From e97d6880c375136a4618f0d638cfe24418eb85de Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 13 Jul 2002 14:59:45 +0000
Subject: [PATCH] Update to reflect 1.3.4 Features

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@133 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 4 +++-
 Samples/one-interface/shorewall.conf | 31 ++++++++++++++++++++++++++++
 Samples/three-interfaces/interfaces | 4 +++-
 Samples/two-interfaces/interfaces | 4 +++-
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 2db92d9b9..caabfcc7a 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -48,7 +48,9 @@
 # requests. 'filterping' takes
 # precedence over 'noping' if both are
 # given.
-# routestopped - When the firewall is stopped, allow
+# routestopped - (Deprecated -- use
+# /etc/shorewall/routestopped)
+# When the firewall is stopped, allow
 # and route traffic to and from this
 # interface.
 # norfc1918 - This interface should not receive
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 8b6ea7fe1..c9d0affdd 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -228,4 +228,35 @@
 NAT_BEFORE_RULES=Yes
 MULTIPORT=No
 
+# DNAT IP Address Detection
+#
+# Normally when Shorewall encounters the following rule:
+#
+# DNAT net loc:192.168.1.3 tcp 80
+#
+# it will forward TCP port 80 connections from the net to 192.168.1.3
+# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
+# convenient for two reasons:
+#
+# a) If the the network interface has a dynamic IP address, the
+# firewall configuration will work even when the address
+# changes.
+#
+# b) It saves having to configure the IP address in the rule
+# while still allowing the firewall to be started before the
+# internet interface is brought up.
+#
+# This default behavior can also have a negative effect. If the
+# internet interface has more than one IP address then the above
+# rule will forward connection requests on all of these addresses;
+# that may not be what is desired.
+#
+# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
+# only if the original destination address is the primary IP address of
+# one of the interfaces associated with the source zone. Note that this
+# requires all interfaces to the source zone to be up when the firewall
+# is [re]started.
+
+DETECT_DNAT_IPADDRS=No
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index 6f390cd33..66e76340b 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -48,7 +48,9 @@
 # requests. 'filterping' takes
 # precedence over 'noping' if both are
 # given.
-# routestopped - When the firewall is stopped, allow
+# routestopped - (Deprecated -- use
+# /etc/shorewall/routestopped)
+# When the firewall is stopped, allow
 # and route traffic to and from this
 # interface.
 # norfc1918 - This interface should not receive
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index e1ffd9d88..3ed25b066 100755
--- a/Samples/two-interfaces/interfaces
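Review bot: The new DETECT_DNAT_IPADDRS comment in the shorewall.conf hunk never states what leaving the sample at `DETECT_DNAT_IPADDRS=No` means for the multi-address case it describes, namely that a `DNAT net loc:192.168.1.3 tcp 80` rule keeps redirecting port 80 on every address of the internet interface unless the destination address is written into the rule itself. A line directly above the setting would close that gap, e.g. `# Set to Yes if the internet interface has several IP addresses and only the primary one should be redirected; otherwise give the destination address in the rule itself.` The text for Yes also says only the primary address of each source-zone interface is matched, so a rule meant for a secondary address still needs an explicit destination, which deserves a sentence of its own. Presumably the address is read only when the firewall is [re]started, as the last paragraph implies, so a dynamic address that changes afterwards would leave the rule bound to a stale address; if that is the case it should be said next to reason a). Minor: "If the the network interface" in reason a) has a doubled "the".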
+++ b/Samples/two-interfaces/interfaces
@@ -48,7 +48,9 @@
 # requests. 'filterping' takes
 # precedence over 'noping' if both are
 # given.
-# routestopped - When the firewall is stopped, allow
+# routestopped - (Deprecated -- use
+# /etc/shorewall/routestopped)
+# When the firewall is stopped, allow
 # and route traffic to and from this
 # interface.
 # norfc1918 - This interface should not receive