More fixes to 'rules' man page

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5009 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

manpages/shorewall-rules.xml

@@ -21,11 +21,11 @@
   <refsect1>
     <title>Description</title>
 
-    <para>Rules in this file govern connection establishment. Subsequent
+    <para>Rules in this file govern connection establishment. By default,
-    requests and responses are automatically allowed using connection
+    subsequent requests and responses are automatically allowed using
-    tracking. For any particular (source,dest) pair of zones, the rules are
+    connection tracking. For any particular (source,dest) pair of zones, the
-    evaluated in the order in which they appear in this file and the first
+    rules are evaluated in the order in which they appear in this file and the
-    terminating match is the one that determines the disposition of the
+    first terminating match is the one that determines the disposition of the
     request. All rules are terminating except LOG and QUEUE rules.</para>
 
     <para>In most places where an IP address or subnet is allowed, you can
@@ -415,13 +415,14 @@
 
           <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
           role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
-          specified, clients may be further restricted to a list of subnets
+          specified, clients may be further restricted to a list of networks
-          and/or hosts by appending ":" and a comma-separated list of subnets
+          and/or hosts by appending ":" and a comma-separated list of network
-          and/or hosts. Hosts may be specified by IP or MAC address; mac
+          and/or host addresses. Hosts may be specified by IP or MAC address;
-          addresses must begin with "~" and must use "-" as a
+          mac addresses must begin with "~" and must use "-" as a
           separator.</para>
 
-          <para>Hosts may be specified as an IP address range using the syntax
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
           <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
           This requires that your kernel and iptables contain iprange match
           support. If your kernel and iptables have ipset match support then
@@ -515,9 +516,8 @@
         role="bold">all</emphasis>[<emphasis
         role="bold">+</emphasis>][<emphasis
         role="bold">-</emphasis>]}<emphasis
-        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}]</term>
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
 
         <listitem>
           <para>Location of Server. May be a zone defined in
@@ -538,8 +538,9 @@
 
           <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
           role="bold">+</emphasis>] is specified, the server may be further
-          restricted to a particular subnet, host or interface by appending
+          restricted to a particular network, host or interface by appending
-          ":" and the subnet, host or interface. See above.</para>
+          ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>
 
           <para>You may exclude certain hosts from the set already defined
           through use of an <emphasis>exclusion</emphasis> (see
@@ -547,7 +548,8 @@
 
           <para>Restrictions:</para>
 
-          <para>1. MAC addresses are not allowed.</para>
+          <para>1. MAC addresses are not allowed (this is a Netfilter
+          restriction).</para>
 
           <para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
           addresses are allowed; no FQDNs or subnet addresses are
@@ -703,25 +705,25 @@
       <varlistentry>
         <term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) —
         [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
           role="bold">-</emphasis>] or <emphasis
           role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
-          then if included and different from the IP address given in the
+          then if this column is included and is different from the IP address
-          <emphasis role="bold">SERVER</emphasis> column, this is an address
+          given in the <emphasis role="bold">SERVER</emphasis> column, then
-          on some interface on the firewall and connections to that address
+          connections destined for that address will be forwarded to the IP
-          will be forwarded to the IP and port specified in the <emphasis
+          and port specified in the <emphasis role="bold">DEST</emphasis>
-          role="bold">DEST</emphasis> column.</para>
+          column.</para>
 
           <para>A comma-separated list of addresses may also be used. This is
-          usually most useful with the <emphasis
+          most useful with the <emphasis role="bold">REDIRECT</emphasis>
-          role="bold">REDIRECT</emphasis> target where you want to redirect
+          target where you want to redirect traffic destined for particular
-          traffic destined for particular set of hosts. Finally, if the list
+          set of hosts. Finally, if the list of addresses begins with "!"
-          of addresses begins with "!" then the rule will be followed only if
+          (<emphasis>exclusion</emphasis>) then the rule will be followed only
-          the original destination address in the connection request does not
+          if the original destination address in the connection request does
-          match any of the addresses listed.</para>
+          not match any of the addresses listed.</para>
 
           <para>For other actions, this column may be included and may contain
           one or more addresses (host or network) separated by commas. Address
@@ -733,6 +735,12 @@
           role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
           addresses should not begin with "!".</para>
 
+          <para>It is also possible to specify a set of addresses then exclude
+          part of those addresses. For example, <emphasis
+          role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
+          addresses 192.168.1.0-182.168.1.15 and
+          192.168.1.32-192.168.1.255.</para>
+
           <para>See http://shorewall.net/PortKnocking.html for an example of
           using an entry in this column with a user-defined action
           rule.</para>