diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml
index 900f34532..d897173ae 100644
--- a/Shorewall-docs2/ports.xml
+++ b/Shorewall-docs2/ports.xml
@@ -51,14 +51,14 @@
Shorewall distribution contains a library of user-defined macros
that allow for easily allowing or blocking a particular application.
- Check your /usr/share/shorewall/actions.std file
- for a list of macros in your distribution. If you find what you need,
- you simply use the action in a rule. For example, to allow DNS queries
+ ls /usr/share/shorewall/macro.*
+ for the list of macros in your distribution. If you find what you need,
+ you simply use the macro in a rule. For example, to allow DNS queries
from the dmz zone to the net zone:
#ACTION SOURCE DESTINATION
-DNS/ACCEPT dmz net
+DNS/ACCEPT dmz net
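Review bot: the replacement line `+ ls /usr/share/shorewall/macro.*` drops a bare shell command into the middle of a sentence, so the paragraph now reads "...blocking a particular application. ls /usr/share/shorewall/macro.* for the list of macros in your distribution." The standalone.xml hunk in this same patch words the equivalent sentence as "using the command ls /usr/share/shorewall/macro.*"; use the same phrasing here (e.g. "Run ls /usr/share/shorewall/macro.* for the list of macros in your distribution") so the two documents agree and the command is identifiable as a command. The `-DNS/ACCEPT dmz net` / `+DNS/ACCEPT dmz net` pair at the end of the hunk shows no visible difference, so it is presumably a whitespace-only change; if so, mention that in the commit description.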
@@ -70,12 +70,12 @@ DNS/ACCEPT dmz net
Example: You want to port forward FTP from the net to your server
at 192.168.1.4 in your DMZ. The FTP section below gives you:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/ACCEPT <source> <destination>
You would code your rule as follows:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/DNAT net dmz:192.168.1.4
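Review bot: both changes in this hunk (the two `#ACTION SOURCE DESTINATION PROTO DEST PORT(S)` header lines) are indistinguishable from their `-` counterparts, i.e. whitespace-only edits, and the same pattern repeats in most of the following hunks of ports.xml. Cosmetic reflows of the column headers are better kept in a separate commit from the actions-to-macros content change, so that reviewers and `git blame` can tell which lines actually changed meaning.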
@@ -84,19 +84,20 @@ FTP/DNAT net dmz:192.168.1.4
Auth (identd)
- Now,It's 21 Century ,
- don't use identd in production anymore.
+ It is now the 21st
+ Century ; don't use identd in production
+ anymore.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-Auth/ACCEPT <source> <destination>
+Auth/ACCEPT <source> <destination>
DNS
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-DNS/ACCEPT <source> <destination>
+DNS/ACCEPT <source> <destination>
Note that if you are setting up a DNS server that supports recursive
resolution, the server is the <destination> for
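Review bot: the rewritten Auth paragraph has a stray space before the semicolon ("Century ;") and capitalizes "Century" mid-sentence; suggest "It is now the 21st century; don't use identd in production anymore." Also, the paragraph now tells the reader not to use identd at all and is immediately followed by the `Auth/ACCEPT <source> <destination>` example, which reads as contradictory. One sentence saying why the Auth macro is still listed (or replacing the example with the form the author actually recommends) would make the section consistent.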
@@ -106,7 +107,7 @@ DNS/ACCEPT <source> <destination&g
a public DNS server in your DMZ that supports recursive resolution for
local clients then you would need:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNS/ACCEPT all dmz
DNS/ACCEPT dmz net
@@ -157,7 +158,7 @@ DNAT net loc:192.168.1.4 tcp 4711
FTP
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/ACCEPT <source> <destination>
Look here for much more
@@ -186,13 +187,14 @@ FTP/ACCEPT <source> <destination>
Your loc->net policy is ACCEPT
- Gnutella/DNAT net loc:192.168.1.4
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+Gnutella/DNAT net loc:192.168.1.4
ICQ/AIM
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ICQ/ACCEPT <source> net
@@ -205,7 +207,7 @@ ICQ/ACCEPT <source> net
SSL
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
IMAP/ACCEPT <source> <destination> #Secure & Unsecure IMAP
@@ -235,14 +237,14 @@ ACCEPT <z1>:<list of client IPs>
NTP (Network Time Protocol)
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
NTP/ACCEPT <source> <destination>
PCAnywhere
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
PCA/ACCEPT <source> <destination>
@@ -256,7 +258,7 @@ PCA/ACCEPT <source> <destination>
TCP Port 110 (Secure Pop3 is TCP Port 995)
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
POP3/ACCEPT <source> <destination> # Secure & Unsecure Pop3
@@ -274,14 +276,14 @@ ACCEPT <source> <destination>
rdate
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Rdate/ACCEPT <source> <destination>
rsync
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Rsync/ACCEPT <source> <destination>
@@ -295,7 +297,7 @@ SSH/ACCEPT <source> <destination>
SMB/NMB (Samba/Windows Browsing/File Sharing)
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SMB/ACCEPT <source> <destination>
SMB/ACCEPT <destination> <source>
@@ -313,14 +315,14 @@ ACCEPT <source> <destination>
SNMP
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SNMP/ACCEPT <source> <destination>
Telnet
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Telnet/ACCEPT <source> <destination>
@@ -344,7 +346,7 @@ ACCEPT <source> <destination>
Traceroute
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Trcrt/ACCEPT <source> <destination> #Good for 10 hops
UDP traceroute uses ports 33434 through 33434+<max number of
@@ -363,7 +365,7 @@ ACCEPT fw ...
Usenet (NNTP)
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
NNTP/ACCEPT <source> <destination>
TCP Port 119
@@ -385,7 +387,7 @@ ACCEPT <source> <destination>Vncserver to Vncviewer in listen mode -- TCP port 5500.
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
VNCL/ACCEPT <source> <destination>
@@ -404,7 +406,7 @@ VNCL/ACCEPT <source> <destination&g
Web Access
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT <source> <destination> #Insecure HTTP& Secure HTTP
@@ -434,6 +436,16 @@ ACCEPT <apps> <chooser
Revision History
+
+ 1.17
+
+ 2005-09-20
+
+ TE
+
+ More 3.0 Updates
+
+
1.16
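Review bot: the new revision-history entry "More 3.0 Updates" does not say what changed; the substantive change in this file is the replacement of the actions.std references with the macro.* files, and the entry should say so (e.g. "Replace references to actions.std with the macro.* files; refer to macros instead of actions"). The same generic text is used for the standalone.xml entry in this patch, so a reader of either revision history cannot tell the two updates apart.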
diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml
index f8ba4ca0c..9b9b01823 100644
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@@ -308,21 +308,18 @@ all all REJECT info
Enabling other Connections
- Shorewall includes a collection of actions that can be used to
- quickly allow or deny services. You can find a list of the actions
- included in your version of Shorewall in the file
- /usr/share/shorewall/actions.std.
-
- Those actions that allow a connection begin with
- Allow
.
+ Shorewall includes a collection of macros that can be used to
+ quickly allow or deny services. You can find a list of the macros included
+ in your version of Shorewall using the command ls
+ /usr/share/shorewall/macro.*.
If you wish to enable connections from the internet to your firewall
- and you find an appropriate Allow
action in
- /etc/shorewall/actions.std, the general format of a
- rule in /etc/shorewall/rules is:
+ and you find an appropriate macro in
+ /etc/shorewall/macro.*, the general format of a rule
+ in /etc/shorewall/rules is:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-<action> net $FW
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+<macro>/ACCEPT net $FW
You want to run a Web Server and a IMAP Server on your firewall
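Review bot: two context lines in this hunk are leftovers of the deleted sentences and will remain in the output. The `.` line that follows the removed "Those actions that allow a connection begin with / Allow" lines was the end of that sentence and now sits on its own before the new "Shorewall includes a collection of macros..." paragraph, and the `action in` line between the removed "and you find an appropriate Allow" and the new "and you find an appropriate macro in" is likewise orphaned, producing "...to your firewall action in and you find an appropriate macro in ...". Both should be removed together with the sentences they belonged to. Separately, the new text tells the reader to list macros with `ls /usr/share/shorewall/macro.*` and three lines later to look for "an appropriate macro in /etc/shorewall/macro.*"; pick one path, or say explicitly that /usr/share/shorewall holds the distributed macros and /etc/shorewall the site-local ones, so the two sentences do not contradict each other. While touching this paragraph, "a IMAP Server" on the following context line should read "an IMAP Server".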
@@ -334,10 +331,9 @@ IMAP/ACCEPT net $FW
You may also choose to code your rules directly without using the
- pre-defined actions. This will be necessary in the event that there is not
- a pre-defined action that meets your requirements. In that case the
- general format of a rule in /etc/shorewall/rules
- is:
+ pre-defined macros. This will be necessary in the event that there is not
+ a pre-defined macro that meets your requirements. In that case the general
+ format of a rule in /etc/shorewall/rules is:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW <protocol> <port>
@@ -433,6 +429,16 @@ SSH/ACCEPT net $FW
Revision History
+
+ 2.0
+
+ 2005-09-12
+
+ TE
+
+ More 3.0 Updates
+
+
1.9
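Review bot: the revision entry jumps from 1.9 to 2.0 with the description "More 3.0 Updates", which neither explains the major-version bump nor what changed; the visible change in this file is replacing the pre-defined actions (actions.std) with macros and rewriting the rule template from `<action> net $FW` to `<macro>/ACCEPT net $FW`. State that in the entry, and note the `/ACCEPT` suffix explicitly, since it is the one change a reader updating an existing rules file needs to know about.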