Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1090 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-24 15:56:22 +00:00
parent 2e80e459bb
commit ac8d03c5f4
10 changed files with 172 additions and 178 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-05</pubdate>
<pubdate>2004-01-22</pubdate>
<copyright>
<year>2001-2004</year>
@ -680,6 +680,21 @@ dmz DMZ Demilitarized zone</programlisting>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>detectnets</term>
<listitem>
<para>(Added in version 1.4.10) - If this option is specified,
the zone named in the ZONE column will contain only the hosts
routed through the interface named in the INTERFACE column.
<emphasis role="bold">Do not set this option on your external
(Internet) interface!</emphasis> The interface must be in the
UP state when Shorewall is [re]started.</para>
</listitem>
</varlistentry>
</variablelist>
<para>My recommendations concerning options:</para>
<itemizedlist>
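Review bot: the warning not to set detectnets on the external interface gives no reason, and the paragraph does not say what happens when the named interface is not UP at [re]start (does the start fail, or does the zone end up empty?). If membership is determined from the routes present at [re]start, which the UP requirement suggests, say so explicitly and add that routes added afterwards are not picked up until the next restart, e.g. "The zone is populated from the routes through the interface at the time Shorewall is [re]started; routes added later are not included until the next restart."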
@ -688,7 +703,7 @@ dmz DMZ Demilitarized zone</programlisting>
</listitem>
<listitem>
<para>Wireless Interface -- <emphasis role="bold">maclist,routefilter,tcpflags</emphasis></para>
<para>Wireless Interface -- <emphasis role="bold">maclist,routefilter,tcpflags,detectnets</emphasis></para>
</listitem>
<listitem>
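Review bot: the wireless recommendation now includes detectnets, which the hunk above introduces as a 1.4.10 option, but the recommendations list does not say so, and readers on earlier releases cannot use it. Suggest "maclist,routefilter,tcpflags,detectnets (1.4.10 and later)" or an equivalent parenthetical.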
@ -926,7 +941,7 @@ loc eth1:192.168.1.0/24,192.168.12.0/24</programlisting>
to a particular connection request then the policy from
<filename>/etc/shorewall/policy</filename> is applied.</para>
<para>Four policies are defined:</para>
<para>Five policies are defined:</para>
<variablelist>
<varlistentry>
@ -1827,14 +1842,23 @@ DNAT net loc:192.168.1.101-192.168.1.109 tcp 80</programlisting>
optionally qualified by adding <quote>:</quote> and a subnet or host
IP. When this qualification is added, only packets addressed to that
host or subnet will be masqueraded. Beginning with Shorewall version
1.3.14, if you have set ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />,
you can cause Shorewall to create an alias <emphasis>label</emphasis>
of the form <emphasis>interfacename:digit</emphasis> (e.g., eth0:0)
by placing that label in this column. See example 5 below. Alias
labels created in this way allow the alias to be visible to the
ipconfig utility. <emphasis role="bold">THAT IS THE ONLY THING THAT
THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR
SHOREWALL CONFIGURATION.</emphasis></para>
1.4.10, the interface name can be qualified with &#34;:&#34;
followed by a comma separated list of hosts and/or subnets. If this
list begins with <quote>!</quote> (e.g., <quote>eth0:!192.0.2.8/29,192.0.2.32/29</quote>)
then only packets addressed to destinations <emphasis role="bold">not</emphasis>
listed will be masqueraded; otherwise (e.g., <quote>eth0:192.0.2.8/29,192.0.2.32/29</quote>),
traffic will be masqueraded if it <emphasis role="bold">does</emphasis>
match one of the listed addresses.</para>
<para>Beginning with Shorewall version 1.3.14, if you have set
ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />, you can cause
Shorewall to create an alias <emphasis>label</emphasis> of the form
<emphasis>interfacename:digit</emphasis> (e.g., eth0:0) by placing
that label in this column. See example 5 below. Alias labels created
in this way allow the alias to be visible to the ipconfig utility.
<emphasis role="bold">THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
CONFIGURATION.</emphasis></para>
</listitem>
</varlistentry>
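Review bot: the new destination-list qualifier and the ADD_SNAT_ALIASES alias label both take the form interfacename followed by ":" (eth0:192.0.2.8/29,192.0.2.32/29 versus eth0:0), and the text does not say how Shorewall distinguishes them or whether the two can be combined on one entry; one sentence on that (and on whether the label must be the only thing after the colon) would prevent mis-parsed entries. The unchanged lead sentence still says the interface is "optionally qualified by adding ':' and a subnet or host IP", which now duplicates and under-describes the 1.4.10 paragraph; fold it into that paragraph.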
@ -3091,7 +3115,9 @@ eth1 -</programlisting>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.11</revnumber><date>2005-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
<para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
masquerade destination list.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-18</date><authorinitials>TE</authorinitials><revremark>Correct
typo.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
Compliance</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Improved
formatting of DNAT- and REDIRECT- for clarity</revremark></revision><revision><revnumber>1.9</revnumber><date>2003-12-25</date><authorinitials>MN</authorinitials><revremark>Initial
Docbook Conversion Complete</revremark></revision></revhistory></para>
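Review bot: two revisions are numbered 1.12 (2004-01-21 "Add masquerade destination list" and 2004-01-18 "Correct typo"); the newer entry should be 1.13. The 1.11 entry's date correction from 2005-01-05 to 2004-01-05 is right.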

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2003-12-31</pubdate>
<pubdate>2004-01-21</pubdate>
<copyright>
<year>2001-2003</year>
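Review bot: the pubdate moves to 2004-01-21 but the copyright year on the following line is still 2001-2003; the other files in this commit extend the range to 2004 (e.g. 2001-2004), so this one should match.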
@ -23,7 +23,7 @@
<holder>Thomas M. Eastep</holder>
</copyright>
<edition>1.4.8</edition>
<edition>1.4.9</edition>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
@ -73,6 +73,10 @@
(virtual) Interfaces (e.g., eth0:0)</ulink></para>
</listitem>
<listitem>
<para><ulink url="traffic_shaping.htm">Bandwidth Control</ulink></para>
</listitem>
<listitem>
<para><ulink url="blacklisting_support.htm">Blacklisting</ulink></para>

View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-01-20</pubdate>
<pubdate>2004-01-24</pubdate>
<copyright>
<year>2001-2004</year>
@ -1590,7 +1590,12 @@ Creating input Chains...
<para><emphasis role="bold">Answer:</emphasis> The above output is
perfectly normal. The Net zone is defined as all hosts that are
connected through eth0 and the local zone is defined as all hosts
connected through eth1</para>
connected through eth1. If you are running Shorewall 1.4.10 or later,
you can consider setting the <ulink url="Documentation.htm#Interfaces"><emphasis
role="bold">detectnets</emphasis> interface option</ulink> on your local
interface (eth1 in the above example). That will cause Shorewall to
restrict the local zone to only those networks routed through that
interface.</para>
</section>
<section id="faq22">
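Review bot: the pointer to detectnets omits the two caveats attached to the option in Documentation.xml in this same commit: do not set it on the external interface, and the interface must be UP when Shorewall is [re]started. FAQ readers may act on this paragraph alone, so repeat at least the UP requirement here, e.g. "Note that eth1 must be up when Shorewall is [re]started."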
@ -1909,7 +1914,9 @@ Creating input Chains...
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
<para><revhistory><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
a note about the <emphasis role="bold">detectnets</emphasis> interface
option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected
broken link</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-09</date><authorinitials>TE</authorinitials><revremark>Added
a couple of more legacy FAQ numbers.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-01-08</date><authorinitials>TE</authorinitials><revremark>Corrected

View File

@ -15,14 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-10-29</pubdate>
<pubdate>2004-01-22</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -37,6 +33,16 @@
</legalnotice>
</articleinfo>
<warning>
<para>This documentation does not cover configuring IPSEC under the 2.6
Linux Kernel. David Hollis has provided i<ulink
url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
about how to set up a simple tunnel under 2.6</ulink>. One important point
that is not made explicit in David&#39;s post is that the <emphasis
role="bold">vpn</emphasis> zone must be defined before the <emphasis
role="bold">net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</para>
</warning>
<section>
<title>Configuring FreeS/Wan</title>
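Review bot: the link markup splits a word: "provided i<ulink ...>nformation about how to set up a simple tunnel under 2.6</ulink>" leaves the leading "i" outside the link; move it inside so the link text reads "information about how to set up a simple tunnel under 2.6". The requirement that the vpn zone be defined before the net zone in /etc/shorewall/zones is stated without a reason; one sentence on why zone order matters here would let readers judge whether it applies to their setup.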

View File

@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-10-17</pubdate>
<pubdate>2004-01-20</pubdate>
<copyright>
<year>2003</year>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -33,7 +33,7 @@
</legalnotice>
</articleinfo>
<para> </para>
<para></para>
<para>This page covers Shorewall configuration to use with <ulink
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
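Review bot: changing "<para> </para>" to "<para></para>" still leaves an empty paragraph that exists only as vertical spacing; drop the element altogether and let the stylesheet handle spacing.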
@ -401,7 +401,7 @@ chkconfig --level 35 iptables on</programlisting>
</section>
<section id="DMZ">
<title>Squid (transparent) Running in the DMZ (This is what I do)</title>
<title>Squid (transparent) Running in the DMZ</title>
<para>You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.

View File

@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-10-22</pubdate>
<pubdate>2004-01-19</pubdate>
<copyright>
<year>2003</year>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -42,7 +42,7 @@
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
insert the following rules <emphasis role="bold">near the top</emphasis> of
your /etc/shorewall/rules file (before and ACCEPT rules whose source is the
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
<quote>loc</quote> zone).</para>
<programlisting> QUEUE loc net tcp
@ -51,4 +51,9 @@
<para>Now simply configure ftwall as described in the ftwall documentation
and restart Shorewall.</para>
<tip>
<para>There is an ftwall init script for use with <trademark>SuSE</trademark>
Linux at <ulink url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-05</pubdate>
<pubdate>2004-01-17</pubdate>
<copyright>
<year>2002-2004</year>
@ -140,7 +140,7 @@
option in <filename>/etc/shorewall/interfaces</filename>.</para>
<example>
<title>Ingore packets from a pair of systems</title>
<title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-01-03</pubdate>
<pubdate>2004-01-19</pubdate>
<copyright>
<year>2001-2004</year>
@ -62,16 +62,44 @@
</itemizedlist>
</caution>
<section>
<title>RFC1918 File</title>
<para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
</section>
<section>
<title>Problems in Version 1.4</title>
<section>
<title>All Versions</title>
<title>Shorewall 1.4.9</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
<itemizedlist>
<listitem>
<para>The column descriptions in the action.template file did not
match the column headings.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
action.template file</ulink> which may be installed in /etc/shorewall.</para>
<itemizedlist>
<listitem>
<para>The presence of IPV6 addresses on devices generates error
messages during <command>[re]start </command>if ADD_IP_ALIASES=Yes
or ADD_SNAT_ALIASES=Yes are specified in
/etc/shorewall/shorewall.conf.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
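Review bot: the IPV6-address problem sits under the new "Shorewall 1.4.9" heading, but its fix is the firewall script at errata/1.4.8/firewall; either the directory is wrong for 1.4.9, or the problem also affects 1.4.8, in which case the heading that replaced "All Versions" should say which versions are affected. The same applies to the ADD_IP_ALIASES/ADD_SNAT_ALIASES error text: state the affected versions explicitly rather than relying on the section title.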
@ -437,9 +465,11 @@ Aborted (core dumped)</programlisting>
</section>
<appendix>
<title>Revision History</title>
<title>Revision History4</title>
<para><revhistory><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
Conversion to Docbook XML</revremark></revision></revhistory></para>
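Review bot: the appendix title reads "Revision History4" (stray digit), and the revision list now has two entries numbered 1.3 (2004-01-14 "Confusing template file in 1.4.9" and 2004-01-03 "Added note about REJECT ..."); renumber the 2004-01-14 entry to 1.4 and the new 2004-01-19 entry to 1.5. "Kernal" in the 2004-01-03 remark should be "Kernel".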

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-08</pubdate>
<pubdate>2004-01-20</pubdate>
<copyright>
<year>2001-2004</year>
@ -66,8 +66,9 @@
</listitem>
<listitem>
<para>One-to-one NAT for EastepLaptop (My work system). Internal
address 192.168.1.7 and external address 206.124.146.180.</para>
<para>One-to-one NAT for EastepLaptop (My work system -- Windows XP
SP2). Internal address 192.168.1.7 and external address
206.124.146.180.</para>
</listitem>
<listitem>
@ -86,7 +87,7 @@
</listitem>
</itemizedlist>
<para>The firewall runs on a 256MB PII/233 with RH9.0.</para>
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
<para>Wookie, Ursa and the Firewall all run Samba and the Firewall acts as
a WINS server.</para>
@ -100,19 +101,20 @@
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd). The system also runs fetchmail to fetch our email from
our old and current ISPs. That server is managed through Proxy ARP.</para>
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
fetch our email from our old and current ISPs. That server is managed
through Proxy ARP.</para>
<para>The firewall system itself runs a DHCP server that serves the local
network.</para>
<para>All administration and publishing is done using ssh/scp. I have X
installed on the firewall but no X server or desktop is installed. X
applications tunnel through SSH to XWin.exe running on Ursa. The server
does have a desktop environment installed and that desktop environment is
available via XDMCP from the local zone. For the most part though, X
tunneled through SSH is used for server administration and the server runs
at run level 3 (multi-user console mode on RedHat).</para>
<para>All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I am not usually logged
in to it. X applications tunnel through SSH to Ursa. The server also has a
desktop environment installed and that desktop environment is available
via XDMCP from the local zone. For the most part though, X tunneled
through SSH is used for server administration and the server runs at run
level 3 (multi-user console mode on RedHat).</para>
<para>I run an SNMP server on my firewall to serve <ulink
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
@ -120,9 +122,9 @@
ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
is 206.124.146.254 (Router at my ISP. This is the same default gateway
used by the firewall itself). On the firewall, my /sbin/ifup-local script
(see below) adds a host route to 206.124.146.177 through eth1 when that
interface is brought up.</para>
used by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
Road Warrior access.</para>
@ -541,90 +543,24 @@ ACCEPT all all icmp
</section>
<section>
<title>Init File</title>
<title>/etc/network/interfaces</title>
<blockquote>
<para>This file deals with redirecting html requests to <ulink
url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>.</para>
</blockquote>
<para>This file is Debian specific. My additional entry (which is
displayed in <emphasis role="bold">bold type</emphasis>) adds a route
to my DMZ server when eth1 is brought up. It allows me to enter
<quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
Proxy ARP file</link>.</para>
<blockquote>
<programlisting>#
# Add a second routing table with my server as the default gateway
# Use this routing table with all packets marked with value 1
#
if [ -z &#34;`ip route list table 202 2&#62; /dev/null`&#34; ] ; then
run_ip rule add fwmark 1 table www.out
run_ip route add default via 206.124.146.177 dev eth1 table www.out
run_ip route flush cache
fi</programlisting>
</blockquote>
</section>
<section>
<title>/etc/iproute2/rt_tables</title>
<blockquote>
<para>This file deals with redirecting html requests to <ulink
url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>.</para>
</blockquote>
<blockquote>
<programlisting>#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local -- I added the entry below
#
202 www.out</programlisting>
</blockquote>
</section>
<section>
<title>Tcrules File</title>
<blockquote>
<para>This file deals with redirecting html requests to <ulink
url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>
-- in my setup, it is <emphasis role="bold">not</emphasis> used for
traffic shapping/control.</para>
</blockquote>
<blockquote>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
1:P eth2,eth3 !192.168.0.0/16 tcp 80</programlisting>
</blockquote>
</section>
<section>
<title>Tcstart File</title>
<blockquote>
<para>My tcstart file is just the HTB version of <ulink
url="http://lartc.org/wondershaper/">The WonderShaper</ulink>.</para>
</blockquote>
</section>
<section>
<title>/sbin/ifup-local</title>
<blockquote>
<para>This file is Redhat specific and adds a route to my DMZ server
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
<programlisting>#!/bin/sh
case $1 in
eth1)
ip route add 206.124.146.177 dev eth1
;;
esac</programlisting>
<programlisting>...
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
<emphasis role="bold">up ip route add 206.124.146.177 dev eth1
</emphasis>...</programlisting>
</blockquote>
</section>
</section>
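Review bot: removing the Init File, /etc/iproute2/rt_tables, Tcrules and Tcstart sections takes out the www.out routing table and the fwmark 1 tcrules entry that sent port-80 traffic to Squid in the DMZ, but no prose says whether Squid redirection and the WonderShaper tcstart were dropped from the setup or simply moved; add one sentence stating which. In the new /etc/network/interfaces fragment the closing </emphasis> follows the line break, so the bold run swallows the newline; put it at the end of the "up ip route add 206.124.146.177 dev eth1" line.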

View File

@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-10-21</pubdate>
<pubdate>2004-01-21</pubdate>
<copyright>
<year>2001-2003</year>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -223,6 +223,21 @@
omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</para>
</listitem>
<listitem>
<para>USER (Added in Shorewall version 1.4.10) - (Optional) This
column may only be non-empty if the SOURCE is the firewall itself.
When this column is non-empty, the rule applies only if the program
generating the output is running under the effective user and/or
group. It may contain : </para>
<para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]
</para>
<para>The colon is optionnal when specifying only a user. </para>
<para>Examples : john: / john / :users / john:users</para>
</listitem>
</itemizedlist>
<example>
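Review bot: "optionnal" should be "optional", and the stray spaces before the colons in "It may contain : " and "Examples : " should go. The sentence "the rule applies only if the program generating the output is running under the effective user and/or group" is clearer as: the rule matches only packets generated on the firewall by a process whose effective user and/or group matches the USER column. Since the column "may only be non-empty if the SOURCE is the firewall itself", also say whether a non-empty USER with any other SOURCE is rejected at [re]start or silently ignored.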
@ -233,7 +248,7 @@
originating on the firewall itself should be marked with 3.</para>
<informaltable>
<tgroup cols="6">
<tgroup cols="4">
<thead>
<row>
<entry align="center">MARK</entry>
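Review bot: cols drops from 6 to 4, but the header row that follows still lists MARK, DESTINATION, PROTOCOL and PORT(S) plus whatever is in the hidden context (SOURCE, per the "MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)" layout shown elsewhere in this commit); if SOURCE is still present the row has five entries against cols="4", which the DocBook toolchain will reject. Verify that every <row> in each of the three tables has exactly cols entries, including the third table, which goes to cols="5".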
@ -243,10 +258,6 @@
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
</row>
</thead>
@ -259,10 +270,6 @@
<entry>0.0.0.0/0</entry>
<entry>all</entry>
<entry></entry>
<entry></entry>
</row>
<row>
@ -273,10 +280,6 @@
<entry>0.0.0.0/0</entry>
<entry>all</entry>
<entry></entry>
<entry></entry>
</row>
<row>
@ -287,10 +290,6 @@
<entry>0.0.0.0/0</entry>
<entry>all</entry>
<entry></entry>
<entry></entry>
</row>
<row>
@ -301,10 +300,6 @@
<entry>0.0.0.0/0</entry>
<entry>all</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -318,7 +313,7 @@
destined for 155.186.235.151 should be marked with 12.</para>
<informaltable>
<tgroup cols="6">
<tgroup cols="4">
<thead>
<row>
<entry align="center">MARK</entry>
@ -328,10 +323,6 @@
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
</row>
</thead>
@ -344,10 +335,6 @@
<entry>155.186.235.151</entry>
<entry>47</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -361,7 +348,7 @@
155.186.235.151 should be marked with 22.</para>
<informaltable>
<tgroup cols="6">
<tgroup cols="5">
<thead>
<row>
<entry align="center">MARK</entry>
@ -373,8 +360,6 @@
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
</row>
</thead>
@ -389,8 +374,6 @@
<entry>tcp</entry>
<entry>22</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
@ -405,10 +388,7 @@
url="http://lartc.org/wondershaper/">The Wonder Shaper </ulink>(I just
copied wshaper.htb to /etc/shorewall/tcstart and modified it as shown in
the Wondershaper README). WonderShaper DOES NOT USE THE
/etc/shorewall/tcrules file. While I currently have entries in
/etc/shorewall/tcrules, I do so for <ulink
url="Shorewall_Squid_Usage.html">policy routing for Squid</ulink> and not
for Traffic Shaping.</para>
/etc/shorewall/tcrules file.</para>
</section>
<section>