fix (a lot of) typos

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2190 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
judas_iscariote 2005-05-27 23:11:33 +00:00
parent 33b0096fcc
commit a511f5db63
3 changed files with 47 additions and 40 deletions


@ -33,7 +33,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -50,7 +51,8 @@
<listitem>
<para>Make sure you know what public IP addresses are currently
being used and verify these <emphasis>before</emphasis> starting.</para>
being used and verify these <emphasis>before</emphasis>
starting.</para>
</listitem>
<listitem>
@ -69,9 +71,9 @@
<para>This configuration uses a combination of One-to-one NAT and Proxy
ARP. This is generally not relevant to a simple configuration with a
single public IP address. If you have just a single public IP address,
most of what you see here won&#39;t apply to your setup so beware of
copying parts of this configuration and expecting them to work for you.
What you copy may or may not work in your configuration.</para>
most of what you see here won't apply to your setup so beware of copying
parts of this configuration and expecting them to work for you. What you
copy may or may not work in your configuration.</para>
</warning>
<para>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
@ -79,7 +81,8 @@
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</para>
behind the firewall hence, the two Exchange servers in the diagram
below.</para>
<section>
<title>Summary</title>
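Review bot: the comma in "behind the firewall hence, the two Exchange servers" sits on the wrong side of "hence" on both the old and the new lines; since this commit is a typo pass, move it: "behind the firewall, hence the two Exchange servers in the diagram below."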
@ -140,18 +143,20 @@
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</para>
LAN, DMZ or the system Kaos which is on the Internet and managed by
me.</para>
<graphic fileref="images/CorpNetwork.gif" />
<para>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server&#39;s default
address 192.0.18.68, netmask 255.255.255.192. The server's default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and init
scripts to include the fixes suggested when having an IPSec tunnel.</para>
scripts to include the fixes suggested when having an IPSec
tunnel.</para>
</section>
<section>
@ -213,8 +218,8 @@
<listitem>
<para>When asking for assistance, be honest and include as much
detail as requested. Don&#39;t try and hide IP addresses etc., you
will probably screw up the logs and make receiving assistance
detail as requested. Don't try and hide IP addresses etc., you will
probably screw up the logs and make receiving assistance
harder.</para>
</listitem>
@ -235,7 +240,7 @@
</section>
<section>
<title>Configuation Files</title>
<title>Configuration Files</title>
<para>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
@ -421,7 +426,8 @@ ipsec net 134.147.129.82
</section>
<section>
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
<title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<programlisting>##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL


@ -946,7 +946,7 @@ loc eth1 192.168.1.255,192.168.12.255</programlisting>
<listitem>
<para>Packets arriving on this port and that have a source
address that is reserved in RFC 1918 will be dropped after
being optionally logged as specified in the settion of
being optionally logged as specified in the section of
RFC1918_LOG_LEVEL in shorewall.conf.</para>
</listitem>
</varlistentry>
@ -1197,7 +1197,7 @@ loc eth1:192.168.1.0/24,192.168.12.0/24</programlisting>
will be 10 per second and a burst of 40 connections will be
tolerated. Connection requests in excess of these limits will be
dropped. See the <link linkend="Rules">rules file
documentation</link> for an explaination of how rate limiting
documentation</link> for an explanation of how rate limiting
works.</para>
</listitem>
</varlistentry>
@ -1264,7 +1264,7 @@ loc loc REJECT info</programlisting>
<orderedlist>
<listitem>
<para>A zone should be homogenous with respect to security
<para>A zone should be homogeneous with respect to security
requirements.</para>
</listitem>
@ -2249,7 +2249,8 @@ eth1::192.0.2.32/27
Netfilter should use the addresses in the range in round-robin
fashion. Beginning with Shorewall version 1.4.7, you may include a
list of ranges and/or addresses in this column; again, Netfilter
will use all listed ranges/addresses in rounde-robin fashion.</para>
will use all listed ranges/addresses in rounded-robin
fashion.</para>
<para>Beginning with Shorewall 2.2.0, you may also specify the
source port range to be used (the PROTO column must specify tcp or
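Review bot: the replacement "rounded-robin" is still a typo; the term is "round-robin", as the unchanged line just above ("use the addresses in the range in round-robin fashion") already has it. Suggest "will use all listed ranges/addresses in round-robin fashion."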
@ -2742,7 +2743,7 @@ eth0 eth1 206.124.146.176</programlisting>
packet passes through then list of entries for that interface in
/etc/shorewall/maclist. If there is a match then the source IP
address is added to the 'Recent' set for that interface. Subsequent
connection attempts from that IP address occuring within
connection attempts from that IP address occurring within
$MACLIST_TTL seconds will be accepted without having to scan all of
the entries. After $MACLIST_TTL from the first accepted connection
request from an IP address, the next connection request from that IP
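Review bot: the unchanged context line "packet passes through then list of entries for that interface" carries another typo ("then" for "the") that this pass leaves in place; suggest "passes through the list of entries for that interface".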
@ -2823,7 +2824,7 @@ eth0 eth1 206.124.146.176</programlisting>
<listitem>
<para>(Aded at version 2.2.0)- When set to a log level, this option
causes Shorewall to generaate a logging rule as the first rule in
causes Shorewall to generate a logging rule as the first rule in
each builtin chain.</para>
<itemizedlist>
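Review bot: "Aded" on the unchanged first line of this paragraph is still misspelled, and the "2.2.0)- " spacing differs from the "(Added at version 2.2.0) — " form the other entries in this file use; suggest "(Added at version 2.2.0) — When set to a log level, this option".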
@ -2987,7 +2988,7 @@ eth0 eth1 206.124.146.176</programlisting>
Shorewall's <ulink url="starting_and_stopping_shorewall.htm">stopped
state</ulink>. When ADMINISABSENTMINDES=No, only traffic to/from
those addresses listed in /etc/shorewall/routestopped is accepted
when Shorewall is stopped.When ADMINISABSENTMINDED=Yes, in addition
when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, in addition
to traffic to/from addresses in
<filename>/etc/shorewall/routestopped</filename>, connections that
were active when Shorewall stopped continue to work and all new
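Review bot: the option name is misspelled as ADMINISABSENTMINDES=No on the unchanged context line two lines above the change, while the corrected line spells it ADMINISABSENTMINDED=Yes; since the name is what a reader will look for in shorewall.conf, fix it to ADMINISABSENTMINDED=No in the same commit.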
@ -3014,7 +3015,7 @@ eth0 eth1 206.124.146.176</programlisting>
<listitem>
<para>(Added at version 2.2.0) — This parameter names the iptables
executable to be used by Shorewall. If not specified or if specified
as a null value, then the iptables executable located usint the PATH
as a null value, then the iptables executable located using the PATH
option is used.</para>
</listitem>
</varlistentry>
@ -3138,8 +3139,8 @@ eth0 eth1 206.124.146.176</programlisting>
<para>(Added in Version 1.3.11) - Determines the <ulink
url="shorewall_logging.html">syslog level</ulink> for logging
packets that fail the checks enabled by the <link
linkend="Interfaces">tcpflags</link> interface option.The value must
be a valid syslogd log level. If you don't want to log these
linkend="Interfaces">tcpflags</link> interface option. The value
must be a valid syslogd log level. If you don't want to log these
packets, set to the empty value (e.g.,
TCP_FLAGS_LOG_LEVEL="").</para>
</listitem>
@ -3178,7 +3179,7 @@ eth0 eth1 206.124.146.176</programlisting>
<listitem>
<para>(Added in Version 1.3.8) - When set to <quote>Yes</quote> or
<quote>yes</quote>, Shorewall will filter TCP packets that are not
part of an established connention and that are not SYN packets (SYN
part of an established connection and that are not SYN packets (SYN
flag on - ACK flag off). If set to <quote>No</quote>, Shorewall will
silently drop such packets. If not set or set to the empty value
(e.g., <quote>NEWNOTSYN=</quote>), NEWNOTSYN=No is assumed.</para>
@ -3458,12 +3459,12 @@ LOGBURST=5</programlisting>
<listitem>
<para>This parameter determines the logging level of mangled/invalid
packets controlled by the <quote>dropunclean and logunclean</quote>
interface options. If LOGUNCLEAN is empty (LOGUNCLEAN=) then packets
selected by <quote>dropclean</quote> are dropped silently
(<quote>logunclean</quote> packets are logged under the
<quote>info</quote> log level). Otherwise, these packets are logged
at the specified level (Example: LOGUNCLEAN=debug).</para>
packets controlled by the <quote>dropunclean" and
"logunclean</quote> interface options. If LOGUNCLEAN is empty
(LOGUNCLEAN=) then packets selected by <quote>dropclean</quote> are
dropped silently (<quote>logunclean</quote> packets are logged under
the <quote>info</quote> log level). Otherwise, these packets are
logged at the specified level (Example: LOGUNCLEAN=debug).</para>
</listitem>
</varlistentry>
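Review bot: the new markup `<quote>dropunclean" and "logunclean</quote>` mixes literal double quotes inside one DocBook `<quote>` element, so it renders as a single quoted string with stray quote characters inside it; use two elements instead: `<quote>dropunclean</quote> and <quote>logunclean</quote>`. The option name on the following line, "dropclean", also still does not match "dropunclean" and should be corrected while here.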
@ -3483,9 +3484,9 @@ LOGBURST=5</programlisting>
<term>BLACKLIST_LOGLEVEL</term>
<listitem>
<para>This paremter determines if packets from blacklisted hosts are
logged and it determines the syslog level that they are to be logged
at. Its value is a <ulink url="shorewall_logging.html">syslog
<para>This parameter determines if packets from blacklisted hosts
are logged and it determines the syslog level that they are to be
logged at. Its value is a <ulink url="shorewall_logging.html">syslog
level</ulink> (Example: BLACKLIST_LOGLEVEL=debug). If you do not
assign a value or if you assign an empty value then packets from
blacklisted hosts are not logged.</para>
@ -3560,7 +3561,7 @@ LOGBURST=5</programlisting>
<para>If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If
CROSSBEAM_BACKBONE is set to Yes, CROSSBEAM_BACKBONE indicates the
network interface used by the backbone. </para>
network interface used by the backbone.</para>
<para>If not specified or if specified as empty (e.g., CROSSBEAM="")
then CROSSBEAM=No is assumed.</para>
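Review bot: beyond the trailing-space removal, the sentence "If CROSSBEAM_BACKBONE is set to Yes, CROSSBEAM_BACKBONE indicates the network interface" is self-contradictory, since a variable that names an interface is not set to Yes. Read against the preceding sentence ("If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used"), the condition was presumably meant to be "If CROSSBEAM is set to Yes"; worth confirming and fixing in the same pass.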
@ -4002,7 +4003,7 @@ all all tcp ftp-data - 8</programlisting
<term>INTERFACE</term>
<listitem>
<para>The firewall interface through which the host(s) comminicate
<para>The firewall interface through which the host(s) communicate
with the firewall.</para>
</listitem>
</varlistentry>
@ -4032,7 +4033,7 @@ eth1 -</programlisting>
<note>
<para>Prior to Shorewall version 2.2.3, the contents of the
<filename>/etc/shorewall/routestopped</filename> file did NOT affect
connection attempts occuring during the processing of the
connection attempts occurring during the processing of the
<command>shorewall start</command> and <command>shorewall
restart</command> commands. Beginning with version 2.2.3, Shorewall
allows connections defined by the contents of
@ -4118,7 +4119,7 @@ eth1 -</programlisting>
<member><emphasis
role="bold">reqid[!]=&lt;<emphasis>number</emphasis>&gt;</emphasis>
— A number assiged to a security policy using the
— A number assigned to a security policy using the
unique:&lt;number&gt; as the SPD level. See setkey(8).</member>
<member><emphasis
@ -4135,7 +4136,7 @@ eth1 -</programlisting>
<member><emphasis role="bold">mss</emphasis>=&lt;number&gt; — Sets
the MSS field in TCP syn packets forwarded to/from this zone. May
be used to compensate for the lack of IPSEC pseuo-deviceses with
be used to compensate for the lack of IPSEC pseudo-devices with
their own MTU in the 2.6 Kernel IPSEC implementation. If specified
in the IN OPTIONS, TCP SYN packets from the zone will have MSS
altered; if specified in the OUT OPTIONS, TCP SYN packets to the


@ -174,7 +174,7 @@
<listitem>
<para><filename>/etc/shorewall/providers</filename> - defines an
alternate routing table.(Shorewall 2.3.2 and later). </para>
alternate routing table.(Shorewall 2.3.2 and later).</para>
</listitem>
<listitem>
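Review bot: the missing space in "routing table.(Shorewall 2.3.2 and later)." survives on both sides of this hunk; suggest "alternate routing table (Shorewall 2.3.2 and later)." so the version qualifier sits inside the sentence.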
@ -370,7 +370,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
</listitem>
</itemizedlist>
<para>Each DNS name much be fully qualified and include a minumum of two
<para>Each DNS name much be fully qualified and include a minimum of two
periods (although one may be trailing). This restriction is imposed by
Shorewall to insure backward compatibility with existing configuration
files.</para>
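Review bot: "Each DNS name much be fully qualified" keeps the "much" for "must" typo on both the old and the new lines; suggest "Each DNS name must be fully qualified". "insure" on the unchanged line below is also better as "ensure".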