From ae60b56f41e16aef7e2a96416613ce0608eb5a0a Mon Sep 17 00:00:00 2001 From: judas_iscariote Date: Mon, 19 Sep 2005 19:27:22 +0000 Subject: [PATCH] more updates for v3.. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2713 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/three-interface.xml | 59 +++++++++++++++-------------- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index 2aa4e1729..bcd47bd9a 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2005-09-12 + 2005-09-19 2002-2005 @@ -34,6 +34,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + +
Introduction @@ -340,13 +347,13 @@ $FW net ACCEPT to the computer using a cross-over cable). - Do not connect the internal and external interface to the same hub - or switch except for testing AND you are running Shorewall version 1.4.7 - or later. When using these recent versions, you can test using this kind - of configuration if you specify the arp_filter option in - /etc/shorewall/interfaces for all interfaces - connected to the common hub/switch. Using such a setup with a production - firewall is strongly recommended against. + Do NOT connect the internal and external + interface to the same hub or switch except for testing. You + can test using this kind of configuration if you specify the arp_filter + option in /etc/shorewall/interfaces for all + interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly + recommended against. 
@@ -732,19 +739,16 @@ DNS/ACCEPT dmz $FW Run name server on DMZ DNS/ACCEPT loc dmz:10.10.11.1 DNS/ACCEPT $FW dmz:10.10.11.1 - In the rules shown above, AllowDNS is an example of a - defined action. Shorewall includes a number of - defined actions and you can add your - own. To see the list of actions included with your version of - Shorewall, look in the file - /usr/share/shorewall/actions.std. Those actions that - accept connection requests have names that begin with - Allow. + In the rules shown above, DNS/ACCEPT is an example of + a defined macro. Shorewall includes a number of + defined macros and you can add your own. + To see the list of macros included with your version of Shorewall, look in + the file /usr/share/shorewall/actions.std. - You don't have to use defined actions when coding a rule in + You don't have to use defined macros when coding a rule in /etc/shorewall/rules; the generated Netfilter ruleset is slightly more efficient if you code your rules directly rather than - using defined actions. The first example above (name server on the + using defined macros. The first example above (name server on the firewall) could also have been coded as follows: #ACTION SOURCE DEST PROTO DEST PORT(S) @@ -753,8 +757,8 @@ ACCEPT loc $FW udp 53 ACCEPT dmz $FW tcp 53 ACCEPT dmz $FW udp 53 - In cases where Shorewall doesn't include a defined action to meet - your needs, you can either define the action yourself or you can simply + In cases where Shorewall doesn't include a defined macro to meet + your needs, you can either define the macro yourself or you can simply code the appropriate rules directly.
@@ -775,7 +779,7 @@ SSH/ACCEPT loc dmz Those rules allow you to run connect to those servers from your local systems. If you wish to enable other connections between your systems, the - general format for using a defined action is: #ACTION SOURCE DEST PROTO DEST PORT(S) + general format for using a defined macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) <macro> <source zone> <destination zone> The general format when not using a defined action @@ -892,17 +896,16 @@ ACCEPT net $FW tcp 80 The installation procedure - configures your system to start Shorewall at system boot but beginning - with Shorewall version 1.3.9 startup is disabled so that your system won't - try to start Shorewall before configuration is complete. Once you have - completed configuration of your firewall, you can enable Shorewall startup - by removing the file /etc/shorewall/startup_disabled. - + configures your system to start Shorewall at system boot but startup is + disabled so that your system won't try to start Shorewall before + configuration is complete. Once you have completed configuration of your + firewall, you can enable Shorewall startup by removing the file + /etc/shorewall/startup_disabled. Users of the .deb package must edit /etc/default/shorewall and set startup=1. - Users running Shorewall 2.1.3 or later should edit + You should edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. The firewall is started using the shorewall
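Review bot: in the hunk at @@ -732,19 +739,16 @@ the wording changes "defined action" to "defined macro", but the sentence still sends readers to /usr/share/shorewall/actions.std for "the list of macros included with your version of Shorewall"; a file named actions.std reads as the list of actions, not macros, so either the path should be updated to wherever macros are shipped or the sentence should keep saying actions. Verify the path before merging.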
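Review bot: the terminology change in the hunk at @@ -775,7 +779,7 @@ is incomplete: the added line says "the general format for using a defined macro is:" while the unchanged context two lines below still reads "The general format when not using a defined action", so the page ends up using both terms for the same thing; extend the hunk to change that line as well. In the same context, "Those rules allow you to run connect to those servers" has a stray "run" that could be dropped in the same edit.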
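Review bot: the rewrite in the hunk at @@ -892,17 +896,16 @@ drops the version qualifiers ("beginning with Shorewall version 1.3.9", "Users running Shorewall 2.1.3 or later") but leaves three enabling mechanisms side by side: removing /etc/shorewall/startup_disabled, setting startup=1 in /etc/default/shorewall, and setting STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf. Now that the article is scoped to Shorewall 3.0 and later by the note added in the @@ -34 hunk, state which of these applies to 3.0 and qualify or remove the others; as written a reader cannot tell whether all three are required. "You should edit" also leaves the preceding .deb sentence reading as an exception to nothing; "All users should then edit" or similar would make the sequence clear.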