forked from extern/shorewall_code
Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code
commit
bf26c1790c
@ -50,7 +50,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<para>The new structure is enabled by sectioning the accounting file in a
|
||||
manner similar to the <ulink url="manpages/shorewall-rules.html">rules
|
||||
manner similar to the <ulink url="/manpages/shorewall-rules.html">rules
|
||||
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
|
||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
||||
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
||||
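Review bot: The replacement url="/manpages/shorewall-rules.html" is root-relative, so it only resolves when the rendered page is served from the site root. The earlier value, manpages/shorewall-rules.html, resolved relative to the document itself. A locally installed or mirrored copy of the HTML will lose this link unless the build rewrites it, so please confirm that it does, or keep a document-relative path for pages that ship in packages.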
@ -295,7 +295,7 @@
|
||||
the iptaccount utility are only available when <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
|
||||
is installed. See <ulink
|
||||
url="http://www.shorewall.net/Accounting.html#perIP">http://www.shorewall.net/Accounting.html#perIP</ulink>
|
||||
url="/Accounting.html#perIP">http://www.shorewall.net/Accounting.html#perIP</ulink>
|
||||
for additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -788,14 +788,14 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
|
||||
url="/Accounting.html">http://www.shorewall.net/Accounting.html
|
||||
</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
|
||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
|
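Review bot: In the three See ALSO links, the url attribute becomes host-less (for example url="/Accounting.html") while the visible link text is rewritten to a fixed http://www.shorewall.net/... address. On any host other than www.shorewall.net the displayed URL and the actual destination will differ. Either keep the absolute URL in the attribute as well or make the link text host-neutral. The unchanged context line also still reads shorewall_interfaces(5) with an underscore, which could be corrected to shorewall-interfaces(5) while these lines are being touched.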
@ -24,7 +24,7 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file allows you to define new ACTIONS for use in rules (see
|
||||
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
|
||||
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>). You define
|
||||
the iptables rules to be performed in an ACTION in
|
||||
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
|
||||
|
||||
@ -58,7 +58,7 @@
|
||||
target that is supported by your iptables but is not directly
|
||||
supported by Shorewall. The action may be used as the rule
|
||||
target in an INLINE rule in <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
|
||||
in which the <emphasis role="bold">builtin</emphasis> can be
|
||||
@ -147,7 +147,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
|
||||
url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
|
||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
|
@ -44,7 +44,7 @@
|
||||
(if your kernel and iptables contain iprange match support) or ipset
|
||||
name prefaced by "+" (if your kernel supports ipset match).
|
||||
Exclusion (<ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
|
||||
supported.</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
@ -98,7 +98,7 @@
|
||||
interface that has the 'blacklist' option set. So to block traffic
|
||||
from your local network to an internet host, you had to specify
|
||||
<option>blacklist</option> on your internal interface in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
</note>
|
||||
|
||||
@ -106,7 +106,7 @@
|
||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||
<ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5):</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -182,10 +182,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
|
@ -27,13 +27,13 @@
|
||||
|
||||
<para>Rules in this file are applied depending on the setting of
|
||||
BLACKLISTNEWONLY in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
||||
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
||||
connections in the NEW and INVALID states.</para>
|
||||
|
||||
<para>The format of rules in this file is the same as the format of rules
|
||||
in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
|
||||
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>. The
|
||||
difference in the two files lies in the ACTION (first) column.</para>
|
||||
|
||||
<variablelist>
|
||||
@ -69,7 +69,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then
|
||||
the macro expands to <emphasis
|
||||
role="bold">blacklog</emphasis>.</para>
|
||||
</listitem>
|
||||
@ -77,7 +77,7 @@
|
||||
<listitem>
|
||||
<para>Otherwise it expands to the action specified for
|
||||
BLACKLIST_DISPOSITION in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
@ -88,10 +88,10 @@
|
||||
|
||||
<listitem>
|
||||
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf </ulink>(5).
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5).
|
||||
Logs, audits (if specified) and applies the
|
||||
BLACKLIST_DISPOSITION specified in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -166,7 +166,7 @@
|
||||
<listitem>
|
||||
<para>queues matching packets to a back end logging daemon via
|
||||
a netlink socket then continues to the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
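Review bot: The rewritten attribute url="/shorewall.logging.html" keeps the dot from the old value, but the link text on the same line and the See ALSO link in the accounting hunk both use shorewall_logging.html with an underscore. As written the link target and its visible text name different files. Suggest url="/shorewall_logging.html".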
@ -205,7 +205,7 @@
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
in /usr/share/shorewall/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -237,7 +237,7 @@
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
/usr/share/shorewall/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -267,13 +267,13 @@
|
||||
<para>Actions specifying logging may be followed by a log tag (a
|
||||
string of alphanumeric characters) which is appended to the string
|
||||
generated by the LOGPREFIX (in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>For the remaining columns, see <ulink
|
||||
url="shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@ -313,10 +313,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
|
||||
|
@ -266,7 +266,7 @@
|
||||
|
||||
<para>This error message may be eliminated by adding
|
||||
<replaceable>target</replaceable> as a builtin action in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -344,7 +344,7 @@
|
||||
<replaceable>interface</replaceable> is an interface to that zone,
|
||||
and <replaceable>address-list</replaceable> is a comma-separated
|
||||
list of addresses (may contain exclusion - see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
(5)).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
||||
@ -365,7 +365,7 @@
|
||||
<para>Where <replaceable>interface</replaceable> is an interface to
|
||||
that zone, and <replaceable>address-list</replaceable> is a
|
||||
comma-separated list of addresses (may contain exclusion - see
|
||||
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
(5)).</para>
|
||||
|
||||
<para>COMMENT is only allowed in format 1; the remainder of the line
|
||||
@ -381,7 +381,7 @@
|
||||
<listitem>
|
||||
<para>where <replaceable>address-list</replaceable> is a
|
||||
comma-separated list of addresses (may contain exclusion - see
|
||||
<ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
|
||||
<ulink url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -532,7 +532,7 @@ DROP:PO - 1.2.3.4
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -88,7 +88,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
|
||||
<para>In most contexts, ipset names can be used as an
|
||||
<replaceable>address-or-range</replaceable>. Beginning with Shorewall
|
||||
4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
|
||||
url="shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
|
||||
url="/manpages/shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
|
||||
of these lists when used in an exclusion are as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
@ -29,7 +29,7 @@
|
||||
|
||||
<para>The order of entries in this file is not significant in determining
|
||||
zone composition. Rather, the order that the zones are declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
|
||||
in which the records in this file are interpreted.</para>
|
||||
|
||||
<warning>
|
||||
@ -39,7 +39,7 @@
|
||||
|
||||
<warning>
|
||||
<para>If you have an entry for a zone and interface in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
|
||||
not include any entries in this file for that same (zone, interface)
|
||||
pair.</para>
|
||||
</warning>
|
||||
@ -53,7 +53,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name of a zone declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). You may not
|
||||
list the firewall zone in this column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -67,7 +67,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name of an interface defined in the <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
|
||||
followed by a colon (":") and a comma-separated list whose elements
|
||||
are either:</para>
|
||||
|
||||
@ -102,7 +102,7 @@
|
||||
<blockquote>
|
||||
<para>You may also exclude certain hosts through use of an
|
||||
<emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
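Review bot: The parenthesis opened at "(see <ulink" is never closed on the rewritten line, which ends with shorewall-exclusion</ulink>(5).</para>. The other exclusion references in this patch close it as "(5))". Since the line is being changed anyway, end it with (5)).</para>.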
@ -123,7 +123,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Check packets arriving on this port against the <ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -145,7 +145,7 @@
|
||||
<listitem>
|
||||
<para>The zone does not have an entry for this interface
|
||||
in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
@ -169,7 +169,7 @@
|
||||
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
||||
that if the zone named in the ZONE column is specified as an
|
||||
IPSEC zone in the <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5) file
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5) file
|
||||
then you do NOT need to specify the 'ipsec' option
|
||||
here.</para>
|
||||
</listitem>
|
||||
@ -181,7 +181,7 @@
|
||||
<listitem>
|
||||
<para>Connection requests from these hosts are compared
|
||||
against the contents of <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an Ethernet
|
||||
NIC or equivalent and must be up before Shorewall is
|
||||
started.</para>
|
||||
@ -212,7 +212,7 @@
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -274,7 +274,7 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
|
@ -145,8 +145,8 @@
|
||||
|
||||
<para>On a laptop with both Ethernet and wireless interfaces, you will
|
||||
want to make both interfaces optional and set the REQUIRE_INTERFACE option
|
||||
to Yes in <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5) or
|
||||
<ulink url="../Manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf </ulink>(5) or
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5). This causes the firewall to remain stopped until at least one of the
|
||||
interfaces comes up.</para>
|
||||
</refsect1>
|
||||
|
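Review bot: The second link changes the directory case as well as the path form, from ../Manpages6/shorewall6.conf.html to /manpages6/shorewall6.conf.html. On a case-sensitive web server these are different locations, so please confirm that the published directory is really the lowercase manpages6. The first link also still carries a trailing space inside the link text ("shorewall.conf </ulink>"), which could be trimmed here.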
@ -71,7 +71,7 @@
|
||||
in this column.</para>
|
||||
|
||||
<para>If the interface serves multiple zones that will be defined in
|
||||
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
the <ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
||||
file, you should place "-" in this column.</para>
|
||||
|
||||
<para>If there are multiple interfaces to the same zone, you must
|
||||
@ -97,7 +97,7 @@ loc eth2 -</programlisting>
|
||||
<para>Logical name of interface. Each interface may be listed only
|
||||
once in this file. You may NOT specify the name of a "virtual"
|
||||
interface (e.g., eth0:0) here; see <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
||||
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
||||
If the <option>physical</option> option is not specified, then the
|
||||
logical name is also the name of the actual interface.</para>
|
||||
|
||||
@ -111,7 +111,7 @@ loc eth2 -</programlisting>
|
||||
<para>When using Shorewall versions before 4.1.4, care must be
|
||||
exercised when using wildcards where there is another zone that uses
|
||||
a matching specific interface. See <ulink
|
||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
||||
discussion of this problem.</para>
|
||||
|
||||
<para>Shorewall allows '+' as an interface name.</para>
|
||||
@ -154,7 +154,7 @@ loc eth2 -</programlisting>
|
||||
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
|
||||
'lo' interface, then that zone must be defined as type
|
||||
<option>local</option> in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
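Review bot: The rewritten link points to /manpages6/shorewall6-zones.html, whereas the hunk at -279,7 links its zones reference to /manpages/shorewall-zones.html and the surrounding text speaks of Shorewall 4.5.17 rather than Shorewall6. This looks like a leftover from the Shorewall6 copy of the page that the patch now hard-wires into the manpages6 tree. If this is the IPv4 page, use url="/manpages/shorewall-zones.html" with link text shorewall-zones.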
@ -268,7 +268,7 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Checks packets arriving on this interface against the
|
||||
<ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.13:</para>
|
||||
@ -279,7 +279,7 @@ loc eth2 -</programlisting>
|
||||
ZONES column, then the behavior is as if <emphasis
|
||||
role="bold">blacklist</emphasis> had been specified in the
|
||||
IN_OPTIONS column of <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -348,7 +348,7 @@ loc eth2 -</programlisting>
|
||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||
firewall/bridging</ulink>, then you need to include
|
||||
DHCP-specific rules in <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
DHCP uses UDP ports 67 and 68.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
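Review bot: The first context line of this hunk still has url="../bridge-Shorewall-perl.html", a document-relative path, while the shorewall-rules link two lines below is converted to a root-relative one. The same page is linked as /bridge-Shorewall-perl.html#Multiple in the hunk at -527,7, so this one should be converted as well for consistency. The changed line also keeps the section number as shorewall-rules</ulink>(8), where every other reference in the patch uses (5).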
@ -421,7 +421,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<blockquote>
|
||||
<para>This option may also be enabled globally in the <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
file.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
@ -433,7 +433,7 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Connection requests from this interface are compared
|
||||
against the contents of <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an Ethernet
|
||||
NIC and must be up before Shorewall is started.</para>
|
||||
</listitem>
|
||||
@ -472,7 +472,7 @@ loc eth2 -</programlisting>
|
||||
<para>Defines the zone as <firstterm>dynamic</firstterm>.
|
||||
Requires ipset match support in your iptables and kernel. See
|
||||
<ulink
|
||||
url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
||||
url="/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
||||
for further information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -486,7 +486,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -527,7 +527,7 @@ loc eth2 -</programlisting>
|
||||
refers to the name given in this option. It is useful when you
|
||||
want to specify the same wildcard port name on two or more
|
||||
bridges. See <ulink
|
||||
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
||||
url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
||||
|
||||
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
||||
name (ends with '+'), then the physical
|
||||
@ -547,7 +547,7 @@ loc eth2 -</programlisting>
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
||||
Do NOT use this option if you are employing Proxy ARP through
|
||||
entries in <ulink
|
||||
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
||||
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
||||
This option is intended solely for use with Proxy ARP
|
||||
sub-networking as described at: <ulink
|
||||
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
||||
@ -626,12 +626,12 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>This option can also be enabled globally via the
|
||||
ROUTE_FILTER option in the <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<important>
|
||||
<para>If ROUTE_FILTER=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), or if
|
||||
your distribution sets net.ipv4.conf.all.rp_filter=1 in
|
||||
<filename>/etc/sysctl.conf</filename>, then setting
|
||||
<emphasis role="bold">routefilter</emphasis>=0 in an
|
||||
@ -653,14 +653,14 @@ loc eth2 -</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If USE_DEFAULT_RT=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||
the interface is listed in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If there is an entry for the interface in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5)
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5)
|
||||
that doesn't specify the <option>balance</option>
|
||||
option.</para>
|
||||
</listitem>
|
||||
@ -800,7 +800,7 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Incoming requests from this interface may be remapped
|
||||
via UPNP (upnpd). See <ulink
|
||||
url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
|
||||
url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -915,7 +915,7 @@ net ppp0 -</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
|
||||
|
@ -79,7 +79,7 @@
|
||||
specified, matching packets must match all of the listed sets.</para>
|
||||
|
||||
<para>For information about set lists and exclusion, see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||
|
@ -27,8 +27,8 @@
|
||||
associated IP addresses to be allowed to use the specified interface. The
|
||||
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
|
||||
option in the <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
|
||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
|
||||
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
|
||||
file.</para>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
@ -45,7 +45,7 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
||||
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
|
||||
also allowed). If specified, the
|
||||
<replaceable>log-level</replaceable> causes packets matching the
|
||||
rule to be logged at that level.</para>
|
||||
@ -101,10 +101,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
|
||||
url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -24,13 +24,13 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
||||
replace <ulink url="shorewall-mangle.html">shorewall-rules(5)</ulink>.
|
||||
replace <ulink url="/manpages/shorewall-mangle.html">shorewall-rules(5)</ulink>.
|
||||
This file is only processed by the compiler if:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>); or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
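Review bot: The first rewritten link has a url and link text that disagree: url="/manpages/shorewall-mangle.html" with text shorewall-rules(5). The sentence says this file replaces another one, and the list item below refers to a file named 'tcrules', so a link to the mangle page itself is unlikely to be what was meant. Please confirm the intended target and make the attribute and the text name the same page, rather than carrying the mismatch over to the new path.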
@ -44,14 +44,14 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final mark for
|
||||
each packet will be the one assigned by the LAST tcrule that
|
||||
matches.</para>
|
||||
|
||||
<para>If you use multiple internet providers with the 'track' option, in
|
||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
@ -104,7 +104,7 @@
|
||||
<para>Unless otherwise specified for the particular
|
||||
<replaceable>command</replaceable>, the default chain is PREROUTING
|
||||
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and FORWARD
|
||||
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
@ -159,11 +159,11 @@
|
||||
<para>When using Shorewall's built-in traffic shaping tool,
|
||||
the <emphasis>major</emphasis> class is the device number (the
|
||||
first device in <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
is major class 1, the second device is major class 2, and so
|
||||
on) and the <emphasis>minor</emphasis> class is the class's
|
||||
MARK value in <ulink
|
||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
||||
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
||||
preceded by the number 1 (MARK 1 corresponds to minor class
|
||||
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
|
||||
to minor class 122, etc.).</para>
|
||||
@ -297,7 +297,7 @@
|
||||
specified at the end of the rule. If the target is not one
|
||||
known to Shorewall, then it must be defined as a builtin
|
||||
action in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The following rules are equivalent:</para>
|
||||
@ -310,7 +310,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||
third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
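Review bot: in the INLINE_MATCHES paragraph the link text still reads shorewall6.conf(5) while the target is now /manpages/shorewall.conf.html, so the printed reference and the link disagree. Since this line is being edited anyway, either change the text to shorewall.conf(5) or point the url at the shorewall6.conf page, whichever this manpage is meant to cite.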
@ -443,7 +443,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
<para>This error message may be eliminated by adding the
|
||||
<replaceable>target</replaceable> as a builtin action in
|
||||
<ulink
|
||||
url="shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -485,7 +485,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||
equal proportions. If no mask is specified, then ( 2 **
|
||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -586,7 +586,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<listitem>
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a tproxy provider to be defined in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - neither is
|
||||
required:</para>
|
||||
@ -712,7 +712,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -749,7 +749,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -784,7 +784,7 @@ Normal-Service => 0x00</programlisting>
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -1177,16 +1177,16 @@ Normal-Service => 0x00</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||
|
@ -35,9 +35,9 @@
|
||||
<para>If you have more than one ISP link, adding entries to this file
|
||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||
through a particular link. You must use entries in <ulink
|
||||
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
||||
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
||||
entries in <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
|
||||
that.</para>
|
||||
</warning>
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
|
||||
comma-separated list of interface names. This is usually your
|
||||
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
|
||||
and a <emphasis>digit</emphasis> to indicate that you want the alias
|
||||
added with that name (e.g., eth0:0). This will allow the alias to be
|
||||
displayed with ifconfig. <emphasis role="bold">That is the only use
|
||||
@ -63,17 +63,17 @@
|
||||
Shorewall configuration.</emphasis></para>
|
||||
|
||||
<para>Each interface must match an entry in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
|
||||
<para>Where <ulink
|
||||
url="http://www.shorewall.net/4.4/MultiISP.html#Shared">more that
|
||||
url="/4.4/MultiISP.html#Shared">more that
|
||||
one internet provider share a single interface</ulink>, the provider
|
||||
is specified by including the provider name or number in
|
||||
parentheses:</para>
|
||||
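Review bot: the shared-interface link keeps the version-pinned path, url="/4.4/MultiISP.html#Shared", whereas the other MultiISP links touched by this change use the unversioned /MultiISP.html. Unless the #Shared anchor exists only in the 4.4 copy, drop the /4.4 prefix so this link does not go stale with that documentation tree. The link text on the same line also reads "more that one internet provider"; it should be "more than one".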
@ -88,7 +88,7 @@
|
||||
addresses to indicate that you only want to change the source IP
|
||||
address for packets being sent to those particular destinations.
|
||||
Exclusion is allowed (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
||||
are ipset names preceded by a plus sign '+';</para>
|
||||
|
||||
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
|
||||
@ -99,7 +99,7 @@
|
||||
|
||||
<para>Normally Masq/SNAT rules are evaluated after those for
|
||||
one-to-one NAT (defined in <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
|
||||
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
|
||||
rule to be applied before one-to-one NAT rules, prefix the interface
|
||||
name with "+":</para>
|
||||
|
||||
@ -109,7 +109,7 @@
|
||||
|
||||
<para>This feature should only be required if you need to insert
|
||||
rules in this file that preempt entries in <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
|
||||
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
|
||||
|
||||
<para>Comments may be attached to Netfilter rules generated from
|
||||
entries in this file through the use of COMMENT lines. These lines
|
||||
@ -174,7 +174,7 @@
|
||||
<listitem>
|
||||
<para>If you specify an address here, SNAT will be used and this
|
||||
will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
|
||||
in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) then
|
||||
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
|
||||
Shorewall will automatically add this address to the INTERFACE named
|
||||
in the first column.</para>
|
||||
|
||||
@ -689,7 +689,7 @@
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then these
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then these
|
||||
rules may be specified as follows:</para>
|
||||
|
||||
<programlisting>/etc/shorewall/masq:
|
||||
@ -713,7 +713,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
|
||||
|
@ -32,7 +32,7 @@
|
||||
|
||||
<para>The <filename>modules</filename> file is used when
|
||||
LOAD_HELPERS_ONLY=No in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(8); the
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8); the
|
||||
<filename>helpers</filename> file is used when
|
||||
LOAD_HELPERS_ONLY=Yes</para>
|
||||
|
||||
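Review bot: the edited reference renders as shorewall.conf(8), but the rest of this change cites shorewall.conf as section 5. The url is being rewritten on this very line, so correct the section number after </ulink> to (5) here and on the MODULESDIR/MODULE_SUFFIX reference in the next hunk.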
@ -50,7 +50,7 @@
|
||||
<para>The <replaceable>modulename</replaceable> names a kernel module
|
||||
(without suffix). Shorewall will search for modules based on your
|
||||
MODULESDIR and MODULE_SUFFIX settings in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(8). The
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
|
||||
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
|
||||
installed) or to insmod.</para>
|
||||
|
||||
|
@ -29,9 +29,9 @@
|
||||
<warning>
|
||||
<para>If all you want to do is simple port forwarding, do NOT use this
|
||||
file. See <ulink
|
||||
url="../FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
|
||||
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.
|
||||
Also, in many cases, Proxy ARP (<ulink
|
||||
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
|
||||
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) is a better
|
||||
solution that one-to-one NAT.</para>
|
||||
</warning>
|
||||
|
||||
@ -72,7 +72,7 @@
|
||||
<listitem>
|
||||
<para>Interfaces that have the <emphasis
|
||||
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||
Shorewall will automatically add the EXTERNAL address to this
|
||||
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
|
||||
name with ":" and a <emphasis>digit</emphasis> to indicate that you
|
||||
@ -83,12 +83,12 @@
|
||||
</emphasis></para>
|
||||
|
||||
<para>Each interface must match an entry in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
|
||||
@ -143,10 +143,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>
|
||||
url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
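Review bot: the See ALSO context line lists shorewall_interfaces(5) with an underscore, while the page linked throughout this change is shorewall-interfaces.html and the body text cites shorewall-interfaces(5). The same spelling appears in the See ALSO lists of the other files in this patch; since every one of those sections is being edited for its urls, fix the name to shorewall-interfaces(5) in the same pass.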
|
@ -24,7 +24,7 @@
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
|
||||
<para>In <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), a
|
||||
zone may be declared to be a sub-zone of one or more other zones using the
|
||||
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
||||
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
||||
@ -32,7 +32,7 @@
|
||||
firewall zone.</para>
|
||||
|
||||
<para>Where zones are nested, the CONTINUE policy in <ulink
|
||||
url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
|
||||
are within multiple zones to be managed under the rules of all of these
|
||||
zones.</para>
|
||||
</refsect1>
|
||||
@ -74,7 +74,7 @@
|
||||
under rules where the source zone is net. It is important that this policy
|
||||
be listed BEFORE the next policy (net to all). You can have this policy
|
||||
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
|
@ -81,7 +81,7 @@
|
||||
<listitem>
|
||||
<para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with
|
||||
Shorewall 4.4.24, <ulink
|
||||
url="shorewall-exclusion.html">exclusion</ulink> is
|
||||
url="/manpages/shorewall-exclusion.html">exclusion</ulink> is
|
||||
supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -93,12 +93,12 @@
|
||||
<listitem>
|
||||
<para>The name of a network interface. The interface must be defined
|
||||
in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
</listitem>
|
||||
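Review bot: the third shorewall-interfaces reference in this paragraph is followed by (8), while the two above it in the same hunk use (5). All three point at /manpages/shorewall-interfaces.html, so the last one should read shorewall-interfaces</ulink>(5) as well.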
@ -147,7 +147,7 @@
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -189,10 +189,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
|
||||
url="/netmap.html">http://www.shorewall.net/netmap.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -26,7 +26,7 @@
|
||||
<para>Assign any shell variables that you need in this file. The file is
|
||||
always processed by <filename>/bin/sh</filename> or by the shell specified
|
||||
through SHOREWALL_SHELL in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
|
||||
shell capabilities may be used.</para>
|
||||
|
||||
<para>It is suggested that variable names begin with an upper case letter
|
||||
@ -40,7 +40,7 @@
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">Any option from <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
|
||||
|
||||
<member><emphasis role="bold">COMMAND</emphasis></member>
|
||||
|
||||
@ -107,7 +107,7 @@ NET_BCAST=130.252.100.255
|
||||
NET_OPTIONS=routefilter,norfc1918</programlisting>
|
||||
|
||||
<para>Example <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
|
||||
@ -129,7 +129,7 @@ net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
||||
url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>This file defines the high-level policy for connections between
|
||||
zones defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||
|
||||
<important>
|
||||
<para>The order of entries in this file is important</para>
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+".</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
@ -84,7 +84,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||
"all+", another bport zone associated with the same bridge, or it
|
||||
must be an ipv4 zone that is associated with only the same
|
||||
@ -118,7 +118,7 @@
|
||||
<listitem>
|
||||
<para>The word "None" or "none". This causes any default action
|
||||
defined in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
||||
omitted for this policy.</para>
|
||||
</listitem>
|
||||
|
||||
@ -191,7 +191,7 @@
|
||||
might also match (where the source or destination zone in
|
||||
those rules is a superset of the SOURCE or DEST in this
|
||||
policy). See <ulink
|
||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -231,7 +231,7 @@
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>For a description of log levels, see <ulink
|
||||
url="http://www.shorewall.net/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>If you don't want to log but need to specify the following
|
||||
column, place "-" here.</para>
|
||||
@ -327,7 +327,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -77,11 +77,11 @@
|
||||
|
||||
<listitem>
|
||||
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
|
||||
direct packets to this provider.</para>
|
||||
|
||||
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
|
||||
must be a multiple of 256 between 256 and 65280 or their hexadecimal
|
||||
equivalents (0x0100 and 0xff00 with the low-order byte of the value
|
||||
being zero). Otherwise, the value must be between 1 and 255. Each
|
||||
@ -101,7 +101,7 @@
|
||||
previously listed provider. You may select only certain entries from
|
||||
the table to copy by using the COPY column below. This column should
|
||||
contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -112,7 +112,7 @@
|
||||
<listitem>
|
||||
<para>The name of the network interface to the provider. Must be
|
||||
listed in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
|
||||
general, that interface should not have the
|
||||
<option>proxyarp</option> option specified unless
|
||||
<option>loose</option> is given in the OPTIONS column of this
|
||||
@ -177,7 +177,7 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
||||
defaults to the setting of the TRACK_PROVIDERS option in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).
|
||||
If you set TRACK_PROVIDERS=Yes and want to override that
|
||||
setting for an individual provider, then specify
|
||||
<option>notrack</option> (see below).</para>
|
||||
@ -241,7 +241,7 @@
|
||||
and configured with an IPv4 address then ignore this provider.
|
||||
If not specified, the value of the <option>optional</option>
|
||||
option for the INTERFACE in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>
|
||||
is assumed. Use of that option is preferred to this one,
|
||||
unless an <replaceable>address</replaceable> is provider in
|
||||
the INTERFACE column.</para>
|
||||
@ -300,7 +300,7 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
|
||||
action in shorewall-mangle(5). See <ulink
|
||||
url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
||||
url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
||||
When specified, the MARK, DUPLICATE and GATEWAY columns should
|
||||
be empty, INTERFACE should be set to 'lo' and
|
||||
<option>tproxy</option> should be the only OPTION. Only one
|
||||
@ -416,10 +416,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -132,10 +132,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
|
||||
url="/ProxyARP.htm">http://www.shorewall.net/ProxyARP.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -34,7 +34,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name or number of a provider defined in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink> (5).
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5).
|
||||
Beginning with Shorewall 4.5.14, you may also enter
|
||||
<option>main</option> in this column to add routes to the main
|
||||
routing table.</para>
|
||||
@ -73,7 +73,7 @@
|
||||
<listitem>
|
||||
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
||||
given, then the INTERFACE specified for the PROVIDER in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink> (5). This
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink> (5). This
|
||||
column must be omitted if <option>blackhole</option>,
|
||||
<option>prohibit</option> or <option>unreachable</option> is
|
||||
specified in the GATEWAY column.</para>
|
||||
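Review bot: the DEVICE description around the edited link is not a complete sentence: "If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall-providers (5)." has no verb, so the documented default is left unstated. Complete it while this line is being changed (for example, by saying that interface is the one used), and drop the space before (5) to match the other references.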
@ -92,7 +92,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file is deprecated in favor of the <ulink
|
||||
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||
url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>This file is used to define the hosts that are accessible when the
|
||||
@ -84,7 +84,7 @@
|
||||
themselves. Beginning with Shorewall 4.4.9, this option is
|
||||
automatically set if <emphasis
|
||||
role="bold">routeback</emphasis> is specified in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5) or if the rules compiler detects that the interface is a
|
||||
bridge.</para>
|
||||
</listitem>
|
||||
@ -176,7 +176,7 @@
|
||||
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
||||
role="bold">dest</emphasis> options work best when used in conjunction
|
||||
with ADMINISABSENTMINDED=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</note>
|
||||
</refsect1>
|
||||
|
||||
@ -210,10 +210,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>Entries in this file cause traffic to be routed to one of the
|
||||
providers listed in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
|
||||
@ -181,10 +181,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>Entries in this file govern connection establishment by defining
|
||||
exceptions to the policies laid out in <ulink
|
||||
url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5). By default,
|
||||
subsequent requests and responses are automatically allowed using
|
||||
connection tracking. For any particular (source,dest) pair of zones, the
|
||||
rules are evaluated in the order in which they appear in this file and the
|
||||
@ -87,7 +87,7 @@
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the RELATED_DISPOSITION (<ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -103,7 +103,7 @@
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the INVALID_DISPOSITION (<ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -119,7 +119,7 @@
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the UNTRACKED_DISPOSITION (<ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -145,7 +145,7 @@
|
||||
|
||||
<warning>
|
||||
<para>If you specify FASTACCEPT=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
||||
role="bold">ALL, ESTABLISHED</emphasis> and <emphasis
|
||||
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||
|
||||
@ -224,7 +224,7 @@
|
||||
<listitem>
|
||||
<para>like ACCEPT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -234,7 +234,7 @@
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
in /usr/share/shorewall/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -329,11 +329,11 @@
|
||||
<para>Do not process any of the following rules for this
|
||||
(source zone,destination zone). If the source and/or
|
||||
destination IP address falls into a zone defined later in
|
||||
<ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
<ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
or in a parent zone of the source or destination zones, then
|
||||
this connection request will be passed to the rules defined
|
||||
for that (those) zone(s). See <ulink
|
||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -344,7 +344,7 @@
|
||||
<listitem>
|
||||
<para>like CONTINUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -414,7 +414,7 @@
|
||||
<listitem>
|
||||
<para>like DROP but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -445,7 +445,7 @@
|
||||
INLINE(ACCEPT)). Otherwise, you can include it after the
|
||||
semicolon. In this case, you must declare the target as a
|
||||
builtin action in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
|
||||
<para>Some considerations when using INLINE:</para>
|
||||
|
||||
@ -490,7 +490,7 @@
|
||||
<para>This error message may be eliminated by adding the
|
||||
<replaceable>target</replaceable> as a builtin action in
|
||||
<ulink
|
||||
url="shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -536,7 +536,7 @@
|
||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
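Review bot: the rewritten url is "/shorewall.logging.html" (dot) while the link text on the same line reads shorewall_logging.html (underscore). The old line had the same mismatch, so the rewrite carries a probable dead link forward. Since this line is being touched anyway, change the url to "/shorewall_logging.html" to match the text.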
@ -565,7 +565,7 @@
|
||||
<listitem>
|
||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -596,7 +596,7 @@
|
||||
<listitem>
|
||||
<para>like QUEUE but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -615,7 +615,7 @@
|
||||
<listitem>
|
||||
<para>like REJECT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -649,7 +649,7 @@
|
||||
<para>Added in Shorewall 4.5.10. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
|
||||
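Review bot: in the NFLOG/ULOG logging reference here, the new url "/shorewall.logging.html" does not match the file name shown in the link text, shorewall_logging.html. Use the underscore form in the url so that the link and its text agree.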
@ -671,7 +671,7 @@
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
/usr/share/shorewall/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -702,7 +702,7 @@
|
||||
<para>Actions specifying logging may be followed by a log tag (a
|
||||
string of alphanumeric characters) which is appended to the string
|
||||
generated by the LOGPREFIX (in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
|
||||
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
||||
the log prefix generated by the LOGPREFIX setting.</para>
|
||||
@ -732,7 +732,7 @@
|
||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||
<replaceable>zone-list </replaceable>which consists of a
|
||||
comma-separated list of zones declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic.</para>
|
||||
@ -751,7 +751,7 @@
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||
<ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||
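Review bot: the context lines directly above the changed url contain two typos worth fixing in the same pass: a stray double quote in 'is "used,' and a doubled word in "see see". Neither is introduced by this change, but the paragraph is being edited and they appear in the rendered manpage.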
@ -791,7 +791,7 @@
|
||||
firewall interface can be specified by an ampersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
@ -801,14 +801,14 @@
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||
Kernel.</para>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
@ -906,7 +906,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Location of Server. May be a zone declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
|
||||
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
||||
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
||||
<emphasis role="bold">none</emphasis>.</para>
|
||||
@ -914,7 +914,7 @@
|
||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||
<replaceable>zone-list </replaceable>which consists of a
|
||||
comma-separated list of zones declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic.</para>
|
||||
@ -926,7 +926,7 @@
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||
Kernel.</para>
|
||||
@ -941,7 +941,7 @@
|
||||
affected. When <emphasis role="bold">all+</emphasis> is used,
|
||||
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
|
||||
exclusion is supported -- see see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
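Review bot: the context line before the changed url still reads "exclusion is supported -- see see", with "see" doubled. Drop one "see" while this paragraph is open.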
@ -976,7 +976,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>Restriction: MAC addresses are not allowed (this is a
|
||||
Netfilter restriction).</para>
|
||||
@ -1002,7 +1002,7 @@
|
||||
firewall interface can be specified by an ampersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The <replaceable>port</replaceable> that the server is
|
||||
@ -1079,7 +1079,7 @@
|
||||
interpreted as the destination icmp-type(s). ICMP types may be
|
||||
specified as a numeric type, a numeric type and code separated by a
|
||||
slash (e.g., 3/4), or a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
|
||||
listed.</para>
|
||||
|
||||
@ -1186,7 +1186,7 @@
|
||||
firewall interface can be specified by an ampersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>For other actions, this column may be included and may contain
|
||||
@ -1204,10 +1204,10 @@
|
||||
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
|
||||
addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
|
||||
See <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>See <ulink
|
||||
url="../PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
|
||||
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
|
||||
for an example of using an entry in this column with a user-defined
|
||||
action rule.</para>
|
||||
</listitem>
|
||||
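Review bot: the context line above the exclusion link gives the first range as "192.168.1.0-182.168.1.15". For the expression 192.168.1.0/24!192.168.1.16/28 shown on the line before it, the upper bound should be 192.168.1.15. A wrong octet in an address-range example in firewall documentation is worth correcting along with the url. Separately, the PortKnocking url goes from "../PortKnocking.html" to "/PortKnocking.html", which only resolves to the same place when the manpages directory sits directly under the site root.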
@ -1577,7 +1577,7 @@
|
||||
</simplelist>
|
||||
|
||||
<para>If the HELPERS option is specified in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
||||
specified in this column must be listed in the HELPERS
|
||||
setting.</para>
|
||||
</listitem>
|
||||
@ -1706,21 +1706,21 @@
|
||||
example:</para>
|
||||
|
||||
<para><ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(8):<programlisting> #ZONE TYPE OPTIONS
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5):<programlisting> #ZONE TYPE OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
dmz ipv4
|
||||
loc ipv4</programlisting></para>
|
||||
|
||||
<para><ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5):<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
net ppp0
|
||||
loc eth1 detect
|
||||
dmz eth2 detect
|
||||
- ppp+ # Addresses are assigned from 192.168.3.0/24</programlisting></para>
|
||||
|
||||
<para><ulink
|
||||
url="shorewall-hosts.html">shorewall-host</ulink>(8):<programlisting> #ZONE HOST(S) OPTIONS
|
||||
url="/manpages/shorewall-hosts.html">shorewall-host</ulink>(5):<programlisting> #ZONE HOST(S) OPTIONS
|
||||
loc ppp+:192.168.3.0/24</programlisting></para>
|
||||
|
||||
<para>rules:</para>
|
||||
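Review bot: on the hosts line the url is "/manpages/shorewall-hosts.html" but the link text is still "shorewall-host", without the final "s". The section number is already being corrected from (8) to (5) on this line, so fix the name too and make it read shorewall-hosts(5).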
@ -1816,7 +1816,7 @@
|
||||
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5):</para>
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5):</para>
|
||||
|
||||
<programlisting> #ACTION OPTIONS
|
||||
SECCTX builtin</programlisting>
|
||||
@ -1835,13 +1835,13 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
||||
url="/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final secmark
|
||||
for each packet will be the one assigned by the LAST rule that
|
||||
matches.</para>
|
||||
@ -182,7 +182,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>Addresses may be specified using an ipset name preceded by
|
||||
'+'.</para>
|
||||
@ -213,7 +213,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>Addresses may be specified using an ipset name preceded by
|
||||
'+'.</para>
|
||||
@ -251,7 +251,7 @@
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -411,7 +411,7 @@ RESTORE I:ER</programlisting>
|
||||
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -153,10 +153,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -125,7 +125,7 @@
|
||||
<para>You may specify the interface number rather than the interface
|
||||
name. If the <emphasis role="bold">classify</emphasis> option is
|
||||
given for the interface in <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
|
||||
you must also specify an interface class (an integer that must be
|
||||
unique within classes associated with this interface). If the
|
||||
classify option is not given, you may still specify a
|
||||
@ -139,12 +139,12 @@
|
||||
|
||||
<para>Please note that you can only use interface names in here that
|
||||
have a bandwidth defined in the <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>Normally, all classes defined here are sub-classes of a root
|
||||
class that is implicitly defined from the entry in <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
|
||||
can establish a class hierarchy by specifying a
|
||||
<emphasis>parent</emphasis> class -- the number of a class that you
|
||||
have previously defined. The sub-class may borrow unused bandwidth
|
||||
@ -159,11 +159,11 @@
|
||||
<listitem>
|
||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||
range 1-255. You set mark values in the <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) file,
|
||||
marking the traffic you want to fit in the classes defined in here.
|
||||
Must be specified as '-' if the <emphasis
|
||||
role="bold">classify</emphasis> option is given for the interface in
|
||||
<ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
<ulink url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
and you are running Shorewall 4.5.5 or earlier.</para>
|
||||
|
||||
<para>You can use the same marks for different interfaces.</para>
|
||||
@ -417,7 +417,7 @@
|
||||
of the class. So the total RATE represented by an entry with
|
||||
'occurs' will be the listed RATE multiplied by
|
||||
<emphasis>number</emphasis>. For additional information, see
|
||||
<ulink url="shorewall-mangle.html">tcrules</ulink>
|
||||
<ulink url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||
(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
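Review bot: the replacement line changes more than the path prefix. The old link pointed at shorewall-mangle.html with the text "tcrules"; the new one points at /manpages/shorewall-tcrules.html with the text "shorewall-tcrules". The earlier hunk in this file still sends readers to shorewall-mangle(5) for mark values, so confirm that shorewall-tcrules is the intended target for the 'occurs' discussion, and mention the retarget in the commit message, because it is not a mechanical rewrite.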
@ -762,10 +762,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>tc-hfsc(7)</para>
|
||||
|
||||
|
@ -104,7 +104,7 @@
|
||||
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
||||
listed only once in this file. You may NOT specify the name of an
|
||||
alias (e.g., eth0:0) here; see <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||
|
||||
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
||||
ppp interfaces, you need to put them all in here!</para>
|
||||
@ -151,7 +151,7 @@
|
||||
may be configured instead. Rate-estimated filters should be used
|
||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||
default. See <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
||||
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
97a</ulink>.</para>
|
||||
|
||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||
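Review bot: the link text here is "Shorewall FAQ 97a", not a URL, so after the change to url="/FAQ.htm#faq97a" nothing in the rendered output names the host the FAQ lives on. For output that is not served from the site itself, keep the absolute url on links whose text does not already spell out the address.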
@ -171,7 +171,7 @@
|
||||
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
|
||||
This is the maximum speed your connection can handle. It is also the
|
||||
speed you can refer as "full" if you define the tc classes in <ulink
|
||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
||||
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
||||
Outgoing traffic above this rate will be dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -195,7 +195,7 @@
|
||||
<para><option>classify</option> ― When specified, Shorewall will not
|
||||
generate tc or Netfilter rules to classify traffic based on packet
|
||||
marks. You must do all classification using CLASSIFY rules in <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>
|
||||
|
||||
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
||||
Bucket</firstterm> queuing discipline. This is the default.</para>
|
||||
@ -283,10 +283,10 @@
|
||||
<para>tc-hfsc (7)</para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
|
||||
|
@ -70,10 +70,10 @@
|
||||
<listitem>
|
||||
<para>The name or number of an <returnvalue>interface</returnvalue>
|
||||
defined in <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
followed by a <replaceable>class</replaceable> number defined for
|
||||
that interface in <ulink
|
||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
|
||||
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -99,7 +99,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -318,16 +318,16 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>This file lists the interfaces that are subject to simple traffic
|
||||
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
||||
file:</para>
|
||||
@ -162,7 +162,7 @@
|
||||
may be configured instead. Rate-estimated filters should be used
|
||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||
default. See <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
||||
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
97a</ulink>.</para>
|
||||
|
||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||
|
@ -25,12 +25,12 @@
|
||||
|
||||
<para>This file is used to specify the priority of traffic for simple
|
||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
|
||||
each packet is determined by the <emphasis role="bold">last</emphasis>
|
||||
entry that the packet matches. If a packet doesn't match any entry in this
|
||||
file, then its priority will be determined by its TOS field. The default
|
||||
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
||||
in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<programlisting>TOS Bits Means Linux Priority BAND
|
||||
------------------------------------------------------------
|
||||
@ -63,7 +63,7 @@
|
||||
<para>Classifies matching traffic as High Priority (1), Medium
|
||||
Priority (2) or Low Priority (3). For those interfaces listed in
|
||||
<ulink
|
||||
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
|
||||
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
|
||||
Priority 2 traffic will be deferred so long and there is Priority 1
|
||||
traffic queued and Priority 3 traffic will be deferred so long as
|
||||
there is Priority 1 or Priority 2 traffic to send.</para>
|
||||
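Review bot: the context line after the changed url reads "Priority 2 traffic will be deferred so long and there is Priority 1 traffic queued". "and" should be "as", matching the "so long as" used in the second half of the same sentence. Worth fixing while the paragraph is being edited.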
@ -151,7 +151,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>prio(8), shorewall(8), shorewall-accounting(5),
|
||||
shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
|
||||
|
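Review bot: In this See ALSO entry the target becomes site-relative (/configuration_file_basics.htm#Pairs) while the visible text is rewritten to the absolute http://www.shorewall.net/configuration_file_basics.htm#Pairs, so on any copy of the documentation not served from www.shorewall.net the text names one host and the link resolves on another. Keep the two in step, or replace the printed URL with a descriptive link text.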
@ -28,14 +28,14 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final mark for
|
||||
each packet will be the one assigned by the LAST tcrule that
|
||||
matches.</para>
|
||||
|
||||
<para>If you use multiple internet providers with the 'track' option, in
|
||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
||||
@ -123,7 +123,7 @@
|
||||
|
||||
<para>- Otherwise, the chain is determined by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||
included for completeness and affects neither traffic shaping
|
||||
@ -203,7 +203,7 @@
|
||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||
equal proportions. If no mask is specified, then ( 2 **
|
||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
|
||||
<para>May optionally be followed by <emphasis
|
||||
role="bold">:P</emphasis>, <emphasis
|
||||
@ -231,7 +231,7 @@
|
||||
|
||||
<para>- Otherwise, the chain is determined by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||
included for completeness and affects neither traffic shaping
|
||||
@ -311,11 +311,11 @@
|
||||
<para>When using Shorewall's built-in traffic shaping tool, the
|
||||
<emphasis>major</emphasis> class is the device number (the first
|
||||
device in <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
|
||||
major class 1, the second device is major class 2, and so on)
|
||||
and the <emphasis>minor</emphasis> class is the class's MARK
|
||||
value in <ulink
|
||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
||||
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
|
||||
preceded by the number 1 (MARK 1 corresponds to minor class 11,
|
||||
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
|
||||
minor class 122, etc.).</para>
|
||||
@ -487,7 +487,7 @@
|
||||
[<replaceable>option</replaceable>] ...") after any matches
|
||||
specified at the end of the rule. If the target is not one known
|
||||
to Shorewall, then it must be defined as a builtin action in
|
||||
<ulink url="shorewall-actions.html">shorewall-actions</ulink>
|
||||
<ulink url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The following rules are equivalent:</para>
|
||||
@ -500,7 +500,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> then the
|
||||
third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
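Review bot: The rewritten INLINE_MATCHES link keeps the section number inside the link text, shorewall.conf(5)</ulink>, whereas the other shorewall.conf links in this file place it outside the element, shorewall.conf</ulink>(5). Move the "(5)" after the closing tag for consistency. The link text also changes from shorewall6.conf to shorewall.conf, which is a content correction rather than a path change and deserves a line in the commit message.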
@ -724,7 +724,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
@ -733,7 +733,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<listitem>
|
||||
<para><replaceable>mark</replaceable> - the MARK value
|
||||
corresponding to the local provider in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -758,7 +758,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a tproxy provider to be defined in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - neither is
|
||||
required:</para>
|
||||
@ -862,7 +862,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -879,7 +879,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<para>An interface name. May not be used in the PREROUTING chain
|
||||
(:P in the mark column or no chain qualifier and
|
||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
|
||||
url="/manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
|
||||
interface name may be optionally followed by a colon (":") and
|
||||
an IP address list.</para>
|
||||
</listitem>
|
||||
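Review bot: The new target /manpages/shorewall.conf still has no .html suffix, unlike the other shorewall.conf links in this patch, which all point at /manpages/shorewall.conf.html, so adding the leading slash alone most likely leaves this link pointing at a page that does not exist. Use /manpages/shorewall.conf.html here, and drop the space in "</ulink> (5)" to match the neighbouring entries.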
@ -899,7 +899,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -934,7 +934,7 @@ Normal-Service => 0x00</programlisting>
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -1317,16 +1317,16 @@ Normal-Service => 0x00</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
||||
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
||||
<ulink url="shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
|
||||
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink> (5).</para>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
@ -167,7 +167,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -27,7 +27,7 @@
|
||||
encrypted) traffic to pass between the Shorewall system and a remote
|
||||
gateway. Traffic flowing through the tunnel is handled using the normal
|
||||
zone/policy/rule mechanism. See <ulink
|
||||
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||
for details.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
@ -143,7 +143,7 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||
may be given. Exclusion (<ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
|
||||
not supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -281,7 +281,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -45,14 +45,14 @@
|
||||
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
|
||||
as zone names. The maximum length of a zone name is determined by
|
||||
the setting of the LOGFORMAT option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). With the
|
||||
default LOGFORMAT, zone names can be at most 5 characters
|
||||
long.</para>
|
||||
|
||||
<blockquote>
|
||||
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
||||
explained in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink> (5), the default
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5), the default
|
||||
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
||||
%s is replaced by the chain name and the second is replaced by the
|
||||
disposition.</para>
|
||||
@ -97,7 +97,7 @@
|
||||
(sub)zone name by ":" and a comma-separated list of the parent
|
||||
zones. The parent zones must have been declared in earlier records
|
||||
in this file. See <ulink
|
||||
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
@ -110,7 +110,7 @@ c:a,b ipv4</programlisting>
|
||||
<para>Currently, Shorewall uses this information to reorder the zone
|
||||
list so that parent zones appear after their subzones in the list.
|
||||
The IMPLICIT_CONTINUE option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) can also create
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) can also create
|
||||
implicit CONTINUE policies to/from the subzone.</para>
|
||||
|
||||
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
||||
@ -137,7 +137,7 @@ c:a,b ipv4</programlisting>
|
||||
the column. Communication with some zone hosts may be
|
||||
encrypted. Encrypted hosts are designated using the 'ipsec'
|
||||
option in <ulink
|
||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
|
||||
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -180,7 +180,7 @@ c:a,b ipv4</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
||||
Linux-vserver guests. The zone contents must be defined in
|
||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink>
|
||||
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Vserver zones are implicitly handled as subzones of the
|
||||
@ -208,7 +208,7 @@ c:a,b ipv4</programlisting>
|
||||
$FW rules are defined, they are placed in a chain named
|
||||
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
|
||||
depending on the ZONE2ZONE setting in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
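Review bot: The context line just above the updated shorewall.conf link names the chain as ${FW}2${F2}; given the 'fw2fw' example on the same line, ${F2} looks like a typo for ${FW}. It is outside the changed lines, but worth correcting in this pass since the paragraph is already being edited.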
@ -290,12 +290,12 @@ c:a,b ipv4</programlisting>
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
traffic from this zone to be passed against the <emphasis
|
||||
role="bold">src</emphasis> entries in <ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5).</para>
|
||||
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>When specified in the OUT_OPTIONS column, causes all
|
||||
traffic to this zone to be passed against the <emphasis
|
||||
role="bold">dst</emphasis> entries in s<ulink
|
||||
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
||||
url="/manpages/shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>Specifying this option in the OPTIONS column is
|
||||
equivalent to entering it in both of the IN_OPTIONS and
|
||||
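Review bot: In the OUT_OPTIONS paragraph the leading "s" of shorewall-blacklist is still outside the link after the change: the text reads "entries in s", then the link element, whose text is only "horewall-blacklist". The line is being rewritten anyway, so move the "s" inside the element so that the link text reads shorewall-blacklist, as it does in the IN_OPTIONS paragraph above.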
@ -310,7 +310,7 @@ c:a,b ipv4</programlisting>
|
||||
<para>Added in Shorewall 4.5.9. May only be specified in the
|
||||
OPTIONS column and indicates that only a single ipset should
|
||||
be created for this zone if it has multiple dynamic entries in
|
||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5).
|
||||
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
|
||||
Without this option, a separate ipset is created for each
|
||||
interface.</para>
|
||||
</listitem>
|
||||
@ -354,7 +354,7 @@ c:a,b ipv4</programlisting>
|
||||
<listitem>
|
||||
<para>sets the MSS field in TCP packets. If you supply this
|
||||
option, you should also set FASTACCEPT=No in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to insure
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) to insure
|
||||
that both the SYN and SYN,ACK packets have their MSS field
|
||||
adjusted.</para>
|
||||
</listitem>
|
||||
@ -427,10 +427,10 @@ c:a,b ipv4</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
||||
url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
@ -183,7 +183,7 @@
|
||||
<para>If you set the value of either option to "None" then no
|
||||
default action will be used and the default action or macro must be
|
||||
specified in <ulink
|
||||
url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
|
||||
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5).</para>
|
||||
|
||||
<para>You can pass <replaceable>parameters</replaceable> to the
|
||||
specified action (e.g.,
|
||||
@ -204,7 +204,7 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
|
||||
is enabled (see <ulink
|
||||
url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
|
||||
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
|
||||
not specified or set to the empty value, ACCOUNTING=Yes is
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
@ -219,7 +219,7 @@
|
||||
<para>Added in Shorewall 4.4.20. This setting determines which
|
||||
Netfilter table the accounting rules are added in. By default,
|
||||
ACCOUNTING_TABLE=filter is assumed. See also <ulink
|
||||
url="shorewall-accounting.html">shorewall-accounting</ulink>(5).</para>
|
||||
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -230,7 +230,7 @@
|
||||
<listitem>
|
||||
<para>This parameter determines whether Shorewall automatically adds
|
||||
the external address(es) in <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
|
||||
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
|
||||
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis> then Shorewall automatically adds these
|
||||
aliases. If it is set to <emphasis role="bold">No</emphasis> or
|
||||
@ -256,7 +256,7 @@
|
||||
<listitem>
|
||||
<para>This parameter determines whether Shorewall automatically adds
|
||||
the SNAT ADDRESS in <ulink
|
||||
url="shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
|
||||
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
|
||||
is set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis> then Shorewall automatically adds these
|
||||
addresses. If it is set to <emphasis role="bold">No</emphasis> or
|
||||
@ -283,10 +283,10 @@
|
||||
<para>The value of this variable affects Shorewall's stopped state.
|
||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
||||
listed in <ulink
|
||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
|
||||
in addition to traffic to/from addresses in <ulink
|
||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
|
||||
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
|
||||
connections that were active when Shorewall stopped continue to work
|
||||
and all new connections from the firewall system itself are allowed.
|
||||
If this variable is not set or is given the empty value then
|
||||
@ -350,13 +350,13 @@
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Modify <ulink
|
||||
url="shorewall-conntrack.html">shorewall-conntrack</ulink>
|
||||
url="/manpages/shorewall-conntrack.html">shorewall-conntrack</ulink>
|
||||
(5) to only apply helpers where they are required; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the appropriate helper in the HELPER column in
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||
<ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<note>
|
||||
@ -427,10 +427,10 @@
|
||||
|
||||
<para>The BLACKLIST_DISPOSITION setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). It
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
|
||||
determines the disposition of packets sent to the <emphasis
|
||||
role="bold">blacklog</emphasis> target of <ulink
|
||||
url="shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
|
||||
url="/manpages/shorewall-blrules.html">shorewall-blrules </ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
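Review bot: The blrules link keeps a trailing space inside the element ("shorewall-blrules </ulink>(5)"), and the shorewall-rules link earlier in the same paragraph is followed by " (5)" with a space before the section number. Trim the space inside the link text and settle on one form, </ulink>(5), for both.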
@ -447,7 +447,7 @@
|
||||
hosts are not logged. The setting determines the log level of
|
||||
packets sent to the <emphasis role="bold">blacklog</emphasis> target
|
||||
of <ulink
|
||||
url="shorewall-blrules.html">shorewall-blrules</ulink>(5).</para>
|
||||
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -463,9 +463,9 @@
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections and for packets in the INVALID connection state (such as
|
||||
TCP SYN,ACK when there has been no corresponding SYN). That includes
|
||||
entries in the <ulink url="???">shorewall-blrules</ulink> (5) file
|
||||
entries in the <ulink url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) file
|
||||
and in the BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
@ -534,7 +534,7 @@
|
||||
/etc/shorewall/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
|
||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
|
||||
specified, CLEAR_TC=Yes is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -669,7 +669,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Install, configure and start <ulink
|
||||
url="../IPv6Support.html">Shorewall6</ulink>.</para>
|
||||
url="/IPv6Support.html">Shorewall6</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
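Review bot: Replacing ../IPv6Support.html with /IPv6Support.html trades a path that resolved relative to the manpages directory for one that only resolves when the documentation is published at the web root. If the generated HTML is also read from a local directory or hosted under a subpath, this link and the other slash-prefixed targets in the patch will miss. Confirm that root hosting is the only supported layout, or keep document-relative paths.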
@ -789,7 +789,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||
or RELATED sections of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
|
||||
<note>
|
||||
<para>FASTACCEPT=Yes is incompatible with
|
||||
@ -820,7 +820,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
||||
directory containing the <firstterm>GeoIP Match</firstterm>
|
||||
database. See <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
If not specified, the default value is
|
||||
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
||||
location of the little-endian database.</para>
|
||||
@ -907,7 +907,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<para>Prior to version 3.2.0, it was not possible to use connection
|
||||
marking in <ulink
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
|
||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
|
||||
a multi-ISP configuration that uses the track option.</para>
|
||||
|
||||
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
|
||||
@ -990,11 +990,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<para>Subzones are defined by following their name with ":" and a
|
||||
list of parent zones (in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
|
||||
you want to have a set of special rules for the subzone and if a
|
||||
connection doesn't match any of those subzone-specific rules then
|
||||
you want the parent zone rules and policies to be applied; see
|
||||
<ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
|
||||
<ulink url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
|
||||
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
||||
|
||||
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
||||
@ -1011,9 +1011,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||
url="shorewall6-rules.html">shorewall-rules(5)</ulink>, a semicolon
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a semicolon
|
||||
separates column-oriented specifications on the left from <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
|
||||
url="/configuration_file_basics.htm#Pairs">alternative
|
||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||
specified, the specifications on the right are interpreted as if
|
||||
INLINE had been specified in the ACTION column. If not specified or
|
||||
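Review bot: The text around the rewritten links in the INLINE_MATCHES entry still reads "alternative specificaitons</ulink> on the right..", with a misspelling and a doubled period. Correct it to "specifications" and a single period while this paragraph is open. The first target also moves from shorewall6-rules.html to /manpages/shorewall-rules.html, which is more than a path-prefix change and should be called out in the commit message.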
@ -1029,7 +1029,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||
INVALID packets through the NEW section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
||||
packet in INVALID state fails to match any rule in the INVALID
|
||||
section, the packet is disposed of based on this setting. The
|
||||
default value is CONTINUE for compatibility with earlier
|
||||
@ -1044,7 +1044,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
|
||||
do not match any rule in the INVALID section of <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
|
||||
logged at this level. The default value is empty which means no
|
||||
logging is performed.</para>
|
||||
</listitem>
|
||||
@ -1117,7 +1117,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<listitem>
|
||||
<para>This option indicates that zone-related ipsec information is
|
||||
found in the zones file (<ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)). The option
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). The option
|
||||
indicates to the compiler that this is not a legacy configuration
|
||||
where the ipsec information was contained in a separate file. The
|
||||
value of this option must not be changed and the option must not be
|
||||
@ -1255,7 +1255,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
you do not enable martian logging for all interfaces, you may still
|
||||
enable it for individual interfaces using the <emphasis
|
||||
role="bold">logmartians</emphasis> interface option in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
|
||||
<para>The value <emphasis role="bold">Keep</emphasis> causes
|
||||
Shorewall to ignore the option. If the option is set to <emphasis
|
||||
@ -1263,7 +1263,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
interfaces. If the option is set to <emphasis
|
||||
role="bold">No</emphasis>, then martian logging is disabled on all
|
||||
interfaces except those specified in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1351,7 +1351,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. For further information, see <ulink
|
||||
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1378,7 +1378,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<note>
|
||||
<para>The setting of LOGFORMAT has an effect of the permitted
|
||||
length of zone names. See <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1546,9 +1546,9 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>The performance of configurations with a large numbers of
|
||||
entries in <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
|
||||
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
|
||||
improved by setting the MACLIST_TTL variable in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>If your iptables and kernel support the "Recent Match" (see
|
||||
the output of "shorewall check" near the top), you can cache the
|
||||
@ -1557,7 +1557,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<para>When a new connection arrives from a 'maclist' interface, the
|
||||
packet passes through then list of entries for that interface in
|
||||
<ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
<ulink url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
there is a match then the source IP address is added to the 'Recent'
|
||||
set for that interface. Subsequent connection attempts from that IP
|
||||
address occurring within $MACLIST_TTL seconds will be accepted
|
||||
@ -1763,7 +1763,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<para>When combined with route filtering (ROUTE_FILTER=Yes or
|
||||
<option>routefilter</option> in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)),
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)),
|
||||
this option ensures that packets with an RFC1918 source address are
|
||||
only accepted from interfaces having known routes to networks using
|
||||
such addresses.</para>
|
||||
@ -1772,7 +1772,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<option>blackhole</option>, <option>unreachable</option> or
|
||||
<option>prohibit</option> to set the type of route to be created.
|
||||
See <ulink
|
||||
url="http://www.shorewall.net/MultiISP.html#null_routing">http://www.shorewall.net/MultiISP.html#null_routing</ulink>.</para>
|
||||
url="/MultiISP.html#null_routing">http://www.shorewall.net/MultiISP.html#null_routing</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
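Review bot: After this change the null_routing link has a root-relative target, `url="/MultiISP.html#null_routing"`, but still displays the absolute `http://www.shorewall.net/MultiISP.html#null_routing` as its text, so on any host other than www.shorewall.net the URL the reader sees is not the one the link follows. Keep the absolute URL in both places, or replace the link text with a descriptive title.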
@ -1794,7 +1794,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Optimization category 1 - Traditionally, Shorewall has
|
||||
created rules for <ulink
|
||||
url="../ScalabilityAndPerformance.html">the complete matrix of
|
||||
url="/ScalabilityAndPerformance.html">the complete matrix of
|
||||
host groups defined by the zones, interfaces and hosts
|
||||
files</ulink>. Any traffic that didn't correspond to an element
|
||||
of that matrix was rejected in one of the built-in chains. When
|
||||
@ -2104,7 +2104,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
|
||||
ACCEPTed RELATED packets that don't match any rule in the RELATED
|
||||
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||
section of <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5). Concern about the safety of this practice resulted in the
|
||||
addition of this option. When a packet in RELATED state fails to
|
||||
match any rule in the RELATED section, the packet is disposed of
|
||||
@ -2120,7 +2120,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.27. Packets in the related state that
|
||||
do not match any rule in the RELATED section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
||||
this level. The default value is empty which means no logging is
|
||||
performed.</para>
|
||||
</listitem>
|
||||
@ -2203,7 +2203,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
||||
at least one optional interface must be up in order for the firewall
|
||||
to be in the started state. Intended to be used with the <ulink
|
||||
url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
|
||||
url="/manpages/shorewall-init.html">Shorewall Init Package</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -2266,8 +2266,8 @@ INLINE - - - ; -j REJECT
|
||||
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
|
||||
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
|
||||
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
|
||||
url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
|
||||
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
|
||||
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) are processed
|
||||
then are re-added later. This is done to help ensure that the
|
||||
addresses can be added with the specified labels but can have the
|
||||
undesirable side effect of causing routes to be quietly deleted.
|
||||
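Review bot: In the first context line the bold markup closes one character early, `<emphasis role="bold">shorewall star</emphasis>t`, so the command renders with an unbolded "t". Move the closing tag after "start" while this paragraph is being touched.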
@ -2299,14 +2299,14 @@ INLINE - - - ; -j REJECT
|
||||
interfaces. If the option is set to <emphasis
|
||||
role="bold">No</emphasis>, then route filtering is disabled on all
|
||||
interfaces except those specified in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
|
||||
<important>
|
||||
<para>If you need to disable route filtering on any interface,
|
||||
then you must set ROUTE_FILTER=No then set routefilter=1 or
|
||||
routefilter=2 on those interfaces where you want route filtering.
|
||||
See <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
for additional details.</para>
|
||||
</important>
|
||||
</listitem>
|
||||
@ -2321,7 +2321,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Added in Shorewall 4.5.7. Determines the disposition of
|
||||
packets entering from interfaces the <option>rpfilter</option>
|
||||
option (see <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
|
||||
Packets disposed of by this option are those whose response packets
|
||||
would not be sent through the same interface receiving the
|
||||
packet.</para>
|
||||
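Review bot: The sentence just above the changed url line reads "packets entering from interfaces the rpfilter option", which is missing a word (presumably "interfaces with the rpfilter option"). Worth correcting in this pass, since the link that follows it is being rewritten.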
@ -2374,7 +2374,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Determines the disposition of
|
||||
packets matching the <option>sfilter</option> option (see <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||
of <firstterm>hairpin</firstterm> packets on interfaces without the
|
||||
<option>routeback</option> option.<footnote>
|
||||
<para>Hairpin packets are packets that are routed out of the
|
||||
@ -2390,7 +2390,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added on Shorewall 4.4.20. Determines the logging of packets
|
||||
matching the <option>sfilter</option> option (see <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||
of <firstterm>hairpin</firstterm> packets on interfaces without the
|
||||
<option>routeback</option> option.<footnote>
|
||||
<para>Hairpin packets are packets that are routed out of the
|
||||
@ -2421,7 +2421,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. The default setting is DROP which
|
||||
causes smurf packets (see the nosmurfs option in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
|
||||
be dropped. A_DROP causes the packets to be audited prior to being
|
||||
dropped and requires AUDIT_TARGET support in the kernel and
|
||||
iptables.</para>
|
||||
@ -2435,7 +2435,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Specifies the logging level for smurf packets (see the
|
||||
nosmurfs option in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
|
||||
set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
|
||||
logged.</para>
|
||||
</listitem>
|
||||
@ -2524,8 +2524,8 @@ INLINE - - - ; -j REJECT
|
||||
|
||||
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
|
||||
simple traffic shaping using <ulink
|
||||
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
|
||||
and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
|
||||
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
|
||||
and <ulink url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
|
||||
enabled.</para>
|
||||
|
||||
<para>If you set TC_ENABLED=Internal or internal or leave the option
|
||||
@ -2552,7 +2552,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Normally, Shorewall tries to protect users from themselves by
|
||||
preventing PREROUTING and OUTPUT tcrules from being applied to
|
||||
packets that have been marked by the 'track' option in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
||||
Shorewall will not include these cautionary checks.</para>
|
||||
@ -2566,7 +2566,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
|
||||
TOS field to priority bands. See <ulink
|
||||
url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
|
||||
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
|
||||
<emphasis>map</emphasis> consists of 16 space-separated digits with
|
||||
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
|
||||
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
|
||||
@ -2589,7 +2589,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Determines the disposition of TCP packets that fail the checks
|
||||
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
|
||||
option (see <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
|
||||
must have a value of ACCEPT (accept the packet), REJECT (send an RST
|
||||
response) or DROP (ignore the packet). If not set or if set to the
|
||||
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
|
||||
@ -2621,13 +2621,13 @@ INLINE - - - ; -j REJECT
|
||||
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
|
||||
<option>track</option> option to be assumed on all providers defined
|
||||
in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5). May
|
||||
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5). May
|
||||
be overridden on an individual provider through use of the
|
||||
<option>notrack</option> option. The default value is 'No'.</para>
|
||||
|
||||
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
|
||||
also simplifies PREROUTING rules in <ulink
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
||||
Previously, when TC_EXPERT=No, packets arriving through 'tracked'
|
||||
provider interfaces were unconditionally passed to the PREROUTING
|
||||
tcrules. This was done so that tcrules could reset the packet mark
|
||||
@ -2669,7 +2669,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||
UNTRACKED packets through the NEW section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). When a
|
||||
packet in UNTRACKED state fails to match any rule in the UNTRACKED
|
||||
section, the packet is disposed of based on this setting. The
|
||||
default value is CONTINUE for compatibility with earlier
|
||||
@ -2684,7 +2684,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
|
||||
do not match any rule in the UNTRACKED section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
|
||||
this level. The default value is empty which means no logging is
|
||||
performed.</para>
|
||||
</listitem>
|
||||
@ -2708,7 +2708,7 @@ INLINE - - - ; -j REJECT
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Both the DUPLICATE and the COPY columns in <ulink
|
||||
url="shorewall-providers.html">providers</ulink>(5) file must
|
||||
url="/manpages/shorewall-providers.html">providers</ulink>(5) file must
|
||||
remain empty (or contain "-").</para>
|
||||
</listitem>
|
||||
|
||||
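Review bot: The link text in the first list item is just `providers`, so with the section number it renders as "providers(5)" rather than the page name; the other links to this target in the patch are written `shorewall-providers</ulink>(5)`. Suggest using the full name here and adding the missing article, giving "in the shorewall-providers(5) file".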
@ -2725,7 +2725,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Packets are sent through the main routing table by a rule
|
||||
with priority 999. In <ulink
|
||||
url="shorewall-routing_rules.html">routing_rules</ulink>(5), the
|
||||
url="/manpages/shorewall-routing_rules.html">routing_rules</ulink>(5), the
|
||||
range 1-998 may be used for inserting rules that bypass the main
|
||||
table.</para>
|
||||
</listitem>
|
||||
|
@ -730,7 +730,7 @@
|
||||
|
||||
<para>The <option>trace</option> and <option>debug</option> options are
|
||||
used for debugging. See <ulink
|
||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
||||
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
||||
|
||||
<para>The nolock <option>option</option> prevents the command from
|
||||
attempting to acquire the Shorewall lockfile. It is useful if you need to
|
||||
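Review bot: In the last paragraph of this hunk the `<option>` markup wraps the wrong word: `The nolock <option>option</option>` should be `The <option>nolock</option> option`, matching how trace and debug are marked up in the paragraph above it.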
@ -742,7 +742,7 @@
|
||||
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
||||
options are omitted, the amount of output is determined by the setting of
|
||||
the VERBOSITY parameter in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
|
||||
role="bold">v</emphasis> adds one to the effective verbosity and each
|
||||
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
||||
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
|
||||
@ -770,7 +770,7 @@
|
||||
|
||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||
defined in the <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||
elements are host or network addresses.<caution>
|
||||
<para>The <command>add</command> command is not very robust. If
|
||||
@ -784,7 +784,7 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
||||
single ipset to handle entries for multiple interfaces. When that
|
||||
option is specified for a zone, the <command>add</command> command
|
||||
has the alternative syntax in which the
|
||||
@ -839,7 +839,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
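Review bot: The first context line has a duplicated word, "if the line current line contains", and the same sentence is carried by the other hunks in this file that touch the INLINE_MATCHES warning. Change it to "if the current line contains" in each of them, since those paragraphs are already being edited.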
@ -912,7 +912,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -925,13 +925,13 @@
|
||||
|
||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||
defined in the <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||
elements are a host or network address.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
|
||||
single ipset to handle entries for multiple interfaces. When that
|
||||
option is specified for a zone, the <command>delete</command>
|
||||
command has the alternative syntax in which the
|
||||
@ -954,7 +954,7 @@
|
||||
any optional network interface. <replaceable>interface</replaceable>
|
||||
may be either the logical or physical name of the interface. The
|
||||
command removes any routes added from <ulink
|
||||
url="shorewall-routes.html">shorewall-routes</ulink>(5) and any
|
||||
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and any
|
||||
traffic shaping configuration for the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1001,7 +1001,7 @@
|
||||
may be either the logical or physical name of the interface. The
|
||||
command sets <filename>/proc</filename> entries for the interface,
|
||||
adds any route specified in <ulink
|
||||
url="shorewall-routes.html">shorewall-routes</ulink>(5) and installs
|
||||
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and installs
|
||||
the interface's traffic shaping configuration, if any.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1037,7 +1037,7 @@
|
||||
<para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
|
||||
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
|
||||
given then the file specified by RESTOREFILE in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) is
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) is
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1148,7 +1148,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1159,7 +1159,7 @@
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be logged then discarded. Logging occurs at the log level
|
||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1168,7 +1168,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Monitors the log file specified by the LOGFILE option in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
|
||||
produces an audible alarm when new Shorewall messages are logged.
|
||||
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
||||
address of each packet source to be displayed if that information is
|
||||
@ -1188,7 +1188,7 @@
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be logged then rejected. Logging occurs at the log level
|
||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1238,7 +1238,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
||||
and causes Shorewall to look in the given
|
||||
@ -1306,7 +1306,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1348,7 +1348,7 @@
|
||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||
and performs the compilation step unconditionally, overriding the
|
||||
AUTOMAKE setting in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
||||
<option>-f</option> and <option>-c</option>are present, the result
|
||||
is determined by the option that appears last.</para>
|
||||
|
||||
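Review bot: Missing space in the context line `<option>-f</option> and <option>-c</option>are present`, which renders as "-care present". Add a space after the closing tag; the same line appears again in the later hunk at -1713.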
@ -1360,7 +1360,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1375,7 +1375,7 @@
|
||||
role="bold">shorewall save</emphasis>; if no
|
||||
<emphasis>filename</emphasis> is given then Shorewall will be
|
||||
restored from the file specified by the RESTOREFILE option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1437,7 +1437,7 @@
|
||||
role="bold">shorewall -f start</emphasis> commands. If
|
||||
<emphasis>filename</emphasis> is not given then the state is saved
|
||||
in the file specified by the RESTOREFILE option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1564,7 +1564,7 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.17. Displays the per-IP
|
||||
accounting counters (<ulink
|
||||
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1575,7 +1575,7 @@
|
||||
<listitem>
|
||||
<para>Displays the last 20 Shorewall messages from the log
|
||||
file specified by the LOGFILE option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). The
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
|
||||
<emphasis role="bold">-m</emphasis> option causes the MAC
|
||||
address of each packet source to be displayed if that
|
||||
information is available.</para>
|
||||
@ -1690,14 +1690,14 @@
|
||||
Shorewall will look in that <emphasis>directory</emphasis> first for
|
||||
configuration files. If <emphasis role="bold">-f</emphasis> is
|
||||
specified, the saved configuration specified by the RESTOREFILE
|
||||
option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
option in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
will be restored if that saved configuration exists and has been
|
||||
modified more recently than the files in /etc/shorewall. When
|
||||
<emphasis role="bold">-f</emphasis> is given, a
|
||||
<replaceable>directory</replaceable> may not be specified.</para>
|
||||
|
||||
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
|
||||
added to <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
added to <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
When LEGACY_FASTSTART=No, the modification times of files in
|
||||
/etc/shorewall are compared with that of /var/lib/shorewall/firewall
|
||||
(the compiled script that last started/restarted the
|
||||
@ -1713,7 +1713,7 @@
|
||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||
and performs the compilation step unconditionally, overriding the
|
||||
AUTOMAKE setting in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
||||
<option>-f</option> and <option>-c</option>are present, the result
|
||||
is determined by the option that appears last.</para>
|
||||
|
||||
@ -1725,7 +1725,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
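Review bot: The replacement line here keeps the section number inside the link, `shorewall.conf(5)</ulink>`, while the otherwise identical INLINE_MATCHES hunks in this file move it outside, `shorewall.conf</ulink>(5)`. Make this one match the others.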
@ -1735,12 +1735,12 @@
|
||||
<listitem>
|
||||
<para>Stops the firewall. All existing connections, except those
|
||||
listed in <ulink
|
||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
or permitted by the ADMINISABSENTMINDED option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
|
||||
The only new traffic permitted through the firewall is from systems
|
||||
listed in <ulink
|
||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
or by ADMINISABSENTMINDED.</para>
|
||||
|
||||
<para>If <option>-f</option> is given, the command will be processed
|
||||
@ -1814,13 +1814,13 @@
|
||||
|
||||
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||
and causes legacy blacklisting rules (<ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
||||
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
||||
be converted to entries in the blrules file (<ulink
|
||||
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
||||
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
||||
blacklist keyword is removed from <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
||||
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
||||
unmodified files are saved with a .bak suffix.</para>
|
||||
|
||||
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
|
||||
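Review bot: The rewritten blacklist and blrules references are written `</ulink> (5) )`, with a space before the section number and another before the closing parenthesis, whereas most links in this patch use `</ulink>(5)`. Since every one of these lines is being replaced anyway, normalise the spacing so the rendered text reads "shorewall-blacklist(5)" and "shorewall-blrules(5)".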
@ -1834,7 +1834,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>For a description of the other options, see the <emphasis
|
||||
role="bold">check</emphasis> command above.</para>
|
||||
@ -1880,7 +1880,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
|
||||
<para>shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
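Review bot: In the trailing context of this hunk the See ALSO list names `shorewall_interfaces(5)` with an underscore, while the page is referenced as shorewall-interfaces(5) in the links changed elsewhere in this file. Replace the underscore with a hyphen.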
@ -50,7 +50,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<para>The new structure is enabled by sectioning the accounting file in a
|
||||
manner similar to the <ulink url="manpages/shorewall-rules.html">rules
|
||||
manner similar to the <ulink url="/manpages6/shorewall6-rules.html">rules
|
||||
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
|
||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
||||
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
||||
@ -824,14 +824,14 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
|
||||
url="/Accounting.html">http://www.shorewall.net/Accounting.html
|
||||
</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
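Review bot: The first See ALSO link still breaks the line inside its text, with `http://www.shorewall.net/Accounting.html` on one line and `</ulink>` on the next, so the rendered link text carries trailing whitespace; the two links below it close on the same line. Close the tag on the same line here as well.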
@ -24,7 +24,7 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file allows you to define new ACTIONS for use in rules (see
|
||||
<ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink>). You define
|
||||
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You define
|
||||
the ip6tables rules to be performed in an ACTION in
|
||||
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
|
||||
|
||||
@ -58,7 +58,7 @@
|
||||
target that is supported by your ip6tables but is not directly
|
||||
supported by Shorewall. The action may be used as the rule
|
||||
target in an INLINE rule in <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
|
||||
in which the <emphasis role="bold">builtin</emphasis> can be
|
||||
@ -146,7 +146,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
|
||||
url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
@ -26,7 +26,7 @@
|
||||
<para>The blacklist file is used to perform static blacklisting by source
|
||||
address (IP or MAC), or by application. The use of this file is deprecated
|
||||
in favor of <ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
|
||||
with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
|
||||
blacklist files can be converted to a corresponding blrules file using the
|
||||
<command>shorewall6 update -b</command> command.</para>
|
||||
@ -47,7 +47,7 @@
|
||||
(if your kernel and ip6tables contain iprange match support) or
|
||||
ipset name prefaced by "+" (if your kernel supports ipset match).
|
||||
Exclusion (<ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
|
||||
supported.</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
@ -101,7 +101,7 @@
|
||||
interface that has the 'blacklist' option set. So to block traffic
|
||||
from your local network to an internet host, you had to specify
|
||||
<option>blacklist</option> on your internal interface in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
</note>
|
||||
|
||||
@ -109,7 +109,7 @@
|
||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||
<ulink
|
||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5):</para>
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -145,12 +145,12 @@
|
||||
|
||||
<para>When a packet arrives on an interface that has the <emphasis
|
||||
role="bold">blacklist</emphasis> option specified in <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5), its
|
||||
source IP address and MAC address is checked against this file and
|
||||
disposed of according to the <emphasis
|
||||
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
||||
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If <emphasis
|
||||
role="bold">PROTOCOL</emphasis> or <emphasis
|
||||
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
||||
are supplied, only packets matching the protocol (and one of the ports if
|
||||
@ -197,10 +197,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
@ -28,13 +28,13 @@
|
||||
|
||||
<para>Rules in this file are applied depending on the setting of
|
||||
BLACKLISTNEWONLY in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
||||
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
||||
connections in the NEW and INVALID states.</para>
|
||||
|
||||
<para>The format of rules in this file is the same as the format of rules
|
||||
in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The
|
||||
in <ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
|
||||
difference in the two files lies in the ACTION (first) column.</para>
|
||||
|
||||
<variablelist>
|
||||
@ -70,7 +70,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5),
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
|
||||
then the macro expands to <emphasis
|
||||
role="bold">blacklog</emphasis>.</para>
|
||||
</listitem>
|
||||
@ -78,7 +78,7 @@
|
||||
<listitem>
|
||||
<para>Otherwise it expands to the action specified for
|
||||
BLACKLIST_DISPOSITION in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
@ -89,10 +89,10 @@
|
||||
|
||||
<listitem>
|
||||
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf </ulink>(5).
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf </ulink>(5).
|
||||
Logs, audits (if specified) and applies the
|
||||
BLACKLIST_DISPOSITION specified in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -167,7 +167,7 @@
|
||||
<listitem>
|
||||
<para>queues matching packets to a back end logging daemon via
|
||||
a netlink socket then continues to the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
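Review bot: The rewritten url in the back-end logging entry is `/shorewall.logging.html` (with a dot), but the link text on the same line reads `shorewall_logging.html` (with an underscore), and the accounting manpage changed in this same patch links to `/shorewall_logging.html`. The old absolute URL had the same dot, so this change carries the mismatch forward. Suggest `url="/shorewall_logging.html"` so the href and the displayed address agree.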
@ -206,7 +206,7 @@
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||
in /usr/share/shorewall6/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -238,7 +238,7 @@
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
||||
/usr/share/shorewall6/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -268,13 +268,13 @@
|
||||
<para>Actions specifying logging may be followed by a log tag (a
|
||||
string of alphanumeric characters) which is appended to the string
|
||||
generated by the LOGPREFIX (in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>For the remaining columns, see <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
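Review bot: The last link in this hunk still has the section number inside the link text, with a space: `shorewall6-rules (5)</ulink>`. The @ -28,13 hunk of this same file rewrote the identical reference to `shorewall6-rules</ulink>(5)`. Suggest making the two consistent by using `shorewall6-rules</ulink>(5).` here as well.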
@ -314,10 +314,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
@ -266,7 +266,7 @@
|
||||
|
||||
<para>This error message may be eliminated by adding
|
||||
<replaceable>target</replaceable> as a builtin action in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -336,7 +336,7 @@
|
||||
<replaceable>interface</replaceable> is an interface to that zone,
|
||||
and <replaceable>address-list</replaceable> is a comma-separated
|
||||
list of addresses (may contain exclusion - see <ulink
|
||||
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||
(5)).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
|
||||
@ -357,7 +357,7 @@
|
||||
<para>Where <replaceable>interface</replaceable> is an interface to
|
||||
that zone, and <replaceable>address-list</replaceable> is a
|
||||
comma-separated list of addresses (may contain exclusion - see
|
||||
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
|
||||
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||
(5)).</para>
|
||||
|
||||
<para>COMMENT is only allowed in format 1; the remainder of the line
|
||||
@ -373,7 +373,7 @@
|
||||
<listitem>
|
||||
<para>where <replaceable>address-list</replaceable> is a
|
||||
comma-separated list of addresses (may contain exclusion - see
|
||||
<ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
|
||||
<ulink url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -534,7 +534,7 @@ DROP:PO - 2001:1.2.3::4
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -29,7 +29,7 @@
|
||||
|
||||
<para>The order of entries in this file is not significant in determining
|
||||
zone composition. Rather, the order that the zones are declared in <ulink
|
||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5) determines the
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) determines the
|
||||
order in which the records in this file are interpreted.</para>
|
||||
|
||||
<warning>
|
||||
@ -39,7 +39,7 @@
|
||||
|
||||
<warning>
|
||||
<para>If you have an entry for a zone and interface in <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5) then do
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) then do
|
||||
not include any entries in this file for that same (zone, interface)
|
||||
pair.</para>
|
||||
</warning>
|
||||
@ -55,7 +55,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name of a zone declared in <ulink
|
||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5). You may not
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5). You may not
|
||||
list the firewall zone in this column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -68,7 +68,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name of an interface defined in the <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
file followed by a colon (":") and a comma-separated list whose
|
||||
elements are either:</para>
|
||||
|
||||
@ -105,7 +105,7 @@
|
||||
<blockquote>
|
||||
<para>You may also exclude certain hosts through use of an
|
||||
<emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -125,7 +125,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Check packets arriving on this port against the <ulink
|
||||
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -137,7 +137,7 @@
|
||||
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
|
||||
that if the zone named in the ZONE column is specified as an
|
||||
IPSEC zone in the <ulink
|
||||
url="shorewall-zones.html">shorewall6-zones</ulink>(5) file
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5) file
|
||||
then you do NOT need to specify the 'ipsec' option
|
||||
here.</para>
|
||||
</listitem>
|
||||
@ -195,7 +195,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
@ -71,7 +71,7 @@
|
||||
zone in this column.</para>
|
||||
|
||||
<para>If the interface serves multiple zones that will be defined in
|
||||
the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
||||
the <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
||||
file, you should place "-" in this column.</para>
|
||||
|
||||
<para>If there are multiple interfaces to the same zone, you must
|
||||
@ -88,7 +88,7 @@ loc eth2 -</programlisting>
|
||||
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
|
||||
'lo' interface, then that zone must be defined as type
|
||||
<option>local</option> in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -102,7 +102,7 @@ loc eth2 -</programlisting>
|
||||
<para>Logical name of interface. Each interface may be listed only
|
||||
once in this file. You may NOT specify the name of a "virtual"
|
||||
interface (e.g., eth0:0) here; see <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
||||
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
||||
If the <option>physical</option> option is not specified, then the
|
||||
logical name is also the name of the actual interface.</para>
|
||||
|
||||
@ -115,7 +115,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>Care must be exercised when using wildcards where there is
|
||||
another zone that uses a matching specific interface. See <ulink
|
||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
|
||||
discussion of this problem.</para>
|
||||
|
||||
<para>Shorewall6 allows '+' as an interface name.</para>
|
||||
@ -199,7 +199,7 @@ loc eth2 -</programlisting>
|
||||
<listitem>
|
||||
<para>Check packets arriving on this interface against the
|
||||
<ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.13:</para>
|
||||
@ -210,7 +210,7 @@ loc eth2 -</programlisting>
|
||||
ZONES column, then the behavior is as if <emphasis
|
||||
role="bold">blacklist</emphasis> had been specified in the
|
||||
IN_OPTIONS column of <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -270,16 +270,16 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>the interface is a <ulink
|
||||
url="../SimpleBridge.html">simple bridge</ulink> with a
|
||||
url="/SimpleBridge.html">simple bridge</ulink> with a
|
||||
DHCP server on one port and DHCP clients on another
|
||||
port.</para>
|
||||
|
||||
<note>
|
||||
<para>If you use <ulink
|
||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||
url="/bridge-Shorewall-perl.html">Shorewall-perl for
|
||||
firewall/bridging</ulink>, then you need to include
|
||||
DHCP-specific rules in <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
DHCP uses UDP ports 546 and 547.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
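Review bot: In the DHCP note, the new url is `/manpages/shorewall-rules.html` with link text `shorewall-rules` and section `(8)`, while every other manpage link rewritten in this shorewall6 page goes to `/manpages6/shorewall6-*.html`. The note is about UDP ports 546 and 547, so the IPv6 rules page looks like the intended target. Suggest `url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5)`, which also matches the section 5 citation used for the rules file in the other hunks.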
@ -349,7 +349,7 @@ loc eth2 -</programlisting>
|
||||
<para>Added in Shorewall 4.4.21. Defines the zone as
|
||||
<firstterm>dynamic</firstterm>. Requires ipset match support
|
||||
in your iptables and kernel. See <ulink
|
||||
url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
||||
url="/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
||||
for further information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -389,7 +389,7 @@ loc eth2 -</programlisting>
|
||||
refers to the name given in this option. It is useful when you
|
||||
want to specify the same wildcard port name on two or more
|
||||
bridges. See <ulink
|
||||
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
||||
url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
||||
|
||||
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
||||
name (ends with '+'), then the physical
|
||||
@ -630,7 +630,7 @@ dmz eth2 -</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
||||
|
@ -78,7 +78,7 @@
|
||||
specified, matching packets must match all of the listed sets.</para>
|
||||
|
||||
<para>For information about set lists and exclusion, see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||
|
@ -27,8 +27,8 @@
|
||||
associated IPv6 addresses to be allowed to use the specified interface.
|
||||
The feature is enabled by using the <emphasis
|
||||
role="bold">maclist</emphasis> option in the <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
|
||||
<ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
|
||||
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
||||
configuration file.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
@ -43,7 +43,7 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
|
||||
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
|
||||
is also allowed). If specified, the
|
||||
<replaceable>log-level</replaceable> causes packets matching the
|
||||
rule to be logged at that level.</para>
|
||||
@ -99,10 +99,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
|
||||
url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -25,13 +25,13 @@
|
||||
|
||||
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
||||
replace <ulink
|
||||
url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink>. This file is
|
||||
only processed by the compiler if:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
|
||||
<ulink url="shorewall.conf.html">shorewall6.conf(5)</ulink>);
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>);
|
||||
or</para>
|
||||
</listitem>
|
||||
|
||||
@ -46,14 +46,14 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final mark for
|
||||
each packet will be the one assigned by the LAST tcrule that
|
||||
matches.</para>
|
||||
|
||||
<para>If you use multiple internet providers with the 'track' option, in
|
||||
/etc/shorewall/providers be sure to read the restrictions at <ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
@ -106,7 +106,7 @@
|
||||
<para>Unless otherwise specified for the particular
|
||||
<replaceable>command</replaceable>, the default chain is PREROUTING
|
||||
when MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, and FORWARD
|
||||
when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
@ -161,11 +161,11 @@
|
||||
<para>When using Shorewall's built-in traffic shaping tool,
|
||||
the <emphasis>major</emphasis> class is the device number (the
|
||||
first device in <ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
is major class 1, the second device is major class 2, and so
|
||||
on) and the <emphasis>minor</emphasis> class is the class's
|
||||
MARK value in <ulink
|
||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
||||
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
||||
preceded by the number 1 (MARK 1 corresponds to minor class
|
||||
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
|
||||
to minor class 122, etc.).</para>
|
||||
@ -299,7 +299,7 @@
|
||||
specified at the end of the rule. If the target is not one
|
||||
known to Shorewall, then it must be defined as a builtin
|
||||
action in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The following rules are equivalent:</para>
|
||||
@ -312,7 +312,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
|
||||
third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
@ -445,7 +445,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
<para>This error message may be eliminated by adding the
|
||||
<replaceable>target</replaceable> as a builtin action in
|
||||
<ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -487,7 +487,7 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||
equal proportions. If no mask is specified, then ( 2 **
|
||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -588,7 +588,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<listitem>
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a tproxy provider to be defined in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - neither is
|
||||
required:</para>
|
||||
@ -714,7 +714,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -731,7 +731,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<para>An interface name. May not be used in the PREROUTING chain
|
||||
(:P in the mark column or no chain qualifier and
|
||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="shorewall6.conf">shorewall6.conf</ulink> (5)). The
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5)). The
|
||||
interface name may be optionally followed by a colon (":") and
|
||||
an IP address list.</para>
|
||||
</listitem>
|
||||
@ -751,7 +751,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -786,7 +786,7 @@ Normal-Service => 0x00</programlisting>
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -1146,16 +1146,16 @@ Normal-Service => 0x00</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
||||
|
@ -35,9 +35,9 @@
|
||||
<para>If you have more than one ISP link, adding entries to this file
|
||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||
through a particular link. You must use entries in <ulink
|
||||
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
|
||||
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) or
|
||||
PREROUTING entries in <ulink
|
||||
url="shorewall6-mangle.html">shorewall-tcrules</ulink>(5) to do
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to do
|
||||
that.</para>
|
||||
</warning>
|
||||
|
||||
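Review bot: The second link in this warning changes its target, not just its prefix: the old url was `shorewall6-mangle.html` and the new one is `/manpages6/shorewall6-tcrules.html`. The shorewall6-mangle page touched elsewhere in this patch says that file is intended to replace tcrules as of Shorewall 4.6.0, so please confirm the retarget is deliberate. The link text is still `shorewall-tcrules` without the `6` and should be updated to match whichever page is chosen.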
@ -56,17 +56,17 @@
|
||||
internet interface.</para>
|
||||
|
||||
<para>Each interface must match an entry in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
For example, <filename class="devicefile">ppp0</filename> in this
|
||||
file will match a <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
|
||||
<para>Where <ulink
|
||||
url="http://www.shorewall.net/4.4/MultiISP.html#Shared">more that
|
||||
url="/4.4/MultiISP.html#Shared">more that
|
||||
one internet provider share a single interface</ulink>, the provider
|
||||
is specified by including the provider name or number in
|
||||
parentheses:</para>
|
||||
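Review bot: The shared-interface link becomes `/4.4/MultiISP.html#Shared`, keeping a version-specific `/4.4/` path, whereas the mangle page in this patch links the same document as `/MultiISP.html`. Suggest `url="/MultiISP.html#Shared"` unless the 4.4 copy is specifically wanted, and fix the link text typo "more that" to "more than" while this line is being edited.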
@ -81,7 +81,7 @@
|
||||
addresses to indicate that you only want to change the source IP
|
||||
address for packets being sent to those particular destinations.
|
||||
Exclusion is allowed (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
|
||||
are ipset names preceded by a plus sign '+'.</para>
|
||||
|
||||
<para>Comments may be attached to Netfilter rules generated from
|
||||
@ -545,7 +545,7 @@
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink>, then these
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then these
|
||||
rules may be specified as follows:</para>
|
||||
|
||||
<programlisting>/etc/shorewall/masq:
|
||||
|
@ -30,7 +30,7 @@
|
||||
<para>These files specify which kernel modules shorewall6 will load before
|
||||
trying to determine your ip6tables/kernel's capabilities. The
|
||||
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(8); the
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5); the
|
||||
<filename>helpers</filename> file is used when
|
||||
LOAD_HELPERS_ONLY=Yes.</para>
|
||||
|
||||
@ -48,7 +48,7 @@
|
||||
<para>The <replaceable>modulename</replaceable> names a kernel module
|
||||
(without suffix). shorewall6 will search for modules based on your
|
||||
MODULESDIR and MODULE_SUFFIX settings in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(8). The
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
|
||||
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
|
||||
installed) or to insmod.</para>
|
||||
|
||||
|
@ -24,7 +24,7 @@
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>In <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5), a
|
||||
<para>In <ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a
|
||||
zone may be declared to be a sub-zone of one or more other zones using the
|
||||
above syntax. The <replaceable>child-zone</replaceable> may be neither the
|
||||
firewall zone nor a vserver zone. The firewall zone may not appear as a
|
||||
@ -32,7 +32,7 @@
|
||||
firewall zone.</para>
|
||||
|
||||
<para>Where zones are nested, the CONTINUE policy in <ulink
|
||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
|
||||
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
|
||||
that are within multiple zones to be managed under the rules of all of
|
||||
these zones.</para>
|
||||
</refsect1>
|
||||
@ -74,7 +74,7 @@
|
||||
under rules where the source zone is net. It is important that this policy
|
||||
be listed BEFORE the next policy (net to all). You can have this policy
|
||||
generated for you automatically by using the IMPLICIT_CONTINUE option in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
||||
|
||||
|
@ -82,7 +82,7 @@
|
||||
<listitem>
|
||||
<para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
|
||||
Shorewall6 4.4.24, <ulink
|
||||
url="shorewall6-exclusion.html">exclusion</ulink> is
|
||||
url="/manpages6/shorewall6-exclusion.html">exclusion</ulink> is
|
||||
supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
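Review bot: the CIDR example in the context line, "2001:470:b:227/64", is not a valid IPv6 network. It has only four groups and no "::" to stand for the remaining zero groups. Since this paragraph is being edited, change the example to 2001:470:b:227::/64 so that users who copy it get an address that parses.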
@ -94,12 +94,12 @@
|
||||
<listitem>
|
||||
<para>The name of a network interface. The interface must be defined
|
||||
in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
For example, <filename class="devicefile">ppp0</filename> in this
|
||||
file will match a <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
</listitem>
|
||||
@ -147,7 +147,7 @@
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -188,9 +188,9 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
|
||||
url="/netmap.html">http://www.shorewall.net/netmap.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -26,7 +26,7 @@
|
||||
<para>Assign any shell variables that you need in this file. The file is
|
||||
always processed by <filename>/bin/sh</filename> or by the shell specified
|
||||
through SHOREWALL_SHELL in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
|
||||
of shell capabilities may be used.</para>
|
||||
|
||||
<para>It is suggested that variable names begin with an upper case letter
|
||||
@ -40,7 +40,7 @@
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">Any option from <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5)</emphasis></member>
|
||||
|
||||
<member><emphasis role="bold">COMMAND</emphasis></member>
|
||||
@ -107,7 +107,7 @@
|
||||
NET_OPTIONS=dhcp,nosmurfs</programlisting>
|
||||
|
||||
<para>Example <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
|
||||
@ -129,7 +129,7 @@ net eth0 - dhcp,nosmurfs</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
||||
url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>This file defines the high-level policy for connections between
|
||||
zones defined in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
|
||||
<important>
|
||||
<para>The order of entries in this file is important</para>
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
|
||||
"all+".</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
@ -84,7 +84,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW, "all" or
|
||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||
"all+", another bport zone associated with the same bridge, or it
|
||||
must be an ipv4 zone that is associated with only the same
|
||||
@ -118,7 +118,7 @@
|
||||
<listitem>
|
||||
<para>The word "None" or "none". This causes any default action
|
||||
defined in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
|
||||
omitted for this policy.</para>
|
||||
</listitem>
|
||||
|
||||
@ -191,7 +191,7 @@
|
||||
might also match (where the source or destination zone in
|
||||
those rules is a superset of the SOURCE or DEST in this
|
||||
policy). See <ulink
|
||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||
for additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -231,7 +231,7 @@
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>For a description of log levels, see <ulink
|
||||
url="http://www.shorewall.net/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
|
||||
url="/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
|
||||
|
||||
<para>If you don't want to log but need to specify the following
|
||||
column, place "-" here.</para>
|
||||
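Review bot: the new url="/shorewall_logging.html." keeps the sentence's trailing period inside both the attribute and the link text, so the link targets a file named "shorewall_logging.html." that the other hunks in this commit do not reference. Move the period outside the element: url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.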
@ -327,7 +327,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -77,11 +77,11 @@
|
||||
|
||||
<listitem>
|
||||
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
|
||||
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink> file to
|
||||
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file to
|
||||
direct packets to this provider.</para>
|
||||
|
||||
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>, then the
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then the
|
||||
value must be a multiple of 256 between 256 and 65280 or their
|
||||
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
|
||||
of the value being zero). Otherwise, the value must be between 1 and
|
||||
@ -110,7 +110,7 @@
|
||||
<listitem>
|
||||
<para>The name of the network interface to the provider. Must be
|
||||
listed in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>.</para>
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -190,7 +190,7 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.4.3, <option>track</option>
|
||||
defaults to the setting of the TRACK_PROVIDERS option in
|
||||
<ulink url="shorwewall6.conf.html">shorewall6.conf</ulink>
|
||||
<ulink url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5). If you set TRACK_PROVIDERS=Yes and want to override that
|
||||
setting for an individual provider, then specify
|
||||
<option>notrack</option> (see below).</para>
|
||||
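Review bot: the replacement URL carries over the misspelling from the old one: url="/manpages6/shorwewall6.conf.html" should be url="/manpages6/shorewall6.conf.html", as in every other hunk of this commit. As written, the TRACK_PROVIDERS reference is a dead link.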
@ -238,7 +238,7 @@
|
||||
and configured with an IPv4 address then ignore this provider.
|
||||
If not specified, the value of the <option>optional</option>
|
||||
option for the INTERFACE in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
|
||||
is assumed. Use of that option is preferred to this one,
|
||||
unless an <replaceable>address</replaceable> is provider in
|
||||
the INTERFACE column.</para>
|
||||
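Review bot: this hunk leaves the section number inside the link, `shorewall6-interfaces(5)</ulink>`, while the INTERFACE hunk earlier in the same file was changed to `shorewall6-interfaces</ulink>(5)`. Use the same form here for consistency. The context line "unless an address is provider in the INTERFACE column" also looks like it should read "provided".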
@ -275,7 +275,7 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
|
||||
action in shorewall-tcrules(5). See <ulink
|
||||
url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
||||
url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
|
||||
When specified, the MARK, DUPLICATE and GATEWAY columns should
|
||||
be empty, INTERFACE should be set to 'lo' and
|
||||
<option>tproxy</option> should be the only OPTION. Only one
|
||||
@ -389,10 +389,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -133,7 +133,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
|
||||
|
@ -34,7 +34,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The name or number of a provider defined in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink> (5).
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink> (5).
|
||||
Beginning with Shorewall 4.5.14, you may also enter
|
||||
<option>main</option> in this column to add routes to the main
|
||||
routing table.</para>
|
||||
@ -73,7 +73,7 @@
|
||||
<listitem>
|
||||
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
|
||||
given, then the INTERFACE specified for the PROVIDER in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
|
||||
(5).This column must be omitted if <option>blackhole</option>,
|
||||
<option>prohibit</option> or <option>unreachable</option> is
|
||||
specified in the GATEWAY column.</para>
|
||||
@ -92,7 +92,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file is deprecated in favor of the <ulink
|
||||
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||
url="/manpages6/shorewall6-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>This file is used to define the hosts that are accessible when the
|
||||
@ -80,7 +80,7 @@
|
||||
themselves. Beginning with Shorewall 4.4.9, this option is
|
||||
automatically set if <emphasis
|
||||
role="bold">routeback</emphasis> is specified in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5) or if the rules compiler detects that the interface is a
|
||||
bridge.</para>
|
||||
</listitem>
|
||||
@ -149,7 +149,7 @@
|
||||
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
||||
role="bold">dest</emphasis> options work best when used in conjunction
|
||||
with ADMINISABSENTMINDED=Yes in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</note>
|
||||
</refsect1>
|
||||
|
||||
@ -181,10 +181,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>Entries in this file cause traffic to be routed to one of the
|
||||
providers listed in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
|
||||
@ -164,7 +164,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>Entries in this file govern connection establishment by defining
|
||||
exceptions to the policies laid out in <ulink
|
||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
|
||||
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
|
||||
subsequent requests and responses are automatically allowed using
|
||||
connection tracking. For any particular (source,dest) pair of zones, the
|
||||
rules are evaluated in the order in which they appear in this file and the
|
||||
@ -80,7 +80,7 @@
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the RELATED_DISPOSITION (<ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -96,7 +96,7 @@
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the INVALID_DISPOSITION (<ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -112,7 +112,7 @@
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the UNTRACKED_DISPOSITION (<ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -137,7 +137,7 @@
|
||||
|
||||
<warning>
|
||||
<para>If you specify FASTACCEPT=Yes in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
|
||||
role="bold">ESTABLISHED</emphasis> and <emphasis
|
||||
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||
|
||||
@ -197,7 +197,7 @@
|
||||
<listitem>
|
||||
<para>like ACCEPT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -207,7 +207,7 @@
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||
in /usr/share/shorewall/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -302,11 +302,11 @@
|
||||
<para>Do not process any of the following rules for this
|
||||
(source zone,destination zone). If the source and/or
|
||||
destination IP address falls into a zone defined later in
|
||||
<ulink url="shorewall6-zones.html">shorewall6-zones</ulink>(5)
|
||||
<ulink url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
|
||||
or in a parent zone of the source or destination zones, then
|
||||
this connection request will be passed to the rules defined
|
||||
for that (those) zone(s). See <ulink
|
||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
||||
for additional information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -317,7 +317,7 @@
|
||||
<listitem>
|
||||
<para>like CONTINUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -388,7 +388,7 @@
|
||||
<listitem>
|
||||
<para>like DROP but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -419,7 +419,7 @@
|
||||
INLINE(ACCEPT)). Otherwise, you can include it after the
|
||||
semicolon. In this case, you must declare the target as a
|
||||
builtin action in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
|
||||
<para>Some considerations when using INLINE:</para>
|
||||
|
||||
@ -464,7 +464,7 @@
|
||||
<para>This error message may be eliminated by adding the
|
||||
<replaceable>target</replaceable> as a builtin action in
|
||||
<ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
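Review bot: the new line still ends `shorewall6-actions(5)</ulink>`, with the section number inside the link, whereas the INLINE hunk just above in this file uses `shorewall6-actions</ulink>(5)`. Move "(5)" outside the element so the two references to the same page render identically.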
@ -510,7 +510,7 @@
|
||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
|
||||
<para>Similar to<emphasis role="bold">
|
||||
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
|
||||
@ -539,7 +539,7 @@
|
||||
<listitem>
|
||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -571,7 +571,7 @@
|
||||
<listitem>
|
||||
<para>like QUEUE but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -613,7 +613,7 @@
|
||||
<listitem>
|
||||
<para>like REJECT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@ -629,7 +629,7 @@
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
/usr/share/shorewall/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
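Review bot: this reference now points at url="/manpages/shorewall-actions.html" with link text "shorewall-actions", which is the IPv4 manual. The ACTION hunk earlier in this same file links url="/manpages6/shorewall6-actions.html" for the same "action declared in ..." wording. Unless the IPv4 page is intended here, change both the path and the link text to the shorewall6 variant.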
@ -660,7 +660,7 @@
|
||||
<para>Actions specifying logging may be followed by a log tag (a
|
||||
string of alphanumeric characters) which is appended to the string
|
||||
generated by the LOGPREFIX (in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
|
||||
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
||||
the log prefix generated by the LOGPREFIX setting.</para>
|
||||
@ -688,7 +688,7 @@
|
||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||
<replaceable>zone-list </replaceable>which consists of a
|
||||
comma-separated list of zones declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). This
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). This
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic.</para>
|
||||
@ -707,7 +707,7 @@
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||
<ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||
@ -740,7 +740,7 @@
|
||||
firewall interface can be specified by an ampersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
@ -750,7 +750,7 @@
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||
Kernel.</para>
|
||||
@ -761,7 +761,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
@ -856,7 +856,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Location of Server. May be a zone declared in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
|
||||
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
||||
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
||||
<emphasis role="bold">none</emphasis>.</para>
|
||||
@ -864,18 +864,18 @@
|
||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
||||
<replaceable>zone-list </replaceable>which consists of a
|
||||
comma-separated list of zones declared in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5). Ths
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
|
||||
exclusion is supported -- see see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
||||
firewall interface can be specified by an ampersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
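Review bot: the changed line ends with "(5). Ths", which should be "This"; the matching SOURCE paragraph in this file already has the correct spelling. Two context lines below, "exclusion is supported -- see see" repeats a word. Both are on or next to lines this hunk rewrites, so they can be fixed here.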
@ -885,7 +885,7 @@
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||
Kernel.</para>
|
||||
@ -925,7 +925,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>Restriction: MAC addresses are not allowed (this is a
|
||||
Netfilter restriction).</para>
|
||||
@ -1024,7 +1024,7 @@
|
||||
interpreted as the destination icmp-type(s). ICMP types may be
|
||||
specified as a numeric type, a numeric type and code separated by a
|
||||
slash (e.g., 3/4), or a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
|
||||
listed.</para>
|
||||
|
||||
@ -1559,7 +1559,7 @@
|
||||
</simplelist>
|
||||
|
||||
<para>If the HELPERS option is specified in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), then any module
|
||||
specified in this column must be listed in the HELPERS
|
||||
setting.</para>
|
||||
</listitem>
|
||||
@ -1654,7 +1654,7 @@
|
||||
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5):</para>
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5):</para>
|
||||
|
||||
<programlisting> #ACTION OPTIONS
|
||||
SECCTX builtin</programlisting>
|
||||
@ -1673,10 +1673,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5),
|
||||
|
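Review bot: In both See ALSO links of this hunk the `url` becomes root-relative while the visible text becomes an absolute `http://www.shorewall.net/...` URL, so what a reader sees or copies and what the link follows are now two different forms that can drift apart. Consider descriptive link text, as the `Shorewall FAQ 97a` link elsewhere in this patch already does, or keep text and target identical.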
@ -25,7 +25,7 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final secmark
|
||||
for each packet will be the one assigned by the LAST rule that
|
||||
matches.</para>
|
||||
@ -182,7 +182,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -210,7 +210,7 @@
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -245,7 +245,7 @@
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -412,7 +412,7 @@ RESTORE I:ER</programlisting>
|
||||
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
|
@ -153,10 +153,10 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
|
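Review bot: The trailing context still lists `shorewall_interfaces(5)` with an underscore, while every other entry in the list uses a hyphen (`shorewall-accounting(5)`, `shorewall-hosts(5)`). Since this change is already a pass over the See ALSO block, correct it to `shorewall-interfaces(5)` here as well.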
@ -125,7 +125,7 @@
|
||||
<para>You may specify either the interface number or the interface
|
||||
name. If the <emphasis role="bold">classify</emphasis> option is
|
||||
given for the interface in <ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
|
||||
then you must also specify an interface class (an integer that must
|
||||
be unique within classes associated with this interface).</para>
|
||||
|
||||
@ -134,13 +134,13 @@
|
||||
|
||||
<para>Please note that you can only use interface names in here that
|
||||
have a bandwidth defined in the <ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>Normally, all classes defined here are sub-classes of a root
|
||||
class (class number 1) that is implicitly defined from the entry in
|
||||
<ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
|
||||
can establish a class hierarchy by specifying a
|
||||
<emphasis>parent</emphasis> class -- the number of a class that you
|
||||
have previously defined. The sub-class may borrow unused bandwidth
|
||||
@ -155,12 +155,12 @@
|
||||
<listitem>
|
||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||
range 1-255. You set mark values in the <ulink
|
||||
url="shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
|
||||
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5) file,
|
||||
marking the traffic you want to fit in the classes defined in here.
|
||||
Must be specified as '-' if the <emphasis
|
||||
role="bold">classify</emphasis> option is given for the interface in
|
||||
<ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
|
||||
you are running Shorewall 4.5 5 or earlier.</para>
|
||||
|
||||
<para>You can use the same marks for different interfaces.</para>
|
||||
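Review bot: The unchanged line `you are running Shorewall 4.5 5 or earlier` does not contain a well-formed version number (a dot appears to be missing). The paragraph is being touched for the two link fixes anyway, so correct the version string in the same change; otherwise readers cannot tell which releases require '-' in the MARK column.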
@ -718,10 +718,10 @@
|
||||
<para>tc-red(8)</para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -104,7 +104,7 @@
|
||||
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
||||
listed only once in this file. You may NOT specify the name of an
|
||||
alias (e.g., eth0:0) here; see <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||
|
||||
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
||||
ppp interfaces, you need to put them all in here!</para>
|
||||
@ -152,7 +152,7 @@
|
||||
may be configured instead. Rate-estimated filters should be used
|
||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||
default. See <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
||||
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
97a</ulink>.</para>
|
||||
|
||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||
@ -172,7 +172,7 @@
|
||||
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
|
||||
This is the maximum speed your connection can handle. It is also the
|
||||
speed you can refer as "full" if you define the tc classes in <ulink
|
||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
|
||||
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
|
||||
Outgoing traffic above this rate will be dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -196,7 +196,7 @@
|
||||
<para><option>classify</option> ― When specified, Shorewall will not
|
||||
generate tc or Netfilter rules to classify traffic based on packet
|
||||
marks. You must do all classification using CLASSIFY rules in <ulink
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).</para>
|
||||
|
||||
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
||||
Bucket</firstterm> queuing discipline. This is the default.</para>
|
||||
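Review bot: This line does more than re-root the path: both target and link text switch from `shorewall-tcrules` to `shorewall6-tcrules`. That is the right direction for a Shorewall6 page, but other hunks in this patch send readers to `shorewall6-mangle` for setting marks and as the replacement for the tos file. Confirm that `/manpages6/shorewall6-tcrules.html` exists in the published tree and is the page readers of the `classify` option should land on.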
@ -285,7 +285,7 @@
|
||||
<para>tc-hfsc (7)</para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
|
||||
|
@ -70,10 +70,10 @@
|
||||
<listitem>
|
||||
<para>The name or number of an <returnvalue>interface</returnvalue>
|
||||
defined in <ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
followed by a <replaceable>class</replaceable> number defined for
|
||||
that interface in <ulink
|
||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -312,13 +312,13 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para></para>
|
||||
</refsect1>
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>This file lists the interfaces that are subject to simple traffic
|
||||
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
||||
file:</para>
|
||||
@ -162,7 +162,7 @@
|
||||
may be configured instead. Rate-estimated filters should be used
|
||||
with Ethernet adapters that have Generic Receive Offload enabled by
|
||||
default. See <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq97a">Shorewall FAQ
|
||||
url="/FAQ.htm#faq97a">Shorewall FAQ
|
||||
97a</ulink>.</para>
|
||||
|
||||
<para>To create a rate-estimated filter, precede the bandwidth with
|
||||
|
@ -25,12 +25,12 @@
|
||||
|
||||
<para>This file is used to specify the priority band of traffic for simple
|
||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
|
||||
of each packet is determined by the <emphasis role="bold">last</emphasis>
|
||||
entry that the packet matches. If a packet doesn't match any entry in this
|
||||
file, then its priority will be determined by its TOS field. The default
|
||||
mapping is as follows but can be changed by setting the TC_PRIOMAP option
|
||||
in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
in <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<programlisting>TOS Bits Means Linux Priority BAND
|
||||
------------------------------------------------------------
|
||||
@ -63,7 +63,7 @@
|
||||
<para>Classifies matching traffic as High Priority (1), Medium
|
||||
Priority (2) or Low Priority (3). For those interfaces listed in
|
||||
<ulink
|
||||
url="shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5),
|
||||
url="/manpages6/shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5),
|
||||
Priority 2 traffic will be deferred so long and there is Priority 1
|
||||
traffic queued and Priority 3 traffic will be deferred so long as
|
||||
there is Priority 1 or Priority 2 traffic to send.</para>
|
||||
|
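Review bot: The sentence right after the changed link says Priority 2 traffic "will be deferred so long and there is Priority 1 traffic queued"; "and" should be "as", matching the Priority 3 clause that follows. Worth fixing while this paragraph is being edited.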
@ -28,14 +28,14 @@
|
||||
|
||||
<important>
|
||||
<para>Unlike rules in the <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
|
||||
of rules in this file will continue after a match. So the final mark for
|
||||
each packet will be the one assigned by the LAST tcrule that
|
||||
matches.</para>
|
||||
|
||||
<para>If you use multiple internet providers with the 'track' option, in
|
||||
/etc/shorewall6/providers be sure to read the restrictions at <ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
||||
@ -123,7 +123,7 @@
|
||||
|
||||
<para>- Otherwise, the chain is determined by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||
included for completeness and affects neither traffic shaping
|
||||
@ -203,7 +203,7 @@
|
||||
then the assigned mark values are 0x200, 0x300 and 0x400 in
|
||||
equal proportions. If no mask is specified, then ( 2 **
|
||||
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
|
||||
<para>May optionally be followed by <emphasis
|
||||
role="bold">:P</emphasis>, <emphasis
|
||||
@ -231,7 +231,7 @@
|
||||
|
||||
<para>- Otherwise, the chain is determined by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||
included for completeness and affects neither traffic shaping
|
||||
@ -317,11 +317,11 @@
|
||||
<para>When using Shorewall6's built-in traffic shaping tool, the
|
||||
<emphasis>major</emphasis> class is the device number (the first
|
||||
device in <ulink
|
||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
is major class 1, the second device is major class 2, and so on)
|
||||
and the <emphasis>minor</emphasis> class is the class's MARK
|
||||
value in <ulink
|
||||
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
||||
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
|
||||
preceded by the number 1 (MARK 1 corresponds to minor class 11,
|
||||
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
|
||||
minor class 122, etc.).</para>
|
||||
@ -517,7 +517,7 @@
|
||||
[<replaceable>option</replaceable>] ...") after any matches
|
||||
specified at the end of the rule. If the target is not one known
|
||||
to Shorewall, then it must be defined as a builtin action in
|
||||
<ulink url="shorewall6-actions.html">shorewall6-actions</ulink>
|
||||
<ulink url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The following rules are equivalent:</para>
|
||||
@ -529,7 +529,7 @@ INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
|
||||
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink> then the
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then the
|
||||
third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
@ -653,7 +653,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
@ -662,7 +662,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<listitem>
|
||||
<para><replaceable>mark</replaceable> - the MARK value
|
||||
corresponding to the local provider in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -687,7 +687,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
@ -747,7 +747,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -777,7 +777,7 @@ Normal-Service => 0x00</programlisting>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -812,7 +812,7 @@ Normal-Service => 0x00</programlisting>
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
@ -1214,16 +1214,16 @@ Normal-Service => 0x00</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
|
||||
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
|
||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
||||
|
@ -25,7 +25,7 @@
|
||||
|
||||
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
||||
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
||||
<ulink url="shorewall6-mangle.html">shorewall6-mangle</ulink>
|
||||
<ulink url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
@ -166,7 +166,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -27,7 +27,7 @@
|
||||
encrypted) traffic to pass between the Shorewall6 system and a remote
|
||||
gateway. Traffic flowing through the tunnel is handled using the normal
|
||||
zone/policy/rule mechanism. See <ulink
|
||||
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||
for details.</para>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
@ -138,7 +138,7 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||
may be given. Exclusion (<ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
|
||||
is not supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -240,7 +240,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -44,14 +44,14 @@
|
||||
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
|
||||
names. The maximum length of a zone name is determined by the
|
||||
setting of the LOGFORMAT option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
|
||||
default LOGFORMAT, zone names can be at most 5 characters
|
||||
long.</para>
|
||||
|
||||
<blockquote>
|
||||
<para>The maximum length of an iptables log prefix is 29 bytes. As
|
||||
explained in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf</ulink> (5), the default
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the default
|
||||
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
|
||||
%s is replaced by the chain name and the second is replaced by the
|
||||
disposition.</para>
|
||||
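Review bot: Inside the blockquote the second replacement keeps the space in `</ulink> (5)`, while the first link in this hunk and most of the patch use `</ulink>(5)`; normalise it. The same blockquote also calls the setting "LOGPREFIX" although the paragraph above names the option LOGFORMAT, so one of the two names should be corrected.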
@ -95,7 +95,7 @@
|
||||
follow the (sub)zone name by ":" and a comma-separated list of the
|
||||
parent zones. The parent zones must have been declared in earlier
|
||||
records in this file. See <ulink
|
||||
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
|
||||
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
|
||||
additional information.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
@ -108,7 +108,7 @@ c:a,b ipv6</programlisting>
|
||||
<para>Currently, Shorewall6 uses this information to reorder the
|
||||
zone list so that parent zones appear after their subzones in the
|
||||
list. The IMPLICIT_CONTINUE option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
|
||||
create implicit CONTINUE policies to/from the subzone.</para>
|
||||
|
||||
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
|
||||
@ -135,7 +135,7 @@ c:a,b ipv6</programlisting>
|
||||
the column. Communication with some zone hosts may be
|
||||
encrypted. Encrypted hosts are designated using the 'ipsec'
|
||||
option in <ulink
|
||||
url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -178,7 +178,7 @@ c:a,b ipv6</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
|
||||
Linux-vserver guests. The zone contents must be defined in
|
||||
<ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>
|
||||
<ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Vserver zones are implicitly handled as subzones of the
|
||||
@ -206,7 +206,7 @@ c:a,b ipv6</programlisting>
|
||||
$FW rules are defined, they are placed in a chain named
|
||||
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
|
||||
depending on the ZONE2ZONE setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
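Review bot: The context line `${FW}2${F2} or ${FW}-${FW}` contains `${F2}`, which does not match the examples given right after it ('fw2fw' or 'fw-fw'); it looks like a typo for `${FW}`. Fix it alongside the link change so the chain-name pattern is unambiguous.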
@ -288,12 +288,12 @@ c:a,b ipv6</programlisting>
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
traffic from this zone to be passed against the <emphasis
|
||||
role="bold">src</emphasis> entries in <ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>When specified in the OUT_OPTIONS column, causes all
|
||||
traffic to this zone to be passed against the <emphasis
|
||||
role="bold">dst</emphasis> entries in s<ulink
|
||||
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>Specifying this option in the OPTIONS column is
|
||||
equivalent to entering it in both of the IN_OPTIONS and
|
||||
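Review bot: The second replacement in this hunk carries over a markup slip: the leading "s" sits outside the link (`entries in s<ulink`), so the link text is `horewall6-blacklist`. Move the "s" inside the element so the text reads `shorewall6-blacklist`, as in the IN_OPTIONS paragraph above.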
@ -309,7 +309,7 @@ c:a,b ipv6</programlisting>
|
||||
OPTIONS column and indicates that only a single ipset should
|
||||
be created for this zone if it has multiple dynamic entries in
|
||||
<ulink
|
||||
url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).
|
||||
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5).
|
||||
Without this option, a separate ipset is created for each
|
||||
interface.</para>
|
||||
</listitem>
|
||||
@ -353,7 +353,7 @@ c:a,b ipv6</programlisting>
|
||||
<listitem>
|
||||
<para>sets the MSS field in TCP packets. If you supply this
|
||||
option, you should also set FASTACCEPT=No in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) to
|
||||
insure that both the SYN and SYN,ACK packets have their MSS
|
||||
field adjusted.</para>
|
||||
</listitem>
|
||||
@ -426,10 +426,10 @@ c:a,b ipv6</programlisting>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
||||
url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
@ -171,7 +171,7 @@
|
||||
<para>If you set the value of either option to "None" then no
|
||||
default action will be used and the default action or macro must be
|
||||
specified in <ulink
|
||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
|
||||
|
||||
<para>You can pass <replaceable>parameters</replaceable> to the
|
||||
specified action or macro (e.g.,
|
||||
@ -192,7 +192,7 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting
|
||||
is enabled (see <ulink
|
||||
url="shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).
|
||||
url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).
|
||||
If not specified or set to the empty value, ACCOUNTING=Yes is
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
@ -207,7 +207,7 @@
|
||||
<para>Added in Shorewall 4.4.20. This setting determines which
|
||||
Netfilter table the accounting rules are added in. By default,
|
||||
ACCOUNTING_TABLE=filter is assumed. See also <ulink
|
||||
url="shorewall-accounting.html">shorewall-accounting</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -219,11 +219,11 @@
|
||||
<para>The value of this variable affects Shorewall6's stopped state.
|
||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
||||
listed in <ulink
|
||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
is accepted when Shorewall6 is stopped. When
|
||||
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
|
||||
<ulink
|
||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
|
||||
connections that were active when Shorewall6 stopped continue to
|
||||
work and all new connections from the firewall system itself are
|
||||
allowed. If this variable is not set or is given the empty value
|
||||
@ -280,13 +280,13 @@
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Modify <ulink
|
||||
url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
|
||||
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>
|
||||
(5) to only apply helpers where they are required; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the appropriate helper in the HELPER column in
|
||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<note>
|
||||
@ -357,7 +357,7 @@
|
||||
a value or if you assign an empty value then DROP is assumed. The
|
||||
setting determines the disposition of packets sent to the <emphasis
|
||||
role="bold">blacklog</emphasis> target of <ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -374,7 +374,7 @@
|
||||
hosts are not logged. The setting determines the log level of
|
||||
packets sent to the <emphasis role="bold">blacklog</emphasis> target
|
||||
of <ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -391,11 +391,11 @@
|
||||
connections, for packets in the INVALID connection state (such as a
|
||||
TCP SYN,ACK when there has been no corresponding SYN), and for
|
||||
packets that are UNTRACKED due to entries in <ulink
|
||||
url="shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
|
||||
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
|
||||
This includes entries in the <ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
|
||||
and in the BLACKLIST section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
@ -464,13 +464,13 @@
|
||||
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5). If not
|
||||
specified, CLEAR_TC=No is assumed.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you also run Shorewall and if you have
|
||||
TC_ENABLED=Internal in your <ulink
|
||||
url="../manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
||||
url="/manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
||||
then you will want CLEAR_TC=No in this file.</para>
|
||||
</warning>
|
||||
</listitem>
|
||||
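Review bot: In the CLEAR_TC warning, the new target is /manpages/shorewall.conf.html but the link text still reads shorewall-conf, which is not the name of the page being linked. Since the line is already being touched, change the text to shorewall.conf so the rendered reference matches its target. The TC_ENABLED warning later in this patch carries the same mismatch.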
@ -678,7 +678,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||
or RELATED sections of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||
|
||||
<note>
|
||||
<para>FASTACCEPT=Yes is incompatible with
|
||||
@ -709,7 +709,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
||||
directory containing the <firstterm>GeoIP Match</firstterm>
|
||||
database. See <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
If not specified, the default value is
|
||||
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
||||
location of the little-endian database.</para>
|
||||
@ -861,11 +861,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<para>Subzones are defined by following their name with ":" and a
|
||||
list of parent zones (in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)). Normally,
|
||||
you want to have a set of special rules for the subzone and if a
|
||||
connection doesn't match any of those subzone-specific rules then
|
||||
you want the parent zone rules and policies to be applied; see
|
||||
<ulink url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
|
||||
<ulink url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5).
|
||||
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
|
||||
|
||||
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
|
||||
@ -882,9 +882,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
|
||||
separates column-oriented specifications on the left from <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
|
||||
url="/configuration_file_basics.htm#Pairs">alternative
|
||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||
specified, the specifications on the right are interpreted as if
|
||||
INLINE had been specified in the ACTION column. If not specified or
|
||||
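Review bot: The unchanged line directly after the new url="/configuration_file_basics.htm#Pairs" still reads "specificaitons</ulink> on the right.." with a misspelling and a doubled period, and it is part of the same link whose URL is being edited. Fix it in this pass ("specifications</ulink> on the right.") rather than leaving a typo inside a link this hunk already rewrites. The first link in this paragraph also keeps "(5)" inside the ulink (shorewall6-rules(5)</ulink>), unlike most other references in the file.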
@ -900,7 +900,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||
INVALID packets through the NEW section of <ulink
|
||||
url="shorewall6-rules.html">shorewall-rules</ulink> (5). When a
|
||||
url="/manpages6/shorewall6-rules.html">shorewall-rules</ulink> (5). When a
|
||||
packet in INVALID state fails to match any rule in the INVALID
|
||||
section, the packet is disposed of based on this setting. The
|
||||
default value is CONTINUE for compatibility with earlier
|
||||
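Review bot: The replacement line for INVALID_DISPOSITION points at /manpages6/shorewall6-rules.html but keeps the link text shorewall-rules, so the rendered page names the IPv4 manual while linking to the IPv6 one. The next hunk (INVALID_LOG_LEVEL) corrects both the URL and the text to shorewall6-rules; do the same here so the two entries agree.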
@ -915,7 +915,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
|
||||
do not match any rule in the INVALID section of <ulink
|
||||
url="manpages/shorewall6-rules.html">shorewall-rules</ulink> (5) are
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
|
||||
logged at this level. The default value is empty which means no
|
||||
logging is performed.</para>
|
||||
</listitem>
|
||||
@ -1205,7 +1205,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<note>
|
||||
<para>The setting of LOGFORMAT has an effect of the permitted
|
||||
length of zone names. See <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1373,9 +1373,9 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>The performance of configurations with a large numbers of
|
||||
entries in <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
|
||||
url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5) can be
|
||||
improved by setting the MACLIST_TTL variable in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>If your iptables and kernel support the "Recent Match" (see
|
||||
the output of "shorewall check" near the top), you can cache the
|
||||
@ -1384,7 +1384,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<para>When a new connection arrives from a 'maclist' interface, the
|
||||
packet passes through then list of entries for that interface in
|
||||
<ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
<ulink url="/manpages6/shorewall6-maclist.html">shorewall6-maclist</ulink>(5). If
|
||||
there is a match then the source IP address is added to the 'Recent'
|
||||
set for that interface. Subsequent connection attempts from that IP
|
||||
address occurring within $MACLIST_TTL seconds will be accepted
|
||||
@ -1555,7 +1555,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Optimization category 1 - Traditionally, Shorewall has
|
||||
created rules for <ulink
|
||||
url="../ScalabilityAndPerformance.html">the complete matrix of
|
||||
url="/ScalabilityAndPerformance.html">the complete matrix of
|
||||
host groups defined by the zones, interfaces and hosts
|
||||
files</ulink>. Any traffic that didn't correspond to an element
|
||||
of that matrix was rejected in one of the built-in chains. When
|
||||
@ -1860,7 +1860,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<para>Added in Shorewall 4.4.27. Shorewall has traditionally
|
||||
ACCEPTed RELATED packets that don't match any rule in the RELATED
|
||||
section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
|
||||
about the safety of this practice resulted in the addition of this
|
||||
option. When a packet in RELATED state fails to match any rule in
|
||||
the RELATED section, the packet is disposed of based on this
|
||||
@ -1876,7 +1876,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.27. Packets in the related state that
|
||||
do not match any rule in the RELATED section of <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5) are
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
|
||||
logged at this level. The default value is empty which means no
|
||||
logging is performed.</para>
|
||||
</listitem>
|
||||
@ -1959,7 +1959,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
|
||||
at least one optional interface must be up in order for the firewall
|
||||
to be in the started state. Intended to be used with the <ulink
|
||||
url="../Manpages/shorewall-init.html">Shorewall Init
|
||||
url="/manpages/shorewall-init.html">Shorewall Init
|
||||
Package</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -2003,7 +2003,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Added in Shorewall 4.5.7. Determines the disposition of
|
||||
packets entering from interfaces with the <option>rpfilter</option>
|
||||
option (see <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)).
|
||||
Packets disposed of by this option are those whose response packets
|
||||
would not be sent through the same interface receiving the
|
||||
packet.</para>
|
||||
@ -2040,7 +2040,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. The default setting is DROP which
|
||||
causes smurf packets (see the nosmurfs option in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)) to
|
||||
be dropped. A_DROP causes the packets to be audited prior to being
|
||||
dropped and requires AUDIT_TARGET support in the kernel and
|
||||
ip6tables.</para>
|
||||
@ -2054,7 +2054,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Specifies the logging level for smurf packets (see the
|
||||
nosmurfs option in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)).
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)).
|
||||
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
|
||||
logged.</para>
|
||||
</listitem>
|
||||
@ -2068,7 +2068,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Determines the disposition of
|
||||
packets matching the <option>sfilter</option> option (see <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||
and of <firstterm>hairpin</firstterm> packets on interfaces without
|
||||
the <option>routeback</option> option.<footnote>
|
||||
<para>Hairpin packets are packets that are routed out of the
|
||||
@ -2084,7 +2084,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added on Shorewall 4.4.20. Determines the logging of packets
|
||||
matching the <option>sfilter</option> option (see <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||
and of <firstterm>hairpin</firstterm> packets on interfaces without
|
||||
the <option>routeback</option> option.<footnote>
|
||||
<para>Hairpin packets are packets that are routed out of the
|
||||
@ -2187,13 +2187,13 @@ INLINE - - - ; -j REJECT
|
||||
<filename>tcdevices</filename> and <filename>tcclasses</filename>
|
||||
files. This allows the compiler to have access to your Shorewall
|
||||
traffic shaping configuration so that it can validate CLASSIFY rules
|
||||
in <ulink url="shorewall-tcrules.html">shorewall6-tcrules</ulink>
|
||||
in <ulink url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<warning>
|
||||
<para>If you also run Shorewall and if you have
|
||||
TC_ENABLED=Internal in your <ulink
|
||||
url="../manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
||||
url="/manpages/shorewall.conf.html">shorewall-conf</ulink>(5),
|
||||
then you will want TC_ENABLED=No or TC_ENABLED=Shared in this
|
||||
file.</para>
|
||||
</warning>
|
||||
@ -2208,7 +2208,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Normally, Shorewall6 tries to protect users from themselves by
|
||||
preventing PREROUTING and OUTPUT tcrules from being applied to
|
||||
packets that have been marked by the 'track' option in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
||||
Shorewall6 will not include these cautionary checks.</para>
|
||||
@ -2222,7 +2222,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
|
||||
TOS field to priority bands. See <ulink
|
||||
url="shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
|
||||
url="/manpages6/shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
|
||||
<emphasis>map</emphasis> consists of 16 space-separated digits with
|
||||
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
|
||||
Linux priority 1, and 3 to Linux Priority 2. The first entry gives
|
||||
@ -2245,7 +2245,7 @@ INLINE - - - ; -j REJECT
|
||||
<para>Determines the disposition of TCP packets that fail the checks
|
||||
enabled by the <emphasis role="bold">tcpflags</emphasis> interface
|
||||
option (see <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
|
||||
and must have a value of ACCEPT (accept the packet), REJECT (send an
|
||||
RST response) or DROP (ignore the packet). If not set or if set to
|
||||
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
|
||||
@ -2273,20 +2273,20 @@ INLINE - - - ; -j REJECT
|
||||
<para>Added in Shorewall 4.4.3. When set to Yes, causes the
|
||||
<option>track</option> option to be assumed on all providers defined
|
||||
in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5). May
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5). May
|
||||
be overridden on an individual provider through use of the
|
||||
<option>notrack</option> option. The default value is 'No'.</para>
|
||||
|
||||
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
|
||||
also simplifies PREROUTING rules in <ulink
|
||||
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||
Previously, when TC_EXPERT=No, packets arriving through 'tracked'
|
||||
provider interfaces were unconditionally passed to the PREROUTING
|
||||
tcrules. This was done so that tcrules could reset the packet mark
|
||||
to zero, thus allowing the packet to be routed using the 'main'
|
||||
routing table. Using the main table allowed dynamic routes (such as
|
||||
those added for VPNs) to be effective. The <ulink
|
||||
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
|
||||
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
|
||||
created to provide a better alternative to clearing the packet mark.
|
||||
As a consequence, passing these packets to PREROUTING complicates
|
||||
things without providing any real benefit. Beginning with Shorewall
|
||||
@ -2322,7 +2322,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
|
||||
UNTRACKED packets through the NEW section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
|
||||
packet in UNTRACKED state fails to match any rule in the UNTRACKED
|
||||
section, the packet is disposed of based on this setting. The
|
||||
default value is CONTINUE for compatibility with earlier
|
||||
@ -2337,7 +2337,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
|
||||
do not match any rule in the UNTRACKED section of <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
|
||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5) are
|
||||
logged at this level. The default value is empty which means no
|
||||
logging is performed.</para>
|
||||
</listitem>
|
||||
@ -2362,7 +2362,7 @@ INLINE - - - ; -j REJECT
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Both the DUPLICATE and the COPY columns in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5)
|
||||
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
|
||||
file must remain empty (or contain "-").</para>
|
||||
</listitem>
|
||||
|
||||
@ -2379,7 +2379,7 @@ INLINE - - - ; -j REJECT
|
||||
<listitem>
|
||||
<para>Packets are sent through the main routing table by a rule
|
||||
with priority 999. In <ulink
|
||||
url="shorewall6-routing_rules.html">shorewall6-routing_rules</ulink>(5),
|
||||
url="/manpages6/shorewall6-routing_rules.html">shorewall6-routing_rules</ulink>(5),
|
||||
the range 1-998 may be used for inserting rules that bypass the
|
||||
main table.</para>
|
||||
</listitem>
|
||||
|
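Review bot: The new URL /manpages6/shorewall6-routing_rules.html only gains the directory prefix, but the TRACK_PROVIDERS hunk earlier in this same file refers to the routing rules file as shorewall6-rtrules(5). Two different page names for what the text treats as the same file suggests one of them is stale; confirm that shorewall6-routing_rules.html actually exists under /manpages6/ before merging, and if it does not, point this link at shorewall6-rtrules.html and update the link text to match.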
@ -647,7 +647,7 @@
|
||||
|
||||
<para>The <option>trace</option> and <option>debug</option> options are
|
||||
used for debugging. See <ulink
|
||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
||||
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
||||
|
||||
<para>The nolock <option>option</option> prevents the command from
|
||||
attempting to acquire the Shorewall6 lockfile. It is useful if you need to
|
||||
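Review bot: The href for the trace/debug reference changes from an absolute http://www.shorewall.net/ URL to the root-relative /starting_and_stopping_shorewall.htm#Trace, which resolves only when the generated HTML is served from the site root. A locally built copy of the documentation, or a mirror published under a subdirectory, will get a broken link where the absolute URL used to work. Either document that the HTML build rewrites root-relative URLs, or keep the absolute form for targets outside the manpages directories. The visible link text is also left as the absolute URL, so text and target now disagree.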
@ -659,7 +659,7 @@
|
||||
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
||||
options are omitted, the amount of output is determined by the setting of
|
||||
the VERBOSITY parameter in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
|
||||
role="bold">v</emphasis> adds one to the effective verbosity and each
|
||||
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
||||
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
|
||||
@ -687,7 +687,7 @@
|
||||
|
||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||
defined in the <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||
elements are host or network addresses.<caution>
|
||||
<para>The <command>add</command> command is not very robust. If
|
||||
@ -701,7 +701,7 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
||||
single ipset to handle entries for multiple interfaces. When that
|
||||
option is specified for a zone, the <command>add</command> command
|
||||
has the alternative syntax in which the
|
||||
@ -756,7 +756,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
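Review bot: The replacement line keeps "(5)" inside the link (shorewall6.conf(5)</ulink>), while the later hunks for the same -i option paragraph (for example the one at -1032,7) change it to shorewall6.conf</ulink>(5). Apply the same form here and in the identical paragraph at -822,7 so all copies of this text render alike. While editing this paragraph, the context line "if the line current line contains" has a duplicated word that appears in every copy and could be fixed in the same pass.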
@ -822,7 +822,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -836,13 +836,13 @@
|
||||
|
||||
<para>The <emphasis>interface</emphasis> argument names an interface
|
||||
defined in the <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||
file. A <emphasis>host-list</emphasis> is comma-separated list whose
|
||||
elements are a host or network address.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
||||
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)) allows a
|
||||
single ipset to handle entries for multiple interfaces. When that
|
||||
option is specified for a zone, the <command>delete</command>
|
||||
command has the alternative syntax in which the
|
||||
@ -865,7 +865,7 @@
|
||||
any optional network interface. <replaceable>interface</replaceable>
|
||||
may be either the logical or physical name of the interface. The
|
||||
command removes any routes added from <ulink
|
||||
url="shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
|
||||
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and any
|
||||
traffic shaping configuration for the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -912,7 +912,7 @@
|
||||
may be either the logical or physical name of the interface. The
|
||||
command sets <filename>/proc</filename> entries for the interface,
|
||||
adds any route specified in <ulink
|
||||
url="shorewall6-routes.html">shorewall6-routes</ulink>(5) and
|
||||
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5) and
|
||||
installs the interface's traffic shaping configuration, if
|
||||
any.</para>
|
||||
</listitem>
|
||||
@ -949,7 +949,7 @@
|
||||
<para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
|
||||
/var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
|
||||
given then the file specified by RESTOREFILE in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) is
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1032,7 +1032,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1043,7 +1043,7 @@
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be logged then discarded. Logging occurs at the log level
|
||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1052,7 +1052,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Monitors the log file specified by the LOGFILE option in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
|
||||
produces an audible alarm when new Shorewall6 messages are logged.
|
||||
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
||||
address of each packet source to be displayed if that information is
|
||||
@ -1072,7 +1072,7 @@
|
||||
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
||||
to be logged then rejected. Logging occurs at the log level
|
||||
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1124,7 +1124,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
||||
and causes Shorewall to look in the given
|
||||
@ -1184,7 +1184,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1229,7 +1229,7 @@
|
||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||
and performs the compilation step unconditionally, overriding the
|
||||
AUTOMAKE setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
||||
<option>-f</option> and <option>-c </option>are present, the result
|
||||
is determined by the option that appears last.</para>
|
||||
|
||||
@ -1241,7 +1241,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1256,7 +1256,7 @@
|
||||
role="bold">shorewall6 save</emphasis>; if no
|
||||
<emphasis>filename</emphasis> is given then Shorewall6 will be
|
||||
restored from the file specified by the RESTOREFILE option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1318,7 +1318,7 @@
|
||||
role="bold">shorewall6 -f start</emphasis> commands. If
|
||||
<emphasis>filename</emphasis> is not given then the state is saved
|
||||
in the file specified by the RESTOREFILE option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1445,7 +1445,7 @@
|
||||
<listitem>
|
||||
<para>Displays the last 20 Shorewall6 messages from the log
|
||||
file specified by the LOGFILE option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). The
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
|
||||
<emphasis role="bold">-m</emphasis> option causes the MAC
|
||||
address of each packet source to be displayed if that
|
||||
information is available.</para>
|
||||
@ -1537,7 +1537,7 @@
|
||||
for configuration files. If <emphasis role="bold">-f</emphasis> is
|
||||
specified, the saved configuration specified by the RESTOREFILE
|
||||
option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) will be
|
||||
restored if that saved configuration exists and has been modified
|
||||
more recently than the files in /etc/shorewall6. When <emphasis
|
||||
role="bold">-f</emphasis> is given, a
|
||||
@ -1545,7 +1545,7 @@
|
||||
|
||||
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
|
||||
was added to <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When
|
||||
LEGACY_FASTSTART=No, the modification times of files in
|
||||
/etc/shorewall6 are compared with that of
|
||||
/var/lib/shorewall6/firewall (the compiled script that last
|
||||
@ -1557,7 +1557,7 @@
|
||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||
and performs the compilation step unconditionally, overriding the
|
||||
AUTOMAKE setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). When both
|
||||
<option>-f</option> and <option>-c </option>are present, the result
|
||||
is determined by the option that appears last.</para>
|
||||
|
||||
@ -1569,7 +1569,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
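Review bot: The first context line of this paragraph reads "if the line current line contains", with a doubled "line". The sentence sits directly above the link being corrected, so it is worth fixing in the same commit ("if the current line contains"). Moving `(5)` outside the `ulink` here matches the other references in this file.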
@ -1579,12 +1579,12 @@
|
||||
<listitem>
|
||||
<para>Stops the firewall. All existing connections, except those
|
||||
listed in <ulink
|
||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
or permitted by the ADMINISABSENTMINDED option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5), are taken
|
||||
down. The only new traffic permitted through the firewall is from
|
||||
systems listed in <ulink
|
||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
or by ADMINISABSENTMINDED.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1652,13 +1652,13 @@
|
||||
|
||||
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||
and causes legacy blacklisting rules (<ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
|
||||
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
|
||||
to be converted to entries in the blrules file (<ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
|
||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
|
||||
blacklist keyword is removed from <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
|
||||
url="shorewall6-interfaces.html">shorewall-interfaces</ulink> (5)
|
||||
and <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
|
||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
|
||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
|
||||
and <ulink url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
|
||||
The unmodified files are saved with a .bak suffix.</para>
|
||||
|
||||
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
|
||||
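Review bot: The rewritten references keep the old spacing, `</ulink> (5) )` and `</ulink> (5),`, while the other references touched in this file use `</ulink>(5)` with no space. As every one of these lines is already being replaced, normalise them to `</ulink>(5)` and drop the blank before the closing parenthesis. The link-text correction from `shorewall-interfaces` to `shorewall6-interfaces` looks right.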
@ -1672,7 +1672,7 @@
|
||||
warning message to be issued if the line current line contains
|
||||
alternative input specifications following a semicolon (";"). Such
|
||||
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
|
||||
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
|
||||
<para>For a description of the other options, see the <emphasis
|
||||
role="bold">check</emphasis> command above.</para>
|
||||
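Review bot: The replacement line leaves the section number inside the link, `shorewall6.conf(5)</ulink>`, whereas the identical sentence in the -1569 hunk of this file was changed to `shorewall6.conf</ulink>(5)`. Use the same form in both places. The context line above also still reads "if the line current line contains".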
@ -1712,7 +1712,7 @@
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
|
||||
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
|
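Review bot: After this change the link text still shows the absolute `http://www.shorewall.net/starting_and_stopping_shorewall.htm` while the target is the root-relative `/starting_and_stopping_shorewall.htm`. On any copy of the docs served from another host, the displayed address and the actual destination will differ. Either keep the absolute URL as the target or replace the visible text with the article title so the two cannot disagree.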
@ -77,7 +77,11 @@
|
||||
|
||||
<member><ulink
|
||||
url="manpages/shorewall-blacklist.html">blacklist</ulink> - Static
|
||||
blacklisting.</member>
|
||||
blacklisting (deprecated)</member>
|
||||
|
||||
<member><ulink
|
||||
url="manpages/shorewall-blrules.html">blrules</ulink> - shorewall
|
||||
Blacklist file.</member>
|
||||
|
||||
<member><ulink
|
||||
url="manpages/shorewall-conntrack.html">conntrack</ulink> - Specify
|
||||
|
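Review bot: The changed description "blacklisting (deprecated)</member>" drops the full stop that the old line had, while the newly added entry ends "Blacklist file.</member>". Keep the punctuation consistent across the list. It would also help to say in the deprecated entry that blrules is the replacement, since the two entries now sit side by side without explanation.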
@ -70,6 +70,10 @@
|
||||
url="manpages6/shorewall6-blacklist.html">blacklist</ulink> - Static
|
||||
blacklisting (deprecated)</member>
|
||||
|
||||
<member><ulink
|
||||
url="manpages6/shorewall6-blrules.html">blrules</ulink> - shorewall6
|
||||
Blacklist file.</member>
|
||||
|
||||
<member><ulink
|
||||
url="manpages6/shorewall6-conntrack.html">conntrack</ulink> - Specify
|
||||
helpers for connections or exempt certain traffic from netfilter
|
||||
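Review bot: The added description "shorewall6 Blacklist file." writes the product name in lower case, while the manpage text changed elsewhere in this commit writes "Shorewall6". It also describes the file less usefully than its neighbours, which state what the file does. Consider something like "Shorewall6 blacklist rules." and confirm that the deprecated entry above and this one are meant to be listed together.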
@ -90,10 +94,10 @@
|
||||
<member><ulink url="manpages6/shorewall6-maclist.html">maclist</ulink>
|
||||
- Define MAC verification.</member>
|
||||
|
||||
<member><ulink url="manpages6/shorewall-mangle.html">mangle</ulink> -
|
||||
<member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
|
||||
Supercedes tcrules and describes packet/connection marking.</member>
|
||||
|
||||
<member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
|
||||
<member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
|
||||
Define Masquerade/SNAT</member>
|
||||
|
||||
<member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
|
||||
|
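Review bot: The line directly under the corrected mangle link still reads "Supercedes tcrules"; the spelling is "Supersedes", and the entry is already being touched. Both link corrections (`shorewall-mangle.html` and `manpages/shorewall-masq.html` to their `manpages6/shorewall6-` equivalents) look correct. It is worth checking the rest of this list for other entries that still point at the IPv4 pages.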