Apply Alex's changes to the standalone guide

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3169 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-12-15 21:22:28 +00:00 · 2005-12-15 21:22:28 +00:00 · 94a28b078e
commit 94a28b078e
parent c572c2cb0f
1 changed files with 110 additions and 88 deletions
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@ -71,25 +71,27 @@
      </listitem>
      <listitem>
-        <para>Single external IP address</para>
+        <para>Single external <acronym>IP</acronym> address</para>
      </listitem>
      <listitem>
-        <para>Connection through Cable Modem, DSL, ISDN, Frame Relay,
+        <para>Connection through Cable Modem, <acronym>DSL</acronym>,
-        dial-up... or connected to a LAN and you simply wish to protect your
+        <acronym>ISDN</acronym>, Frame Relay, dial-up... or connected to a
-        Linux system from other systems on that LAN.</para>
+        <acronym>LAN</acronym> and you simply wish to protect your Linux
        system from other systems on that <acronym>LAN</acronym>.</para>
      </listitem>
    </itemizedlist>
    <section>
-      <title>Requirements</title>
+      <title>System Requirements</title>
-      <para>Shorewall requires that you have the iproute/iproute2 package
+      <para>Shorewall requires that you have the
-      installed (on RedHat, the package is called
+      <command>iproute</command>/<command>iproute2</command> package installed
-      <emphasis>iproute</emphasis>). You can tell if this package is installed
+      (on<trademark> RedHat</trademark>, the package is called
-      by the presence of an <emphasis role="bold">ip</emphasis> program on
+      <command>iproute</command>). You can tell if this package is installed
-      your firewall system. As root, you can use the <quote>which</quote>
+      by the presence of an <command>ip</command> program on your firewall
-      command to check for this program:</para>
+      system. As root, you can use the <command>which</command> command to
      check for this program:</para>
      <programlisting>[root@gateway root]# <command>which ip</command>
 /sbin/ip
@ -104,21 +106,26 @@
      configuration changes.</para>
      <caution>
-        <para>If you edit your configuration files on a Windows system, you
+        <para>If you edit your configuration files on a
-        must save them as Unix files if your editor supports that option or
+        <trademark>Windows</trademark> system, you must save them as
-        you must run them through dos2unix before trying to use them.
+        <trademark>Unix</trademark> files if your editor supports that option
-        Similarly, if you copy a configuration file from your Windows hard
+        or you must run them through <command>dos2unix</command> before trying
-        drive to a floppy disk, you must run dos2unix against the copy before
+        to use them. Similarly, if you copy a configuration file from your
-        using it with Shorewall.</para>
+        <trademark>Windows</trademark> hard drive to a floppy disk, you must
        run <command>dos2unix</command> against the copy before using it with
        Shorewall. <itemizedlist>
            <listitem>
              <para><ulink
              url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
              Version of <command>dos2unix</command></ulink></para>
            </listitem>
-        <simplelist>
+            <listitem>
-          <member><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
+              <para><ulink
-          Version of dos2unix</ulink></member>
+              url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-
+              Version of <command>dos2unix</command></ulink></para>
-          <member><ulink
+            </listitem>
-          url="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
+          </itemizedlist></para>
          dos2unix</ulink></member>
        </simplelist>
      </caution>
    </section>
@ -136,12 +143,12 @@
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    <para>If you have an ADSL Modem and you use PPTP to communicate with a
+    <para>If you have an <acronym>ADSL</acronym> Modem and you use
-    server in that modem, you must make the <ulink
+    <acronym>PPTP</acronym> to communicate with a server in that modem, you
-    url="PPTP.htm#PPTP_ADSL">changes recommended here</ulink> <emphasis
+    must make the changes recommended <ulink
-    role="underline">in addition to those described in the steps
+    url="PPTP.htm#PPTP_ADSL">here</ulink> in addition to those detailed below.
-    below</emphasis>. ADSL with PPTP is most commonly found in Europe, notably
+    <acronym>ADSL</acronym> with <acronym>PPTP</acronym> is most commonly
-    in Austria.</para>
+    found in Europe, notably in Austria.</para>
  </section>
  <section>
@ -157,10 +164,12 @@
    <orderedlist>
      <listitem>
-        <para>If you installed using an RPM, the samples will be in the
+        <para>If you installed using an <acronym>RPM</acronym>, the samples
-        Samples/one-interface/ subdirectory of the Shorewall documentation
+        will be in the <filename
-        directory. If you don't know where the Shorewall documentation
+        class="directory">Samples/one-interface</filename> subdirectory of the
-        directory is, you can find the samples using this command:</para>
+        Shorewall documentation directory. If you don't know where the
        Shorewall documentation directory is, you can find the samples using
        this command:</para>
        <programlisting>~# rpm -ql shorewall | fgrep one-interface
 /usr/share/doc/packages/shorewall/Samples/one-interface
@ -173,12 +182,13 @@
      <listitem>
        <para>If you installed using the tarball, the samples are in the
-        Samples/one-interface directory in the tarball.</para>
+        <filename class="directory">Samples/one-interface</filename> directory
        in the tarball.</para>
      </listitem>
      <listitem>
-        <para>If you installed using the .deb, the samples are in
+        <para>If you installed using the .deb, the samples are in <filename
-        /usr/share/doc/shorewall/examples/one-interface.</para>
+        class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>.</para>
      </listitem>
    </orderedlist>
@ -196,9 +206,10 @@
      <para>Note that you must copy <filename
      class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
-      and /usr/share/doc/shorewall/default-config/modules to <filename
+      and <filename
-      class="directory">/etc/shorewall</filename> even if you do not modify
+      class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
-      those files.</para>
+      to <filename class="directory">/etc/shorewall</filename> even if you do
      not modify those files.</para>
    </warning>
    <para>As each file is introduced, I suggest that you look through the
@ -218,10 +229,11 @@ net     ipv4</programlisting>
    url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
    <para>Note that Shorewall recognizes the firewall system as its own zone.
-    The name of the firewall zone (<emphasis role="bold">fw</emphasis> in the
+    When the <filename>/etc/shorewall/zones</filename> file is processed, the
-    above example) is stored in the shell variable <firstterm>$FW</firstterm>
+    name of the firewall zone (<quote>fw</quote> in the above example) is
-    which may be used throughout the rest of the Shorewall configuration to
+    stored in the shell variable <firstterm>$FW</firstterm> which may be used
-    refer to the firewall itself.</para>
+    to refer to the firewall zone throughout the Shorewall
    configuration.</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones.</para>
@ -287,54 +299,62 @@ all            all                REJECT   info</programlisting>
    <title>External Interface</title>
    <para>The firewall has a single network interface. Where Internet
-    connectivity is through a cable or DSL <quote>Modem</quote>, the
+    connectivity is through a cable or <acronym>DSL</acronym>
-    <emphasis>External Interface</emphasis> will be the ethernet adapter
+    <quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
-    (<emphasis role="bold">eth0</emphasis>) that is connected to that
+    the ethernet adapter (<filename class="devicefile">eth0</filename>) that
-    <quote>Modem</quote> <emphasis role="underline">unless</emphasis> you
+    is connected to that <quote>Modem</quote> <emphasis
-    connect via <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
+    role="underline">unless</emphasis> you connect via
-    (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP)
+    <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
-    in which case the External Interface will be a <emphasis
+    (<acronym>PPPoE</acronym>) or <emphasis>Point-to-Point Tunneling
-    role="bold">ppp0</emphasis>. If you connect via a regular modem, your
+    Protocol</emphasis> (<acronym>PPTP</acronym>) in which case the External
-    External Interface will also be <emphasis role="bold">ppp0</emphasis>. If
+    Interface will be a <acronym>PPP</acronym> interface (e.g., <filename
-    you connect using ISDN, your external interface will be <emphasis
+    class="devicefile">ppp0</filename>). If you connect via a regular modem,
-    role="bold">ippp0</emphasis>.</para>
+    your External Interface will also be <filename
    class="devicefile">ppp0</filename>. If you connect using
    <acronym>ISDN</acronym>, your external interface will be <filename
    class="devicefile">ippp0</filename>.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>The Shorewall one-interface sample configuration assumes that the
-    external interface is <emphasis role="bold">eth0</emphasis>. If your
+    external interface is <filename class="devicefile">eth0</filename>. If
-    configuration is different, you will have to modify the sample
+    your configuration is different, you will have to modify the sample
-    /etc/shorewall/interfaces file accordingly. While you are there, you may
+    <filename>/etc/shorewall/interfaces</filename> file accordingly. While you
-    wish to review the list of options that are specified for the interface.
+    are there, you may wish to review the list of options that are specified
-    Some hints:</para>
+    for the interface. Some hints:</para>
    <tip>
-      <para>If your external interface is <emphasis
+      <para>If your external interface is <filename
-      role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis>,
+      class="devicefile">ppp0</filename> or <filename
-      you can replace the <quote>detect</quote> in the second column with
+      class="devicefile">ippp0</filename>, you can replace the
-      <quote>-</quote>.</para>
+      <quote>detect</quote> in the second column with <quote>-</quote> (minus
      the quotes).</para>
    </tip>
    <tip>
-      <para>If your external interface is <emphasis
+      <para>If your external interface is <filename
-      role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis> or
+      class="devicefile">ppp0</filename> or <filename
-      if you have a static IP address, you can remove <quote>dhcp</quote> from
+      class="devicefile">ippp0</filename> or if you have a static IP address,
-      the option list.</para>
+      you can remove <quote>dhcp</quote> from the option list.</para>
    </tip>
  </section>
  <section>
    <title>IP Addresses</title>
-    <para>Before going further, we should say a few words about IP Addresses.
+    <para>Before going further, we should say a few words about
-    Normally, your ISP will assign you a single IP address. That address can
+    <emphasis>Internet Protocol</emphasis> (<acronym>IP</acronym>) addresses.
-    be assigned statically, by the Dynamic Host Configuration Protocol (DHCP),
+    Normally, your <emphasis>Internet Service Provider</emphasis>
-    through the establishment of your dial-up connection, or during
+    (<acronym>ISP</acronym>) will assign you a single <acronym>IP</acronym>
-    establishment of your other type of PPP connection (PPPoA, PPPoE,
+    address. That address can be assigned statically, by the <emphasis>Dynamic
-    etc.).</para>
+    Host Configuration Protocol</emphasis> (<acronym>DHCP</acronym>), through
    the establishment of your dial-up connection, or during establishment of
    your other type of <acronym>PPP</acronym> (<acronym>PPPoA</acronym>,
    <acronym>PPPoE</acronym>, etc.) connection.</para>
-    <para>RFC 1918 reserves several <emphasis>Private</emphasis> IP address
+    <para><emphasis role="bold">RFC-1918</emphasis> reserves several
-    ranges for use in private networks:</para>
+    <emphasis>Private</emphasis> <acronym>IP</acronym> address ranges for use
    in private networks:</para>
    <programlisting>10.0.0.0    - 10.255.255.255
 172.16.0.0  - 172.31.255.255
@ -342,10 +362,12 @@ all            all                REJECT   info</programlisting>
    <para>These addresses are sometimes referred to as
    <emphasis>non-routable</emphasis> because the Internet backbone routers
-    will not forward a packet whose destination address is reserved by RFC
+    will not forward a packet whose destination address is reserved by
-    1918. In some cases though, ISPs are assigning these addresses then using
+    <emphasis role="bold">RFC-1918</emphasis>. In some cases though,
-    <emphasis>Network Address Translation</emphasis> to rewrite packet headers
+    <acronym>ISP</acronym>s are assigning these addresses then using
-    when forwarding to/from the internet.</para>
+    <emphasis>Network Address Translation</emphasis> <emphasis>-
    </emphasis><acronym>NAT</acronym>) to rewrite packet headers when
    forwarding to/from the internet.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -404,7 +426,7 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
    <important>
      <para>I don't recommend enabling telnet to/from the internet because it
      uses clear text (even for login!). If you want shell access to your
-      firewall from the internet, use SSH:</para>
+      firewall from the internet, use <acronym>SSH</acronym>:</para>
      <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
 SSH/ACCEPT  net       $FW           </programlisting>
@ -429,15 +451,15 @@ SSH/ACCEPT  net       $FW           </programlisting>
    STARTUP_ENABLED=Yes.</para>
    <important>
-      <para><emphasis role="bold">Users of the .deb package must edit
+      <para>Users of the .deb package must edit
      <filename>/etc/default/shorewall</filename> and set
-      <quote>startup=1</quote>.</emphasis></para>
+      <varname>STARTUP=1.</varname></para>
    </important>
    <important>
-      <para><emphasis role="bold">You must enable startup by editing
+      <para>You must enable startup by editing
-      /etc/shorewall/shorewall.conf and setting
+      <filename>/etc/shorewall/shorewall.conf</filename> and setting
-      STARTUP_ENABLED=Yes.</emphasis></para>
+      <varname>STARTUP_ENABLED=Yes.</varname></para>
    </important>
    <para>The firewall is started using the <quote><command>shorewall
@ -462,7 +484,7 @@ SSH/ACCEPT  net       $FW           </programlisting>
      url="configuration_file_basics.htm#Configs">alternate
      configuration</ulink></emphasis> and test it using the <ulink
      url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
-      try</command></quote> command</ulink>.</para>
+      try</command></quote></ulink> command.</para>
    </warning>
  </section>