diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml
index c6d48cd18..301e75aa6 100644
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -163,8 +163,7 @@ httpd_accel_uses_host_header on
In /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT(S) DEST
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177
@@ -177,8 +176,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.
- /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT(S) DEST
+ /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24
People frequently ask How can I exclude certain
@@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
from the proxy. Your rules would then be:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT(S) DEST
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24
@@ -215,8 +212,7 @@ gateway:/etc/shorewall#
role="bold">(squid) is running under the proxy user Id. We add these rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
-# PORT(S) DEST LIMIT GROUP
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - !proxy
@@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
In /etc/shorewall/mangle add:
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80
If you are still using a tcrules file, you should consider
switching to using a mangle file (shorewall update
- -t (shorewall update on
- Shorewall 5.0 and later) will do that for you). Corresponding
+ -t (shorewall update on Shorewall 5.0
+ and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:
- #MARK SOURCE DEST PROTO DEST
-# PORT(S)
+ #MARK SOURCE DEST PROTO DPORT
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80
@@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80
In /etc/shorewall/interfaces
:
- #ZONE INTERFACE BROADCAST OPTIONS
-loc eth1 detect routeback,routefilter=0,logmartians=0
+ #ZONE INTERFACE OPTIONS
+loc eth1 routeback,routefilter=0,logmartians=0
@@ -294,8 +288,7 @@ loc eth1 detect routeback,routefilter=0,
In /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT(S) DEST
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177
@@ -316,8 +309,7 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
In /etc/shorewall/mangle add:
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
MARK(202):P eth1 0.0.0.0/0 tcp 80
Corresponding /etc/shorewall/tcrules entries are:
@@ -331,8 +323,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80
In /etc/shorewall/interfaces
:
- #ZONE INTERFACE BROADCAST OPTIONS
-loc eth2 detect routefilter=0,logmartians=0
+ #ZONE INTERFACE OPTIONS
+loc eth2 routefilter=0,logmartians=0
@@ -363,7 +355,7 @@ loc eth2 detect routefilter=0,logmartian
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443
@@ -371,7 +363,7 @@ ACCEPT SZ net tcp 80,443
Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:
- /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S)
+ /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 8080
ACCEPT $FW net tcp 80,443
@@ -406,8 +398,8 @@ ACCEPT $FW net tcp 80,443
/etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTIONS
-- lo - -
+ #ZONE INTERFACE OPTIONS
+- lo -
/etc/shorewall/providers:
@@ -422,17 +414,13 @@ Tproxy 1 - - lo - tproxy/etc/shorewall/mangle (assume loc interface is
eth1 and net interface is eth0):
- #ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT(S) PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80
- Corresponding /etc/shorewall/tcrules
- are:
+ Corresponding /etc/shorewall/mangle are:
- FORMAT 2
-#MARK SOURCE DEST PROTO DEST SOURCE
-# PORT(S) PORT(S)
+ #MARK SOURCE DEST PROTO DPORT SPORT
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80
@@ -445,16 +433,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80
on port 80, then you need to exclude it from TPROXY. Suppose that your
web server listens on 192.0.2.144; then:
- FORMAT 2
-#MARK SOURCE DEST PROTO DEST SOURCE
-# PORT(S) PORT(S)
+ #MARK SOURCE DEST PROTO DPORT SPORT
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW tcp 80
ACCEPT $FW net tcp 80