More fixes to 'rules' man page

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5009 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-11-26 18:45:23 +00:00 · 2006-11-26 18:45:23 +00:00 · f2eb6f71e4
commit f2eb6f71e4
parent 5bf8474f8f
1 changed files with 36 additions and 28 deletions
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@ -21,11 +21,11 @@
  <refsect1>
    <title>Description</title>

-    <para>Rules in this file govern connection establishment. Subsequent
-    requests and responses are automatically allowed using connection
-    tracking. For any particular (source,dest) pair of zones, the rules are
-    evaluated in the order in which they appear in this file and the first
-    terminating match is the one that determines the disposition of the
+    <para>Rules in this file govern connection establishment. By default,
+    subsequent requests and responses are automatically allowed using
+    connection tracking. For any particular (source,dest) pair of zones, the
+    rules are evaluated in the order in which they appear in this file and the
+    first terminating match is the one that determines the disposition of the
    request. All rules are terminating except LOG and QUEUE rules.</para>

    <para>In most places where an IP address or subnet is allowed, you can
@ -415,13 +415,14 @@

          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
-          specified, clients may be further restricted to a list of subnets
-          and/or hosts by appending ":" and a comma-separated list of subnets
-          and/or hosts. Hosts may be specified by IP or MAC address; mac
-          addresses must begin with "~" and must use "-" as a
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
          separator.</para>

-          <para>Hosts may be specified as an IP address range using the syntax
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
          This requires that your kernel and iptables contain iprange match
          support. If your kernel and iptables have ipset match support then
@ -515,9 +516,8 @@
        role="bold">all</emphasis>[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
-        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
-        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
+        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}]</term>

        <listitem>
          <para>Location of Server. May be a zone defined in
@ -538,8 +538,9 @@

          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>] is specified, the server may be further
-          restricted to a particular subnet, host or interface by appending
-          ":" and the subnet, host or interface. See above.</para>
+          restricted to a particular network, host or interface by appending
+          ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see
@ -547,7 +548,8 @@

          <para>Restrictions:</para>

-          <para>1. MAC addresses are not allowed.</para>
+          <para>1. MAC addresses are not allowed (this is a Netfilter
+          restriction).</para>

          <para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
          addresses are allowed; no FQDNs or subnet addresses are
@ -703,25 +705,25 @@
      <varlistentry>
        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) —
        [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>

        <listitem>
          <para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
          role="bold">-</emphasis>] or <emphasis
          role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
-          then if included and different from the IP address given in the
-          <emphasis role="bold">SERVER</emphasis> column, this is an address
-          on some interface on the firewall and connections to that address
-          will be forwarded to the IP and port specified in the <emphasis
-          role="bold">DEST</emphasis> column.</para>
+          then if this column is included and is different from the IP address
+          given in the <emphasis role="bold">SERVER</emphasis> column, then
+          connections destined for that address will be forwarded to the IP
+          and port specified in the <emphasis role="bold">DEST</emphasis>
+          column.</para>

          <para>A comma-separated list of addresses may also be used. This is
-          usually most useful with the <emphasis
-          role="bold">REDIRECT</emphasis> target where you want to redirect
-          traffic destined for particular set of hosts. Finally, if the list
-          of addresses begins with "!" then the rule will be followed only if
-          the original destination address in the connection request does not
-          match any of the addresses listed.</para>
+          most useful with the <emphasis role="bold">REDIRECT</emphasis>
+          target where you want to redirect traffic destined for particular
+          set of hosts. Finally, if the list of addresses begins with "!"
+          (<emphasis>exclusion</emphasis>) then the rule will be followed only
+          if the original destination address in the connection request does
+          not match any of the addresses listed.</para>

          <para>For other actions, this column may be included and may contain
          one or more addresses (host or network) separated by commas. Address
@ -733,6 +735,12 @@
          role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
          addresses should not begin with "!".</para>

+          <para>It is also possible to specify a set of addresses then exclude
+          part of those addresses. For example, <emphasis
+          role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
+          addresses 192.168.1.0-182.168.1.15 and
+          192.168.1.32-192.168.1.255.</para>
+
          <para>See http://shorewall.net/PortKnocking.html for an example of
          using an entry in this column with a user-defined action
          rule.</para>