From 6d3640dafcc077bb0584e8a73b66c39bcaf0fdac Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 28 May 2011 10:34:54 -0700 Subject: [PATCH] Alphabetize config files and sync files and manpages Signed-off-by: Tom Eastep --- Shorewall/configfiles/shorewall.conf | 206 +++++++++++++-------------- Shorewall6/shorewall6.conf | 170 +++++++++++----------- manpages/shorewall.conf.xml | 95 +++++++----- manpages6/shorewall6.conf.xml | 80 +++++++++++ 4 files changed, 327 insertions(+), 224 deletions(-) diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 3ddc97b61..429ce25be 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -21,12 +21,14 @@ VERBOSITY=1 # L O G G I N G ############################################################################### -LOGFILE=/var/log/messages +BLACKLIST_LOGLEVEL= -STARTUP_LOG=/var/log/shorewall-init.log +LOG_MARTIANS=Yes LOG_VERBOSITY=2 +LOGFILE=/var/log/messages + LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No 
@@ -35,169 +37,163 @@ LOGLIMIT= LOGALLNEW= -BLACKLIST_LOGLEVEL= - MACLIST_LOG_LEVEL=info -TCP_FLAGS_LOG_LEVEL=info +SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info -LOG_MARTIANS=Yes +STARTUP_LOG=/var/log/shorewall-init.log -FILTER_LOG_LEVEL=info +TCP_FLAGS_LOG_LEVEL=info ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### +CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + IPTABLES= IP= -TC= - IPSET= +MODULESDIR= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +RESTOREFILE=restore + SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall -MODULESDIR= - -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall - -RESTOREFILE= - -LOCKFILE= +TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -DROP_DEFAULT="Drop" -REJECT_DEFAULT="Reject" ACCEPT_DEFAULT="none" -QUEUE_DEFAULT="none" +DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" +QUEUE_DEFAULT="none" +REJECT_DEFAULT="Reject" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### -RSH_COMMAND='ssh ${root}@${system} ${command}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=On +ACCOUNTING=Yes + +ACCOUNTING_TABLE=filter ADD_IP_ALIASES=No ADD_SNAT_ALIASES=No +ADMINISABSENTMINDED=Yes + +AUTO_COMMENT=Yes + +AUTOMAKE=No + +BLACKLISTNEWONLY=Yes + +CLAMPMSS=No + +CLEAR_TC=Yes + 
+COMPLETE=No + +DISABLE_IPV6=No + +DELETE_THEN_ADD=Yes + +DETECT_DNAT_IPADDRS=No + +DONT_LOAD= + +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes + +EXPORTPARAMS=No + +FASTACCEPT=No + +FORWARD_CLEAR_MARK= + +IMPLICIT_CONTINUE=No + +HIGH_ROUTE_MARKS=No + +IP_FORWARDING=On + +KEEP_RT_TABLES=No + +LOAD_HELPERS_ONLY=No + +LEGACY_FASTSTART=Yes + +MACLIST_TABLE=filter + +MACLIST_TTL= + +MANGLE_ENABLED=Yes + +MAPOLDACTIONS=No + +MARK_IN_FORWARD_CHAIN=No + +MODULE_SUFFIX=ko + +MULTICAST=No + +MUTEX_TIMEOUT=60 + +NULL_ROUTE_RFC1918=No + +OPTIMIZE=0 + +OPTIMIZE_ACCOUNTING=No + +REQUIRE_INTERFACE=No + +RESTORE_DEFAULT_ROUTE=Yes + RETAIN_ALIASES=No +ROUTE_FILTER=No + +SAVE_IPSETS=No + TC_ENABLED=Internal TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" -CLEAR_TC=Yes - -MARK_IN_FORWARD_CHAIN=No - -CLAMPMSS=No - -ROUTE_FILTER=No - -DETECT_DNAT_IPADDRS=No - -MUTEX_TIMEOUT=60 - -ADMINISABSENTMINDED=Yes - -BLACKLISTNEWONLY=Yes - -MODULE_SUFFIX=ko - -DISABLE_IPV6=No - -DYNAMIC_ZONES=No - -NULL_ROUTE_RFC1918=No - -MACLIST_TABLE=filter - -MACLIST_TTL= - -SAVE_IPSETS=No - -MAPOLDACTIONS=No - -FASTACCEPT=No - -IMPLICIT_CONTINUE=No - -HIGH_ROUTE_MARKS=No - -OPTIMIZE=0 - -EXPORTPARAMS=No - -EXPAND_POLICIES=Yes - -KEEP_RT_TABLES=No - -DELETE_THEN_ADD=Yes - -MULTICAST=No - -DONT_LOAD= - -AUTO_COMMENT=Yes - -MANGLE_ENABLED=Yes +TRACK_PROVIDERS=No USE_DEFAULT_RT=No -RESTORE_DEFAULT_ROUTE=Yes - -AUTOMAKE=No - WIDE_TC_MARKS=No -TRACK_PROVIDERS=No - ZONE2ZONE=2 -ACCOUNTING=Yes - -DYNAMIC_BLACKLIST=Yes - -OPTIMIZE_ACCOUNTING=No - -LOAD_HELPERS_ONLY=No - -REQUIRE_INTERFACE=No - -FORWARD_CLEAR_MARK= - -COMPLETE=No - -EXPORTMODULES=Yes - -ACCOUNTING_TABLE=filter - -LEGACY_FASTSTART=Yes - ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### 
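Review bot: The commit subject describes a reordering, but this hunk also renames an option: `FILTER_LOG_LEVEL=info` is removed and `SFILTER_LOG_LEVEL=info` is added. The following hunk (`@@ -206,11 +202,11 @@`) and the Shorewall6 hunk do the same for `FILTER_DISPOSITION` → `SFILTER_DISPOSITION`. Nothing visible here shows whether the old names are still accepted, so an existing shorewall.conf that sets `FILTER_DISPOSITION` or `FILTER_LOG_LEVEL` may silently stop governing hairpin/sfilter packets; confirm this in the option parser and state the rename in the commit message. The man-page hunks in this commit still end the SFILTER_LOG_LEVEL entry with `use FILTER_LOG_LEVEL=none`, which should read `use SFILTER_LOG_LEVEL=none`. The hunk also drops `LOCKFILE=` and `DYNAMIC_ZONES=No` and changes `RESTOREFILE=` to `RESTOREFILE=restore`, none of which is a reordering.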
@@ -206,11 +202,11 @@ BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT -TCP_FLAGS_DISPOSITION=DROP - SMURF_DISPOSITION=DROP -FILTER_DISPOSITION=DROP +SFILTER_DISPOSITION=DROP + +TCP_FLAGS_DISPOSITION=DROP ################################################################################ # L E G A C Y O P T I O N diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf index f8d95fff9..071c812ba 100644 --- a/Shorewall6/shorewall6.conf +++ b/Shorewall6/shorewall6.conf 
@@ -22,159 +22,161 @@ VERBOSITY=1 # L O G G I N G ############################################################################### -LOGFILE=/var/log/messages - -STARTUP_LOG=/var/log/shorewall6-init.log +BLACKLIST_LOGLEVEL= LOG_VERBOSITY=2 -LOGFORMAT="Shorewall:%s:%s:" +LOGALLNEW= -LOGTAGONLY=No +LOGFILE=/var/log/messages + +LOGFORMAT="Shorewall:%s:%s:" LOGLIMIT= -LOGALLNEW= +LOGTAGONLY=No -BLACKLIST_LOGLEVEL= - -TCP_FLAGS_LOG_LEVEL=info +SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info -FILTER_LOG_LEVEL=info +STARTUP_LOG=/var/log/shorewall6-init.log + +TCP_FLAGS_LOG_LEVEL=info ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### +CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall + IP6TABLES= IP= -TC= - IPSET= +LOCKFILE= + +MODULESDIR= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +RESTOREFILE= + SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall -MODULESDIR= - -CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall - -RESTOREFILE= - -LOCKFILE= +TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -DROP_DEFAULT="Drop" -REJECT_DEFAULT="Reject" ACCEPT_DEFAULT="none" -QUEUE_DEFAULT="none" +DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" +QUEUE_DEFAULT="none" +REJECT_DEFAULT="Reject" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### -RSH_COMMAND='ssh ${root}@${system} ${command}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' 
############################################################################### # F I R E W A L L O P T I O N S ############################################################################### +ACCOUNTING=Yes + +ACCOUNTING_TABLE=filter + +ADMINISABSENTMINDED=Yes + +AUTO_COMMENT=Yes + +AUTOMAKE=No + +BLACKLISTNEWONLY=Yes + +CLAMPMSS=No + +CLEAR_TC=No + +COMPLETE=No + +DELETE_THEN_ADD=Yes + +DONT_LOAD= + +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes + +EXPORTPARAMS=No + +FASTACCEPT=No + +FORWARD_CLEAR_MARK=Yes + +HIGH_ROUTE_MARKS=No + +IMPLICIT_CONTINUE=No + IP_FORWARDING=Off +KEEP_RT_TABLES=Yes + +LEGACY_FASTSTART=No + +LOAD_HELPERS_ONLY=No + +MANGLE_ENABLED=Yes + +MARK_IN_FORWARD_CHAIN=No + +MODULE_SUFFIX=ko + +MUTEX_TIMEOUT=60 + +OPTIMIZE=1 + +OPTIMIZE_ACCOUNTING=No + +REQUIRE_INTERFACE=No + +RESTOREFILE=restore + TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" -CLEAR_TC=No - -MARK_IN_FORWARD_CHAIN=No - -CLAMPMSS=No - -MUTEX_TIMEOUT=60 - -ADMINISABSENTMINDED=Yes - -BLACKLISTNEWONLY=Yes - -MODULE_SUFFIX=ko - -FASTACCEPT=No - -IMPLICIT_CONTINUE=No - -HIGH_ROUTE_MARKS=No - -OPTIMIZE=1 - -EXPORTPARAMS=No - -EXPAND_POLICIES=Yes - -KEEP_RT_TABLES=Yes - -DELETE_THEN_ADD=Yes - -DONT_LOAD= - -AUTO_COMMENT=Yes - -MANGLE_ENABLED=Yes - -AUTOMAKE=No +TRACK_PROVIDERS=No WIDE_TC_MARKS=No -TRACK_PROVIDERS=No - ZONE2ZONE=2 -ACCOUNTING=Yes - -OPTIMIZE_ACCOUNTING=No - -DYNAMIC_BLACKLIST=Yes - -LOAD_HELPERS_ONLY=No - -REQUIRE_INTERFACE=No - -FORWARD_CLEAR_MARK=Yes - -COMPLETE=No - -EXPORTMODULES=Yes - -ACCOUNTING_TABLE=filter - -LEGACY_FASTSTART=No - ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP -TCP_FLAGS_DISPOSITION=DROP +SFILTER_DISPOSITION=DROP SMURF_DISPOSITION=DROP -FILTER_DISPOSITION=DROP +TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE 
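Review bot: `RESTOREFILE` is now assigned twice in shorewall6.conf: `RESTOREFILE=` is re-added in the location section, and `RESTOREFILE=restore` is added between `REQUIRE_INTERFACE=No` and `TC_ENABLED=No` in the firewall-options section. Two assignments with different values make the effective setting depend on how the file is read (presumably the later one wins), whereas the IPv4 file in this commit carries a single `RESTOREFILE=restore` in the location section. I would delete the firewall-options line and change the location entry to `RESTOREFILE=restore`. `LOCKFILE=` is also kept here while the IPv4 hunk removes it, which is at odds with the stated sync of the two files.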
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 7d1b31a15..46f079378 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -185,6 +185,19 @@ + + ACCOUNTING_TABLE=[filter|mangle] + + + Added in Shorewall 4.4.20. This setting determines which + Netfilter table the accounting rules are added in. By default, + ACCOUNTING_TABLE=filter is assumed. See also shorewall-accounting(5). + + + ADD_IP_ALIASES=[Yes|No] @@ -621,41 +634,6 @@ net all DROP infothen the chain name is 'net2all' - - FILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] - - - Added in Shorewall 4.4.20. Determines the disposition of - packets matching the option (see shorewall-interfaces(5)) and - of hairpin packets on interfaces without the - option. - Hairpin packets are packets that are routed out of the - same interface that they arrived on. - interfaces without the routeback option. - - - - - FILTER_LOG_LEVEL=log-level - - - Added on Shorewall 4.4.20. Determines the logging of packets - matching the option (see shorewall-interfaces(5)) and - of hairpin packets on interfaces without the - option. - Hairpin packets are packets that are routed out of the - same interface that they arrived on. - interfaces without the routeback option. The default - is . If you don't wish for these packets to be - logged, use FILTER_LOG_LEVEL=none. - - - FORWARD_CLEAR_MARK={Yes|No} @@ -1219,6 +1197,18 @@ net all DROP infothen the chain name is 'net2all' + + MANGLE_ENABLED=[Yes|No] + + + Determines whether Shorewall will generate rules in the + Netfilter mangle table. Setting MANGLE_ENABLED=No disables all + Shorewall features that require the mangle table. The default is + MANGLE_ENABLED=Yes. + + + MAPOLDACTIONS=[Yes|No] 
@@ -1649,6 +1639,41 @@ net all DROP infothen the chain name is 'net2all' + + SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] + + + Added in Shorewall 4.4.20. Determines the disposition of + packets matching the option (see shorewall-interfaces(5)) and + of hairpin packets on interfaces without the + option. + Hairpin packets are packets that are routed out of the + same interface that they arrived on. + interfaces without the routeback option. + + + + + SFILTER_LOG_LEVEL=log-level + + + Added on Shorewall 4.4.20. Determines the logging of packets + matching the option (see shorewall-interfaces(5)) and + of hairpin packets on interfaces without the + option. + Hairpin packets are packets that are routed out of the + same interface that they arrived on. + interfaces without the routeback option. The default + is . If you don't wish for these packets to be + logged, use FILTER_LOG_LEVEL=none. + + + SHOREWALL_SHELL=[pathname] diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index 290325b79..47b2ffb13 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -183,6 +183,19 @@ + + ACCOUNTING_TABLE=[filter|mangle] + + + Added in Shorewall 4.4.20. This setting determines which + Netfilter table the accounting rules are added in. By default, + ACCOUNTING_TABLE=filter is assumed. See also shorewall-accounting(5). + + + ADMINISABSENTMINDED=[Yes|No] 
@@ -443,6 +456,26 @@ + + EXPAND_POLICIES={Yes|No} + + + Normally, when the SOURCE or DEST columns in + shorewall-policy(5) contains 'all', a single policy chain is created + and the policy is enforced in that chain. For example, if the policy + entry is#SOURCE DEST POLICY LOG +# LEVEL +net all DROP infothen the chain name is 'net2all' + which is also the chain named in Shorewall log messages generated as + a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall will + create a separate chain for each pair of zones covered by the + policy. This makes the resulting log messages easier to interpret + since the chain in the messages will have a name of the form 'a2b' + where 'a' is the SOURCE zone and 'b' is the DEST zone. + + + EXPORTMODULES=[Yes|No] @@ -997,6 +1030,18 @@ + + MANGLE_ENABLED=[Yes|No] + + + Determines whether Shorewall will generate rules in the + Netfilter mangle table. Setting MANGLE_ENABLED=No disables all + Shorewall features that require the mangle table. The default is + MANGLE_ENABLED=Yes. + + + MARK_IN_FORWARD_CHAIN=[ + + SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] + + + Added in Shorewall 4.4.20. Determines the disposition of + packets matching the option (see shorewall6-interfaces(5)) + and of hairpin packets on interfaces without + the option. + Hairpin packets are packets that are routed out of the + same interface that they arrived on. + interfaces without the routeback option. + + + + + SFILTER_LOG_LEVEL=log-level + + + Added on Shorewall 4.4.20. Determines the logging of packets + matching the option (see shorewall6-interfaces(5)) + and of hairpin packets on interfaces without + the option. + Hairpin packets are packets that are routed out of the + same interface that they arrived on. + interfaces without the routeback option. The default + is . If you don't wish for these packets to be + logged, use FILTER_LOG_LEVEL=none. + + + STARTUP_ENABLED={Yes|No}