Add a new FAQ; remove 'Added in' from rules manpage

Tom Eastep 2009-06-02 08:21:52 -07:00
parent a953c1af46
commit b82dad8843
2 changed files with 34 additions and 17 deletions


@ -20,7 +20,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001-2008</year>
<year>2001-2009</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -498,6 +498,24 @@ REDIRECT net 22 tcp 9022</programlisting>
you use a REDIRECT rule.</para>
</section>
<section id="faq8">
<title>(FAQ 8) I have several external IP addresses and use
/etc/shorewall/nat to associate them with systems in my DMZ. When I add
a DNAT rule, say for ports 80 and 443, Shorewall redirects connections
on those ports for all of my addresses. How can I restrict DNAT to only
a single address?</title>
<para><emphasis role="bold">Answer</emphasis>: Specify the external
address that you want to redirect in the ORIGINAL DEST column.</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT net net:192.168.4.22 tcp 80,443 - <emphasis
role="bold">206.124.146.178</emphasis></programlisting>
</section>
<section id="faq38">
<title>(FAQ 38) Where can I find more information about DNAT?</title>
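Review bot: the DEST column of the new FAQ 8 example reads `net:192.168.4.22`, but the question is about systems in the DMZ, so the destination would normally be qualified with the DMZ zone (e.g. `dmz:192.168.4.22`); please confirm the `net:` zone is intended, since a reader copying the example as written would point the rule at the wrong zone. The column header inside the programlisting is also split across two lines (`SOURCE ORIGINAL` / `PORT DEST.`) and would read more clearly with each heading aligned over its value.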


@ -1071,18 +1071,17 @@
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. Requires connlimit
match in your kernel and iptables. While the limit is only checked
on rules specifying CONNLIMIT, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the limit is applied to each host but can be made to apply
to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all
hosts in the subnet
<para>May be used to limit the number of simultaneous connections
from each individual host to <replaceable>limit</replaceable>
connections. Requires connlimit match in your kernel and iptables.
While the limit is only checked on rules specifying CONNLIMIT, the
number of current connections is calculated over all current
connections from the SOURCE host. By default, the limit is applied
to each host but can be made to apply to networks of hosts by
specifying a <replaceable>mask</replaceable>. The
<replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When<option> !</option> is specified, the rule matches when the
number of connection exceeds the
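Review bot: dropping "Added in Shorewall-perl 4.2.1." from the CONNLIMIT paragraph removes the only statement in this manpage of which release introduced the column; if the intent is that 4.2.1 is now the minimum release the manpage documents, that should be said once in the manpage header or changelog so users on older installs can still tell why CONNLIMIT is rejected. While this paragraph is being rewritten, the trailing context still has `When<option> !</option>` with a stray leading space inside the option element and `number of connection exceeds` (should be `connections`); both could be fixed in the same edit.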
@ -1095,10 +1094,10 @@
<emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the rule
to a particular time period each day, to particular days of the week
or month, or to a range defined by dates and times. Requires time
match support in your kernel and iptables.</para>
<para>May be used to limit the rule to a particular time period each
day, to particular days of the week or month, or to a range defined
by dates and times. Requires time match support in your kernel and
iptables.</para>
<para><replaceable>timeelement</replaceable> may be:</para>
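Review bot: the `<term>` line at the top of this hunk spells the second occurrence `timelement` while the first is `timeelement`; since this listitem is being edited anyway, correct the typo so both match the `<replaceable>timeelement</replaceable>` used in the following para.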