Update SUBSYSLOCK documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9452 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-02-18 16:48:34 +00:00
parent 70a16e2212
commit ece5bd4c72
8 changed files with 194 additions and 57 deletions

View File

@ -266,8 +266,8 @@ net ipv4</programlisting>
action</ulink> defined for the policy in
<filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
performed before the policy is applied. The purpose of the common action is
two-fold:</para>
performed before the policy is applied. The purpose of the common action
is two-fold:</para>
<itemizedlist>
<listitem>
@ -582,6 +582,11 @@ SSH/ACCEPT net $FW </programlisting>
<varname>STARTUP_ENABLED=Yes.</varname></para>
</important>
<para>While you are editing <filename>shorewall.conf</filename>, it is a
good idea to check the value of the SUBSYSLOCK option. You can find a
description of this option by typing 'man shorewall.conf' at a shell
prompt and searching for SUBSYSLOCK.</para>
<para>The firewall is started using the <quote><command>shorewall
start</command></quote> command and stopped using
<quote><command>shorewall stop</command></quote>. When the firewall is
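Review bot: the new paragraph tells the reader to "check the value of the SUBSYSLOCK option" but not what to check it against. The shorewall.conf(5) hunk in this same commit lists the per-distribution paths (/var/lock/subsys/shorewall for RedHat and OpenSuSE, /var/lock/shorewall for Debian), so either state the expected value here or link to the manpage the way this guide links other manpages, instead of sending the reader to a bare quoted 'man shorewall.conf'. Wrapping that command in <command> would also match the <command>shorewall start</command> markup two lines later.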

View File

@ -286,11 +286,11 @@ dmz ipv4</programlisting>Zone names are defined in
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
url="shorewall_extension_scripts.htm">common action</ulink> defined for
the policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
performed before the action is applied. The purpose of the common action is
two-fold:</para>
performed before the action is applied. The purpose of the common action
is two-fold:</para>
<itemizedlist>
<listitem>
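Review bot: the reflowed sentence still reads "performed before the action is applied", which is circular; the common action is performed before the policy is applied, which is exactly how the corresponding paragraph in the first hunk puts it. Since this paragraph is being touched anyway, change "action" to "policy" here.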
@ -615,13 +615,10 @@ root@lists:~# </programlisting>
<imagedata fileref="images/dmz2.png" />
</imageobject>
<caption>
<para>The default gateway for the DMZ computers would be <systemitem
class="ipaddress">10.10.11.254</systemitem> and the default gateway
for the Local computers would be <systemitem
class="ipaddress">10.10.10.254</systemitem>.</para>
<warning>
<caption><para>The default gateway for the DMZ computers would be
<systemitem class="ipaddress">10.10.11.254</systemitem> and the
default gateway for the Local computers would be <systemitem
class="ipaddress">10.10.10.254</systemitem>.</para> <warning>
<para>Your ISP might assign your external interface an RFC 1918
address. If that address is in the <systemitem
class="ipaddress">10.10.10.0/24</systemitem> subnet then you will
@ -629,8 +626,7 @@ root@lists:~# </programlisting>
and if it is in the <systemitem
class="ipaddress">10.10.11.0/24</systemitem> subnet then you will
need to select a different RFC 1918 subnet for your DMZ.</para>
</warning>
</caption>
</warning></caption>
</mediaobject>
</figure>
</section>
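Review bot: this hunk changes no content and no markup structure (the <warning> was already inside <caption>); it only rewraps the lines so that "</para> <warning>" and "</warning></caption>" share a line. That is editor reflow noise in a commit titled "Update SUBSYSLOCK documentation" and breaks the one-element-per-line layout used elsewhere in the file; either drop it or keep the original line breaks.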
@ -648,10 +644,9 @@ root@lists:~# </programlisting>
look as if the firewall itself is initiating the connection. This is
necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the Internet).
When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer
1.</para>
address is reserved by RFC 1918 can't be routed across the Internet). When
the firewall receives a return packet, it rewrites the destination address
back to 10.10.10.1 and forwards the packet on to local computer 1.</para>
<para>On Linux systems, the above process is often referred to as IP
Masquerading and you will also see the term Source Network Address
@ -1086,10 +1081,17 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>Users of the <filename>.deb</filename> package must edit
<filename>/etc/default/shorewall</filename> and set
<varname>startup=1</varname>.</para>
</important>The firewall is started using the <command>shorewall
start</command> command and stopped using <command>shorewall
stop</command>. When the firewall is stopped, routing is enabled on those
hosts that have an entry in <ulink
</important></para>
<para>While you are editing <filename>shorewall.conf</filename>, it is a
good idea to check the value of the SUBSYSLOCK option. You can find a
description of this option by typing 'man shorewall.conf' at a shell
prompt and searching for SUBSYSLOCK </para>
<para>The firewall is started using the <command>shorewall start</command>
command and stopped using <command>shorewall stop</command>. When the
firewall is stopped, routing is enabled on those hosts that have an entry
in <ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
A running firewall may be restarted using the <command>shorewall
restart</command> command. If you want to totally remove any trace of
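Review bot: the new SUBSYSLOCK paragraph ends "searching for SUBSYSLOCK </para>" with a stray space and no full stop, unlike the same sentence in the other two guides. The first change in this hunk correctly turns "</important>The firewall..." into "</important></para>" plus a fresh <para>; while here, mark up 'man shorewall.conf' with <command> rather than a quoted string, to match <command>shorewall start</command> in the next paragraph.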

View File

@ -269,11 +269,11 @@ loc ipv4</programlisting>Zones are defined in the <ulink
first policy in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
url="shorewall_extension_scripts.htm">common action</ulink> defined for
the policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
performed before the action is applied. The purpose of the common action is
two-fold:</para>
performed before the action is applied. The purpose of the common action
is two-fold:</para>
<itemizedlist>
<listitem>
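Review bot: same wording problem as in the previous file: "performed before the action is applied" should read "performed before the policy is applied", as the first hunk of this commit has it.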
@ -1002,7 +1002,12 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para>
</important> The firewall is started using the <quote><command>shorewall
</important> While you are editing <filename>shorewall.conf</filename>,
it is a good idea to check the value of the SUBSYSLOCK option. You can
find a description of this option by typing 'man shorewall.conf' at a
shell prompt and searching for SUBSYSLOCK.</para>
<para>The firewall is started using the <quote><command>shorewall
start</command></quote> command and stopped using
<quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in <filename
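Review bot: here the SUBSYSLOCK sentence is appended as loose text after </important> inside the enclosing <para>, whereas the previous file's hunk closes the paragraph with "</important></para>" and starts a new <para>. The latter is cleaner (the admonition no longer shares a paragraph with body text); use the same structure in all three guides so they stay in step.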

View File

@ -3,62 +3,124 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-</refentrytitle>
<refentrytitle>shorewall6-notrack</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>file</refname>
<refname>notrack</refname>
<refpurpose>Shorewall file</refpurpose>
<refpurpose>shorewall6 notrack file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/</command>
<command>/etc/shorewall6/notrack</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The notrack file is used to exempt certain traffic from Netfilter
connection tracking. Traffic matching entries in this fill will not be
tracked.</para>
<para>The file was added in shorewall6-perl 4.2.7 and is not supported by
shorewall6-shell or by earlier versions of shorewall6-perl.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term>COLUMN 1</term>
<term>SOURCE
<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
<listitem>
<para></para>
<para>where <replaceable>zone</replaceable> is the name of a zone,
<replaceable>interface</replaceable> is an interface to that zone,
and <replaceable>address-list</replaceable> is a comma-separated
list of addresses (may contain exclusion - see <ulink
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST [<replaceable>address-list</replaceable>]</term>
<listitem>
<para>where <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PROTO
<replaceable>protocol-name-or-number</replaceable></term>
<listitem>
<para>A protocol name from <filename>/etc/protocols</filename> or a
protocol number.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST PORT(S) - port-number/service-name-list</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE PORT(S) - port-number/service-name-list</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USER/GROUP
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
<listitem>
<para>May only be specified if the SOURCE
<replaceable>zone</replaceable> is $FW. Specifies the effective user
id and or group id of the process sending the traffic.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<para></para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/</para>
<para>/etc/shorewall6/notrack</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
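Review bot: the new shorewall6-notrack(5) page has template leftovers and is missing the one caveat a user of this file needs. Typos: "entries in this fill" should be "file", and "user id and or group id" should be "and/or". The empty <para></para> in the SOURCE listitem is residue from the template, and the Example section is still an empty <para></para>; a new column-format page should ship at least one row under its header line, as shorewall-routestopped(5) does below. The page is the IPv6 manpage yet says "your kernel and iptables" twice; for shorewall6 the tool is ip6tables. The two exclusion links read "shorewall6-exclusion" but point at shorewall-exclusion.html, and the See Also list ends with shorewall-zones(5) among shorewall6-* entries, so both look like an incomplete search-and-replace. Finally, the Description says only that matching traffic "will not be tracked"; it should spell out the consequence: packets that bypass conntrack never acquire the ESTABLISHED or RELATED state that Shorewall's generated rules rely on, so reply traffic for an exempted flow must be permitted explicitly in both directions, and the file should be reserved for high-volume flows whose state the ruleset does not need.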

View File

@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-routestopped</refentrytitle>
@ -127,9 +129,55 @@
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>notrack</term>
<listitem>
<para>The traffic will be exempted from conntection
tracking.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>PROTO (Optional)
<replaceable>protocol-name-or-number</replaceable></term>
<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST PORT(S) (Optional)
<replaceable>service-name/port-number-list</replaceable></term>
<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
<filename>/etc/services</filename>. May also include port ranges of
the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE PORT(S) (Optional)
<replaceable>service-name/port-number-list</replaceable></term>
<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
<filename>/etc/services</filename>. May also include port ranges of
the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
</varlistentry>
</variablelist>
<note>
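Review bot: "conntection" in the new notrack option should be "connection". The PROTO entry says only when the column became available and nothing about what goes in it; borrow the wording from the notrack page in this commit ("A protocol name from /etc/protocols or a protocol number"). More importantly, nothing says whether PROTO and the two port columns narrow the whole entry or only the notrack exemption. Since routestopped rows define what is accepted while the firewall is stopped, a reader needs to know whether "eth4 - notrack 41" also restricts the accepted traffic to protocol 41 or only the conntrack bypass.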
@ -148,11 +196,13 @@
<term>Example 1:</term>
<listitem>
<programlisting> #INTERFACE HOST(S) OPTIONS
<programlisting> #INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE
# PORT(S) PORT(S)
eth2 192.168.1.0/24
eth0 192.0.2.44
br0 - routeback
eth3 - source</programlisting>
eth3 - source
eth4 - notrack 41</programlisting>
</listitem>
</varlistentry>
</variablelist>
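Review bot: the new row "eth4 - notrack 41" is the only use of the new columns and gets no explanation. Add a sentence saying that protocol 41 is IPv6-in-IPv4 encapsulation (a 6in4/sit tunnel endpoint) and why one would exempt it, namely that the outer flow carries no ports, so conntrack adds nothing for it. The added header line also lists PROTO, DEST PORT(S) and SOURCE PORT(S), but the header columns and the row do not line up, which is confusing in a whitespace-separated file.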
@ -179,4 +229,4 @@
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
</refentry>

View File

@ -1480,9 +1480,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when it
stops. Creating and removing this file allows Shorewall to work with
your distribution's initscripts. For RedHat, this should be set to
/var/lock/subsys/shorewall. For Debian, the value is
/var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
your distribution's initscripts. For RedHat and OpenSuSE, this
should be set to /var/lock/subsys/shorewall. For Debian, the value
is /var/lock/shorewall and in LEAF it is /var/run/shorwall.</para>
</listitem>
</varlistentry>
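Review bot: the LEAF path "/var/run/shorwall" is misspelled (missing "e") in both the old and the new text; since the Debian path is being corrected in this very sentence, fix the LEAF one too. It would also help to state what goes wrong when the value does not match the distribution: RedHat-style SysV init only runs a service's stop script when a file exists under /var/lock/subsys, so with a wrong SUBSYSLOCK the firewall is silently skipped on shutdown and runlevel changes, and "status" misreports.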

View File

@ -1306,6 +1306,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">raw</emphasis></term>
<listitem>
<para>Displays the Netfilter raw table using the command
<emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tc</emphasis></term>
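Review bot: missing space in "iptables -t raw -L -n -v</emphasis>.The". The raw table is where the NOTRACK rules generated from the new notrack file (and from the routestopped notrack option) end up, so add a cross-reference to the notrack manpage here; otherwise a reader has no way to know when "shorewall show raw" is the command to reach for.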

View File

@ -1030,7 +1030,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
stops. Creating and removing this file allows Shorewall6 to work
with your distribution's initscripts. For RedHat, this should be set
to /var/lock/subsys/shorewall6. For Debian, the value is
/var/state/shorewall6 and in LEAF it is /var/run/shorwall.</para>
/var/lock/shorewall6 and in LEAF it is /var/run/shorwall.</para>
</listitem>
</varlistentry>
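Review bot: the shorewall.conf(5) hunk in this commit adds "and OpenSuSE" to the RedHat sentence, but this shorewall6.conf(5) counterpart does not; keep the two descriptions in step. The "/var/run/shorwall" typo is present here as well, and for the IPv6 product the LEAF value should presumably name shorewall6, as the RedHat and Debian values on the same lines do; please check.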