Some more 3.2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3893 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-05-07 15:13:32 +00:00
parent 0e62b7338f
commit d31e897793


@ -1426,17 +1426,16 @@ DNAT net loc:192.168.1.5 tcp www
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
... ...
DNAT sam $FW tcp ssh ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh DNAT net loc:192.168.1.3 tcp ssh
...</programlisting> ...</programlisting>
<para>The first rule allows Sam SSH access to the firewall. The second <para>The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those rule says that any clients from the net zone with the exception of those
in the <quote>sam</quote> zone should have their connection port in the <quote>sam</quote> zone should have their connection port
forwarded to 192.168.1.3. If you need to exclude more than one zone in forwarded to 192.168.1.3. If you need to exclude more than one zone,
this way, you can list the zones separated by commas (e.g., simply use multiple ACCEPT+ rules. This technique also may be used when
net!sam,joe,fred). This technique also may be used when the ACTION is the ACTION is REDIRECT.</para>
REDIRECT.</para>
</section> </section>
</section> </section>
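Review bot: The rewritten explanation still credits the exclusion to the second rule ("The second rule says that any clients from the net zone with the exception of those in the sam zone should have their connection port forwarded"), but in the new listing the second rule is a plain `DNAT net loc:192.168.1.3 tcp ssh` with no exclusion in it; the exemption for sam now comes from the "+" in `ACCEPT+ sam $FW tcp ssh`, which is not explained anywhere in this paragraph. Suggest saying explicitly that ACCEPT+ both accepts the connection and exempts matching packets from the DNAT/REDIRECT rules that follow, so a reader who sees the listing without the old `net!sam` syntax understands why the first rule must precede the second.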
@ -1697,11 +1696,16 @@ DNAT net loc:192.168.1.3 tcp ssh
url="Shorewall_and_Kazaa.html">Kazaa filtering</ulink>.</para> url="Shorewall_and_Kazaa.html">Kazaa filtering</ulink>.</para>
<note> <note>
<para>When the protocol specified in the PROTO column is TCP <para>With Shorewall versions prior to 3.2.0, when the
protocol specified in the PROTO column is TCP
(<quote>tcp</quote>, <quote>TCP</quote> or (<quote>tcp</quote>, <quote>TCP</quote> or
<quote>6</quote>), Shorewall will only pass connection <quote>6</quote>), Shorewall will only pass connection
requests (SYN packets) to user space. This is for requests (SYN packets) to user space. This is for
compatibility with ftwall.</para> compatibility with ftwall.</para>
<para>With Shorewall version 3.2.0 and later, this special
treatment no longer applies. Rather, use tcp:syn in the
PROTOCOL column to acheive this behavior.</para>
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>
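Review bot: The added paragraph has a typo ("acheive" should be "achieve") and names the column inconsistently: the sentence just above calls it "the PROTO column" while the new text says "use tcp:syn in the PROTOCOL column". Use one name for the column in both sentences. It would also help to say what "this behavior" is from the 3.2.0 reader's point of view (passing only SYN packets to user space), since with the new wording the phrase only makes sense after reading the pre-3.2.0 paragraph.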
@ -1779,11 +1783,7 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
<listitem> <listitem>
<para>Describes the source hosts to which the rule applies.. The <para>Describes the source hosts to which the rule applies.. The
contents of this field must begin with the name of a zone defined in contents of this field must begin with the name of a zone defined in
/etc/shorewall/zones, $FW, <quote>all</quote> or "none". If the /etc/shorewall/zones, $FW, <quote>all</quote> or "none".</para>
ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule
by following the initial zone name with <quote>!</quote> and a
comma-separated list of those sub-zones to be excluded. There is an
<link linkend="Exclude">example</link> above.</para>
<para>If the source is "none" then the rule is ignored. This is most <para>If the source is "none" then the rule is ignored. This is most
commonly used with <ulink commonly used with <ulink
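Review bot: The unchanged context line "Describes the source hosts to which the rule applies.." carries a doubled period; since this paragraph is being rewritten anyway, fix it in the same change. Removing the sentence about the `!` sub-zone exclusion is consistent with the hunk above that replaces `net!sam,joe,fred` with multiple ACCEPT+ rules, but it would be worth a short pointer from this SOURCE description to the ACCEPT+ example, since that sentence was the only place that told the reader how to exclude hosts from a DNAT or REDIRECT rule.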