From a05b957498b0d82c8480e97ad0c5dc293761cff8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 15 Aug 2016 10:24:23 -0700
Subject: [PATCH] Corrections in the shorewall[6].conf manpages
Signed-off-by: Tom Eastep
---
 Shorewall/manpages/shorewall.conf.xml | 53 +++++++++++++------------
 Shorewall6/manpages/shorewall6.conf.xml | 45 +++++++++++----------
 2 files changed, 52 insertions(+), 46 deletions(-)
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index d263b5787..a7dab5393 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -307,6 +307,9 @@ that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed. + + Note that the routestopped file is not supported in + Shorewall 5.0 and later versions.
@@ -481,8 +484,8 @@ ALL sends all packets through the blacklist chains. - Note: The ESTABLISHED state may not be specified if FASTACCEPT - is specified. + Note: The ESTABLISHED state may not be specified if + FASTACCEPT=Yes is specified. 
@@ -577,13 +580,14 @@ If this option is set to No then Shorewall won't clear the current traffic control rules during - [re]start. This setting is intended for use by people who prefer to - configure traffic shaping when the network interfaces come up rather - than when the firewall is started. If that is what you want to do, - set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an - /etc/shorewall/tcstart file. That way, your traffic shaping rules - can still use the “fwmark” classifier based on packet marking - defined in re]start or + reload. This setting is intended for use by + people who prefer to configure traffic shaping when the network + interfaces come up rather than when the firewall is started. If that + is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do + not supply an /etc/shorewall/tcstart file. That way, your traffic + shaping rules can still use the “fwmark” classifier based on packet + marking defined in shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is assumed. @@ -677,8 +681,8 @@ If set to Yes (the default value), entries in the - /etc/shorewall/route_stopped files cause an 'ip rule del' command to - be generated in addition to an 'ip rule add' command. Setting this + /etc/shorewall/rtrules files cause an 'ip rule del' command to be + generated in addition to an 'ip rule add' command. Setting this option to No, causes the 'ip rule del' command to be omitted. @@ -829,7 +833,7 @@ net all DROP infothen the chain name is 'net-all' helpers file from the administrative system into the script. When set to No or not specified, the compiler will not copy the modules or helpers file from /usr/share/shorewall but - will copy the found in another location on the CONFIG_PATH. + will copy those found in another location on the CONFIG_PATH. When compiling for direct use by Shorewall, causes the contents of the local module or helpers file to be copied into the 
@@ -863,7 +867,7 @@ net all DROP infothen the chain name is 'net-all' role="bold">Yes|No} - Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has + Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to @@ -2194,18 +2198,18 @@ LOG:info:,bar net fw #TARGET SOURCE DEST PROTO Broadcast(DROP) - - - DROP - - 2 -INLINE - - 6 ; -j REJECT --reject-with tcp-reset +INLINE - - 6 ;; -j REJECT --reject-with tcp-reset ?if __ENHANCED_REJECT -INLINE - - 17 ; -j REJECT +INLINE - - 17 ;; -j REJECT ?if __IPV4 -INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable -INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited +INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable +INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited ?else -INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable -INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited +INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable +INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited ?endif ?else -INLINE - - - ; -j REJECT +INLINE - - - ;; -j REJECT ?endif @@ -2275,7 +2279,7 @@ INLINE - - - ; -j REJECT restored unconditionally at the top of the mangle OUTPUT and PREROUTING chains, even if the saved mark is zero. When this option is set to No, the mark is restored - even when it is zero. If you have problems with IPSEC ESP packets + only if it is non-zero. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to No. 
@@ -2451,10 +2455,9 @@ INLINE - - - ; -j REJECT This option is used to specify the shell program to be used to - run the Shorewall compiler and to interpret the compiled script. If - not specified or specified as a null value, /bin/sh is assumed. - Using a light-weight shell such as ash or dash can significantly - improve performance. + interpret the compiled script. If not specified or specified as a + null value, /bin/sh is assumed. Using a light-weight shell such as + ash or dash can significantly improve performance.
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 2d8afb7fe..2789b656c 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -239,6 +239,9 @@ that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed. + + Note that the routestopped file is not supported in + Shorewall 5.0 and later versions. 
@@ -497,13 +500,14 @@ If this option is set to No then Shorewall6 won't clear the current traffic control rules during - [re]start. This setting is intended for use by people that prefer to - configure traffic shaping when the network interfaces come up rather - than when the firewall is started. If that is what you want to do, - set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an - /etc/shorewall6/tcstart file. That way, your traffic shaping rules - can still use the “fwmark” classifier based on packet marking - defined in re]start or + reload. This setting is intended for use by + people that prefer to configure traffic shaping when the network + interfaces come up rather than when the firewall is started. If that + is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do + not supply an /etc/shorewall6/tcstart file. That way, your traffic + shaping rules can still use the “fwmark” classifier based on packet + marking defined in shorewall6-tcrules(5). If not specified, CLEAR_TC=No is assumed. @@ -604,10 +608,9 @@ If set to Yes (the default value), entries in the - /etc/shorewall6/route_stopped files cause an 'ip rule del' command - to be generated in addition to an 'ip rule add' command. Setting - this option to No, causes the 'ip rule del' command to be - omitted. + /etc/shorewall6/rtrules file cause an 'ip rule del' command to be + generated in addition to an 'ip rule add' command. Setting this + option to No, causes the 'ip rule del' command to be omitted. @@ -691,7 +694,7 @@ net all DROP infothen the chain name is 'net-all' helpers file from the administrative system into the script. When set to No or not specified, the compiler will not copy the modules or helpers file from /usr/share/shorewall6 but - will copy the found in another location on the CONFIG_PATH. + will copy those found in another location on the CONFIG_PATH. When compiling for direct use by Shorewall6, causes the contents of the local module or helpers file to be copied into the 
@@ -725,7 +728,7 @@ net all DROP infothen the chain name is 'net-all' role="bold">Yes|No} - Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has + Added in Shorewall 4.4.11. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to @@ -1922,18 +1925,18 @@ LOG:info:,bar net fw #TARGET SOURCE DEST PROTO Broadcast(DROP) - - - DROP - - 2 -INLINE - - 6 ; -j REJECT --reject-with tcp-reset +INLINE - - 6 ;; -j REJECT --reject-with tcp-reset ?if __ENHANCED_REJECT -INLINE - - 17 ; -j REJECT +INLINE - - 17 ;; -j REJECT ?if __IPV4 -INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable -INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited +INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable +INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited ?else -INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable -INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited +INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable +INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited ?endif ?else -INLINE - - - ; -j REJECT +INLINE - - - ;; -j REJECT ?endif @@ -1982,7 +1985,7 @@ INLINE - - - ; -j REJECT restored unconditionally at the top of the mangle OUTPUT and PREROUTING chains, even if the saved mark is zero. When this option is set to No, the mark is restored - even when it is zero. If you have problems with IPSEC ESP packets + only if it is non-zero. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to No.