From bd5d4c21e62ed739ab2950ec8b2c1a09116bb9a6 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 2 Oct 2005 15:34:20 +0000 Subject: [PATCH] More 3.0 Doc updates -- Error Messages are not yet complete git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2771 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Actions.xml | 7 +- Shorewall-docs2/ErrorMessages.xml | 501 ++++++++++-------- Shorewall-docs2/bridge.xml | 13 +- .../starting_and_stopping_shorewall.xml | 8 +- 4 files changed, 286 insertions(+), 243 deletions(-) diff --git a/Shorewall-docs2/Actions.xml b/Shorewall-docs2/Actions.xml index bf0bad2c8..55b26a260 100644 --- a/Shorewall-docs2/Actions.xml +++ b/Shorewall-docs2/Actions.xml @@ -15,7 +15,7 @@ - 2005-09-12 + 2005-10-02 2005 @@ -159,6 +159,11 @@ Reject:REJECT #Common Action for REJECT policy
Defining your own Actions + Before defining a new action, you should evaluate whether your goal + can be best accomplished using an action or a + macro. See this + article for details. + To define a new action: diff --git a/Shorewall-docs2/ErrorMessages.xml b/Shorewall-docs2/ErrorMessages.xml index 7df03feb7..0b476228a 100644 --- a/Shorewall-docs2/ErrorMessages.xml +++ b/Shorewall-docs2/ErrorMessages.xml @@ -15,7 +15,7 @@ - 2005-04-10 + 2005-10-02 2004 
@@ -50,71 +50,100 @@ Some error messages are produced by the /sbin/shorewall utility. These messages are detailed in this section. - - - ERROR: <label> must specify a simple file name: - <name> + + + ERROR: <label> must specify a simple file name: + <name> - + This means that you have specified a restore file name with a "/". Restore files must be simple file names with no slashes. - - + + - - ERROR: Shorewall is not properly installed + + ERROR: Shorewall is not properly installed - + The files /usr/share/shorewall/firewall and/or /usr/share/shorewall/version do not exist. - - + + - - ERROR: <file name> exists and is not a saved - Shorewall configuration + + ERROR: <file name> exists and is not a saved Shorewall + configuration - + The named file in /var/lib/shorewall exists but is not executable. - - + + - - ERROR: Reserved file name: <file name> + + ERROR: Reserved file name: <file name> - + You have specified either save or restore-base as the name of a restore file -- those names are reserved for use by Shorewall. - - + + - - ERROR: Currently-running Configuration Not - Saved + + ERROR: Currently-running Configuration Not Saved - + During processing of a shorewall save command, the iptables-save command failed. - - + + - - ERROR: /var/lib/shorewall/restore-base does not - exist + + ERROR: /var/lib/shorewall/restore-base does not exist - + The shorewall start and shorewall restart commands create a file called /var/lib/shorewall/restore-base which forms the basis for creating a restore file using shorewall save. This error message is issued when shorewall save is not able to find that file. - - - + + + + + ERROR: The program specified in IPTABLES does not exist or is + not executable + + + The IPTABLES option in + /etc/shorewall/shorewall.conf specifies a file + that is not executable. + + + + + ERROR: Can't find iptables executable + + + There is no executable file named "iptables" in any directory + in $PATH. 
+ + + + + ERROR: The program specified in SHOREWALL_SHELL does not exist + or is not executable + + + The SHOREWALL_SHELL option in + /etc/shorewall/shorewall.conf names does not + name an executable file. + + +
@@ -125,141 +154,138 @@ and changing the Netfilter configuration. Some of the error messages generated by this program are listed below. - - - ERROR: Invalid zone definition for zone - <zone> + + + ERROR: Invalid zone definition for zone <zone> - + The zone named in the message is defined to be associated with an interface in /etc/shorewall/interfaces yet it also has an entry for that same interface in /etc/shorewall/hosts. - - + + - - ERROR: Invalid zone (<zone>) in record - "<record>" + + ERROR: Invalid zone (<zone>) in record + "<record>" - + The zone named in the ZONE column of the listed record from /etc/shorewall/interfaces or /etc/shorewall/hosts is not defined in /etc/shorewall/zones. - - + + - - ERROR: Duplicate Interface <interface> + + ERROR: Duplicate Interface <interface> - + The named interface has two entries in /etc/shorewall/interfaces. - - + + - - ERROR: Invalid Interface Name: - <interface> + + ERROR: Invalid Interface Name: <interface> - + The interface name contains a colon (":") or is "+". If the name includes a ":", you probably need to read this article. - - + + - - ERROR: Unknown interface (<interface>) in record - "<record>" + + ERROR: Unknown interface (<interface>) in record + "<record>" - + The <interface> name listed in the <record> from /etc/shorewall/hosts was not defined in /etc/shorewall/interfaces. - - + + - - ERROR: Bridged interfaces may not be defined in - /etc/shorewall/interfaces: - <interface>[:<address>] + + ERROR: Bridged interfaces may not be defined in + /etc/shorewall/interfaces: <interface>[:<address>] - + The named interface appears in /etc/shorewall/hosts and appears as a bridge port (after a colon) but is also defined in /etc/shorewall/interfaces. 
- - + + - - ERROR: Your kernel and/or iptables does not support policy - match: ipsec + + ERROR: Your kernel and/or iptables does not support policy + match: ipsec - + You have specified the ipsec option in an /etc/shorewall/hosts record but your kernel and/or iptables is missing policy match support. That support in turn requires a set of ipsec-netfilter patches in order to work correctly. - - + + - - ERROR: Undefined zone <zone> + + ERROR: Undefined zone <zone> - + The named zone appears in the /etc/shorewall/policy file but not in the /etc/shorewall/zones file. - - + + - - ERROR: Can't determine the IP address of - <interface> + + ERROR: Can't determine the IP address of + <interface> - + You have specified DETECT_DNAT_ADDRS=Yes in /etc/shorewall/shorewall.conf and Shorewall is unablee to determine the IP address of the named <interface>. Be sure that the interface is started before starting Shorewall or set DETECT_DNAT_ADDRS=No. - - + + - - ERROR: Invalid gateway zone (<zone>) -- Tunnel - "<record> + + ERROR: Invalid gateway zone (<zone>) -- Tunnel + "<record> - + The listed <zone> name appears in the GATEWAY ZONE column of the listed <record> from /etc/shorewall/tunnels but is not defined in /etc/shorewall/zones. - - + + - - ERROR: Your kernel and/or iptables does not support policy - match + + ERROR: Your kernel and/or iptables does not support policy + match - + Your /etc/shorewall/ipsec file is non-empty but your kernel and/or iptables do not include policy match support. That support in turn requires a set of ipsec-netfilter patches in order to work correctly. - - + + - - ERROR: No hosts on <interface> have the maclist - option specified + + ERROR: No hosts on <interface> have the maclist option + specified - + The named <interface> appears in a record in /etc/shorewall/maclist yet that interface's record in /etc/shorewall/interfaces 
@@ -267,131 +293,130 @@ and no record in /etc/shorewall/hosts that names that interface includes the maclist option. - - + + - - ERROR: Interface <interface> must be up before - Shorewall can start + + ERROR: Interface <interface> must be up before Shorewall + can start - + You have specified the maclist option for this interface but the command ip list show <interface> fails. - - + + - - ERROR: Unknown interface <interface> + + ERROR: Unknown interface <interface> - + The interface appears in a configuration file but is not defined in /etc/shorewall/interfaces. - - + + - - ERROR: BRIDGING=Yes requires Physdev Match support in your - Kernel and iptables + + ERROR: BRIDGING=Yes requires Physdev Match support in your + Kernel and iptables - + You have set BRIDGING=Yes in /etc/shorewall/shorewall.conf but it appears that your kernel and/or iptables do not have physdev match support. - - + + - - ERROR: Unknown interface <interface> in rule: - "<rule>" + + ERROR: Unknown interface <interface> in rule: + "<rule>" - + You have BRIDGING=No in /etc/shorewall/shorewall.conf and the <interface> given in a rule does not match an entry in /etc/shorewall/interfaces. - - + + - - ERROR: SNAT may no longer be specified in a DNAT rule; use - /etc/shorewall/masq instead + + ERROR: SNAT may no longer be specified in a DNAT rule; use + /etc/shorewall/masq instead - + In earlier Shorewall versions, the ORIGINAL DEST column allowed following the original destination IP address with ":" and an address to use as the source of the forwarded connection request. Now that /etc/shorewall/masq supports qualification of SNAT rules by protocol and port, this feature is no longer required and has been deimplemented. - - + + - - ERROR: "Invalid Source in rule "<rule>" + + ERROR: "Invalid Source in rule "<rule>" - + The SOURCE column has the firewall zone name immediately followed by "!". This syntax is use to exclude a subzone and Shorewall currently doesn't support subzones of the firewall zone. 
- - + + - - ERROR: Rule "<rule>" - Destination may not be - specified by MAC Address + + ERROR: Rule "<rule>" - Destination may not be specified by + MAC Address - + Netfilter (and hence Shorewall) does not allow qualification of a rule by destination source IP address. - - + + - - ERROR: Destination interface not allowed with - <action> + + ERROR: Destination interface not allowed with + <action> - + The named <action> will be ACCEPT+ or NONAT. These actions are inforced in part in the PREROUTING nat chain where the destination interface is not yet known (because the packet has not yet been routed). As a result, the DESTINATION column may not contain an interface name. - - + + - - ERROR: Only DNAT and REDIRECT rules may specify destination - mapping; rule "<rule>" + + ERROR: Only DNAT and REDIRECT rules may specify destination + mapping; rule "<rule>" - + The <rule> specifies a server address that is different from the ORIGINAL DEST address and/or it specifies a server port that is different from the destination port but the ACTION is neither DNAT[-] nor REJECT[-]. - - + + - - ERROR: Empty source zone or qualifier: rule - "<rule>" + + ERROR: Empty source zone or qualifier: rule + "<rule>" - + The SOURCE column is of one of the forms <zone>:, :<qualifier> or :. - - + + - - ERROR: Exclude list only allowed with DNAT or - REDIRECT + + ERROR: Exclude list only allowed with DNAT or REDIRECT - + In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the form <zone>:<net1>!<net2>. 
@@ -399,78 +424,76 @@ <zone> zone except for <net2>. This syntax is not available with other ACTIONs. - - + + - - ERROR: Invalid use of a user-qualification: rule - "<rule>" + + ERROR: Invalid use of a user-qualification: rule + "<rule>" - + The USER/GROUP column may only have and entry if the SOURCE is the firewall zone. - - + + - - ERROR: Empty destination zone or qualifier: rule - "<rule>" + + ERROR: Empty destination zone or qualifier: rule + "<rule>" - + The DEST column is of one of the forms <zone>:, :<qualifier> or :. - - + + - - ERROR: Undefined Client Zone in rule - "<rule>" + + ERROR: Undefined Client Zone in rule "<rule>" - + The zone given in the SOURCE column was not defined in /etc/shorewall/zones. - - + + - - ERROR: Undefined Server Zone in rule - "<rule>" + + ERROR: Undefined Server Zone in rule "<rule>" - + The zone given in the DEST column was not defined in /etc/shorewall/zones. - - + + - - ERROR: Rules may not override a NONE policy: rule - "<rule>" + + ERROR: Rules may not override a NONE policy: rule + "<rule>" - + If the policy from zone z1 to zone z2 is NONE that means that Shorewall sets up no infrastructure to handle traffic from z1 to z2. Consequently, you cannot have any rules that control traffic from z1 to z2. - - + + - - ERROR: Invalid Action in rule "<rule>" + + ERROR: Invalid Action in rule "<rule>" - + The ACTION column contains an action that is not one of the built-in actions and it is not defined in /etc/shorewall/actions or in /usr/share/shorewall/actions.std. - - + + - - ERROR: Unable to determine the routes through interface - <interface> + + ERROR: Unable to determine the routes through interface + <interface> - + You have specified <interface> in the SUBNET column of /etc/shorewall/masq which means that Shorewall is supposed to determine the network(s) routed 
@@ -479,21 +502,21 @@ failed. This usually means that you are trying to start Shorewall before the <interface> is brought up. - - + + - - ERROR: No appropriate chain for zone <z1> to zone - <z2> + + ERROR: No appropriate chain for zone <z1> to zone + <z2> - + There is no policy defined in /etc/shorewall/policy for connections from zone <z1> to zone <z2>. - - - + + +
@@ -502,31 +525,41 @@ This sections describes some of the more common warnings generated by Shorewall. - - - Warning: default route ignored on interface - <interface> + + + Warning: default route ignored on interface + <interface> - + This means that the interface named in the SUBNET column of /etc/shorewall/masq has the default route. This almost always means that you have the contents of the INTERFACE and SUBNET columns reversed. - - + + - - Warning: Zone <zone> is empty + + Warning: Zone <zone> is empty - + This warning alerts you to the fact tha <zone> is defined in /etc/shorewall/zones but has no corresponding entries in /etc/shorewall/interfaces or in /etc/shorewall/hosts. - - - + + + + + WARNING: Shorewall startup is disabled. To enable startup, set + STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf + + + If you need help understanding that warning message then you + probably need to take up another hobby or line of work. + + +
diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml index 3a226de50..8e67690a4 100755 --- a/Shorewall-docs2/bridge.xml +++ b/Shorewall-docs2/bridge.xml @@ -15,7 +15,7 @@ - 2005-09-30 + 2005-10-02 2004 @@ -69,8 +69,13 @@ - A router cannot forward broadcast packets while a bridge - can. + In most configurations, routers don't forward broadcast packets + while a bridges do. + + + Section 4 of RFC 1812 describes the conditions under which a + router may or must forward broadcasts. +
@@ -172,7 +177,7 @@ configuration information may be found at http://bridge.sf.net. - Unfortunately, Linux distributions don't have good bridge + Unfortunately, many Linux distributions don't have good bridge configuration tools and the network configuration GUIs don't detect the presence of bridge devices. Here is an excerpt from a Debian /etc/network/interfaces file for a two-port bridge diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml index 06eca7e4d..551abe99a 100644 --- a/Shorewall-docs2/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2005-09-11 + 2005-10-04 2004 @@ -222,7 +222,7 @@ Shorewall startup is disabled by default. Once you have configured your firewall, you can enable startup by editing /etc/shorewall/shorewall.conf and setting - STARTUP_ENABLED=Yes.. Note: Users of the .deb package must also + STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather edit /etc/default/shorewall and set startup=1. @@ -343,8 +343,8 @@ CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall - The above is the setting that I use and it allows me to place all of - my user-defined 'action.' files in The above is the setting that I once used to allow me to place all + of my user-defined 'action.' files in /etc/shorewall/actiondir.
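Review bot: In ErrorMessages.xml, hunk @@ -50,71 +50,100 @@, the new SHOREWALL_SHELL entry has a doubled verb: "The SHOREWALL_SHELL option in /etc/shorewall/shorewall.conf names does not name an executable file." Drop "names" so it reads "...shorewall.conf does not name an executable file." It would also help to word it the same way as the IPTABLES entry directly above it ("specifies a file that is not executable"), since the two messages are parallel.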
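Review bot: In ErrorMessages.xml, hunk @@ -125,141 +154,138 @@, the "Can't determine the IP address" entry still reads "Shorewall is unablee to determine the IP address"; since the whole entry is being re-indented in this hunk, fix "unablee" to "unable" in the same change.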
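Review bot: In ErrorMessages.xml, hunk @@ -267,131 +293,130 @@, two explanations contradict their own error text and are being rewritten here anyway. Under "Only DNAT and REDIRECT rules may specify destination mapping" the explanation ends "the ACTION is neither DNAT[-] nor REJECT[-]"; that should be REDIRECT[-], otherwise the reader is told that REJECT rules may carry a server address. Under "Destination may not be specified by MAC Address" the explanation says Netfilter does not allow "qualification of a rule by destination source IP address"; it should say destination MAC address, which is what the message is about. Smaller items in the same hunk: "inforced" for "enforced", and "This syntax is use to exclude" for "is used to exclude". The "Interface <interface> must be up" entry also cites "ip list show <interface>"; please confirm that command, since ip expects the object first (ip link show <interface> or ip addr show <interface>).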
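Review bot: In ErrorMessages.xml, hunk @@ -399,78 +424,76 @@, "The USER/GROUP column may only have and entry if the SOURCE is the firewall zone." should read "an entry".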
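Review bot: In ErrorMessages.xml, hunk @@ -502,31 +525,41 @@, the new STARTUP_ENABLED warning entry gives no actual explanation, and the "another hobby" line will not help the .deb users this same patch singles out in starting_and_stopping_shorewall.xml ("Users of the .deb package must rather edit /etc/default/shorewall and set startup=1"). Suggest stating the cause (startup is disabled by default until STARTUP_ENABLED=Yes is set) and pointing .deb users to /etc/default/shorewall, since for them the instruction in the warning text alone is not enough. The "Zone <zone> is empty" entry in the same hunk has "tha <zone>" for "that <zone>".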
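Review bot: In bridge.xml, hunk @@ -69,8 +69,13 @@, the replacement sentence has a grammar slip: "routers don't forward broadcast packets while a bridges do" should be "while bridges do". The new RFC 1812 paragraph is a useful addition; consider naming the specific subsection that covers broadcast forwarding so readers do not have to search all of section 4.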
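Review bot: In starting_and_stopping_shorewall.xml, hunk @@ -15,7 +15,7 @@, the updated date is 2005-10-04, while the commit is dated Sun, 2 Oct 2005 and the other three files in this patch are set to 2005-10-02. Either this is a typo for 2005-10-02 or the file was edited separately; please make the dates consistent.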
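Review bot: In starting_and_stopping_shorewall.xml, hunk @@ -222,7 +222,7 @@, the changed line keeps the stray double period in "STARTUP_ENABLED=Yes.." on both the old and new sides; fix it while the line is being edited. "must rather edit" also reads awkwardly; "must instead edit /etc/default/shorewall and set startup=1" says the same thing more plainly.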