From a8c7dd101d35c04dea7ef95e30a7081505de869d Mon Sep 17 00:00:00 2001
From: frannie
Date: Mon, 21 Jul 2003 18:01:35 +0000
Subject: [PATCH] Updated Comments For 1.4.6 Shorewall Distrubution Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@669 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 12 ++++++++++++
 Samples/one-interface/rules | 26 +++++++++++++++++++++-----
 Samples/one-interface/zones | 2 +-
 Samples/three-interfaces/interfaces | 8 ++++++++
 Samples/three-interfaces/masq | 12 +++++++-----
 Samples/three-interfaces/rules | 26 +++++++++++++++++++++-----
 Samples/three-interfaces/zones | 2 +-
 Samples/two-interfaces/interfaces | 12 ++++++++++++
 Samples/two-interfaces/masq | 15 +++++++++------
 Samples/two-interfaces/rules | 26 +++++++++++++++++++++-----
 Samples/two-interfaces/zones | 2 +-
 11 files changed, 114 insertions(+), 29 deletions(-)

diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 5a9a9fca8..81da9d4c1 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -19,6 +19,10 @@
 # once in this file. You may NOT specify the name of
 # an alias (e.g., eth0:0) here; see
 # http://www.shorewall.net/FAQ.htm#faq18
+#
+# You may specify wildcards here. For example, if you
+# want to make a entry that applies to all PPP
+# interfaces, use 'ppp+'
 #
 # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
@@ -94,6 +98,14 @@
 # intended soley for use with Proxy ARP
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+# newnotsyn
+# TCP packets that don't have the SYN flag set and
+# which are not part of an established connection
+# will be accepted from this interface, even if
+# NEWNOTSYN=No has been specified in
+# /etc/shorewall/shorewall.conf.
+#
+# This option has no effect if NEWNOTSYN=Yes
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
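Review bot: In the wildcard paragraph `# want to make a entry that applies to all PPP` should read `# want to make an entry that applies to all PPP`; the same sentence in the two-interfaces/interfaces hunk carries the same slip, and the one-interface copy also lacks the closing period after `'ppp+'` that the two-interfaces copy has. In the following newnotsyn hunk the last line `# This option has no effect if NEWNOTSYN=Yes` is missing the trailing period present in the two-interfaces and three-interfaces copies, so the three samples drift apart on text users copy verbatim. The newnotsyn description would also help readers more if it said what the option trades away: one added sentence such as `# Use this only on interfaces where such packets are expected; it exempts the interface from the NEWNOTSYN=No check.` would make the per-interface override explicit.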
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index fe30a926f..c0c7fe6d3 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -16,7 +16,7 @@
 #
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-# CONTINUE or LOG.
+# REDIRECT-, CONTINUE or LOG.
 #
 # ACCEPT
 # Allow the connection request
@@ -121,6 +121,12 @@
 # 3. You may not specify both an interface and
 # an address
 #
+# Unlike in the SOURCE column, you may specify a range of
+# up to 256 IP addresses using the syntax
+# -. When the ACTION is DNAT or DNAT-,
+# the connections will be assigned to addresses in the
+# range in a round-robin fashion.
+#
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
 # ":". If omitted, the firewall will not modifiy the
@@ -136,7 +142,7 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number or
 # "all".
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
@@ -147,11 +153,11 @@
 # A port range is expressed as :.
 #
 # This column is ignored if PROTOCOL = all but must be
-# entered if any of the following ields are supplied.
+# entered if any of the following fields are supplied.
 # In that case, it is suggested that this field contain
 # "-"
 #
-# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# If your kernel contains multi-port match support, then
 # only a single Netfilter rule will be generated if in
 # this list and the CLIENT PORT(S) list below:
 # 1. There are 15 or less ports listed.
@@ -168,7 +174,7 @@
 # specify an ADDRESS in the next column, then place "-"
 # in this column.
 #
-# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# If your kernel contains multiport match support, then
 # only a single Netfilter rule will be generated if in
 # this list and the DEST PORT(S) list above:
 # 1. There are 15 or less ports listed.
@@ -183,6 +189,16 @@
 # that address will be forwarded to the IP and port
 # specified in the DEST column.
 #
+# A comma-separated list of addresses may also be used.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# a particular set of hosts.
+#
+# Finally, if the list of addresses begins with "!" then
+# the rule will be followed only if the original
+# destination address in the connection request does not
+# match any of the addresses listed.
+#
 # The address may optionally be followed by
 # a colon (":") and a second IP address. This causes
 # Shorewall to use the second IP address as the source
diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones
index 504452e92..7a1ca8461 100644
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -4,7 +4,7 @@
 #
 # This file determines your network zones. Columns are:
 #
-# ZONE Short name of the zone
+# ZONE Short name of the zone (5 Characters or less in length).
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index 5aa0f7256..9f51c0e01 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
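Review bot: The CLIENT PORT(S) hunk of one-interface/rules replaces the MULTIPORT wording with `multiport match support` while the DEST PORT(S) hunk just above it in the same file, and both places in the three-interfaces/rules and two-interfaces/rules copies, write `multi-port match support`. The two paragraphs describe the same kernel feature and should use one spelling; `# If your kernel contains multi-port match support, then` matches the rest of the commit.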
@@ -98,6 +98,14 @@
 # intended soley for use with Proxy ARP
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+# netnotsyn
+# TCP packets that don't have the SYN flag set and
+# which are not part of an established connection
+# will be accepted from this interface, even if
+# NEWNOTSYN=No has been specified in
+# /etc/shorewall/shorewall.conf.
+#
+# This option has no effect if NEWNOTSYN=Yes.
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index 12b88d709..688f32680 100755
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -45,12 +45,14 @@
 # will automatically add this address to the
 # INTERFACE named in the first column.
 #
-# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
-# the address given in this column is the primary
-# IP address for the interface in the INTERFACE
-# column.
+# You may also specify a range of up to 256 IP addresses
+# if you want the SNAT address to be assigned from that
+# range in a round-robin range by connection. The range is
+# specified by -.
 #
-# This column may not contain a DNS Name.
+# Example: 206.124.146.177-206.124.146.180
+#
+# This column may not contain a DNS Names.
 #
 # Example 1:
 #
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index c09336e04..37371e9a6 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -16,7 +16,7 @@
 #
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-# CONTINUE or LOG.
+# REDIRECT-, CONTINUE or LOG.
 #
 # ACCEPT
 # Allow the connection request
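Review bot: The option heading added to three-interfaces/interfaces reads `# netnotsyn`, while the identical paragraphs added to one-interface/interfaces and two-interfaces/interfaces, and the NEWNOTSYN setting the paragraph itself refers to, spell it `newnotsyn`; a user who copies the option name from this sample would end up with an unrecognized option in their interfaces file. I cannot tell from the patch whether Shorewall rejects an unknown option or ignores it, but for a setting that decides whether non-SYN TCP packets are accepted on an interface, either outcome is a bad surprise. The line should read `# newnotsyn`.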
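Review bot: In the three-interfaces/masq hunk `# This column may not contain a DNS Names.` mixes singular and plural; the two-interfaces/masq hunk writes `# This column may not contain DNS names.`, which is correct and the two samples should agree. `round-robin range by connection` in the new range paragraph (and `round robin range` in the two-interfaces/masq copy) looks like a slip for `round-robin fashion by connection`, the wording the rules samples use for the same feature. Both masq hunks also drop the WARNING about ADD_SNAT_ALIASES=Yes with the interface's primary address without replacing it, and the commit message does not say the restriction was lifted; if it still applies in 1.4.6 the warning should stay beside the new range text. The placeholder in `# specified by -.` appears to be empty; this may be an extraction artifact, but it is worth confirming the file shows the actual range syntax.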
@@ -121,6 +121,12 @@
 # 3. You may not specify both an interface and
 # an address.
 #
+# Unlike in the SOURCE column, you may specify a range of
+# up to 256 IP addresses using the syntax
+# -. When the ACTION is DNAT or DNAT-,
+# the connections will be assigned to addresses in the
+# range in a round-robin fashion.
+#
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
 # ":". If omitted, the firewall will not modifiy the
@@ -147,11 +153,11 @@
 # A port range is expressed as :.
 #
 # This column is ignored if PROTOCOL = all but must be
-# entered if any of the following ields are supplied.
+# entered if any of the following fields are supplied.
 # In that case, it is suggested that this field contain
 # "-"
 #
-# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# If your kernel contains multi-port match support, then
 # only a single Netfilter rule will be generated if in
 # this list and the CLIENT PORT(S) list below:
 # 1. There are 15 or less ports listed.
@@ -168,7 +174,7 @@
 # specify an ADDRESS in the next column, then place "-"
 # in this column.
 #
-# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# If your kernel contains multi-port match support, then
 # only a single Netfilter rule will be generated if in
 # this list and the DEST PORT(S) list above:
 # 1. There are 15 or less ports listed.
@@ -183,6 +189,16 @@
 # that address will be forwarded to the IP and port
 # specified in the DEST column.
 #
+# A comma separated list of addresses may also be used.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# a particular set of hosts.
+#
+# Finally, if the list of addresses begines with "!" then
+# the rule will be followed only if the original
+# destination address in the connection request does not
+# match any of the addresses listed.
+#
 # The address may optionally be followed by
 # a colon (":") and a second IP address. This causes
 # Shorewall to use the second IP address as the source
@@ -247,7 +263,7 @@ ACCEPT loc dmz tcp 22
 ACCEPT dmz net tcp 53
 ACCEPT dmz net udp 53
 #
-# Make ping work bi-directionally between the dmz, net, Firewall and local zone
+# Make ping work bi-directionally between the dmz, net, Firewall and local zone
 # (assumes that the loc-> net policy is ACCEPT).
 #
 ACCEPT net fw icmp 8
diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones
index 7d921737c..4cb4abd63 100644
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -4,7 +4,7 @@
 #
 # This file determines your network zones. Columns are:
 #
-# ZONE Short name of the zone
+# ZONE Short name of the zone (5 Characters or less in length).
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index bc042c3c9..1eba6e15b 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -22,6 +22,10 @@
 # an alias (e.g., eth0:0) here; see
 # http://www.shorewall.net/FAQ.htm#faq18
 #
+# You may specify wildcards here. For example, if you
+# want to make a entry that applies to all PPP
+# interfaces, use 'ppp+'.
+#
 # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 # BROADCAST
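Review bot: In the ORIGINAL DEST hunk of three-interfaces/rules `# Finally, if the list of addresses begines with "!" then` should read `# Finally, if the list of addresses begins with "!" then`, as the one-interface and two-interfaces copies already do. The first line of the same paragraph writes `comma separated` where the sibling copies and the DEST PORT(S) description in this file write `comma-separated`; `# A comma-separated list of addresses may also be used.` keeps the three samples identical. The "!" negation is the one part of this paragraph that changes what a rule matches, so a mismatch between copies of that sentence is worth avoiding.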
@@ -98,6 +102,14 @@
 # intended soley for use with Proxy ARP
 # sub-networking as described at:
 # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+# newnotsyn
+# TCP packets that don't have the SYN flag set and
+# which are not part of an established connection
+# will be accepted from this interface, even if
+# NEWNOTSYN=No has been specified in
+# /etc/shorewall/shorewall.conf.
+#
+# This option has no effect if NEWNOTSYN=Yes.
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index 6710f94c4..591db6d0c 100755
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -44,13 +44,16 @@
 # /etc/shorewall/shorewall.conf then Shorewall
 # will automatically add this address to the
 # INTERFACE named in the first column.
+#
+# You may also specify a range of up to 256 IP
+# addresses if you want the SNAT address to be
+# assigned from that range in a round robin range
+# by connection. The range is specified by
+# -.
+#
+# Example: 206.124.146.177-206.124.146.180
 #
-# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
-# the address given in this column is the primary
-# IP address for the interface in the INTERFACE
-# column.
-#
-# This column may not contain a DNS Name.
+# This column may not contain DNS names.
 #
 # Example 1:
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index f5c000054..45a0719ee 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -16,7 +16,7 @@
 #
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-# CONTINUE or LOG.
+# REDIRECT-, CONTINUE or LOG.
 #
 # ACCEPT
 # Allow the connection request
@@ -121,6 +121,12 @@
 # 3 You may not specify both an interface and
 # an address.
 #
+# Unlike in the SOURCE column, you may specify a range of
+# up to 256 IP addresses using the syntax
+# -. When the ACTION is DNAT or DNAT-,
+# the connections will be assigned to the addresses in the
+# range in a round-robin fashion.
+#
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
 # ":". If omitted, the firewall will not modifiy the
@@ -136,7 +142,7 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number or
 # "all".
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
@@ -147,11 +153,11 @@
 # A port range is expressed as :.
 #
 # This column is ignored if PROTOCOL = all but must be
-# entered if any of the following ields are supplied.
+# entered if any of the following fields are supplied.
 # In that case, it is suggested that this field contain
 # "-"
 #
-# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# If your kernel contains multi-port match support, then
 # only a single Netfilter rule will be generated if in
 # this list and the CLIENT PORT(S) list below:
 # 1. There are 15 or less ports listed.
@@ -168,7 +174,7 @@
 # specify an ADDRESS in the next column, then place "-"
 # in this column.
 #
-# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# If your kernel contains multi-port match support, then
 # only a single Netfilter rule will be generated if in
 # this list and the DEST PORT(S) list above:
 # 1. There are 15 or less ports listed.
@@ -183,6 +189,16 @@
 # that address will be forwarded to the IP and port
 # specified in the DEST column.
 #
+# A comma-separated list of addresses may also be used.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# a particular set of hosts.
+#
+# Finally, if the list of addresses begins with "!" then
+# the rule will be followed only if the original
+# destination address in the connection request does not
+# match any of the addresses listed.
+#
 # The address may optionally be followed by
 # a colon (":") and a second IP address. This causes
 # Shorewall to use the second IP address as the source
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones
index 09716ac0d..98c9cf1f3 100644
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -4,7 +4,7 @@
 #
 # This file determines your network zones. Columns are:
 #
-# ZONE Short name of the zone
+# ZONE Short name of the zone (5 Characters or less in length).
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #