subzone. Where an ipsec zone is explicitly included as a child of an Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver guests. The zone contents must be defined in - shorewall6-hosts + shorewall6-hosts (5). Vserver zones are implicitly handled as subzones of the @@ -353,8 +356,8 @@ c:a,b ipv6 sets the MSS field in TCP packets. If you supply this option, you should also set FASTACCEPT=No in shorewall6.conf(5) to - insure that both the SYN and SYN,ACK packets have their MSS + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) + to insure that both the SYN and SYN,ACK packets have their MSS field adjusted. diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index aa61b0d8e..2490a6f40 100644 
--- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -6,6 +6,8 @@ shorewall6.conf 5 + + Configuration Files @@ -286,7 +288,8 @@ Specify the appropriate helper in the HELPER column in - shorewall6-rules + shorewall6-rules (5). @@ -393,9 +396,10 @@ packets that are UNTRACKED due to entries in shorewall6-conntrack(5). This includes entries in the shorewall6-blrules (5) file - and in the BLACKLIST section of shorewall6-rules (5). + url="/manpages6/shorewall6-blrules.html">shorewall6-blrules + (5) file and in the BLACKLIST section of shorewall6-rules + (5). When set to No or no, blacklists are consulted for every packet @@ -464,8 +468,8 @@ /etc/shorewall6/tcstart file. That way, your traffic shaping rules can still use the “fwmark” classifier based on packet marking defined in shorewall6-tcrules(5). If not - specified, CLEAR_TC=No is assumed. + url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5). + If not specified, CLEAR_TC=No is assumed. If you also run Shorewall and if you have @@ -861,11 +865,12 @@ net all DROP infothen the chain name is 'net2all' Subzones are defined by following their name with ":" and a list of parent zones (in shorewall6-zones(5)). Normally, - you want to have a set of special rules for the subzone and if a - connection doesn't match any of those subzone-specific rules then - you want the parent zone rules and policies to be applied; see - shorewall6-nesting(5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5)). + Normally, you want to have a set of special rules for the subzone + and if a connection doesn't match any of those subzone-specific + rules then you want the parent zone rules and policies to be + applied; see shorewall6-nesting(5). With IMPLICIT_CONTINUE=Yes, that happens automatically. If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, 
@@ -882,9 +887,9 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon - separates column-oriented specifications on the left from alternative + url="/manpages6/shorewall6-rules.html">shorewall6-rules(5), + a semicolon separates column-oriented specifications on the left + from alternative specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the specifications on the right are interpreted as if INLINE had been specified in the ACTION column. If not specified or @@ -900,10 +905,10 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID packets through the NEW section of shorewall-rules (5). When a - packet in INVALID state fails to match any rule in the INVALID - section, the packet is disposed of based on this setting. The - default value is CONTINUE for compatibility with earlier + url="/manpages6/shorewall6-rules.html">shorewall-rules (5). + When a packet in INVALID state fails to match any rule in the + INVALID section, the packet is disposed of based on this setting. + The default value is CONTINUE for compatibility with earlier versions. @@ -915,8 +920,8 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.5.13. Packets in the INVALID state that do not match any rule in the INVALID section of shorewall6-rules (5) are - logged at this level. The default value is empty which means no + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5) + are logged at this level. The default value is empty which means no logging is performed. @@ -1205,7 +1210,8 @@ net all DROP infothen the chain name is 'net2all' The setting of LOGFORMAT has an effect of the permitted length of zone names. See shorewall6-zones (5). + url="/manpages6/shorewall6-zones.html">shorewall6-zones + (5). 
@@ -1373,8 +1379,8 @@ LOG:info:,bar net fw The performance of configurations with a large numbers of entries in shorewall6-maclist(5) can be - improved by setting the MACLIST_TTL variable in shorewall6-maclist(5) + can be improved by setting the MACLIST_TTL variable in shorewall6.conf(5). If your iptables and kernel support the "Recent Match" (see @@ -1384,14 +1390,15 @@ LOG:info:,bar net fw When a new connection arrives from a 'maclist' interface, the packet passes through then list of entries for that interface in - shorewall6-maclist(5). If - there is a match then the source IP address is added to the 'Recent' - set for that interface. Subsequent connection attempts from that IP - address occurring within $MACLIST_TTL seconds will be accepted - without having to scan all of the entries. After $MACLIST_TTL from - the first accepted connection request from an IP address, the next - connection request from that IP address will be checked against the - entire list. + shorewall6-maclist(5). + If there is a match then the source IP address is added to the + 'Recent' set for that interface. Subsequent connection attempts from + that IP address occurring within $MACLIST_TTL seconds will be + accepted without having to scan all of the entries. After + $MACLIST_TTL from the first accepted connection request from an IP + address, the next connection request from that IP address will be + checked against the entire list. If MACLIST_TTL is not specified or is specified as empty (e.g, MACLIST_TTL="" or is specified as zero then 'maclist' lookups will 
@@ -1860,10 +1867,10 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED packets that don't match any rule in the RELATED section of shorewall6-rules (5). Concern - about the safety of this practice resulted in the addition of this - option. When a packet in RELATED state fails to match any rule in - the RELATED section, the packet is disposed of based on this + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5). + Concern about the safety of this practice resulted in the addition + of this option. When a packet in RELATED state fails to match any + rule in the RELATED section, the packet is disposed of based on this setting. The default value is ACCEPT for compatibility with earlier versions. @@ -1876,8 +1883,8 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Packets in the related state that do not match any rule in the RELATED section of shorewall6-rules (5) are - logged at this level. The default value is empty which means no + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5) + are logged at this level. The default value is empty which means no logging is performed. @@ -2040,9 +2047,9 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.20. The default setting is DROP which causes smurf packets (see the nosmurfs option in shorewall6-interfaces(5)) to - be dropped. A_DROP causes the packets to be audited prior to being - dropped and requires AUDIT_TARGET support in the kernel and + url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)) + to be dropped. A_DROP causes the packets to be audited prior to + being dropped and requires AUDIT_TARGET support in the kernel and ip6tables. @@ -2187,7 +2194,8 @@ INLINE - - - ; -j REJECT tcdevices and tcclasses files. This allows the compiler to have access to your Shorewall traffic shaping configuration so that it can validate CLASSIFY rules - in shorewall6-tcrules + in shorewall6-tcrules (5). 
@@ -2222,12 +2230,12 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to priority bands. See shorewall6-tcpri(5). The - map consists of 16 space-separated digits with - values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to - Linux priority 1, and 3 to Linux Priority 2. The first entry gives - the priority of TOS value 0, the second of TOS value 1, and so on. - See tc-prio(8) for additional information. + url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri(5). + The map consists of 16 space-separated digits + with values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, + 2 to Linux priority 1, and 3 to Linux Priority 2. The first entry + gives the priority of TOS value 0, the second of TOS value 1, and so + on. See tc-prio(8) for additional information. The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2". @@ -2273,8 +2281,8 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.4.3. When set to Yes, causes the option to be assumed on all providers defined in shorewall6-providers(5). May - be overridden on an individual provider through use of the + url="/manpages6/shorewall6-providers.html">shorewall6-providers(5). + May be overridden on an individual provider through use of the option. The default value is 'No'. Beginning in Shorewall 4.4.6, setting this option to 'Yes' 
@@ -2286,14 +2294,15 @@ INLINE - - - ; -j REJECT to zero, thus allowing the packet to be routed using the 'main' routing table. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective. The shorewall6-rtrules(5) file was - created to provide a better alternative to clearing the packet mark. - As a consequence, passing these packets to PREROUTING complicates - things without providing any real benefit. Beginning with Shorewall - 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving - through 'tracked' interfaces will not be passed to the PREROUTING - rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this - change should be transparent to most, if not all, users. + url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules(5) + file was created to provide a better alternative to clearing the + packet mark. As a consequence, passing these packets to PREROUTING + complicates things without providing any real benefit. Beginning + with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, + packets arriving through 'tracked' interfaces will not be passed to + the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in + 4.4.3, this change should be transparent to most, if not all, + users. @@ -2322,10 +2331,10 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED packets through the NEW section of shorewall6-rules (5). When a - packet in UNTRACKED state fails to match any rule in the UNTRACKED - section, the packet is disposed of based on this setting. The - default value is CONTINUE for compatibility with earlier + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5). + When a packet in UNTRACKED state fails to match any rule in the + UNTRACKED section, the packet is disposed of based on this setting. + The default value is CONTINUE for compatibility with earlier versions. 
@@ -2337,8 +2346,8 @@ INLINE - - - ; -j REJECT Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match any rule in the UNTRACKED section of shorewall6-rules (5) are - logged at this level. The default value is empty which means no + url="/manpages6/shorewall6-rules.html">shorewall6-rules (5) + are logged at this level. The default value is empty which means no logging is performed. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index 5a74d97a2..fa6fa683a 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -6,6 +6,8 @@ shorewall6 8 + + Administrative Commands @@ -659,9 +661,9 @@ role="bold">v and q. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in shorewall6.conf(5). Each v adds one to the effective verbosity and each - q subtracts one from the effective + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). Each + v adds one to the effective verbosity and + each q subtracts one from the effective VERBOSITY. Alternatively, v may be followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may be no white-space between v and @@ -701,10 +703,10 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) allows a - single ipset to handle entries for multiple interfaces. When that - option is specified for a zone, the add command - has the alternative syntax in which the + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5)) + allows a single ipset to handle entries for multiple interfaces. + When that option is specified for a zone, the add + command has the alternative syntax in which the zone name precedes the host-list. 
@@ -756,7 +758,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -822,7 +825,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -842,11 +846,11 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) allows a - single ipset to handle entries for multiple interfaces. When that - option is specified for a zone, the delete - command has the alternative syntax in which the - zone name precedes the + url="/manpages6/shorewall6-zones.html">shorewall6-zones(5)) + allows a single ipset to handle entries for multiple interfaces. + When that option is specified for a zone, the + delete command has the alternative syntax in + which the zone name precedes the host-list. @@ -865,8 +869,8 @@ any optional network interface. interface may be either the logical or physical name of the interface. The command removes any routes added from shorewall6-routes(5) and any - traffic shaping configuration for the interface. + url="/manpages6/shorewall6-routes.html">shorewall6-routes(5) + and any traffic shaping configuration for the interface. @@ -912,8 +916,8 @@ may be either the logical or physical name of the interface. The command sets /proc entries for the interface, adds any route specified in shorewall6-routes(5) and - installs the interface's traffic shaping configuration, if + url="/manpages6/shorewall6-routes.html">shorewall6-routes(5) + and installs the interface's traffic shaping configuration, if any. 
@@ -1032,7 +1036,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -1043,7 +1048,8 @@ Causes traffic from the listed addresses to be logged then discarded. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf + (5). @@ -1052,7 +1058,8 @@ Monitors the log file specified by the LOGFILE option in - shorewall6.conf(5) and + shorewall6.conf(5) and produces an audible alarm when new Shorewall6 messages are logged. The -m option causes the MAC address of each packet source to be displayed if that information is @@ -1072,7 +1079,8 @@ Causes traffic from the listed addresses to be logged then rejected. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf + (5). @@ -1124,7 +1132,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). The - option was added in Shorewall 4.5.3 and causes Shorewall to look in the given @@ -1184,7 +1193,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). 
@@ -1229,9 +1239,9 @@ The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall6.conf(5). When both - and are present, the result - is determined by the option that appears last. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). + When both and are present, + the result is determined by the option that appears last. The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each @@ -1241,7 +1251,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). @@ -1445,8 +1456,8 @@ Displays the last 20 Shorewall6 messages from the log file specified by the LOGFILE option in shorewall6.conf(5). The - -m option causes the MAC + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). + The -m option causes the MAC address of each packet source to be displayed if that information is available. 
@@ -1537,16 +1548,16 @@ for configuration files. If -f is specified, the saved configuration specified by the RESTOREFILE option in shorewall6.conf(5) will be - restored if that saved configuration exists and has been modified - more recently than the files in /etc/shorewall6. When -f is given, a + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5) + will be restored if that saved configuration exists and has been + modified more recently than the files in /etc/shorewall6. When + -f is given, a directory may not be specified. Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option was added to shorewall6.conf(5). When - LEGACY_FASTSTART=No, the modification times of files in + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). + When LEGACY_FASTSTART=No, the modification times of files in /etc/shorewall6 are compared with that of /var/lib/shorewall6/firewall (the compiled script that last started/restarted the firewall). @@ -1557,9 +1568,9 @@ The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall6.conf(5). When both - and are present, the result - is determined by the option that appears last. + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). + When both and are present, + the result is determined by the option that appears last. The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each @@ -1569,7 +1580,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). 
@@ -1581,9 +1593,9 @@ listed in shorewall6-routestopped(5) or permitted by the ADMINISABSENTMINDED option in shorewall6.conf(5), are taken - down. The only new traffic permitted through the firewall is from - systems listed in shorewall6.conf(5), + are taken down. The only new traffic permitted through the firewall + is from systems listed in shorewall6-routestopped(5) or by ADMINISABSENTMINDED. @@ -1652,13 +1664,15 @@ The option was added in Shorewall 4.4.26 and causes legacy blacklisting rules (shorewall6-blacklist (5) ) - to be converted to entries in the blrules file (shorewall6-blrules (5) ). The - blacklist keyword is removed from shorewall6-zones (5), shorewall6-interfaces (5) - and shorewall6-hosts (5). + url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist + (5) ) to be converted to entries in the blrules file (shorewall6-blrules + (5) ). The blacklist keyword is removed from shorewall6-zones (5), + shorewall6-interfaces + (5) and shorewall6-hosts (5). The unmodified files are saved with a .bak suffix. The option was added in Shorewall 4.5.11. @@ -1672,7 +1686,8 @@ warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). + shorewall6.conf(5). For a description of the other options, see the check command above.
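Review bot: the FASTACCEPT hunk (@@ -137,8 +139,8 @@, the first hunk in this run) re-wraps the sentence but leaves the next context line reading "An except is made if you are running Shorewall 4.4.27 or later"; since that sentence is already being touched, widen the hunk by one line and change "except" to "exception".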
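Review bot: the link targets for the actions file are inconsistent within the same run of hunks: the ACTION column hunk (@@ -207,8 +209,8 @@) now points at `url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)`, while the later hunk ending in "or in /usr/share/shorewall/actions.std then:" points at `url="/manpages/shorewall-actions.html">shorewall-actions(5)`. If both belong to the shorewall6 rules page, the second should use the manpages6 target and the shorewall6- name so the IPv6 reader lands on the IPv6 manpage.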
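Review bot: the DEST column hunk (the second "Beginning with Shorewall 4.4.13, you may use a zone-list" block, @@ -688,10 +691,10 @@ region) carries the typo "Ths zone-list may be optionally followed" into the + line, and the unchanged line below it still reads "exclusion is supported -- see see shorewall6-exclusion(5)". Change "Ths" to "This" in the + line and drop the duplicated "see" while the paragraph is being re-wrapped.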
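Review bot: in Shorewall6/manpages/shorewall6-tcclasses.xml (@@ -155,13 +157,13 @@) the re-wrapped + line keeps "and you are running Shorewall 4.5 5 or earlier." The space in "4.5 5" looks like a missing dot in a version number; please check the intended release and write it as one dotted version so readers know which release the classify/MARK restriction applies to.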
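Review bot: the first hunk of Shorewall6/manpages/shorewall6-tcrules.xml (@@ -3,9 +3,11 @@) changes the refentrytitle from shorewall6-mangle to shorewall6-tcrules, which corrects the page's own name and affects how the man page is indexed. That is a content fix rather than a link/whitespace re-wrap like the rest of this change; call it out in the commit message or split it into its own commit so it is not lost in a large cosmetic diff.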
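Review bot: the See Also re-wrap in Shorewall6/manpages/shorewall6-template.xml (@@ -54,10 +56,11 @@) preserves the missing space in "shorewall6-netmap(5),shorewall6-params(5)," in its + line, and the matching hunk in Shorewall6/manpages/shorewall6-vardir.xml (@@ -55,10 +57,11 @@) has the same "shorewall6-netmap(5),shorewall6-params(5)," fragment. Add the space after the comma in both so the list is uniform.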
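Review bot: in Shorewall6/manpages/shorewall6-zones.xml (@@ -353,8 +356,8 @@) the + line reads "to insure that both the SYN and SYN,ACK packets have their MSS field adjusted"; the intended word is "ensure". Since the line is being rewritten anyway, fix it here.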
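Review bot: in Shorewall6/manpages/shorewall6.conf.xml, the INLINE_MATCHES hunk (@@ -882,9 +887,9 @@) re-wraps up to "from alternative" and leaves the following context line "specificaitons on the right.." untouched; extend the hunk one line to fix the spelling ("specifications") and the doubled period.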
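Review bot: in the INVALID_DEFAULT hunk of Shorewall6/manpages/shorewall6.conf.xml (@@ -900,10 +905,10 @@) the new line is `url="/manpages6/shorewall6-rules.html">shorewall-rules (5).`: the link text says shorewall-rules while the target is the shorewall6-rules page. Change the text to "shorewall6-rules (5)" to match the target and the neighbouring INVALID_LOG_LEVEL hunk, which already uses the shorewall6 name.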
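Review bot: the MACLIST_TTL hunk in Shorewall6/manpages/shorewall6.conf.xml (@@ -1384,14 +1390,15 @@) re-wraps the paragraph but its leading context line still reads "the packet passes through then list of entries for that interface in"; "then" should be "the". Including that line in the hunk would fix it at no extra cost.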
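Review bot: in Shorewall6/manpages/shorewall6.xml (@@ -659,9 +661,9 @@) the trailing context line "one of -1,0,1,2 to specify a specify VERBOSITY" has a duplicated "specify"; since the verbosity paragraph is being re-wrapped in this hunk, fold that one-word fix in.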
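Review bot: every INLINE_MATCHES warning hunk in Shorewall6/manpages/shorewall6.xml (@@ -756,7 +758,8 @@, @@ -822,7 +825,8 @@, @@ -1032,7 +1036,8 @@, @@ -1124,7 +1132,8 @@, @@ -1184,7 +1193,8 @@, @@ -1241,7 +1251,8 @@, @@ -1569,7 +1580,8 @@ and @@ -1672,7 +1686,8 @@) shows the same hunk-header context "warning message to be issued if the line current line contains"; the stray "the line" is repeated verbatim in each copy of that paragraph. It sits one line above each hunk, so a follow-up change (or widening these hunks) should drop it everywhere at once rather than in one place.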