Updates for Shorewall-2.0.0-Beta2 and aftermath

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1148 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Documentation.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-03</pubdate>
+    <pubdate>2004-02-15</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -292,8 +292,10 @@
         action.template</ulink></term>
 
         <listitem>
-          <para>files in /etc/shorewall that allow you to define your own
+          <para>files in <filename class="directory">/etc/shorewall</filename>
-          actions for rules in <link linkend="Rules">/etc/shorewall/rules</link>.</para>
+          and <filename class="directory">/usr/share/shorewall</filename>
+          respectively that allow you to define your own actions for rules in
+          <filename><link linkend="Rules">/etc/shorewall/rules</link></filename>.</para>
         </listitem>
       </varlistentry>
 
@@ -301,7 +303,7 @@
         <term>actions.std and action.*</term>
 
         <listitem>
-          <para>files in <filename class="directory">/etc/shorewall</filename>
+          <para>files in <filename class="directory">/usr/share/shorewall</filename>
           that define the actions included as a standard part of Shorewall.</para>
         </listitem>
       </varlistentry>

Shorewall-docs2/Documentation_Index.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-02-15</pubdate>
 
     <copyright>
       <year>2001-2004</year>

Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-02-15</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -238,37 +238,24 @@ ACCEPT     net        loc:192.168.1.3   tcp       22</programlisting></para>
       <example>
         <title>Local interface eth1 interfaces to 192.168.1.0/24 and
         192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
-        eth1:0 is 192.168.20.254. You want to simply route all requests
+        eth1:0 is 192.168.20.254. You simply want your firewall to route
-        between the two subnetworks.</title>
+        between these two subnetworks.</title>
 
-        <variablelist>
+        <para>This example applies to Shorewall 1.4.2 and later.</para>
-          <varlistentry>
-            <term>If you are running Shorewall 1.4.1 or Later</term>
 
-            <listitem>
+        <para>In <filename>/etc/shorewall/zones</filename>:</para>
-              <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-              <programlisting>#ZONE  INTERFACE   BROADCAST                     OPTIONS
+        <programlisting>#ZONE        DISPLAY              DESCRIPTION
--      eth1        192.168.1.255,192.168.20.255</programlisting>
+loc          Local                Local Zone
+</programlisting>
 
-              <para>In /etc<filename>/shorewall/hosts</filename>:</para>
+        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
 
-              <note>
+        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-                <para>You do NOT need any entry in /etc/shorewall/policy as
+log         eth1       192.168.1.255,192.168.20.255   <emphasis role="bold">routeback</emphasis>   </programlisting>
-                Shorewall 1.4.1 and later releases default to allowing
-                intra-zone traffic.</para>
-              </note>
-            </listitem>
-          </varlistentry>
 
-          <varlistentry>
+        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
-            <term>If you are running Shorewall 1.4.0 or earlier</term>
+        ACCEPT rules for the traffic that you want to permit.</para>
-
-            <listitem>
-              <para>See the Shorewall 1.4 documentation.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
       </example>
 
       <example>
@@ -278,20 +265,18 @@ ACCEPT     net        loc:192.168.1.3   tcp       22</programlisting></para>
         separate zones and control the access between them (the users of the
         systems do not have administrative privileges).</title>
 
+        <para>This example applies to Shorewall 1.4.2 and later.</para>
+
         <para>In <filename>/etc/shorewall/zones</filename>:</para>
 
         <programlisting>#ZONE        DISPLAY              DESCRIPTION
 loc          Local                Local Zone 1
 loc2         Local2               Local Zone 2</programlisting>
 
-        <para>In <filename>/etc/shorewall/interfaces</filename>:<note
+        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
-        id="multiple_subnets-ex2-n1"><para>If you are running Shorewall 1.3.10
-        or earlier then you must specify the <emphasis role="bold">multi</emphasis>
-        option.</para></note></para>
 
         <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
--           eth1       192.168.1.255,192.168.20.255   <xref
+-           eth1       192.168.1.255,192.168.20.255   </programlisting>
-linkend="multiple_subnets-ex2-n1" /></programlisting>
 
         <para>In <filename>/etc/shorewall/hosts</filename>:</para>
 

Shorewall-docs2/User_defined_Actions.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-08</pubdate>
+    <pubdate>2004-02-14</pubdate>
 
     <copyright>
       <year>2003-2004</year>
@@ -65,9 +65,9 @@
 
     <listitem>
       <para>Once you have defined your new action name (ActionName), then copy
-      /etc/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
+      /usr/share/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
       (for example, if your new action name is <quote>Foo</quote> then copy
-      <filename>/etc/shorewall/action.template</filename> to
+      <filename>/usr/share/shorewall/action.template</filename> to
       <filename>/etc/shorewall/action.Foo</filename>).</para>
     </listitem>
 
@@ -227,12 +227,23 @@
      ACCEPT</programlisting></para>
 
   <para>Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
-  defined actions. These defined actions are listed in <filename>/etc/shorewall/actions.std</filename>.
+  defined actions. These defined actions are listed in <filename>/usr/share/shorewall/actions.std</filename>.</para>
-  To ensure that all of these actions are included in the configuration, the
-  <filename>/etc/shorewall/actions</filename> file released with Shorewall
-  contains <quote><command>INCLUDE /etc/shorewall/actions.std</command></quote>.</para>
 
-  <para>The <filename>/etc/shorewall/actions.std</filename> file includes the
+  <para>The <filename>/usr/share/shorewall/actions.std</filename> file
-  common actions <quote>Drop</quote> for DROP policies and <quote>Reject</quote>
+  includes the common actions <quote>Drop</quote> for DROP policies and
-  for REJECT policies.</para>
+  <quote>Reject</quote> for REJECT policies.</para>
+
+  <para><filename>/usr/share/shorewall/actions.std</filename> is processed
+  before <filename>/etc/shorewall/actions</filename> and if you have any
+  actions defined with the same name as one in <filename>/usr/share/shorewall/actions.std</filename>,
+  your version in <filename class="directory">/etc/shorewall</filename> will
+  be the one used. So if you wish to modify a standard action, simply copy the
+  associated action file from <filename class="directory">/usr/share/shorewall
+  </filename>to <filename class="directory">/etc/shorewall and modify</filename>
+  it to suit your needs. The next <command>shorewall restart</command> will
+  cause your action to be installed in place of the standard one. In
+  particular, if you want to modify the common actions <quote>Drop</quote> or
+  <quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
+  <filename>Action.Reject</filename> to <filename class="directory">/etc/shorewall</filename>
+  and modify that copy as desired.</para>
 </article>

Shorewall-docs2/configuration_file_basics.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-03</pubdate>
+    <pubdate>2004-02-15</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -78,8 +78,9 @@
     - disable Explicit Congestion Notification (ECN - RFC 3168) to remote
     hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
     - define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
-    and <filename>/etc/shorewall/action.template</filename> - define your own
+    and <filename>/usr/share/shorewall/action.template</filename> - define
-    actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later).</para></listitem><listitem><para><filename>/etc/shorewall/actions.std</filename>
+    your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
+    later).</para></listitem><listitem><para><filename>/etc/shorewall/actions.std</filename>
     - Actions defined by Shorewall. Included using the <link linkend="INCLUDE">INCLUDE
     command</link> by <filename>/etc/shorewall/actions</filename>.</para></listitem><listitem><para><filename>/etc/shorewall/actions.*</filename>
     - Details of actions defined by Shorewall.</para></listitem></itemizedlist></para>

Shorewall-docs2/myfiles.xml

@@ -47,7 +47,7 @@
 
     <caution>
       <para>The configuration shown here corresponds to Shorewall version
-      2.0.0-Beta1. It may use features not available in earlier Shorewall
+      2.0.0-Beta2. It may use features not available in earlier Shorewall
       releases.</para>
     </caution>
 
@@ -347,18 +347,7 @@ gre                     net     $TEXAS
 
       <blockquote>
         <programlisting>#ACTION
-DropSMB             #Silently Drops Microsoft SMB Traffic
-RejectSMB           #Silently Reject Microsoft SMB Traffic
-DropUPnP            #Silently Drop UPnP Probes
-RejectAuth          #Silently Reject Auth
-DropPing            #Silently Drop Ping
-DropDNSrep          #Silently Drop DNS Replies
-AllowPing           #Accept Ping
-
 Mirrors             #Accept traffic from the Shorewall Mirror sites
-
-MyDrop:DROP         #My DROP common action
-MyReject:REJECT     #My REJECT common action
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
       </blockquote>
     </section>
@@ -379,11 +368,11 @@ ACCEPT   $MIRRORS
     </section>
 
     <section>
-      <title>action.MyDrop</title>
+      <title>/etc/shorewall/action.Drop</title>
 
       <blockquote>
         <para>This is my common action for the DROP policy. It is like the
-        standard <emphasis role="bold">Reject</emphasis> action except that it
+        standard <emphasis role="bold">Drop</emphasis> action except that it
         allows <quote>Ping</quote>.</para>
 
         <programlisting>#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
@@ -399,12 +388,13 @@ DropDNSrep</programlisting>
     </section>
 
     <section>
-      <title>action.MyReject</title>
+      <title>/etc/shorewall/action.Reject</title>
 
       <blockquote>
         <para>This is my common action for the REJECT policy. It is like the
-        standard <emphasis role="bold">Drop</emphasis> action except that it
+        standard <emphasis role="bold">Reject</emphasis> action except that it
-        allows <quote>Ping</quote>.</para>
+        allows <quote>Ping</quote> and contains one rule that guards against
+        log flooding by broken software running in my local zone.</para>
 
         <programlisting>#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
 #                                         PORT(S)   PORT(S)     LIMIT        GROUP

Shorewall-docs2/upgrade_issues.xml

@@ -65,7 +65,7 @@
 
     <itemizedlist>
       <listitem>
-        <para> The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
+        <para>The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
         options are no longer supported. If either option is specified in
         <filename>/etc/shorewall/interfaces</filename>, a threatening message
         will be generated.</para>
@@ -73,27 +73,30 @@
 
       <listitem>
         <para>The NAT_BEFORE_RULES option has been removed from
-        <filename>shorewall.conf</filename>. The behavior of Shorewall 2 is as
+        <filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is
-        if NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
+        as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
-        now always take precidence over one-to-one NAT specifications.</para>
+        rules now always take precidence over one-to-one NAT specifications.</para>
       </listitem>
 
       <listitem>
         <para>The default value for the ALL INTERFACES column in
-        /etc/shorewall/nat has changed. In Shorewall 1, if the column was left
+        <filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*,
-        empty, a value of &#34;Yes&#34; was assumed. This has been changed so
+        if the column was left empty, a value of &#34;Yes&#34; was assumed.
-        that a value of &#34;No&#34; is now assumed.</para>
+        This has been changed so that a value of &#34;No&#34; is now assumed.</para>
       </listitem>
 
       <listitem>
-        <para> The following files don&#39;t exist in Shorewall 2: </para>
+        <para>The following files don&#39;t exist in Shorewall 2.0:</para>
 
         <simplelist>
-          <member><filename>/etc/shorewall2/common.def</filename></member>
+          <member><filename>/etc/shorewall/common.def</filename></member>
 
-          <member><filename>/etc/shorewall2/common</filename></member>
+          <member><filename>/etc/shorewall/common</filename></member>
 
-          <member><filename>/etc/shorewall2/icmpdef</filename></member>
+          <member><filename>/etc/shorewall/icmpdef</filename></member>
+
+          <member><filename>/etc/shorewall/action.template</filename> (moved
+          to <filename>/usr/share/shorewall/action.template</filename>)</member>
         </simplelist>
 
         <para>The <filename>/etc/shorewall/action</filename> file now allows
@@ -101,9 +104,9 @@
         particular policy type by following the action name with &#34;:&#34;
         and the policy (DROP, REJECT or ACCEPT).</para>
 
-        <para>The file /etc/shorewall/actions.std has been added to define
+        <para>The file /usr/share/shorewall/actions.std has been added to
-        those actions that are released as part of Shorewall 2. In that file
+        define those actions that are released as part of Shorewall 2.0 In
-        are two actions as follows:</para>
+        that file are two actions as follows:</para>
 
         <simplelist>
           <member>Drop:DROP</member>
@@ -119,15 +122,12 @@
         that &#34;Reject&#34; REJECTs SMB traffic while &#34;Drop&#34;
         silently drops such traffic.</para>
 
-        <para>As described above, Shorewall2 allows a common action for ACCEPT
+        <para>As described above, Shorewall allows a common action for ACCEPT
         policies but does not specify such an action in the default
         configuration.</para>
 
-        <para><emphasis role="bold">If you have an existing
+        <para>For more information see the <ulink
-        /etc/shorewall/actions file then you MUST add &#34;INCLUDE
+        url="User_defined_Actions.html">User-defined Action Page</ulink>.</para>
-        /etc/shorewall/actions.std&#34; to that file or you must create your
-        own common actions for DROP and REJECT <ulink
-        url="myfiles.html#Actions">as I have done in my own setup.</ulink></emphasis></para>
       </listitem>
 
       <listitem>
@@ -136,7 +136,7 @@
         file. Similar functionality is now available using user-defined
         actions.</para>
 
-        <para>Now, action files created by copying <filename>/etc/shorewall/action.template</filename>
+        <para>Now, action files created by copying <filename>/usr/share/shorewall/action.template</filename>
         may now specify a USER and or GROUP name/id in the final column just
         like in the rules file (see below). It is thus possible to create
         actions that control traffic from a list of users and/or groups.</para>