From a4dc2b8af92732fd784afe6c4394046277fb678d Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 15 Oct 2005 22:10:55 +0000
Subject: [PATCH] Update samples with latest documentary comments
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2894 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 23 +----------------------
 Samples/one-interface/rules | 18 +++++++++++++-----
 Samples/three-interfaces/interfaces | 21 ---------------------
 Samples/three-interfaces/rules | 18 +++++++++++++-----
 Samples/two-interfaces/interfaces | 21 ---------------------
 Samples/two-interfaces/rules | 18 +++++++++++++-----
 6 files changed, 40 insertions(+), 79 deletions(-)
diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index fe0bb3929..584a3e832 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -113,28 +113,7 @@
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this
-# interface are processed as if
-# NEWNOTSYN=Yes had been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
-# routeback - If specified, indicates that Shorewall
+ routeback - If specified, indicates that Shorewall
 # should include rules that allow
 # filtering traffic arriving on this
 # interface back out that same interface.
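Review bot: In Samples/one-interface/interfaces the added line `+ routeback - If specified, indicates that Shorewall` has lost its leading `#`, while the continuation lines below it are still comments. The three-interfaces and two-interfaces copies keep this line as unchanged `#` context, so the edit looks like a slip made while deleting the newnotsyn block rather than an intended change. An uncommented line in an interfaces file is presumably parsed as a configuration entry instead of documentation, which could make this sample fail to load or be misread; the line should stay `# routeback - If specified, indicates that Shorewall` with its original indentation. The option list continues outside the hunk.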
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index 3ecb2084a..4088c81bc 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -115,9 +115,16 @@
 # -- The name of an action defined in
 # /etc/shorewall/actions or in
 # /usr/share/shorewall/actions.std.
-#
-# -- The name of a macro defined in a
-# file named macro..
+# -- The name of a macro defined in a
+# file named macro.. If
+# the macro accepts an action
+# parameter (Look at the macro
+# source to see if it has PARAM in
+# the TARGET column) then the macro
+# name is followed by "/" and the
+# action (ACCEPT, DROP, REJECT, ...)
+# to be substituted for the
+# parameter. Example: FTP/ACCEPT.
 #
 # The ACTION may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
@@ -262,8 +269,9 @@
 # request should be redirected to.
 #
 # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
+# "ipp2p:udp", "ipp2p:all" a number, or "all".
+# "ipp2p*" requires ipp2p match support in your kernel
+# and iptables.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index ac57d11c9..47b295f56 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
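Review bot: The rewritten PROTO comment in Samples/one-interface/rules reads `"ipp2p:udp", "ipp2p:all" a number, or "all".`, which is missing a comma after `"ipp2p:all"` and does not say which transport a bare `"ipp2p"` matches. Someone writing a filtering rule from this text cannot tell whether plain `ipp2p` also covers UDP, so a sentence stating how `ipp2p`, `ipp2p:udp` and `ipp2p:all` differ would help; at minimum the list should read `"ipp2p:udp", "ipp2p:all", a number, or "all".`. The same wording is added in the PROTO hunks of Samples/three-interfaces/rules and Samples/two-interfaces/rules.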
@@ -113,27 +113,6 @@
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this
-# interface are processed as if
-# NEWNOTSYN=Yes had been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
 # routeback - If specified, indicates that Shorewall
 # should include rules that allow
 # filtering traffic arriving on this
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index bd2234aa6..946191284 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -115,9 +115,16 @@
 # -- The name of an action defined in
 # /etc/shorewall/actions or in
 # /usr/share/shorewall/actions.std.
-#
-# -- The name of a macro defined in a
-# file named macro..
+# -- The name of a macro defined in a
+# file named macro.. If
+# the macro accepts an action
+# parameter (Look at the macro
+# source to see if it has PARAM in
+# the TARGET column) then the macro
+# name is followed by "/" and the
+# action (ACCEPT, DROP, REJECT, ...)
+# to be substituted for the
+# parameter. Example: FTP/ACCEPT.
 #
 # The ACTION may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
@@ -262,8 +269,9 @@
 # request should be redirected to.
 #
 # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
+# "ipp2p:udp", "ipp2p:all" a number, or "all".
+# "ipp2p*" requires ipp2p match support in your kernel
+# and iptables.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index 9204a3170..8781c6e50 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -113,27 +113,6 @@
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this
-# interface are processed as if
-# NEWNOTSYN=Yes had been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
 # routeback - If specified, indicates that Shorewall
 # should include rules that allow
 # filtering traffic arriving on this
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 84a499a21..9c4f313de 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -115,9 +115,16 @@
 # -- The name of an action defined in
 # /etc/shorewall/actions or in
 # /usr/share/shorewall/actions.std.
-#
-# -- The name of a macro defined in a
-# file named macro..
+# -- The name of a macro defined in a
+# file named macro.. If
+# the macro accepts an action
+# parameter (Look at the macro
+# source to see if it has PARAM in
+# the TARGET column) then the macro
+# name is followed by "/" and the
+# action (ACCEPT, DROP, REJECT, ...)
+# to be substituted for the
+# parameter. Example: FTP/ACCEPT.
 #
 # The ACTION may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
@@ -262,8 +269,9 @@
 # request should be redirected to.
 #
 # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
+# "ipp2p:udp", "ipp2p:all" a number, or "all".
+# "ipp2p*" requires ipp2p match support in your kernel
+# and iptables.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port