Correct policy file column heading names

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-02-19 11:04:20 -08:00
parent 0a73d365dd
commit 839f7f3329
8 changed files with 21 additions and 25 deletions

View File

@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
wireless). eth4 goes to my DMZ which holds a single server. Here is a wireless). eth4 goes to my DMZ which holds a single server. Here is a
diagram of the IPv4 network:</para> diagram of the IPv4 network:</para>
<graphic align="center" fileref="images/Network2009.png" /> <graphic align="center" fileref="images/Network2009.png"/>
<para>Here is the configuration after IPv6 is configured; the part in <para>Here is the configuration after IPv6 is configured; the part in
bold font is configured by the /etc/init.d/ipv6 script.</para> bold font is configured by the /etc/init.d/ipv6 script.</para>
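Review bot: this hunk and the three that follow it (@ -283, @ -338, @ -407) only change `<graphic ... />` to `<graphic .../>` and re-wrap `<para>` text that is otherwise identical; none of that is a policy column heading, so it is whitespace churn that the commit message "Correct policy file column heading names" does not cover. Suggest dropping these hunks or moving them into a separate formatting commit so the heading renames can be reviewed on their own.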
@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
<para>Here is the resulting simple IPv6 Network:</para> <para>Here is the resulting simple IPv6 Network:</para>
<graphic align="center" fileref="images/Network2009b.png" /> <graphic align="center" fileref="images/Network2009b.png"/>
</section> </section>
<section> <section>
@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
<para>So the IPv4 network was transformed to this:</para> <para>So the IPv4 network was transformed to this:</para>
<graphic align="center" fileref="images/Network2009a.png" /> <graphic align="center" fileref="images/Network2009a.png"/>
<para>To implement the same IPv6 network as described above, I used this <para>To implement the same IPv6 network as described above, I used this
/etc/shorewall/interfaces file:</para> /etc/shorewall/interfaces file:</para>
@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
<para>That file produces the following IPv6 network.</para> <para>That file produces the following IPv6 network.</para>
<graphic align="center" fileref="images/Network2008c.png" /> <graphic align="center" fileref="images/Network2008c.png"/>
</section> </section>
<section> <section>
@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
<para><filename>/etc/shorewall6/policy</filename>:</para> <para><filename>/etc/shorewall6/policy</filename>:</para>
<blockquote> <blockquote>
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
net all DROP info net all DROP info
loc net ACCEPT loc net ACCEPT
dmz net ACCEPT dmz net ACCEPT
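Review bot: the heading change to `#SOURCE DEST POLICY LOGLEVEL LIMIT` is the substantive fix here, and collapsing `LOG LEVEL` into one token is worthwhile because the two-word form read as two columns; but `<programlisting>` is whitespace-sensitive and the rendered diff collapses spaces, so confirm that `info` in `net all DROP info` still sits under `LOGLEVEL` and that the data rows were re-padded after the heading lost the `:BURST` characters.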
@ -505,8 +505,7 @@ SSH(ACCEPT) loc $FW
# #
# Allow Ping everywhere # Allow Ping everywhere
# #
Ping(ACCEPT) all all</programlisting> Ping(ACCEPT) all all</programlisting></para>
</para>
</blockquote> </blockquote>
</section> </section>
</section> </section>
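Review bot: joining `</programlisting>` and `</para>` onto one line and deleting the stand-alone `</para>` line is a pure formatting edit in a hunk that changes nothing else; like the `<graphic/>` hunks above, it belongs in a separate cleanup commit rather than under a commit described as correcting policy column heading names.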
@ -652,7 +651,7 @@ interface eth2 {
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" /> <graphic fileref="images/TwoIPv6Nets1.png"/>
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is communicate with the systems in the 2002:488:999::/64 network. This is

View File

@ -74,12 +74,11 @@
<section> <section>
<title>Policy Rate Limiting</title> <title>Policy Rate Limiting</title>
<para>The LIMIT:BURST column in the <para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
<filename>/etc/shorewall/policy</filename> file applies to TCP file applies to TCP connections that are subject to the policy. The
connections that are subject to the policy. The limiting is applied limiting is applied BEFORE the connection request is passed through the
BEFORE the connection request is passed through the rules generated by rules generated by entries in <filename>/etc/shorewall/rules</filename>.
entries in <filename>/etc/shorewall/rules</filename>. Those connections Those connections in excess of the limit are logged and dropped.</para>
in excess of the limit are logged and dropped.</para>
</section> </section>
<section> <section>
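Review bot: the only semantic change in this hunk is `LIMIT:BURST` to `LIMIT` in the first sentence, yet every line of the paragraph is re-wrapped, which hides a one-word change inside a five-line rewrite; keep the original line breaks and change just the first line. Also, with `BURST` gone from the heading, nothing left in this "Policy Rate Limiting" section tells the reader that the value carries a burst component, so add a short clause such as "The value is a rate with an optional burst; see the policy manpage" or a link to the shorewall-policy manpage, otherwise the rename removes the only hint the section gave.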

View File

@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
<para>You have a policy for traffic from <para>You have a policy for traffic from
<replaceable>zone1</replaceable> to <replaceable>zone1</replaceable> to
<replaceable>zone2</replaceable> that specifies TCP connection <replaceable>zone2</replaceable> that specifies TCP connection
rate limiting (value in the LIMIT:BURST column). The logged packet rate limiting (value in the LIMIT column). The logged packet
exceeds that limit and was dropped. Note that these log messages exceeds that limit and was dropped. Note that these log messages
themselves are severely rate-limited so that a syn-flood won't themselves are severely rate-limited so that a syn-flood won't
generate a secondary DOS because of excessive log message. These generate a secondary DOS because of excessive log message. These
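Review bot: `LIMIT:BURST` to `LIMIT` is consistent with the other files, but the sentence that follows on the same edited line, "The logged packet exceeds that limit and was dropped", mixes present and past tense; since the line is already being touched, change it to "exceeded that limit and was dropped".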

View File

@ -771,7 +771,7 @@ l2tp ppp+ -
<blockquote> <blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT $FW all ACCEPT
loc net ACCEPT loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors loc l2tp ACCEPT # Allows local machines to connect to road warriors
@ -913,7 +913,7 @@ loc eth0:192.168.20.0/24</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT $FW all ACCEPT
loc $FW ACCEPT loc $FW ACCEPT
net loc NONE net loc NONE

View File

@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename <para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies: file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting>In the three-interface all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policies will: $FW net ACCEPT</programlisting> The above policies will:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para> class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net $FW tcp 22</programlisting> ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts <para>So although you have a policy of ignoring all connection attempts
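Review bot: this hunk renames a rules-file heading (the two-line `DEST` / `# PORT(S)` becomes `DPORT`), not a policy-file heading, so the commit message "Correct policy file column heading names" no longer describes everything in the commit; either widen the message to cover the rules file or split this hunk into its own commit. The rename itself is fine, but since the `# PORT(S)` continuation line is deleted, confirm the `ACCEPT net $FW tcp 22` row still lines up under the now single-line heading.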

View File

@ -892,7 +892,7 @@ net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST <programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting> net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para> <para><filename>/etc/shorewall/masq</filename>:</para>
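Review bot: this listing keeps `DESTINATION` while every other policy heading in this commit uses `DEST`; given the commit's stated goal of correcting heading names, change it to `#SOURCE DEST POLICY LOGLEVEL LIMIT` here as well. Adding the `LOGLEVEL` column that the old heading omitted is correct, since the old `#SOURCE DESTINATION POLICY LIMIT:BURST` line skipped a column that exists in the file format.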

View File

@ -552,8 +552,7 @@ smc COMC_IF:10.0.0.0/24
<section id="policy"> <section id="policy">
<title>/etc/shorewall/policy</title> <title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
# LEVEL
$FW dmz REJECT $LOG $FW dmz REJECT $LOG
$FW net REJECT $LOG $FW net REJECT $LOG
?else ?else

View File

@ -581,7 +581,7 @@ loc:world bport
<para>A conventional two-zone policy file is appropriate here — <para>A conventional two-zone policy file is appropriate here —
<filename>/etc/shorewall/policy</filename>:</para> <filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info all all REJECT info