Minor Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@813 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs/Documentation.htm

@@ -105,6 +105,15 @@ rules. This file was added in version 1.4.7.<br>
 (/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall
 beginning in version 1.3.9) that describes the version of Shorewall
 installed on your system.</li>
+  <li><a href="UserSets.html" style="font-weight: bold;">users and
+usersets</a> - files in /etc/shorewall allowing connections originating
+on the firewall to be policed by the user id and/or group id of the
+user.</li>
+  <li><a href="User_defined_Actions.html"><span
+ style="font-weight: bold;">actions and action.template</span></a> -
+files in /etc/shorewall that allow you to define your own actions for
+rules in /etc/shorewall/rules.<br>
+  </li>
 </ul>
 <h2><a name="Variables"></a> /etc/shorewall/params</h2>
 <p>You may use the file /etc/shorewall/params file to set shell
@@ -1189,6 +1198,9 @@ facility is provided to allow interfacing to <a
 protocol specified in the PROTO column is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
+      <li>A <a href="User_defined_Actions.html">&lt;user-defined
+action&gt;</a> (Shorewall 1.4.9 and later)<br>
+      </li>
     </ul>
     <p>Beginning with Shorewall version 1.4.7, you may rate-limit the
 rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
@@ -2846,7 +2858,7 @@ Validation Documentation</a>.<br>
 <h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
 This file is described in the <a href="ECN.html">ECN Control
 Documentation</a>.<br>
-<p><font size="-1"> Updated 11/15/2003 - <a href="support.htm">Tom
+<p><font size="-1"> Updated 12/08/2003 - <a href="support.htm">Tom
 Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font

Shorewall-docs/configuration_file_basics.htm

@@ -63,7 +63,10 @@ at the completion of a "shorewall stop".</li>
   <li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
   <li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
 users/groups with
-similar access rights<br>
+similar access rights</li>
+  <li>/etc/shorewall/actions and /etc/shorewall/action.template -
+define your own actions for rules in /etc/shorewall/rules (shorewall
+1.4.9 and later).<br>
   </li>
 </ul>
 <h2>Comments</h2>

Shorewall-docs/mailing_list.htm

@@ -156,7 +156,10 @@ reporting guidelines</a>.<br>
  href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies"
  target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-newbies</a></p>
 <p align="left"> To post to the list, post to <a
- href="mailto:shorewall-newbies@lists.shorewall.net">shorewall-newbies@lists.shorewall.net</a>.</p>
+ href="mailto:shorewall-newbies@lists.shorewall.net">shorewall-newbies@lists.shorewall.net</a>.<br>
+</p>
+<p align="left">The list archives are at <a
+ href="http://lists.shorewall.net/pipermail/shorewall-newbies/index.html">http://lists.shorewall.net/pipermail/shorewall-newbies</a>.</p>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for
 users to get answers to questions and to report problems. Information

Shorewall-docs/seattlefirewall_index.htm

@@ -104,10 +104,92 @@ setup that matches the documentation on this site. See the <a
  href="two-interface.htm">Two-interface QuickStart Guide</a> for
 details.<br>
       <h2>News</h2>
+      <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1 </b><b> <img
+ style="border: 0px solid ; width: 28px; height: 12px;"
+ src="images/new10.gif" alt="(New)" title=""><br>
+      </b></p>
+      <div style="margin-left: 40px;"><a
+ href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
+      <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
+      </div>
+      <p>Problems Corrected since version 1.4.8:<br>
+      </p>
+      <ol>
+        <li>There has been a low continuing level of confusion over the
+terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
+all instances of "Static NAT" have been replaced with "One-to-one NAT"
+in the documentation and configuration files.</li>
+        <li>The description of NEWNOTSYN in shorewall.conf has been
+reworded for clarity.</li>
+        <li>Wild-card rules (those involving "all" as SOURCE or DEST)
+will no longer produce an error if they attempt to add a rule that would
+override a NONE policy. The logic for expanding these wild-card rules
+now simply skips those (SOURCE,DEST) pairs that have a NONE policy.<br>
+        </li>
+      </ol>
+      <p>Migration Issues:<br>
+      <br>
+&nbsp;&nbsp;&nbsp; None.<br>
+      <br>
+New Features:<br>
+      </p>
+      <ol>
+        <li>To cut down on the number of "Why are these ports closed
+rather than stealthed?" questions, the SMB-related rules in
+/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
+        <li>For easier identification, packets logged under the
+'norfc1918' interface option are now logged out of chains named
+'rfc1918'. Previously, such packets were logged under chains named
+'logdrop'.</li>
+        <li>Distributors and developers seem to be regularly inventing
+new naming conventions for kernel modules. To avoid the need to change
+Shorewall code for each new convention, the MODULE_SUFFIX option has
+been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
+for module names in your particular distribution. If MODULE_SUFFIX is
+not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
+          <br>
+To see what suffix is used by your distribution:<br>
+          <br>
+ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
+          <br>
+All of the files listed should have the same suffix (extension). Set
+MODULE_SUFFIX to that suffix.<br>
+          <br>
+Examples:<br>
+          <br>
+&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
+MODULE_SUFFIX="kzo"<br>
+&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
+MODULE_SUFFIX="kz.o"</li>
+        <li>Support for user defined rule ACTIONS has been implemented
+through two new files:<br>
+          <br>
+/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
+/etc/shorewall/action.template - For each user defined &lt;action&gt;,
+copy this file to /etc/shorewall/action.&lt;action&gt; and add the
+appropriate rules for that &lt;action&gt;. Once an &lt;action&gt; has
+been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
+DROP, etc.) in /etc/shorewall/rules.<br>
+          <br>
+Example: You want an action that logs a packet at the 'info' level and
+accepts the connection.<br>
+          <br>
+In /etc/shorewall/actions, you would add:<br>
+          <br>
+&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
+          <br>
+You would then copy /etc/shorewall/action.template to
+/etc/shorewall/LogAndAccept and in that file, you would add the two
+rules:<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
+          <br>
+        </li>
+      </ol>
       <p><b>12/03/2003 - Support Torch Passed</b><b> <img
  style="border: 0px solid ; width: 28px; height: 12px;"
  src="images/new10.gif" alt="(New)" title=""></b></p>
-      <p>Effective today, I am reducing my participation in the
+Effective today, I am reducing my participation in the
 day-to-day support of Shorewall. As part of this shift to
 community-based Shorewall support a new <a
  href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
@@ -115,11 +197,8 @@ Newbies mailing list</a> has been established to field questions and
 problems from new users. I will not monitor that list personally. I
 will continue my active development of Shorewall
 and will be available via the development list to handle development
-issues -- Tom.<br>
+issues -- Tom.
-      </p>
+      <p><b>11/07/2003 - Shorewall 1.4.8</b><b><br>
-      <p><b>11/07/2003 - Shorewall 1.4.8</b><b> <img
- style="border: 0px solid ; width: 28px; height: 12px;"
- src="images/new10.gif" alt="(New)" title=""></b><b><br>
       <br>
       </b>Problems Corrected since version 1.4.7:<br>
       </p>
@@ -348,7 +427,7 @@ Children's Foundation</a>. Thanks!</big><br>
 </table>
 </center>
 </div>
-<p><font size="2">Updated 12/02/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
 </body>

Shorewall-docs/shorewall_quickstart_guide.htm

@@ -97,7 +97,7 @@ in Shorewall</a> </li>
   </ul>
   <li><a href="Documentation.htm">Configuration File Reference Manual</a>
     <ul>
-      <li> <a href="Documentation.htm#Variables">params</a></li>
+      <li><a href="Documentation.htm#Variables">params</a></li>
       <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
       <li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
       <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
@@ -116,7 +116,10 @@ in Shorewall</a> </li>
       <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
       <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
       <li><a href="Accounting.html">accounting</a></li>
-      <li><a href="UserSets.html">usersets and users</a><br>
+      <li><a href="UserSets.html">usersets and users</a></li>
+      <li><a href="MAC_Validation.html">maclist</a></li>
+      <li><a href="User_defined_Actions.html">actions and
+action.template</a><br>
       </li>
     </ul>
   </li>
@@ -244,6 +247,8 @@ Firewall</a></font></li>
   <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
   <li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
 doesn't work)</a></li>
+  <li><a href="User_defined_Actions.html">User-defined Actions</a><br>
+  </li>
   <li><a href="UserSets.html">UID/GID Based Rules</a><br>
   </li>
   <li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
@@ -268,7 +273,7 @@ firewall to a remote network.</li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement
 <a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
+<p><font size="2">Last modified 12/08/2003 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
 M. Eastep</font></a><br>

Shorewall-docs/sourceforge_index.htm

@@ -93,6 +93,87 @@ setup that matches the documentation on this site. See the <a
 details.
       <h2></h2>
       <h2><b>News</b></h2>
+      <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1 </b><b> <img
+ style="border: 0px solid ; width: 28px; height: 12px;"
+ src="images/new10.gif" alt="(New)" title=""><br>
+      </b></p>
+      <div style="margin-left: 40px;"><a
+ href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
+      <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
+      </div>
+      <p>Problems Corrected since version 1.4.8:<br>
+      </p>
+      <ol>
+        <li>There has been a low continuing level of confusion over the
+terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
+all instances of "Static NAT" have been replaced with "One-to-one NAT"
+in the documentation and configuration files.</li>
+        <li>The description of NEWNOTSYN in shorewall.conf has been
+reworded for clarity.</li>
+        <li>Wild-card rules (those involving "all" as SOURCE or DEST)
+will no longer produce an error if they attempt to add a rule that
+would override a NONE policy. The logic for expanding these wild-card
+rules now simply skips those (SOURCE,DEST) pairs that have a NONE
+policy.<br>
+        </li>
+      </ol>
+      <p>Migration Issues:<br>
+      <br>
+&nbsp;&nbsp;&nbsp; None.<br>
+      <br>
+New Features:<br>
+      </p>
+      <ol>
+        <li>To cut down on the number of "Why are these ports closed
+rather than stealthed?" questions, the SMB-related rules in
+/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
+        <li>For easier identification, packets logged under the
+'norfc1918' interface option are now logged out of chains named
+'rfc1918'. Previously, such packets were logged under chains named
+'logdrop'.</li>
+        <li>Distributors and developers seem to be regularly inventing
+new naming conventions for kernel modules. To avoid the need to change
+Shorewall code for each new convention, the MODULE_SUFFIX option has
+been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
+for module names in your particular distribution. If MODULE_SUFFIX is
+not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
+          <br>
+To see what suffix is used by your distribution:<br>
+          <br>
+ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
+          <br>
+All of the files listed should have the same suffix (extension). Set
+MODULE_SUFFIX to that suffix.<br>
+          <br>
+Examples:<br>
+          <br>
+&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
+MODULE_SUFFIX="kzo"<br>
+&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
+MODULE_SUFFIX="kz.o"</li>
+        <li>Support for user defined rule ACTIONS has been implemented
+through two new files:<br>
+          <br>
+/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
+/etc/shorewall/action.template - For each user defined &lt;action&gt;,
+copy this file to /etc/shorewall/action.&lt;action&gt; and add the
+appropriate rules for that &lt;action&gt;. Once an &lt;action&gt; has
+been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
+DROP, etc.) in /etc/shorewall/rules.<br>
+          <br>
+Example: You want an action that logs a packet at the 'info' level and
+accepts the connection.<br>
+          <br>
+In /etc/shorewall/actions, you would add:<br>
+          <br>
+&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
+          <br>
+You would then copy /etc/shorewall/action.template to
+/etc/shorewall/LogAndAccept and in that file, you would add the two
+rules:<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
+      </ol>
       <p><b>12/03/2003 - Support Torch Passed</b><b> <img
  style="border: 0px solid ; width: 28px; height: 12px;"
  src="images/new10.gif" alt="(New)" title=""></b></p>
@@ -337,7 +418,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
     </tr>
   </tbody>
 </table>
-<p><font size="2">Updated 12/03/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
 </body>