diff --git a/Shorewall-docs/ProxyARP.xml b/Shorewall-docs/ProxyARP.xml index 0a5607cb9..656401a51 100644 --- a/Shorewall-docs/ProxyARP.xml +++ b/Shorewall-docs/ProxyARP.xml @@ -2,6 +2,8 @@
+ + Proxy ARP @@ -30,8 +32,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -99,7 +101,7 @@ I've used an RFC1918 IP address for eth1 - that IP address is - irrelevant. + irrelevant. The lower systems (130.252.100.18 and 130.252.100.19) should have @@ -128,7 +130,7 @@ A reading of TCP/IP Illustrated, Vol 1 by Stevens revealsCourtesy of Bradey Honsinger - that a "gratuitous" ARP packet should cause the ISP's + that a gratuitous ARP packet should cause the ISP's router to refresh their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC address for its own IP; in addition to ensuring that the IP address isn't a duplicate... @@ -143,14 +145,14 @@ Which is, of course, exactly what you want to do when you switch a host from being exposed to the Internet to behind Shorewall using proxy ARP (or one-to-one NAT for that matter). Happily enough, recent - versions of Redhat's iputils package include "arping", - whose "-U" flag does just that: + versions of Redhat's iputils package include arping, + whose -U flag does just that: arping -U -I <net if> <newly proxied IP> arping -U -I eth0 66.58.99.83 # for example Stevens goes on to mention that not all systems respond - correctly to gratuitous ARPs, but googling for "arping -U" + correctly to gratuitous ARPs, but googling for arping -U seems to support the idea that it works most of the time. To use arping with Proxy ARP in the above example, you would diff --git a/Shorewall-docs/Shorewall_Doesnt.xml b/Shorewall-docs/Shorewall_Doesnt.xml index e5ce41dae..0a4e7f15f 100755 --- a/Shorewall-docs/Shorewall_Doesnt.xml 
+++ b/Shorewall-docs/Shorewall_Doesnt.xml @@ -2,6 +2,8 @@
+ + Some Things that Shorewall Cannot Do @@ -24,8 +26,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -38,8 +40,8 @@ - Act as a "Personal Firewall" that allows internet access - by application. + Act as a Personal Firewall that allows internet + access by application. diff --git a/Shorewall-docs/Shorewall_Squid_Usage.xml b/Shorewall-docs/Shorewall_Squid_Usage.xml index 444632b71..907a91307 100644 --- a/Shorewall-docs/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs/Shorewall_Squid_Usage.xml @@ -2,6 +2,8 @@
+ + Using Shorewall with Squid @@ -26,8 +28,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -607,8 +609,8 @@ chkconfig --level 35 iptables on Assume that Squid is running in zone SZ and listening on port SP; all web sites that are to be accessed through Squid are in the - 'net' zone. Then for each zone Z that needs access to the Squid - server: + net zone. Then for each zone Z that needs access to the + Squid server: /etc/shorewall/rules @@ -670,7 +672,7 @@ chkconfig --level 35 iptables on Squid on the firewall listening on port 8080 with access from the - 'loc' zone: + loc zone:
/etc/shorewall/rulesACTIONSOURCE
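
Review bot: Shorewall-docs/Shorewall_Doesnt.xml is tracked as an executable: its index line reads "e5ce41dae..0a4e7f15f 100755", while ProxyARP.xml and Shorewall_Squid_Usage.xml in the same patch are 100644. An XML documentation source does not need the execute bit, and since this commit already touches the file it is a good place to clear it (git update-index --chmod=-x Shorewall-docs/Shorewall_Doesnt.xml) so the three files end up with the same mode.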
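
Review bot: In the "@@ -143,14 +145,14 @@" hunk of ProxyARP.xml the command name, the flag and the search phrase lose their literal double quotes, and as the added lines read here ("googling for arping -U seems to support the idea") nothing separates the search term from the sentence around it. Please confirm that what replaces the quotes marks arping as a command and -U as an option rather than as quoted prose, so that the hyphen is rendered verbatim and the flag still works when a reader copies it next to the "arping -U -I eth0 66.58.99.83" example. The same check applies to gratuitous in the "@@ -128,7 +130,7 @@" hunk, where a prose-style quotation is the right rendering and should not be treated like the command and flag.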
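
Review bot: In Shorewall_Squid_Usage.xml the "@@ -607,8 +609,8 @@" and "@@ -670,7 +672,7 @@" hunks drop the single quotes around the zone names, so the added text reads "are in the net zone" and "access from the loc zone:". These are identifiers the reader has to type into /etc/shorewall/rules, and "net" in particular now reads as an ordinary word, so they should be rendered as literals, distinct from the surrounding prose. The first hunk also moves "Squid" from one line to the next ("- server:" becomes "+ Squid server:") in the same change; keeping the reflow out of this commit would make it easier to verify that the edit is limited to the quoting.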