diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml
index 3e550c147..3f32a9c4f 100644
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@@ -71,25 +71,27 @@
- Single external IP address
+ Single external IP address
- Connection through Cable Modem, DSL, ISDN, Frame Relay,
- dial-up... or connected to a LAN and you simply wish to protect your
- Linux system from other systems on that LAN.
+ Connection through Cable Modem, DSL,
+ ISDN, Frame Relay, dial-up... or connected to a
+ LAN and you simply wish to protect your Linux
+ system from other systems on that LAN.
- Requirements
+ System Requirements
- Shorewall requires that you have the iproute/iproute2 package
- installed (on RedHat, the package is called
- iproute). You can tell if this package is installed
- by the presence of an ip program on
- your firewall system. As root, you can use the which
- command to check for this program:
+ Shorewall requires that you have the
+ iproute/iproute2 package installed
+ (on RedHat, the package is called
+ iproute). You can tell if this package is installed
+ by the presence of an ip program on your firewall
+ system. As root, you can use the which command to
+ check for this program:
[root@gateway root]# which ip
/sbin/ip
@@ -104,21 +106,26 @@
configuration changes.
- If you edit your configuration files on a Windows system, you
- must save them as Unix files if your editor supports that option or
- you must run them through dos2unix before trying to use them.
- Similarly, if you copy a configuration file from your Windows hard
- drive to a floppy disk, you must run dos2unix against the copy before
- using it with Shorewall.
+ If you edit your configuration files on a
+ Windows system, you must save them as
+ Unix files if your editor supports that option
+ or you must run them through dos2unix before trying
+ to use them. Similarly, if you copy a configuration file from your
+ Windows hard drive to a floppy disk, you must
+ run dos2unix against the copy before using it with
+ Shorewall.
+
+ Windows
+ Version of dos2unix
+
-
- Windows
- Version of dos2unix
-
- Linux Version of
- dos2unix
-
+
+ Linux
+ Version of dos2unix
+
+
@@ -136,12 +143,12 @@
- If you have an ADSL Modem and you use PPTP to communicate with a
- server in that modem, you must make the changes recommended here in addition to those described in the steps
- below. ADSL with PPTP is most commonly found in Europe, notably
- in Austria.
+ If you have an ADSL Modem and you use
+ PPTP to communicate with a server in that modem, you
+ must make the changes recommended here in addition to those detailed below.
+ ADSL with PPTP is most commonly
+ found in Europe, notably in Austria.
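Review bot: the rewrapped ADSL/PPTP paragraph also changes wording, from "in addition to those described in the steps below" to "in addition to those detailed below", which is easy to miss among the whitespace changes. Mention the wording change in the commit message or split it into its own commit. While the sentence is being touched, the link text "here" could be replaced with a phrase that names what the linked page covers.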
@@ -157,10 +164,12 @@
- If you installed using an RPM, the samples will be in the
- Samples/one-interface/ subdirectory of the Shorewall documentation
- directory. If you don't know where the Shorewall documentation
- directory is, you can find the samples using this command:
+ If you installed using an RPM, the samples
+ will be in the Samples/one-interface subdirectory of the
+ Shorewall documentation directory. If you don't know where the
+ Shorewall documentation directory is, you can find the samples using
+ this command:
~# rpm -ql shorewall | fgrep one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface
@@ -173,12 +182,13 @@
If you installed using the tarball, the samples are in the
- Samples/one-interface directory in the tarball.
+ Samples/one-interface directory
+ in the tarball.
- If you installed using the .deb, the samples are in
- /usr/share/doc/shorewall/examples/one-interface.
+ If you installed using the .deb, the samples are in /usr/share/doc/shorewall/examples/one-interface.
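Review bot: the added .deb sentence is one unwrapped line, while the tarball sentence directly above it and the other paragraphs in this patch are wrapped across several short lines. Wrap this line the same way so that later diffs of the paragraph stay readable.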
@@ -196,9 +206,10 @@
Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
- and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify
- those files.
+ and /usr/share/doc/shorewall/default-config/modules
+ to /etc/shorewall even if you do
+ not modify those files.
As each file is introduced, I suggest that you look through the
@@ -218,10 +229,11 @@ net ipv4
url="Documentation.htm#Zones">/etc/shorewall/zones.
Note that Shorewall recognizes the firewall system as its own zone.
- The name of the firewall zone (fw in the
- above example) is stored in the shell variable $FW
- which may be used throughout the rest of the Shorewall configuration to
- refer to the firewall itself.
+ When the /etc/shorewall/zones file is processed, the
+ name of the firewall zone (fw
in the above example) is
+ stored in the shell variable $FW which may be used
+ to refer to the firewall zone throughout the Shorewall
+ configuration.
Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
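Review bot: the new opening clause "When the /etc/shorewall/zones file is processed" ties $FW to a processing step, yet the sentence still ends with "throughout the Shorewall configuration", so a reader cannot tell whether $FW may be used in files that are read before zones. Either drop the clause or state which files may reference $FW. The change from "the firewall itself" to "the firewall zone" is a useful precision fix, since the next paragraph says rules are expressed in terms of zones.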
@@ -287,54 +299,62 @@ all all REJECT info
External Interface
The firewall has a single network interface. Where Internet
- connectivity is through a cable or DSL Modem
, the
- External Interface will be the ethernet adapter
- (eth0) that is connected to that
- Modem
unless you
- connect via Point-to-Point Protocol over Ethernet
- (PPPoE) or Point-to-Point Tunneling Protocol (PPTP)
- in which case the External Interface will be a ppp0. If you connect via a regular modem, your
- External Interface will also be ppp0. If
- you connect using ISDN, your external interface will be ippp0.
+ connectivity is through a cable or DSL
+ Modem
, the External Interface will be
+ the ethernet adapter (eth0) that
+ is connected to that Modem
unless you connect via
+ Point-to-Point Protocol over Ethernet
+ (PPPoE) or Point-to-Point Tunneling
+ Protocol (PPTP) in which case the External
+ Interface will be a PPP interface (e.g., ppp0). If you connect via a regular modem,
+ your External Interface will also be ppp0. If you connect using
+ ISDN, your external interface will be ippp0.
The Shorewall one-interface sample configuration assumes that the
- external interface is eth0. If your
- configuration is different, you will have to modify the sample
- /etc/shorewall/interfaces file accordingly. While you are there, you may
- wish to review the list of options that are specified for the interface.
- Some hints:
+ external interface is eth0. If
+ your configuration is different, you will have to modify the sample
+ /etc/shorewall/interfaces file accordingly. While you
+ are there, you may wish to review the list of options that are specified
+ for the interface. Some hints:
- If your external interface is ppp0 or ippp0,
- you can replace the detect
in the second column with
- -
.
+ If your external interface is ppp0 or ippp0, you can replace the
+ detect
in the second column with -
(minus
+ the quotes).
- If your external interface is ppp0 or ippp0 or
- if you have a static IP address, you can remove dhcp
from
- the option list.
+ If your external interface is ppp0 or ippp0 or if you have a static IP address,
+ you can remove dhcp
from the option list.
IP Addresses
- Before going further, we should say a few words about IP Addresses.
- Normally, your ISP will assign you a single IP address. That address can
- be assigned statically, by the Dynamic Host Configuration Protocol (DHCP),
- through the establishment of your dial-up connection, or during
- establishment of your other type of PPP connection (PPPoA, PPPoE,
- etc.).
+ Before going further, we should say a few words about
+ Internet Protocol (IP) addresses.
+ Normally, your Internet Service Provider
+ (ISP) will assign you a single IP
+ address. That address can be assigned statically, by the Dynamic
+ Host Configuration Protocol (DHCP), through
+ the establishment of your dial-up connection, or during establishment of
+ your other type of PPP (PPPoA,
+ PPPoE, etc.) connection.
- RFC 1918 reserves several Private IP address
- ranges for use in private networks:
+ RFC-1918 reserves several
+ Private IP address ranges for use
+ in private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
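Review bot: the PPPoE/PPTP sentence is generalized to "a PPP interface (e.g., ppp0)", but the following sentence and both hints still treat ppp0 as the only name ("will also be ppp0", "If your external interface is ppp0 or ippp0"). Use the generalized wording in all of these places or keep the literal name throughout, so that a reader whose link comes up under a different PPP interface name knows the hints about "detect" and "dhcp" still apply. Separately, "RFC-1918" replaces the "RFC 1918" form used by the old text; unless the new markup requires the hyphen, keep the original form.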
@@ -342,10 +362,12 @@ all all REJECT info
These addresses are sometimes referred to as
non-routable because the Internet backbone routers
- will not forward a packet whose destination address is reserved by RFC
- 1918. In some cases though, ISPs are assigning these addresses then using
- Network Address Translation to rewrite packet headers
- when forwarding to/from the internet.
+ will not forward a packet whose destination address is reserved by
+ RFC-1918. In some cases though,
+ ISPs are assigning these addresses then using
+ Network Address Translation -
+ NAT) to rewrite packet headers when
+ forwarding to/from the internet.
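Review bot: the added text "Network Address Translation - NAT)" has a closing parenthesis with no opening one. The same patch introduces other acronyms as "Internet Protocol (IP)" and "Internet Service Provider (ISP)", so write this one as "Network Address Translation (NAT)" to match.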
@@ -404,7 +426,7 @@ ACCEPT net $FW tcp 143
I don't recommend enabling telnet to/from the internet because it
uses clear text (even for login!). If you want shell access to your
- firewall from the internet, use SSH:
+ firewall from the internet, use SSH:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net $FW
@@ -429,15 +451,15 @@ SSH/ACCEPT net $FW
STARTUP_ENABLED=Yes.
- Users of the .deb package must edit
+ Users of the .deb package must edit
/etc/default/shorewall and set
- startup=1
.
+ STARTUP=1.
- You must enable startup by editing
- /etc/shorewall/shorewall.conf and setting
- STARTUP_ENABLED=Yes.
+ You must enable startup by editing
+ /etc/shorewall/shorewall.conf and setting
+ STARTUP_ENABLED=Yes.
The firewall is started using the shorewall
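Review bot: in the .deb paragraph the value to set in /etc/default/shorewall changes from "startup=1" to "STARTUP=1", which alters what the user is told to type rather than only the markup. Variable names in such a file are case-sensitive, so check the spelling against the file the .deb package ships and note the result in the commit message. If the packaged file uses the other case, a user who follows this guide will not have enabled startup and the firewall will not be started.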
@@ -462,7 +484,7 @@ SSH/ACCEPT net $FW
url="configuration_file_basics.htm#Configs">alternate
configuration and test it using the shorewall
- try
command.
+ try command.