Documentation updates for 2.2.0 Beta 8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1822 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-12-11 16:02:59 +00:00
parent 1be6dd76b0
commit de16aad85b
2 changed files with 76 additions and 10 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-11-26</pubdate>
<pubdate>2004-12-11</pubdate>
<copyright>
<year>2001-2004</year>
@ -2582,6 +2582,35 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>DROPINVALID</term>
<listitem>
<para>(Added at version 2.2.0) — Recent 2.6 kernels include code
that evaluates TCP packets based on TCP Window analysis. This can
cause packets that were previously classified as NEW or ESTABLISHED
to be classified as INVALID.</para>
<para>The new kernel code can be disabled by including this command
in your <ulink
url="shorewall_extension_scripts.htm">/etc/shorewall/init</ulink>
file:</para>
<programlisting>echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting>
<para>Additional kernel logging about INVALID TCP packets may be
obtained by adding this command to /etc/shorewall/init:</para>
<programlisting>echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid</programlisting>
<para>Traditionally, Shorewall has dropped INVALID TCP packets
early. The DROPINVALID option allows INVALID packets to be passed
through the normal rules chains by setting DROPINVALID=No. If not
specified or if specified as empty (e.g., DROPINVALID="") then
DROPINVALID=Yes is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>LOGALLNEW</term>
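Review bot: the logging command `echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid` should be checked against the kernel's sysctl documentation before this ships: that sysctl takes a protocol number rather than a boolean (1 selects ICMP, 6 selects TCP, 255 selects every protocol), so as written it would not produce the "logging about INVALID TCP packets" the paragraph promises; 6 or 255 is the value that matches the text. Two smaller points on the same entry: the be_liberal paragraph says the kernel code "can be disabled" without saying what is given up, and since the window check is what lets conntrack flag out-of-window TCP segments as INVALID, a sentence recommending it as a diagnostic step rather than a permanent setting would help; and both echo commands should either be guarded with a test such as `[ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal ]` or carry a note that they apply only to the 2.6 kernels named in the first sentence, because an unconditional redirect in /etc/shorewall/init fails on kernels that lack those entries.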

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-11-27</pubdate>
<pubdate>2004-12-11</pubdate>
<copyright>
<year>2004</year>
@ -367,11 +367,29 @@
<term>add</term>
<listitem>
<para><command>shorewall add &lt;interface&gt;[:&lt;bridge
port&gt;][:&lt;host&gt;] &lt;zone&gt;</command></para>
<para><command>shorewall add &lt;interface&gt;[:&lt;host-list&gt;] …
&lt;zone&gt;</command></para>
<para>Adds a host or subnet to a dynamic zone usually used with
VPN's.</para>
<para>A &lt;host-list&gt; is a comma-separated list whose entries
are:</para>
<itemizedlist>
<listitem>
<para>A host or network address</para>
</listitem>
<listitem>
<para>The name of a bridge port</para>
</listitem>
<listitem>
<para>The name of a bridge port followed by a colon (":") and a
host or network address.</para>
</listitem>
</itemizedlist>
<para>Adds an interface (and list of hosts if included) to a dynamic
zone usually used with VPN's.</para>
<para>Note that there was no provision in the syntax for specifying
a <ulink url="bridge.html">bridge</ulink> port prior to Shorewall
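Review bot: if the older `shorewall add &lt;interface&gt;[:&lt;bridge port&gt;][:&lt;host&gt;] &lt;zone&gt;` usage line and its "Adds a host or subnet to a dynamic zone" paragraph are meant to remain next to the new `[:&lt;host-list&gt;]` form and the "Adds an interface (and list of hosts if included)" paragraph, the entry now describes the command twice; keep one usage line and one description, and fold the old form into the note about the pre-2.2 syntax that follows. A one-line illustration of a host-list, for example `eth0:192.168.1.0/24,br0:10.0.0.5` (my illustration, not taken from the page), would make the comma-separated format and the "bridge port followed by a colon and an address" entry concrete. Also "VPN's" should read "VPNs".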
@ -448,11 +466,30 @@
<term>delete</term>
<listitem>
<para><command>shorewall delete &lt;interface&gt;[:&lt;bridge
port&gt;][:&lt;host&gt;] &lt;zone&gt;</command></para>
<para><command>shorewall delete
&lt;interface&gt;[:&lt;host-list&gt;] …
&lt;zone&gt;</command></para>
<para>Deletes the specified interface (and host if included) from
the specified zone.</para>
<para>A &lt;host-list&gt; is a comma-separated list whose entries
are:</para>
<itemizedlist>
<listitem>
<para>A host or network address</para>
</listitem>
<listitem>
<para>The name of a bridge port</para>
</listitem>
<listitem>
<para>The name of a bridge port followed by a colon (":") and a
host or network address.</para>
</listitem>
</itemizedlist>
<para>Deletes the specified interface (and host list if included)
from the specified zone.</para>
<para>Note that there was no provision in the syntax for specifying
a <ulink url="bridge.html">bridge</ulink> port prior to Shorewall
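Review bot: the "A &lt;host-list&gt; is a comma-separated list whose entries are:" sentence and its three-item list are copied verbatim from the add entry; since the two copies must stay in sync, consider having the delete entry refer to the add entry's definition of &lt;host-list&gt; (or a shared entity) rather than carrying a second copy. As in add, the entry shows both the old `shorewall delete &lt;interface&gt;[:&lt;bridge port&gt;][:&lt;host&gt;] &lt;zone&gt;` line and the new host-list form, each followed by a near-identical "Deletes the specified interface ..." paragraph; if the old form is being retired, drop its usage line and paragraph here too. One behavioural detail the text leaves open and should state: whether a delete with a host-list must name exactly the entries that were added, or whether a subset can be removed.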