forked from extern/shorewall_code
fixed single quotes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@959 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 24d61f30db
commit a7fe4b0f7c
@ -241,8 +241,8 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Locate the appropriate DNAT rule. It will be in a chain
|
<para>Locate the appropriate DNAT rule. It will be in a chain
|
||||||
called <emphasis><source zone></emphasis>_dnat
|
called <emphasis><source zone></emphasis>_dnat (<quote>net_dnat</quote>
|
||||||
('net_dnat' in the above examples).</para>
|
in the above examples).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
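Review bot: net_dnat is a chain name, a literal identifier rather than a quotation, so DocBook's <literal> (or <command>) would carry that meaning better than <quote>; the substitution is at least consistent with the rest of this commit. On the same changed line, the unchanged fragment <emphasis><source zone></emphasis>_dnat shows raw angle brackets around "source zone"; if the XML source really contains <source zone> rather than the &lt;source zone&gt; entities, the file is not well-formed, so it is worth confirming that this is only how the diff view renders the entities.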
@ -702,21 +702,21 @@
|
|||||||
|
|
||||||
<section id="faq4">
|
<section id="faq4">
|
||||||
<title>(FAQ 4) I just used an online port scanner to check my firewall
|
<title>(FAQ 4) I just used an online port scanner to check my firewall
|
||||||
and it shows some ports as 'closed' rather than
|
and it shows some ports as <quote>closed</quote> rather than
|
||||||
'blocked'. Why?</title>
|
<quote>blocked</quote>. Why?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> The common.def included
|
<para><emphasis role="bold">Answer:</emphasis> The common.def included
|
||||||
with version 1.3.x always rejects connection requests on TCP port 113
|
with version 1.3.x always rejects connection requests on TCP port 113
|
||||||
rather than dropping them. This is necessary to prevent outgoing
|
rather than dropping them. This is necessary to prevent outgoing
|
||||||
connection problems to services that use the 'Auth' mechanism
|
connection problems to services that use the <quote>Auth</quote>
|
||||||
for identifying requesting users. Shorewall also rejects TCP ports 135,
|
mechanism for identifying requesting users. Shorewall also rejects TCP
|
||||||
137 and 139 as well as UDP ports 137-139. These are ports that are used
|
ports 135, 137 and 139 as well as UDP ports 137-139. These are ports
|
||||||
by Windows (Windows <emphasis>can</emphasis> be configured to use the
|
that are used by Windows (Windows <emphasis>can</emphasis> be configured
|
||||||
DCE cell locator on port 135). Rejecting these connection requests
|
to use the DCE cell locator on port 135). Rejecting these connection
|
||||||
rather than dropping them cuts down slightly on the amount of Windows
|
requests rather than dropping them cuts down slightly on the amount of
|
||||||
chatter on LAN segments connected to the Firewall.</para>
|
Windows chatter on LAN segments connected to the Firewall.</para>
|
||||||
|
|
||||||
<para>If you are seeing port 80 being 'closed', that's
|
<para>If you are seeing port 80 being <quote>closed</quote>, that's
|
||||||
probably your ISP preventing you from running a web server in violation
|
probably your ISP preventing you from running a web server in violation
|
||||||
of your Service Agreement.</para>
|
of your Service Agreement.</para>
|
||||||
|
|
||||||
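Review bot: this hunk keeps the statement that common.def "with version 1.3.x" always rejects TCP port 113, while the hunk at -962 in the same file refers readers running 1.4.4 or 1.4.4a to the errata; since every line of this paragraph is being touched anyway, check whether the 1.3.x reference still describes the current release. The reflow of the whole paragraph also hides the actual change (three quote substitutions) among purely re-wrapped lines; changing only the affected lines would keep the diff reviewable.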
@ -784,8 +784,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>For a complete description of Shorewall 'ping' management,
|
<para>For a complete description of Shorewall <quote>ping</quote>
|
||||||
see <ulink url="ping.html">this page</ulink>.</para>
|
management, see <ulink url="ping.html">this page</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq15">
|
<section id="faq15">
|
||||||
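Review bot: the <quote>ping</quote> substitution is consistent with the rest of the commit. The only other thing to flag is pre-existing: this hunk links to ping.html while the -962 hunk links to errata.htm, so the document mixes .html and .htm targets; worth confirming both files exist under those names.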
@ -962,11 +962,11 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
|||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> If you are running
|
<para><emphasis role="bold">Answer:</emphasis> If you are running
|
||||||
Shorewall version 1.4.4 or 1.4.4a then check the <ulink url="errata.htm">errata</ulink>.
|
Shorewall version 1.4.4 or 1.4.4a then check the <ulink url="errata.htm">errata</ulink>.
|
||||||
Otherwise, see the 'dmesg' man page (<quote>man dmesg</quote>).
|
Otherwise, see the <quote>dmesg</quote> man page (<quote>man dmesg</quote>).
|
||||||
You must add a suitable 'dmesg' command to your startup scripts
|
You must add a suitable <quote>dmesg</quote> command to your startup
|
||||||
or place it in /etc/shorewall/start. Under RedHat, the max log level
|
scripts or place it in /etc/shorewall/start. Under RedHat, the max log
|
||||||
that is sent to the console is specified in /etc/sysconfig/init in the
|
level that is sent to the console is specified in /etc/sysconfig/init in
|
||||||
LOGLEVEL variable.</para>
|
the LOGLEVEL variable.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq17">
|
<section id="faq17">
|
||||||
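Review bot: dmesg is a command name, so <command>dmesg</command> would be more appropriate than <quote>dmesg</quote>, and the same applies to the unchanged <quote>man dmesg</quote>; DocBook likewise has <filename> for /etc/shorewall/start and /etc/sysconfig/init and <varname> for LOGLEVEL. Replacing every single-quoted string with <quote> uniformly loses those distinctions, which matter for stylesheets that render commands and filenames in monospace.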
@ -1195,8 +1195,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
|||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> While most people
|
<para><emphasis role="bold">Answer:</emphasis> While most people
|
||||||
associate the Internet Control Message Protocol (ICMP) with
|
associate the Internet Control Message Protocol (ICMP) with
|
||||||
'ping', ICMP is a key piece of the internet. ICMP is used to
|
<quote>ping</quote>, ICMP is a key piece of the internet. ICMP is used
|
||||||
report problems back to the sender of a packet; this is what is
|
to report problems back to the sender of a packet; this is what is
|
||||||
happening here. Unfortunately, where NAT is involved (including SNAT,
|
happening here. Unfortunately, where NAT is involved (including SNAT,
|
||||||
DNAT and Masquerade), there are a lot of broken implementations. That is
|
DNAT and Masquerade), there are a lot of broken implementations. That is
|
||||||
what you are seeing with these messages.</para>
|
what you are seeing with these messages.</para>
|
||||||
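Review bot: only the 'ping' to <quote>ping</quote> substitution on the third line is a real change here; the following lines are re-wrapped with no textual change, which inflates the diff but is otherwise harmless. No problems with the content.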
@ -1463,13 +1463,13 @@ ip route add 127.0.0.0/8 dev lo table T2</programlisting>
|
|||||||
<title>Starting and Stopping</title>
|
<title>Starting and Stopping</title>
|
||||||
|
|
||||||
<section id="faq7">
|
<section id="faq7">
|
||||||
<title>(FAQ 7) When I stop Shorewall using 'shorewall stop', I
|
<title>(FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>,
|
||||||
can't connect to anything. Why doesn't that command work?</title>
|
I can't connect to anything. Why doesn't that command work?</title>
|
||||||
|
|
||||||
<para>The 'stop' command is intended to place your firewall into
|
<para>The <quote>stop</quote> command is intended to place your firewall
|
||||||
a safe state whereby only those hosts listed in
|
into a safe state whereby only those hosts listed in
|
||||||
/etc/shorewall/routestopped' are activated. If you want to totally
|
/etc/shorewall/routestopped' are activated. If you want to totally
|
||||||
open up your firewall, you must use the 'shorewall clear'
|
open up your firewall, you must use the <quote>shorewall clear</quote>
|
||||||
command.</para>
|
command.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
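Review bot: the unchanged line "/etc/shorewall/routestopped' are activated" still carries a stray closing single quote with no opening one, which is exactly the kind of quoting defect this commit is meant to fix; it should become <filename>/etc/shorewall/routestopped</filename> or at least drop the dangling quote. Also, <quote>shorewall stop</quote> and <quote>shorewall clear</quote> (and the bare <quote>stop</quote>) are commands, for which <command> is the usual DocBook markup rather than <quote>.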
@ -201,7 +201,7 @@ ftp></programlisting>
|
|||||||
that the modules <quote>ip_conntrack_ftp</quote> and <quote>ip_nat_ftp</quote>
|
that the modules <quote>ip_conntrack_ftp</quote> and <quote>ip_nat_ftp</quote>
|
||||||
need to be loaded. Shorewall automatically loads these <quote>helper</quote>
|
need to be loaded. Shorewall automatically loads these <quote>helper</quote>
|
||||||
modules from /lib/modules/<<emphasis>kernel-version</emphasis>>/kernel/net/ipv4/netfilter/
|
modules from /lib/modules/<<emphasis>kernel-version</emphasis>>/kernel/net/ipv4/netfilter/
|
||||||
and you can determine if they are loaded using the 'lsmod'
|
and you can determine if they are loaded using the <quote>lsmod</quote>
|
||||||
command. The <<emphasis>kernel-version</emphasis>> may be obtained
|
command. The <<emphasis>kernel-version</emphasis>> may be obtained
|
||||||
by typing</para>
|
by typing</para>
|
||||||
|
|
||||||
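Review bot: this hunk mixes markup styles on adjacent lines: module names are <quote>ip_conntrack_ftp</quote>, lsmod becomes <quote>lsmod</quote>, and <<emphasis>kernel-version</emphasis>> uses raw angle brackets as a placeholder; <command>lsmod</command> and <replaceable>kernel-version</replaceable> would express these directly. As in the -241 hunk, if those < and > are literal in the source rather than &lt;/&gt; entities shown decoded by the diff view, the file will not parse as XML, so that should be checked before merging.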