diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index f83f5eb7a..71bbc8362 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2004-02-03
+ 2004-02-152001-2004
@@ -292,8 +292,10 @@
action.template
- files in /etc/shorewall that allow you to define your own
- actions for rules in /etc/shorewall/rules.
+ files in /etc/shorewall
+ and /usr/share/shorewall
+ respectively that allow you to define your own actions for rules in
+ /etc/shorewall/rules.
@@ -301,7 +303,7 @@
actions.std and action.*
- files in /etc/shorewall
+ files in /usr/share/shorewall
that define the actions included as a standard part of Shorewall.
diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index f1447d121..6536d10a8 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-02-04
+ 2004-02-152001-2004
diff --git a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml
index d78c5da12..9ab8eda45 100644
--- a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml
+++ b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml
@@ -15,7 +15,7 @@
- 2004-02-04
+ 2004-02-152001-2004
@@ -238,37 +238,24 @@ ACCEPT net loc:192.168.1.3 tcp 22
Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
- eth1:0 is 192.168.20.254. You want to simply route all requests
- between the two subnetworks.
+ eth1:0 is 192.168.20.254. You simply want your firewall to route
+ between these two subnetworks.
-
-
- If you are running Shorewall 1.4.1 or Later
+ This example applies to Shorewall 1.4.2 and later.
-
- In /etc/shorewall/interfaces:
+ In /etc/shorewall/zones:
- #ZONE INTERFACE BROADCAST OPTIONS
-- eth1 192.168.1.255,192.168.20.255
+ #ZONE DISPLAY DESCRIPTION
+loc Local Local Zone
+
- In /etc/shorewall/hosts:
+ In /etc/shorewall/interfaces:
-
- You do NOT need any entry in /etc/shorewall/policy as
- Shorewall 1.4.1 and later releases default to allowing
- intra-zone traffic.
-
-
-
+ #ZONE INTERFACE BROADCAST OPTIONS
+log eth1 192.168.1.255,192.168.20.255 routeback
-
- If you are running Shorewall 1.4.0 or earlier
-
-
- See the Shorewall 1.4 documentation.
-
-
-
+ In /etc/shorewall/rules, simply specify
+ ACCEPT rules for the traffic that you want to permit.
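Review bot: The zone name in the new interfaces entry does not match the zone the example defines a few lines earlier: `+log eth1 192.168.1.255,192.168.20.255 routeback` should read `loc eth1 192.168.1.255,192.168.20.255 routeback`, since the zones file shown here declares only `loc`; a reader who copies the entry as written gets an interface assigned to a zone the zones file never defines. Separately, the removed text said no policy entry is needed because 1.4.1 and later accept intra-zone traffic by default, while the new text says to add ACCEPT rules for the traffic to permit. State explicitly whether traffic routed back out eth1 between the two subnets is covered by the implicit intra-zone ACCEPT or needs explicit rules, because that decides whether the firewall is open between 192.168.1.0/24 and 192.168.20.0/24 after this configuration.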
@@ -278,20 +265,18 @@ ACCEPT net loc:192.168.1.3 tcp 22
separate zones and control the access between them (the users of the
systems do not have administrative privileges).
+ This example applies to Shorewall 1.4.2 and later.
+
In /etc/shorewall/zones:#ZONE DISPLAY DESCRIPTION
loc Local Local Zone 1
loc2 Local2 Local Zone 2
- In /etc/shorewall/interfaces:If you are running Shorewall 1.3.10
- or earlier then you must specify the multi
- option.
+ In /etc/shorewall/interfaces:#ZONE INTERFACE BROADCAST OPTIONS
-- eth1 192.168.1.255,192.168.20.255
+- eth1 192.168.1.255,192.168.20.255
In /etc/shorewall/hosts:
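Review bot: The interfaces line is removed and re-added apparently unchanged (`-- eth1 192.168.1.255,192.168.20.255` / `+- eth1 192.168.1.255,192.168.20.255`); if this is a whitespace-only correction, say so in the commit message, otherwise drop the pair. The deleted sentence about the `multi` option was also the only hint at what the `-` in the ZONE column means; with the example now stated as 1.4.2 and later, one sentence saying that eth1's zone membership is supplied by the /etc/shorewall/hosts entries that follow would keep the example self-explanatory.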
diff --git a/Shorewall-docs2/User_defined_Actions.xml b/Shorewall-docs2/User_defined_Actions.xml
index 60f9d212c..8ae1b7085 100755
--- a/Shorewall-docs2/User_defined_Actions.xml
+++ b/Shorewall-docs2/User_defined_Actions.xml
@@ -15,7 +15,7 @@
- 2004-02-08
+ 2004-02-142003-2004
@@ -65,9 +65,9 @@
Once you have defined your new action name (ActionName), then copy
- /etc/shorewall/action.template to /etc/shorewall/action.ActionName
+ /usr/share/shorewall/action.template to /etc/shorewall/action.ActionName
(for example, if your new action name is Foo then copy
- /etc/shorewall/action.template to
+ /usr/share/shorewall/action.template to
/etc/shorewall/action.Foo).
@@ -227,12 +227,23 @@
ACCEPT
Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
- defined actions. These defined actions are listed in /etc/shorewall/actions.std.
- To ensure that all of these actions are included in the configuration, the
- /etc/shorewall/actions file released with Shorewall
- contains INCLUDE /etc/shorewall/actions.std.
+ defined actions. These defined actions are listed in /usr/share/shorewall/actions.std.
- The /etc/shorewall/actions.std file includes the
- common actions Drop for DROP policies and Reject
- for REJECT policies.
+ The /usr/share/shorewall/actions.std file
+ includes the common actions Drop for DROP policies and
+ Reject for REJECT policies.
+
+ /usr/share/shorewall/actions.std is processed
+ before /etc/shorewall/actions and if you have any
+ actions defined with the same name as one in /usr/share/shorewall/actions.std,
+ your version in /etc/shorewall will
+ be the one used. So if you wish to modify a standard action, simply copy the
+ associated action file from /usr/share/shorewall
+ to /etc/shorewall and modify
+ it to suit your needs. The next shorewall restart will
+ cause your action to be installed in place of the standard one. In
+ particular, if you want to modify the common actions Drop or
+ Reject, simply copy action.Drop or
+ Action.Reject to /etc/shorewall
+ and modify that copy as desired.
\ No newline at end of file
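Review bot: Inconsistent filename case in the last sentence: `Action.Reject` should be `action.Reject`, matching `action.Drop` in the same sentence and the `action.ActionName` convention given earlier on this page; on a case-sensitive filesystem a reader who copies the name as written creates a file that is never read, and the standard Reject action stays in force. The override paragraph also says that an action "defined with the same name" in /etc/shorewall wins, but the procedure that follows only copies the action.* file; state plainly whether the name must also appear in /etc/shorewall/actions or is picked up from the file alone, since that is the step a user following this will get wrong. The file also loses its trailing newline (`\ No newline at end of file`).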
diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml
index 1bd18bf4f..c7517f41e 100644
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@@ -15,7 +15,7 @@
- 2004-02-03
+ 2004-02-152001-2004
@@ -78,8 +78,9 @@
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
hosts or networks./etc/shorewall/accounting
- define IP traffic accounting rules/etc/shorewall/actions
- and /etc/shorewall/action.template - define your own
- actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later)./etc/shorewall/actions.std
+ and /usr/share/shorewall/action.template - define
+ your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
+ later)./etc/shorewall/actions.std
- Actions defined by Shorewall. Included using the INCLUDE
command by /etc/shorewall/actions./etc/shorewall/actions.*
- Details of actions defined by Shorewall.
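Review bot: This entry is now stale relative to the rest of the patch: `/etc/shorewall/actions.std - Actions defined by Shorewall. Included using the INCLUDE command by /etc/shorewall/actions.` still gives the old path and the INCLUDE mechanism, while User_defined_Actions.xml and upgrade_issues.xml in this same patch move the file to /usr/share/shorewall/actions.std and describe it as processed automatically before /etc/shorewall/actions. Update both the path and the mechanism here, and change `/etc/shorewall/actions.*` to `/usr/share/shorewall/action.*` (singular, as on the Documentation page) so the three pages agree.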
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index 3498bb602..52a2ba4bd 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -47,7 +47,7 @@
The configuration shown here corresponds to Shorewall version
- 2.0.0-Beta1. It may use features not available in earlier Shorewall
+ 2.0.0-Beta2. It may use features not available in earlier Shorewall
releases.
@@ -347,18 +347,7 @@ gre net $TEXAS
#ACTION
-DropSMB #Silently Drops Microsoft SMB Traffic
-RejectSMB #Silently Reject Microsoft SMB Traffic
-DropUPnP #Silently Drop UPnP Probes
-RejectAuth #Silently Reject Auth
-DropPing #Silently Drop Ping
-DropDNSrep #Silently Drop DNS Replies
-AllowPing #Accept Ping
-
Mirrors #Accept traffic from the Shorewall Mirror sites
-
-MyDrop:DROP #My DROP common action
-MyReject:REJECT #My REJECT common action
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
This is my common action for the DROP policy. It is like the
- standard Reject action except that it
+ standard Drop action except that it
allows Ping.#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
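Review bot: The hunk deletes the DropSMB through AllowPing declarations and the MyDrop:DROP / MyReject:REJECT entries from the actions file, yet the action files that follow still reference those names (the `DropDNSrep` context in the next hunk is one such use). The listing therefore works only because those names are now supplied by /usr/share/shorewall/actions.std and because /etc/shorewall/action.Drop and action.Reject override the standard ones; one sentence saying so would stop readers from copying this shorter actions file onto a Beta1 install where the names are not predeclared. The Drop/Reject swap fix in the description (`standard Drop action` for the DROP common action) is correct.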
@@ -399,12 +388,13 @@ DropDNSrep
- action.MyReject
+ /etc/shorewall/action.Reject
This is my common action for the REJECT policy. It is like the
- standard Drop action except that it
- allows Ping.
+ standard Reject action except that it
+ allows Ping and contains one rule that guards against
+ log flooding by broken software running in my local zone.
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml
index 5932e2071..4f00200a2 100644
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@@ -65,7 +65,7 @@
- The 'dropunclean' and 'logunclean' interface
+ The 'dropunclean' and 'logunclean' interface
options are no longer supported. If either option is specified in
/etc/shorewall/interfaces, a threatening message
will be generated.
@@ -73,27 +73,30 @@
The NAT_BEFORE_RULES option has been removed from
- shorewall.conf. The behavior of Shorewall 2 is as
- if NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
- now always take precidence over one-to-one NAT specifications.
+ shorewall.conf. The behavior of Shorewall 2.0 is
+ as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
+ rules now always take precidence over one-to-one NAT specifications.The default value for the ALL INTERFACES column in
- /etc/shorewall/nat has changed. In Shorewall 1, if the column was left
- empty, a value of "Yes" was assumed. This has been changed so
- that a value of "No" is now assumed.
+ /etc/shorewall/nat has changed. In Shorewall 1.*,
+ if the column was left empty, a value of "Yes" was assumed.
+ This has been changed so that a value of "No" is now assumed.
- The following files don't exist in Shorewall 2:
+ The following files don't exist in Shorewall 2.0:
- /etc/shorewall2/common.def
+ /etc/shorewall/common.def
- /etc/shorewall2/common
+ /etc/shorewall/common
- /etc/shorewall2/icmpdef
+ /etc/shorewall/icmpdef
+
+ /etc/shorewall/action.template (moved
+ to /usr/share/shorewall/action.template)The /etc/shorewall/action file now allows
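Review bot: The spelling error survives the rewrite: `rules now always take precidence over one-to-one NAT specifications.` should read "precedence"; since the line is touched anyway, fix it here. The /etc/shorewall2 to /etc/shorewall path corrections and the added note that action.template moved to /usr/share/shorewall are consistent with the other files in the patch.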
@@ -101,9 +104,9 @@
particular policy type by following the action name with ":"
and the policy (DROP, REJECT or ACCEPT).
- The file /etc/shorewall/actions.std has been added to define
- those actions that are released as part of Shorewall 2. In that file
- are two actions as follows:
+ The file /usr/share/shorewall/actions.std has been added to
+ define those actions that are released as part of Shorewall 2.0 In
+ that file are two actions as follows:Drop:DROP
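Review bot: Missing full stop in the new text: `define those actions that are released as part of Shorewall 2.0 In` needs a period after "2.0" (the removed line had one after "Shorewall 2").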
@@ -119,15 +122,12 @@
that "Reject" REJECTs SMB traffic while "Drop"
silently drops such traffic.
- As described above, Shorewall2 allows a common action for ACCEPT
+ As described above, Shorewall allows a common action for ACCEPT
policies but does not specify such an action in the default
configuration.
- If you have an existing
- /etc/shorewall/actions file then you MUST add "INCLUDE
- /etc/shorewall/actions.std" to that file or you must create your
- own common actions for DROP and REJECT as I have done in my own setup.
+ For more information see the User-defined Action Page.
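Review bot: The replacement drops the upgrade instruction a Beta1 user actually needs. The removed text told people with an existing /etc/shorewall/actions file to add `INCLUDE /etc/shorewall/actions.std`; this same patch moves that file to /usr/share/shorewall and describes it as processed automatically, so anyone who followed the Beta1 advice now has an INCLUDE of a path that no longer exists. This is the upgrade-issues page, so say here what to do with that line (remove it, and whether a leftover INCLUDE is an error or silently ignored) rather than only pointing at the User-defined Action page.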
@@ -136,7 +136,7 @@
file. Similar functionality is now available using user-defined
actions.
- Now, action files created by copying /etc/shorewall/action.template
+ Now, action files created by copying /usr/share/shorewall/action.template
may now specify a USER and or GROUP name/id in the final column just
like in the rules file (see below). It is thus possible to create
actions that control traffic from a list of users and/or groups.
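Review bot: Redundant "now" in both the old and the new wording: `Now, action files created by copying /usr/share/shorewall/action.template` followed by `may now specify`; drop one of them while the line is being changed. The path change itself matches the rest of the patch.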