From 5a1b6dfeb361ac237e8dfa96757bf836dcc47961 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 10 Nov 2004 19:53:54 +0000
Subject: [PATCH] Update for Shorewall 2.2.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1745 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 22 ++++++++++++++++++++--
 Samples/one-interface/policy | 2 +-
 Samples/one-interface/rules | 28 +++++++++++++++-------------
 3 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 185c81a93..86b7a6923 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -1,5 +1,5 @@ # -# Shorewall 2.0 -- Sample Interface File For One Interface +# Shorewall 2.2 -- Sample Interface File For One Interface # # /etc/shorewall/interfaces #
@@ -76,6 +76,14 @@ # Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. +# logmartians # Turn on kernel martian logging (logging # of packets with impossible source # addresses. It is suggested that if you # set routefilter on an interface that # you also set logmartians. This option # may also be enabled globally in the # /etc/shorewall/shorewall.conf file. # maclist # Connection requests from this interface # are compared against the contents of 
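Review bot: The parenthesis opened at `(logging` in the new logmartians description is never closed, so the line `# addresses. It is suggested that if you` should read `# addresses). It is suggested that if you`. The text also pairs logmartians with routefilter without saying why; presumably the point is that the packets routefilter rejects then show up in the kernel log, and a short phrase such as `# so that packets rejected by routefilter are logged` after the routefilter advice would tell the reader what they gain. The interfaces file's option list continues outside the hunk.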
@@ -105,9 +113,19 @@ # which are not part of an established connection # will be accepted from this interface, even if # NEWNOTSYN=No has been specified in -# /etc/shorewall/shorewall.conf. +# /etc/shorewall/shorewall.conf. In other # words, packets coming in on this interface # are processed as if NEWNOTSYN=Yes had been # specified in /etc/shorewall/shorewall.conf. # # This option has no effect if NEWNOTSYN=Yes +# +# It is the opinion of the author that # NEWNOTSYN=No creates more problems than # it solves and I recommend against using # that setting in shorewall.conf (hence # making the use of the 'newnotsyn' # interface option unnecessary). # routeback # If specified, indicates that Shorewall # should include rules that allow filtering
diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index d38b23e49..f05657d93 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -1,5 +1,5 @@ # -# Shorewall 2.0 -- Sample Policy File For One Interface +# Shorewall 2.2 -- Sample Policy File For One Interface # # /etc/shorewall/policy #
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index c7c1b2ad0..428bdad1c 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -1,5 +1,5 @@ # -# Shorewall version 2.0 - Sample Rules File For One Interface +# Shorewall version 2.2 - Sample Rules File For One Interface # # /etc/shorewall/rules #
@@ -121,6 +121,10 @@ # /etc/shorewall/zones, $FW to indicate the firewall # itself or "all" # +# When "all" is used either in the SOURCE or DEST column # intra-zone traffic is not affected. You must add # separate rules to handle that traffic. +# # Except when "all" is specified, the server may be # further restricted to a particular subnet, host or # interface by appending ":" and the subnet, host or 
@@ -156,14 +160,20 @@ # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number or -# "all". +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# a number, or "all". "ipp2p" requires ipp2p match +# support in your kernel and iptables. # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # +# If the protocol is ipp2p, this column is interpreted # as an ipp2p option without the leading "--" (example "bit" # for bit-torrent). If no port is given, "ipp2p" is # assumed. +# # A port range is expressed as :. # # This column is ignored if PROTOCOL = all but must be
@@ -185,8 +195,8 @@ # ranges. # # If you don't want to restrict client ports but need to -# specify an ADDRESS in the next column, then place "-" -# in this column. +# specify an ORIGINAL DEST in the next column, then place +# "-" in this column. # # If your kernel contains multiport match support, then # only a single Netfilter rule will be generated if in
@@ -213,14 +223,6 @@ # destination address in the connection request does not # match any of the addresses listed. # -# The address may optionally be followed by -# a colon (":") and a second IP address. This causes -# Shorewall to use the second IP address as the source -# address in forwarded packets. See the Shorewall -# documentation for restrictions concerning this feature. -# If no source IP address is given, the original source -# address is not altered. -# # RATE LIMIT You may rate-limit the rule by placing a value in this column: # # /[:]