diff --git a/docs/6to4.xml b/docs/6to4.xml
index d4b994860..c3cfd642b 100644
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -63,9 +63,8 @@
We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
- accomplished through use of the
- /etc/shorewall/tunnels file and
- the ip
utility for network interface and routing
+ accomplished through use of the /etc/shorewall/tunnels
+ file and the ip
utility for network interface and routing
configuration.
Unlike GRE and IPIP tunneling, the
@@ -78,13 +77,13 @@
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic.
- In /etc/shorewall/tunnels on system A, we need
+ In /etc/shorewall/tunnels on system A, we need
the following:
#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 134.28.54.2
- This entry in /etc/shorewall/tunnels, opens the
+ This entry in /etc/shorewall/tunnels opens the
firewall so that the IPv6 encapsulation protocol (41) will be accepted
to/from the remote gateway.
diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index 44938d519..2a2f1628f 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -45,15 +45,15 @@
Accounting Basics
Shorewall accounting rules are described in the file
- /etc/shorewall/accounting. By default, the accounting rules are placed in
- a chain called accounting
and can thus be displayed using
- shorewall[-lite] show accounting
. All traffic passing into,
- out of, or through the firewall traverses the accounting chain including
- traffic that will later be rejected by interface options such as
- tcpflags
and maclist
. If your kernel doesn't
- support the connection tracking match extension (Kernel 2.4.21) then some
- traffic rejected under norfc1918
will not traverse the
- accounting chain.
+ /etc/shorewall/accounting. By default, the
+ accounting rules are placed in a chain called accounting
+ and can thus be displayed using shorewall[-lite] show
+ accounting
. All traffic passing into, out of, or through the
+ firewall traverses the accounting chain including traffic that will later
+ be rejected by interface options such as tcpflags
and
+ maclist
. If your kernel doesn't support the connection
+ tracking match extension (Kernel 2.4.21) then some traffic rejected under
+ norfc1918
will not traverse the accounting chain.
The columns in the accounting file are as follows:
@@ -76,7 +76,7 @@
<chain> - The name of a chain;
Shorewall will create the chain automatically if it doesn't
- already exist. Causes a jump to this chain will be generated from
+ already exist. A jump to this chain will be generated from
the chain specified by the CHAIN column. If the name of the chain
is followed by :COUNT
then a COUNT rule matching
this entry will automatically be added to <chain>. Chain
@@ -113,25 +113,26 @@
DESTINATION - Packet
- Destination Format the same as the SOURCE column.
+ Destination. Format the same as the SOURCE column.
- PROTOCOL - A protocol name
- (from /etc/protocols), a protocol number or
- "ipp2p". For "ipp2p", your kernel and iptables must have ipp2p match
- support from Netfilter
+ PROTOCOL - A protocol name (from
+ /etc/protocols), a protocol number or
+ ipp2p
. For ipp2p
, your kernel and
+ iptables must have ipp2p match support from Netfilter
Patch_o_matic_ng.
DEST PORT - Destination Port
number. Service name from /etc/services or port
- number. May only be specified if the protocol is TCP or UDP (6 or 17).
- If the PROTOCOL is "ipp2p", then this column is interpreted as an
- ipp2p option without the leading "--" (default "ipp2p"). For a list of
- value ipp2p options, as root type iptables -m ipp2p
- --help.
+ number. May only be specified if the protocol is TCP or UDP (6 or
+ 17). If the PROTOCOL is ipp2p
, then this column is
+ interpreted as an ipp2p option without the leading --
+ (default ipp2p
). For a list of value ipp2p options, as
+ root type iptables -m ipp2p --help.
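Review bot: "For a list of value ipp2p options, as root type iptables -m ipp2p --help" keeps the pre-existing typo "value" where "valid" is meant; since this sentence is being rewrapped anyway, change it to "For a list of valid ipp2p options".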
@@ -145,23 +146,23 @@
only be non-empty if the CHAIN is OUTPUT. The column may
contain:
- [!][<user name or number>][:<group name or number>][+<program name>]
+ [!][<user name or number>][:<group name or number>][+<program name>]
When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
<user> and/or <group> specified (or is NOT running under
- that id if "!" is given).
+ that id if !
is given).
Examples:
joe #program must be run by joe
- :kids #program must be run by a member of the 'kids'
- group.
+ :kids #program must be run by a member of the
+ kids
group.
- !:kids #program must not be run by a member of the 'kids'
- group
+ !:kids #program must not be run by a member of the
+ kids
group
+upnpd #program named upnpd (This feature was removed from
Netfilter in kernel version 2.6.14).
@@ -170,12 +171,13 @@
MARK - Only count packets with
- particular mark values.[!]<value>[/<mask>][:C]Defines
- a test on the existing packet or connection mark. The rule will match
- only if the test returns true.
+ particular mark values.
+ [!]<value>[/<mask>][:C]
+ Defines a test on the existing packet or connection mark. The rule will
+ match only if the test returns true.
If you don’t want to define a test but need to specify anything
- in the following columns, place a "-" in this field.
+ in the following columns, place a -
in this field.
! — Inverts the test (not equal)
<value> — Value of the packet or connection
@@ -192,14 +194,14 @@
In all columns except ACTION and CHAIN, the values
- -
,any
and all
are treated as
+ -
, any
and all
are treated as
wild-cards.
The accounting rules are evaluated in the Netfilter
filter
table. This is the same environment where the
rules
file rules are evaluated and in this environment,
DNAT has already occurred in inbound packets and SNAT has not yet occurred
- on outbound ones.
+ on outbound packets.
Accounting rules are not stateful -- each rule only handles traffic
in one direction. For example, if eth0 is your Internet interface, and you
@@ -222,9 +224,9 @@
web:COUNT - eth1 eth0 tcp - 443
DONE web
- Now shorewall show web
(or "shorewall-lite show web"
- for Shorewall Lite users) will give you a breakdown of your web
- traffic:
+ Now shorewall show web (or shorewall-lite
+ show web for Shorewall Lite users) will give you a breakdown
+ of your web traffic:
[root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
@@ -251,9 +253,9 @@
COUNT web eth0 eth1
COUNT web eth1 eth0
- Now shorewall show web
(or "shorewall-lite show web"
- for Shorewall Lite users) simply gives you a breakdown by input and
- output:
+ Now shorewall show web (or shorewall-lite
+ show web for Shorewall Lite users) simply gives you a
+ breakdown by input and output:
[root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
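Review bot: the rewritten sentence says "Now shorewall show web (or shorewall-lite show web for Shorewall Lite users) simply gives you a breakdown by input and output", but the session that follows runs "shorewall show accounting web", so the command named in the prose does not match the one shown in the transcript. Either name shorewall show accounting web in the prose or show the output of the command the text describes.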
@@ -343,7 +345,7 @@
- If the CHAIN column contains '-', then:
+ If the CHAIN column contains -
, then:
diff --git a/docs/Actions.xml b/docs/Actions.xml
index c13fc58a5..71b23bf5f 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -97,9 +97,10 @@ ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
If you wish to modify one of the standard actions, do not modify
- the definition in /usr/share/shorewall. Rather, copy the file to
- /etc/shorewall (or somewhere
- else on your CONFIG_PATH) and modify the copy.
+ the definition in /usr/share/shorewall. Rather, copy the
+ file to /etc/shorewall (or
+ somewhere else on your CONFIG_PATH) and modify the copy.
Standard Actions were largely replaced by macros in Shorewall 3.0 and later major
@@ -108,9 +109,11 @@ ACCEPT - - tcp 135,139,445
User-defined Actions. These actions are created by end-users.
- They are listed in the file /etc/shorewall/actions and are defined in
- action.* files in /etc/shorewall or in another directory listed in
- your CONFIG_PATH (defined in /etc/shorewall/actions and are defined in
+ action.* files in /etc/shorewall or in another directory
+ listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf).
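Review bot: as shown, the replacement text starts at "action.* files in /etc/shorewall or in another directory", while the removed lines began with "They are listed in the file /etc/shorewall/actions and are defined in"; confirm that opening clause is still present in the committed XML, otherwise the paragraph now begins mid-sentence. The new closing parenthesis "(defined in /etc/shorewall/shorewall.conf)" is the useful correction here, since the old text had the parenthesis pointing back at /etc/shorewall/actions.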
@@ -148,22 +151,20 @@ ACCEPT - - tcp 135,139,445
AUTH protocol of client authentication
AUTH is actually pretty silly on today's Internet but it's
amazing how many servers still employ it.
-
+ .
Shorewall supports default actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the
- /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
- REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
- respectively. Policies whose default is set to a value of "none" have no
- default action.
+ /etc/shorewall/shorewall.conf file using the
+ ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
+ NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
+ value of none
have no default action.
-
-
- In addition, the default specified in /etc/shorewall/shorewall.conf
- may be overridden by specifying a different default in the POLICY column
- of In addition, the default specified in
+ /etc/shorewall/shorewall.conf may be overridden by
+ specifying a different default in the POLICY column of /etc/shorewall/policy.
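Review bot: the first change in this hunk replaces an empty line after "amazing how many servers still employ it." with a line containing only "."; that sentence already ends in a period, so the added "." will render as a stray period on its own. Drop it, or if it was meant to sit after a closing markup element, move the period inside the sentence instead.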
@@ -177,15 +178,17 @@ ACCEPT - - tcp 135,139,445
Limiting Per-IP Connection Rate
- Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' action. Limit is invoked with a comma-separated
- list in place of a logging tag. The list has three elements:
+ Beginning with Shorewall 3.0.4, Shorewall has a Limit
+ action. Limit is invoked with a
+ comma-separated list in place of a logging tag. The list has three
+ elements:
- The name of a 'recent' set; you select the set name which must
- conform to the rules for a valid chain name. Different rules that
- specify the same set name will use the same set of counters.
+ The name of a recent
set; you select the set name
+ which must conform to the rules for a valid chain name. Different
+ rules that specify the same set name will use the same set of
+ counters.
@@ -200,9 +203,9 @@ ACCEPT - - tcp 135,139,445
Connections that exceed the specified rate are dropped.
- For example,to use a recent set name of SSHA, and to limiting SSH to 3 per minute, use this
- entry in /etc/shorewall/rules:
+ For example, to use a recent set name of SSHA, and to limit SSH connections to 3 per minute,
+ use this entry in /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:none:SSHA,3,60 net $FW tcp 22
@@ -218,12 +221,12 @@ Limit:info:SSHA,3,60 net $FW tcp 22
- The log level. If you don't want to log, specify "none".
+ The log level. If you don't want to log, specify none
.
- The name of the recent set that you want to use ("SSHA" in this
- example).
+ The name of the recent set that you want to use
+ (SSHA
in this example).
@@ -246,7 +249,7 @@ Limit:info:SSHA,3,60 net $FW tcp 22
The file
- /usr/share/shorewall/action.Limit is
+ /usr/share/shorewall/action. Limit is
empty.
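Review bot: the rewritten line turns the filename "/usr/share/shorewall/action.Limit" into "/usr/share/shorewall/action. Limit", with whitespace after the dot. The file is a single token, as "/usr/share/shorewall/action.template" and "action.ActionName" are written elsewhere in this patch, so the space introduced between "action." and "Limit" (presumably from splitting the markup at the dot) should be removed.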
@@ -324,9 +327,9 @@ add_rule $chainref, '-j ACCEPT';
Add a line to
- /etc/shorewall/actions that
+ /etc/shorewall/actions that
names your new action. Action names must be valid shell variable names
- ((must begin with a letter and be composed of letters, digits and
+ (must begin with a letter and be composed of letters, digits and
underscore characters) as well as valid Netfilter chain names. If you
intend to log from the action, the name must have a maximum of 11
characters. It is recommended that the name you select for a new
@@ -335,8 +338,8 @@ add_rule $chainref, '-j ACCEPT';
The name of the action may be optionally followed by a colon
(:
) and ACCEPT, DROP or REJECT. When this is done, the
- named action will become the default action for
- policies of type ACCEPT, DROP or REJECT respectively. The default
+ named action will become the default action for
+ policies of type ACCEPT, DROP or REJECT, respectively. The default
action is applied immediately before the policy is enforced (before
any logging is done under that policy) and is used mainly to suppress
logging of uninteresting traffic which would otherwise clog your logs.
@@ -350,7 +353,7 @@ add_rule $chainref, '-j ACCEPT';
Once you have defined your new action name (ActionName), then
- copy /usr/share/shorewall/action.template to
+ copy /usr/share/shorewall/action.template to
/etc/shorewall/action.ActionName (for example, if
your new action name is Foo
then copy
/usr/share/shorewall/action.template to
@@ -362,7 +365,8 @@ add_rule $chainref, '-j ACCEPT';
- Columns in the action.template file are as follows:
+ Columns in the action.template file are as
+ follows:
@@ -392,7 +396,7 @@ add_rule $chainref, '-j ACCEPT';
SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
- by IP or MAC address; mac addresses must begin with ~
+ by IP or MAC address; MAC addresses must begin with ~
and must use -
as a separator.
Alternatively, clients may be specified by interface name. For
@@ -426,9 +430,9 @@ add_rule $chainref, '-j ACCEPT';
A port range is expressed as <low
port>:<high port>.
- This column is ignored if PROTO = "all", but must be entered if
- any of the following fields are supplied. In that case, it is
- suggested that this field contain -
.
+ This column is ignored if PROTO = all
, but must be
+ entered if any of the following fields are supplied. In that case, it
+ is suggested that this field contain -
.
If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
@@ -454,7 +458,8 @@ add_rule $chainref, '-j ACCEPT';
names, port numbers or port ranges.
If you don't want to restrict client ports but need to specify
- any of the following fields, then place "-" in this column.
+ any of the subsequent fields, then place -
in this
+ column.
If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
@@ -536,7 +541,7 @@ add_rule $chainref, '-j ACCEPT';
rule will match only if the test returns true.
If you don’t want to define a test but need to specify anything
- in the following columns, place a "-" in this field.
+ in the subsequent columns, place a -
in this field.
! — Inverts the test (not equal)
<value> — Value of the packet
@@ -552,7 +557,8 @@ add_rule $chainref, '-j ACCEPT';
- Omitted column entries should be entered using a dash ("-").
+ Omitted column entries should be entered using a dash
+ (-
).
Example:
@@ -563,7 +569,8 @@ add_rule $chainref, '-j ACCEPT';
LogAndAccept # LOG and ACCEPT a connectionNote: If your
/etc/shorewall/actions file doesn't have an
- indication where to place the comment, put the '#' in column 21.
+ indication where to place the comment, put the #
in column
+ 21.
/etc/shorewall/action.LogAndAccept LOG:info
ACCEPT
@@ -607,8 +614,8 @@ bar:info
#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug $FW net
- Logging in the invoke 'foo' action will be as if foo had been
- defined as:
+ Logging in the invoke foo
action will be as if foo
+ had been defined as:
#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
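Review bot: "Logging in the invoke foo action will be as if foo had been defined as:" carries over the pre-existing grammar slip, and with the quotes around foo removed it now reads as "the invoke foo action". Suggest "Logging in the invoked foo action will be as if foo had been defined as:".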
@@ -616,8 +623,9 @@ bar:info
- If you follow the log level with "!" then logging will be set at
- that level for all rules recursively invoked by the action.
+ If you follow the log level with !
then logging
+ will be set at that level for all rules recursively invoked by the
+ action.
Example:
@@ -632,8 +640,8 @@ bar:info
#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug! $FW net
- Logging in the invoke 'foo' action will be as if foo had been
- defined as:
+ Logging in the invoke foo
action will be as if foo
+ had been defined as:
#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
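Review bot: the same wording issue as in the foo:debug example above: "Logging in the invoke foo action will be as if foo had been defined as:" should read "Logging in the invoked foo action will be as if foo had been defined as:". Since this hunk rewraps the sentence anyway, fix the verb form here too so both examples match.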
@@ -641,8 +649,8 @@ bar:debug
- If you define an action 'acton' and you have an
- /etc/shorewall/acton script then when that script is
+ If you define an action acton
and you have an
+ /etc/shorewall/acton script, when that script is
invoked, the following three variables will be set for use by the
script:
@@ -670,19 +678,20 @@ bar:debug
#ACTION SOURCE DEST
acton:info:test $FW net
- Your /etc/shorewall/acton file will be run with:
+ Your /etc/shorewall/acton file will be run
+ with:
- $CHAIN="%acton1"
+ $CHAIN=%acton1
- $LEVEL="info"
+ $LEVEL=info
- $TAG="test"
+ $TAG=test
@@ -714,8 +723,8 @@ acton:info:test $FW net
Creating an Action using an Extension Script
There may be cases where you wish to create a chain with rules that
- can't be constructed using the tools defined in the action.template. In
- that case, you can use an action.template. In that case, you can use an extension script.
If you actually need an action to drop broadcast packets, use
the dropBcast standard action rather than create