diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml
new file mode 100644
index 000000000..1e12aa330
--- /dev/null
+++ b/manpages/shorewall-accounting.xml
@@ -0,0 +1,244 @@
+
+
+
+ shorewall-accounting
+
+ 5
+
+
+
+ accounting
+
+ Shorewall Accounting file
+
+
+
+
+ /etc/shorewall/accounting
+
+
+
+
+ Description
+
+ Accounting rules exist simply to count packets and bytes in
+ categories that you define in this file. You may display these rules and
+ their packet and byte counters using the shorewall show
+ accounting command.
+
+ The columns in the file are as follows.
+
+
+
+ ACTION
+
+
+ What to do when a matching packet is found.
+
+
+
+ COUNT
+
+
+ Simply count the match and continue with the next
+ rule
+
+
+
+
+ DONE
+
+
+ Count the match and don't attempt to match any other
+ accounting rules in the chain specified in the CHAIN column.
+
+
+
+
+ chain:COUNT
+
+
+ Where chain is the name of a chain.
+ Shorewall will create the chain automatically if it doesn't
+ already exist. Causes a jump to that chain. If :COUNT is included, a counting rule
+ matching this record will be added to
+ chain
+
+
+
+
+
+
+
+ CHAIN
+
+
+ The name of a chain. If specified as - the accounting chain is assumed. This is the
+ chain where the accounting rule is added. The chain will be created
+ if it doesn't already exist.
+
+
+
+
+ SOURCE
+
+
+ Packet Source.
+
+ The name of an interface, an address (host or net) or an
+ interface name followed by ":" and a host or net address.
+
+
+
+
+ DESTINATION
+
+
+ Packet Destination.
+
+ Format same as SOURCE
+ column.
+
+
+
+
+ PROTOCOL
+
+
+ A protocol name (from protocols(5)), a protocol number,
+ ipp2p, ipp2p:udp or ipp2p:all
+
+
+
+
+ DEST PORT(S)
+
+
+ Destination Port number. If the PROTOCOL is ipp2p then this column must contain an ipp2p
+ option ("iptables -m ipp2p --help") without the leading "--". If no
+ option is given in this column, "ipp2p" is assumed.
+
+ Service name from services(5) or port
+ number. May only be specified if the protocol is
+ tcp or udp (6 or 17).
+
+ You may place a comma-separated list of port numbers in this
+ column if your kernel and iptables include multiport match
+ support.
+
+
+
+
+ SOURCE PORT(S)
+
+
+ Source Port Service name from services(5) or port
+ number. May only be specified if the protocol is TCP or
+ UDP (6 or 17).
+
+ You may place a comma-separated list of port numbers in this
+ column if your kernel and iptables include multiport match
+ support.
+
+
+
+
+ USER/GROUP
+
+
+ This column may only be non-empty if the SOURCE is the firewall itself.
+
+ The column may contain:
+
+ [!][user name or number][:group
+ name or number][+program
+ name]
+
+ When this column is non-empty, the rule applies only if the
+ program generating the output is running under the effective
+ user and/or group
+ specified (or is NOT running under that id if "!" is given).
+
+ Examples:
+
+
+
+ joe
+
+
+ program must be run by joe
+
+
+
+
+ :kids
+
+
+ program must be run by a member of the 'kids'
+ group
+
+
+
+
+ !:kids
+
+
+ program must not be run by a member of the 'kids'
+ group
+
+
+
+
+ +upnpd
+
+
+ #program named upnpd
+
+
+ The ability to specify a program name was removed from
+ Netfilter in kernel version 2.6.14.
+
+
+
+
+
+
+
+
+ In all of the above columns except ACTION and CHAIN,
+ the values -, any and all may be
+ used as wildcards. Omitted trailing columns are also treated as
+ wildcards.
+
+
+
+ FILES
+
+ /etc/shorewall/accounting
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
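Review bot: The USER/GROUP example for a program name reads "#program named upnpd", with a stray "#" that the other three examples ("program must be run by joe", "program must be run by a member of the 'kids' group") do not carry; drop the "#" so it reads "program named upnpd". Since the next sentence says program-name matching was removed from Netfilter in 2.6.14, it would also help to say plainly that the "+program" form only works on older kernels, rather than leaving the reader to infer it. Two smaller points in the same hunk: in the DEST PORT(S) entry the ipp2p special case comes before the general "Service name from services(5) or port number" description, so swapping those two paragraphs would read more naturally, and the file ends without a trailing newline ("\ No newline at end of file"), which the other new files in this patch share and which should be fixed in all of them.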
diff --git a/manpages/shorewall-actions.xml b/manpages/shorewall-actions.xml
new file mode 100644
index 000000000..e2f00f468
--- /dev/null
+++ b/manpages/shorewall-actions.xml
@@ -0,0 +1,55 @@
+
+
+
+ shorewall-actions
+
+ 5
+
+
+
+ actions
+
+ Shorewall action declaration file
+
+
+
+
+ /etc/shorewall/actions
+
+
+
+
+ Description
+
+ This file allows you to define new ACTIONS for use in rules (see
+ shorewall-rules(5)). You define the iptables rules to be performed in an
+ ACTION in /etc/shorewall/action.action-name.
+
+ ACTION names should begin with an upper-case letter to distinguish
+ them from Shorewall-generated chain names and they must meet the
+ requirements of a Netfilter chain. If you intend to log from the action
+ then the name must be no longer than 11 character in length. Names must
+ also meet the requirements for a Bourne Shell identifier (must begin with
+ a letter and be composed of letters, digits and underscore
+ characters).
+
+
+
+ FILES
+
+ /etc/shorewall/actions
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
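Review bot: The Description never says what the actions file actually contains or how it is laid out, whereas shorewall-accounting.xml and shorewall-blacklist.xml in the same patch both state "The columns in the file are as follows." and then document each column; add the same column description here (at least the action-name column and what may follow it) so the page is usable as a reference rather than only a pointer to /etc/shorewall/action.action-name. Minor grammar on the length constraint: "no longer than 11 character in length" should be "no longer than 11 characters". The file also ends without a trailing newline.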
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml
new file mode 100644
index 000000000..5585e2d15
--- /dev/null
+++ b/manpages/shorewall-blacklist.xml
@@ -0,0 +1,128 @@
+
+
+
+ shorewall-blacklist
+
+ 5
+
+
+
+ blacklist
+
+ Shorewall Blacklist file
+
+
+
+
+ /etc/shorewall/blacklist
+
+
+
+
+ Description
+
+ The blacklist file is used to perform static blacklisting. You can
+ blacklist by source address (IP or MAC), or by application.
+
+ The columns in the file are as follows.
+
+
+
+ ADDRESS/SUBNET
+
+
+ Host address, network address, MAC address, IP address range
+ (if your kernel and iptables contain iprange match support) or ipset
+ name prefaced by "+" (i your kernel supports ipset match).
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+ A dash ("-") in this column means that any source address will
+ match. This is useful if you want to blacklist a particular
+ application.
+
+
+
+
+ PROTOCOL (Optional)
+
+
+ If specified, must be a protocol number or a protocol name
+ from protocols(5).
+
+
+
+
+ PORTS (Optional)
+
+
+ May only be specified if the protocol is TCP (6) or UDP (17).
+ A comma-separated list of destination port numbers or service names
+ from services(5).
+
+
+
+
+ When a packet arrives on an interface that has the blacklist option specified in
+ shorewall-interfaces(5), its source IP address and MAC address is checked
+ against this file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall.conf(5).
+ If PROTOCOL or PROTOCOL and PORTS
+ are supplied, only packets matching the protocol (and one of the ports if
+ PORTS supplied) are blocked.
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ To block DNS queries from address 192.0.2.126:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ 192.0.2.126 udp 53
+
+
+
+
+ Example 2:
+
+
+ To block some of the nuisance applicataion:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ - udp 1024:1033,1434
+ - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/blacklist
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
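Review bot: The PORTS column is documented as "A comma-separated list of destination port numbers or service names from services(5)", but Example 2 uses the range form "1024:1033" in "- udp 1024:1033,1434"; either document that low:high port ranges are accepted in that column or change the example so it matches the description. The example headers also say "#ADDRESS/SUBNET PROTOCOL PORT" while the column is named PORTS; make them agree. Typos in the same hunk: "(i your kernel supports ipset match)" should be "if your kernel supports ipset match", "nuisance applicataion" should be "nuisance applications", and "its source IP address and MAC address is checked" should be "are checked". The file ends without a trailing newline.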
diff --git a/manpages/shorewall-template.xml b/manpages/shorewall-template.xml
index 6f1b31a87..5585e2d15 100644
--- a/manpages/shorewall-template.xml
+++ b/manpages/shorewall-template.xml
@@ -1,62 +1,128 @@
- shorewall-
+ shorewall-blacklist
5
- file
+ blacklist
- Shorewall file
+ Shorewall Blacklist file
- /etc/shorewall/
+ /etc/shorewall/blacklist
Description
+ The blacklist file is used to perform static blacklisting. You can
+ blacklist by source address (IP or MAC), or by application.
+
The columns in the file are as follows.
- COLUMN 1
+ ADDRESS/SUBNET
-
+ Host address, network address, MAC address, IP address range
+ (if your kernel and iptables contain iprange match support) or ipset
+ name prefaced by "+" (i your kernel supports ipset match).
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+ A dash ("-") in this column means that any source address will
+ match. This is useful if you want to blacklist a particular
+ application.
+
+
+
+
+ PROTOCOL (Optional)
+
+
+ If specified, must be a protocol number or a protocol name
+ from protocols(5).
+
+
+
+
+ PORTS (Optional)
+
+
+ May only be specified if the protocol is TCP (6) or UDP (17).
+ A comma-separated list of destination port numbers or service names
+ from services(5).
+
+
+
+
+ When a packet arrives on an interface that has the blacklist option specified in
+ shorewall-interfaces(5), its source IP address and MAC address is checked
+ against this file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall.conf(5).
+ If PROTOCOL or PROTOCOL and PORTS
+ are supplied, only packets matching the protocol (and one of the ports if
+ PORTS supplied) are blocked.
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ To block DNS queries from address 192.0.2.126:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ 192.0.2.126 udp 53
+
+
+
+
+ Example 2:
+
+
+ To block some of the nuisance applicataion:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ - udp 1024:1033,1434
+ - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
-
- Example
-
-
-
-
FILES
- /etc/shorewall/
+ /etc/shorewall/blacklist
See ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
- shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
- shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
- shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
- shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
- shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
- shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
- shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
- shorewall-zones(5)
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
\ No newline at end of file
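Review bot: This hunk overwrites shorewall-template.xml with the full content of shorewall-blacklist.xml rather than editing the template: the resulting blob is the same one the new blacklist file is created with ("index 6f1b31a87..5585e2d15" here versus "index 000000000..5585e2d15" for manpages/shorewall-blacklist.xml), and the title, filename and FILES entries all become "blacklist". That looks like the blacklist page having been saved over the template by mistake, and it removes the placeholder "Example" section the template carried. Drop this hunk so the template keeps its placeholders ("shorewall-", "COLUMN 1", "/etc/shorewall/") and the blacklist content lives only in shorewall-blacklist.xml; if the intent really was to change the template, the "See ALSO" reordering and the removal of the empty Example section should be made on the template's own placeholder text.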