diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index bfb3e7464..8ecb34f5b 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -660,8 +660,8 @@
Added in Shorewall 4.6.6.
- TARPIT captures and holds incoming TCP connections
- using no local per-connection resources.
+ TARPIT captures and holds incoming TCP connections using
+ no local per-connection resources.
TARPIT only works with the PROTO column set to tcp (6),
and is totally application agnostic. This module will answer a
@@ -715,7 +715,7 @@
This mode is handy because we can send an inline
- RST (reset). It has no other function.
+ RST (reset). It has no other function.
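Review bot: the removed and added `RST (reset). It has no other function.` lines are textually identical, so this hunk changes whitespace only, as does the TARPIT paragraph reflow in the hunk before it. Consider moving these reflows into a separate commit so the documentation changes to the `any`/`all` text further down are easier to review and to bisect.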
@@ -856,7 +856,10 @@
When there are nested zones, any
only refers to top-level zones (those with no parent zones). Note
that any excludes all vserver
- zones, since those zones are nested within the firewall zone.
+ zones, since those zones are nested within the firewall zone.
+ Beginning with Shorewall 4.4.13, exclusion is supported with
+ any -- see see shorewall-exclusion(5).
Hosts may also be specified as an IP address range using the
syntax
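Review bot: the added sentence has a doubled word in `any -- see see shorewall-exclusion(5).`; drop the second "see". The same "see see" appears in an unchanged context line in a later hunk of this file, so it looks copied from existing text, and both could be fixed in this change.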
@@ -962,18 +965,28 @@
(Shorewall 4.4.17 and later).
+
+
+ loc,dmz
+
+
+ Both the loc and
+ dmz zones.
+
+
+
+
+ all!dmz
+
+
+ All but the dmz
+ zone.
+
+
-
-
-
-
-
-
-
-
DEST -
{zone|zone-list[+]|{SOURCE or DEST column, the rule is ignored.
+ all means "All Zones",
+ including the firewall itself. all-
+ means "All Zones, except the firewall itself". When all[-] is
+ used either in the SOURCE or
+ DEST column intra-zone traffic is
+ not affected. When all+[-] is "used, intra-zone traffic is affected.
+ Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+ shorewall6-exclusion(5).
+
+ any is equivalent to
+ all when there are no nested zones.
+ When there are nested zones, any
+ only refers to top-level zones (those with no parent zones). Note
+ that any excludes all vserver
+ zones, since those zones are nested within the firewall zone.
+
+ Except when all[+][-] or
+ any[+][-] is
+ specified, clients may be further restricted to a list of networks
+ and/or hosts by appending ":" and a comma-separated list of network
+ and/or host addresses. Hosts may be specified by IP or MAC address;
+ mac addresses must begin with "~" and must use "-" as a
+ separator.
+
When all is used either in
the SOURCE or DEST column intra-zone traffic is not
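Review bot: the added `all` paragraph has three text problems. There is a stray quote in `When all+[-] is "used, intra-zone traffic is affected.`, and "see" is doubled in `exclusion is supported -- see see`. The reference that follows points to `shorewall6-exclusion(5)`, although this file is `Shorewall/manpages/shorewall-rules.xml` and the other references in this patch use `shorewall-exclusion(5)`, so it looks carried over from the Shorewall6 page and should be changed to match. A smaller style point: `mac addresses must begin with "~"` should capitalise "MAC" to agree with "IP or MAC address" in the sentence before it.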
@@ -1025,11 +1067,6 @@
exclusion is supported -- see see shorewall-exclusion(5).
- any is equivalent to
- all when there are no nested zones.
- When there are nested zones, any
- only refers to top-level zones (those with no parent zones).
-
The zone should be omitted in
DNAT-, REDIRECT- and NONAT rules.
@@ -1050,7 +1087,8 @@
- Except when all[Except when {all|any}[+]|[-] is specified, the server may be
further restricted to a particular network, host or interface by
appending ":" and the network, host or interface. See shorewall6-exclusion(5).
+ any is equivalent to
+ all when there are no nested zones.
+ When there are nested zones, any
+ only refers to top-level zones (those with no parent zones). Note
+ that any excludes all vserver
+ zones, since those zones are nested within the firewall zone.
+
Except when all[+][-] or
any[
- any is equivalent to
- all when there are no nested zones.
- When there are nested zones, any
- only refers to top-level zones (those with no parent zones). Note
- that any excludes all vserver
- zones, since those zones are nested within the firewall zone.
-
Hosts may also be specified as an IP address range using the
syntax
lowaddress-highaddress.