Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2019-03-01 16:47:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Fri Mar 1 16:47:59 2019 rev:106 rq:680054 version:5.2.3.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2019-02-25 17:56:41.286322354 +0100
+++ /work/SRC/openSUSE:Factory/.shorewall.new.28833/shorewall.changes 2019-03-01 16:48:05.925783784 +0100
@@ -1,0 +2,11 @@
+Wed Feb 27 15:52:39 UTC 2019 - Bruno Friedmann
+
+- Update to bugfix minor 5.2.3.1 release
+ + An issue in the implementation of policy file zone exclusion,
+ released in 5.2.3 has been resolved. In the original release,
+ if more than one zone was excluded then the following error was
+ raised:
+ ERROR: 'all' is not allowed in a source zone list
+ etc/shorewall/policy (line ...)
+
+-------------------------------------------------------------------
Old:
----
shorewall-5.2.3.tar.bz2
shorewall-core-5.2.3.tar.bz2
shorewall-docs-html-5.2.3.tar.bz2
shorewall-init-5.2.3.tar.bz2
shorewall-lite-5.2.3.tar.bz2
shorewall6-5.2.3.tar.bz2
shorewall6-lite-5.2.3.tar.bz2
New:
----
shorewall-5.2.3.1.tar.bz2
shorewall-core-5.2.3.1.tar.bz2
shorewall-docs-html-5.2.3.1.tar.bz2
shorewall-init-5.2.3.1.tar.bz2
shorewall-lite-5.2.3.1.tar.bz2
shorewall6-5.2.3.1.tar.bz2
shorewall6-lite-5.2.3.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.YAhEGA/_old 2019-03-01 16:48:06.933783404 +0100
+++ /var/tmp/diff_new_pack.YAhEGA/_new 2019-03-01 16:48:06.937783403 +0100
@@ -24,7 +24,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: shorewall
-Version: 5.2.3
+Version: 5.2.3.1
Release: 0
Summary: An iptables-based firewall for Linux systems
License: GPL-2.0-only
++++++ shorewall-5.2.3.tar.bz2 -> shorewall-5.2.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/Perl/Shorewall/Config.pm new/shorewall-5.2.3.1/Perl/Shorewall/Config.pm
--- old/shorewall-5.2.3/Perl/Shorewall/Config.pm 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/Perl/Shorewall/Config.pm 2019-02-26 18:58:36.000000000 +0100
@@ -851,7 +851,7 @@
TC_SCRIPT => '',
EXPORT => 0,
KLUDGEFREE => '',
- VERSION => "5.2.3",
+ VERSION => "5.2.3.1",
CAPVERSION => 50200 ,
BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/Perl/Shorewall/Rules.pm new/shorewall-5.2.3.1/Perl/Shorewall/Rules.pm
--- old/shorewall-5.2.3/Perl/Shorewall/Rules.pm 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/Perl/Shorewall/Rules.pm 2019-02-26 18:58:36.000000000 +0100
@@ -836,11 +836,15 @@
my ( $intrazone, $clientlist, $serverlist );
- if ( $clientlist = ( $clients =~ /,/ ) ) {
+ if ( $clients =~ /^all(\+)?!/ ) {
+ $intrazone = $1;
+ } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
$intrazone = ( $clients =~ s/\+$// );
}
- if ( $serverlist = ( $servers =~ /,/ ) ) {
+ if ( $servers =~ /^all(\+)?!/ ) {
+ $intrazone = $1;
+ } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
$intrazone ||= ( $servers =~ s/\+$// );
}
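Review bot: The new server-side branch assigns `$intrazone = $1;` unconditionally, so a `+` already recorded from the client side (via `all+!zone` or the comma-list branch) is overwritten with undef whenever the server spec is `all!zone` without a `+`; the comma branch two lines below uses `$intrazone ||= ...` for exactly that reason. Unless the overwrite is intended, `$intrazone ||= $1;` in the server branch keeps the two sides symmetric with the existing `||=`. Note that `$1` is undef when the optional `(\+)?` group does not participate, so `$intrazone` ends up undef rather than `''` in that case. In a firewall policy parser a silently dropped `+` means the intrazone policy is not applied at all instead of an error being raised, so a compile-time test with a client of `all+!z1` and a server of `all!z2` on one policy line would pin this down. The enclosing sub starts before this hunk and continues past it.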
@@ -857,7 +861,7 @@
}
}
} else {
- process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+ process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
}
}
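Review bot: The call now passes `$intrazone` where the literal `0` used to be, but `$intrazone` is declared without an initialiser and stays undef when neither the `all(\+)?!` nor the comma branch matched, and is also undef when the `all!` branch matched without a `+`. If process_a_policy1 uses that argument in numeric or string context under `use warnings` (its body is not in this hunk, so this is inferred), every plain `zone zone POLICY` line would now emit an uninitialized-value warning. Passing `$intrazone || 0` here, or initialising the variable to `0` at its declaration, restores the old contract without changing the fix. process_a_policy's start lies outside the hunk.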
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/changelog.txt new/shorewall-5.2.3.1/changelog.txt
--- old/shorewall-5.2.3/changelog.txt 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,3 +1,9 @@
+Changes in 5.2.3.1
+
+1) Update release documents.
+
+2) Correct issue with policy file zone exclusion.
+
Changes in 5.2.3 Final
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/configure new/shorewall-5.2.3.1/configure
--- old/shorewall-5.2.3/configure 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/configure 2019-02-26 18:58:36.000000000 +0100
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3
+VERSION=5.2.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/configure.pl new/shorewall-5.2.3.1/configure.pl
--- old/shorewall-5.2.3/configure.pl 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000 +0100
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3'
+ VERSION => '5.2.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/install.sh new/shorewall-5.2.3.1/install.sh
--- old/shorewall-5.2.3/install.sh 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000 +0100
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=5.2.3
+VERSION=5.2.3.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/known_problems.txt new/shorewall-5.2.3.1/known_problems.txt
--- old/shorewall-5.2.3/known_problems.txt 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/known_problems.txt 2019-02-26 18:58:36.000000000 +0100
@@ -12,3 +12,11 @@
such routes. Beginning with Shorewall6 5.0.15, the generated script
uses a "delete..add.." sequence on these routes rather than a
single "replace" command.
+
+4) If more than one zone is excluded in a policy file entry, an error
+ similar to the following is raised:
+
+ ERROR: 'all' is not allowed in a source zone list
+ /etc/shorewall/policy (line 8)
+
+ Corrected in Shorewall 5.2.3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/releasenotes.txt new/shorewall-5.2.3.1/releasenotes.txt
--- old/shorewall-5.2.3/releasenotes.txt 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3
+ S H O R E W A L L 5 . 2 . 3 . 1
-------------------------------
- F E B R U A R Y 1 5 , 2 0 1 9
+ F E B R U A R Y 2 6 , 2 0 1 9
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,8 +14,20 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Previously, to prevent a helper kernel module from being loaded, it
- was necessary to list both its current name and its
+5.2.3.1
+
+1) An issue in the implementation of policy file zone exclusion,
+ released in 5.2.3 has been resolved. In the original release,
+ if more than one zone was excluded, then the following error was
+ raised:
+
+ ERROR: 'all' is not allowed in a source zone list
+ etc/shorewall/policy (line ...)
+
+5.2.3
+
+1) To prevent a helper kernel module from being loaded, it was
+ previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
@@ -60,9 +72,7 @@
4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
- LOAD_HELPERS_ONLY=Yes had been specified. As part of this change,
- the pre-kernel 2.6.20 modules have been removed from the helpers
- file.
+ LOAD_HELPERS_ONLY=Yes had been specified.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/shorewall.spec new/shorewall-5.2.3.1/shorewall.spec
--- old/shorewall-5.2.3/shorewall.spec 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/shorewall.spec 2019-02-26 18:58:36.000000000 +0100
@@ -1,6 +1,6 @@
%define name shorewall
%define version 5.2.3
-%define release 0base
+%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -155,6 +155,8 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Samples
%changelog
+* Tue Feb 26 2019 Tom Eastep tom@shorewall.net
+- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0base
* Wed Feb 06 2019 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-5.2.3/uninstall.sh new/shorewall-5.2.3.1/uninstall.sh
--- old/shorewall-5.2.3/uninstall.sh 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000 +0100
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.2.3
+VERSION=5.2.3.1
usage() # $1 = exit status
{
++++++ shorewall-core-5.2.3.tar.bz2 -> shorewall-core-5.2.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/changelog.txt new/shorewall-core-5.2.3.1/changelog.txt
--- old/shorewall-core-5.2.3/changelog.txt 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,3 +1,9 @@
+Changes in 5.2.3.1
+
+1) Update release documents.
+
+2) Correct issue with policy file zone exclusion.
+
Changes in 5.2.3 Final
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/configure new/shorewall-core-5.2.3.1/configure
--- old/shorewall-core-5.2.3/configure 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/configure 2019-02-26 18:58:36.000000000 +0100
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3
+VERSION=5.2.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/configure.pl new/shorewall-core-5.2.3.1/configure.pl
--- old/shorewall-core-5.2.3/configure.pl 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000 +0100
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3'
+ VERSION => '5.2.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/install.sh new/shorewall-core-5.2.3.1/install.sh
--- old/shorewall-core-5.2.3/install.sh 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000 +0100
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=5.2.3
+VERSION=5.2.3.1
PRODUCT=shorewall-core
Product="Shorewall Core"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/known_problems.txt new/shorewall-core-5.2.3.1/known_problems.txt
--- old/shorewall-core-5.2.3/known_problems.txt 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/known_problems.txt 2019-02-26 18:58:36.000000000 +0100
@@ -12,3 +12,11 @@
such routes. Beginning with Shorewall6 5.0.15, the generated script
uses a "delete..add.." sequence on these routes rather than a
single "replace" command.
+
+4) If more than one zone is excluded in a policy file entry, an error
+ similar to the following is raised:
+
+ ERROR: 'all' is not allowed in a source zone list
+ /etc/shorewall/policy (line 8)
+
+ Corrected in Shorewall 5.2.3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/releasenotes.txt new/shorewall-core-5.2.3.1/releasenotes.txt
--- old/shorewall-core-5.2.3/releasenotes.txt 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3
+ S H O R E W A L L 5 . 2 . 3 . 1
-------------------------------
- F E B R U A R Y 1 5 , 2 0 1 9
+ F E B R U A R Y 2 6 , 2 0 1 9
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,8 +14,20 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Previously, to prevent a helper kernel module from being loaded, it
- was necessary to list both its current name and its
+5.2.3.1
+
+1) An issue in the implementation of policy file zone exclusion,
+ released in 5.2.3 has been resolved. In the original release,
+ if more than one zone was excluded, then the following error was
+ raised:
+
+ ERROR: 'all' is not allowed in a source zone list
+ etc/shorewall/policy (line ...)
+
+5.2.3
+
+1) To prevent a helper kernel module from being loaded, it was
+ previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
@@ -60,9 +72,7 @@
4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
- LOAD_HELPERS_ONLY=Yes had been specified. As part of this change,
- the pre-kernel 2.6.20 modules have been removed from the helpers
- file.
+ LOAD_HELPERS_ONLY=Yes had been specified.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/shorewall-core.spec new/shorewall-core-5.2.3.1/shorewall-core.spec
--- old/shorewall-core-5.2.3/shorewall-core.spec 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/shorewall-core.spec 2019-02-26 18:58:36.000000000 +0100
@@ -1,6 +1,6 @@
%define name shorewall-core
%define version 5.2.3
-%define release 0base
+%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -69,6 +69,8 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
+* Tue Feb 26 2019 Tom Eastep tom@shorewall.net
+- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0base
* Wed Feb 06 2019 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.3/uninstall.sh new/shorewall-core-5.2.3.1/uninstall.sh
--- old/shorewall-core-5.2.3/uninstall.sh 2019-02-11 23:48:19.000000000 +0100
+++ new/shorewall-core-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000 +0100
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.2.3
+VERSION=5.2.3.1
PRODUCT=shorewall-core
Product="Shorewall Core"
++++++ shorewall-docs-html-5.2.3.tar.bz2 -> shorewall-docs-html-5.2.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/6to4.htm new/shorewall-docs-html-5.2.3.1/6to4.htm
--- old/shorewall-docs-html-5.2.3/6to4.htm 2019-02-11 23:50:55.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/6to4.htm 2019-02-26 19:01:08.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#FeetWet">Getting your Feet Wet with IPv6, by Tom Eastep</a></span></dt><dd><dl><dt><span class="section"><a href="#idm30">Configuring IPv6 using my script</a></span></dt><dt><span class="section"><a href="#idm100">Configuring IPv6 the Debian Way</a></span></dt><dt><span class="section"><a href="#idm137">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#idm143">Configuring Shorewall6</a></span></dt></dl></dd><dt><span class="section"><a href="#SixInFour">6in4 Tunnel</a></span></dt><dt><span class="section"><a href="#Tunnel6to4">Connecting two IPv6 Networks, by Eric de Thouars</a></span></dt></dl></div><p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#FeetWet">Getting your Feet Wet with IPv6, by Tom Eastep</a></span></dt><dd><dl><dt><span class="section"><a href="#idm30">Configuring IPv6 using my script</a></span></dt><dt><span class="section"><a href="#idm100">Configuring IPv6 the Debian Way</a></span></dt><dt><span class="section"><a href="#idm137">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#idm143">Configuring Shorewall6</a></span></dt></dl></dd><dt><span class="section"><a href="#SixInFour">6in4 Tunnel</a></span></dt><dt><span class="section"><a href="#Tunnel6to4">Connecting two IPv6 Networks, by Eric de Thouars</a></span></dt></dl></div><p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure. It can also allow you
to experiment with IPv6 even if your ISP doesn't provide IPv6
connectivity.</p><p>More information on Linux and IPv6 can be found in the <a class="ulink" href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO" target="_top">Linux IPv6 HOWTO</a>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Accounting.html new/shorewall-docs-html-5.2.3.1/Accounting.html
--- old/shorewall-docs-html-5.2.3/Accounting.html 2019-02-11 23:50:56.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Accounting.html 2019-02-26 19:01:08.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Basics">Accounting Basics</a></span></dt><dt><span class="section"><a href="#Bridge">Accounting with Bridges</a></span></dt><dt><span class="section"><a href="#idm89">Sectioned Accounting Rules</a></span></dt><dt><span class="section"><a href="#Collectd">Integrating Shorewall Accounting with Collectd</a></span></dt><dt><span class="section"><a href="#perIP">Per-IP Accounting</a></span></dt><dt><span class="section"><a href="#nfacct">Accounting using nfacct</a></span></dt><dt><span class="section"><a href="#idm248">Preserving Counters over Restart and Reboot</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Basics">Accounting Basics</a></span></dt><dt><span class="section"><a href="#Bridge">Accounting with Bridges</a></span></dt><dt><span class="section"><a href="#idm89">Sectioned Accounting Rules</a></span></dt><dt><span class="section"><a href="#Collectd">Integrating Shorewall Accounting with Collectd</a></span></dt><dt><span class="section"><a href="#perIP">Per-IP Accounting</a></span></dt><dt><span class="section"><a href="#nfacct">Accounting using nfacct</a></span></dt><dt><span class="section"><a href="#idm248">Preserving Counters over Restart and Reboot</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release</strong></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Basics"></a>Accounting Basics</h2></div></div></div><p>Shorewall accounting rules are described in the file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Actions.html new/shorewall-docs-html-5.2.3.1/Actions.html
--- old/shorewall-docs-html-5.2.3/Actions.html 2019-02-11 23:50:56.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Actions.html 2019-02-26 19:01:09.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">What are Shorewall Actions?</a></span></dt><dt><span class="section"><a href="#Default">Policy Actions (Formerly Default Actions)</a></span></dt><dt><span class="section"><a href="#Defining">Defining your own Actions</a></span></dt><dd><dl><dt><span class="section"><a href="#idm198">Shorewall 5.0.0 and Later.</a></span></dt><dt><span class="section"><a href="#idm227">Mangle Actions</a></span></dt></dl></dd><dt><span class="section"><a href="#Logging">Actions and Logging</a></span></dt><dt><span class="section"><a href="#Embedded">Using Embedded Perl in an Action</a></span></dt><dt><span class="section"><a href="#Extension">Creating an Action using an Extension Script (deprecated in favor
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">What are Shorewall Actions?</a></span></dt><dt><span class="section"><a href="#Default">Policy Actions (Formerly Default Actions)</a></span></dt><dt><span class="section"><a href="#Defining">Defining your own Actions</a></span></dt><dd><dl><dt><span class="section"><a href="#idm198">Shorewall 5.0.0 and Later.</a></span></dt><dt><span class="section"><a href="#idm227">Mangle Actions</a></span></dt></dl></dd><dt><span class="section"><a href="#Logging">Actions and Logging</a></span></dt><dt><span class="section"><a href="#Embedded">Using Embedded Perl in an Action</a></span></dt><dt><span class="section"><a href="#Extension">Creating an Action using an Extension Script (deprecated in favor
of BEGIN PERL ... END PERL)</a></span></dt><dt><span class="section"><a href="#Limit">Limiting Per-IP Connection Rate using the Limit Action</a></span></dt><dd><dl><dt><span class="section"><a href="#LimitImp">How Limit is Implemented</a></span></dt></dl></dd><dt><span class="section"><a href="#idm507">Mangle Actions</a></span></dt><dt><span class="section"><a href="#idm538">SNAT Actions</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Anatomy.html new/shorewall-docs-html-5.2.3.1/Anatomy.html
--- old/shorewall-docs-html-5.2.3/Anatomy.html 2019-02-11 23:50:57.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Anatomy.html 2019-02-26 19:01:10.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Products">Products</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin">/sbin ($SBINDIR)</a></span></dt><dt><span class="section"><a href="#share-shorewall">/usr/share/shorewall (${SHAREDIR}/shorewall)</a></span></dt><dt><span class="section"><a href="#shorewall">/etc/shorewall (${CONFDIR}/shorewall)</a></span></dt><dt><span class="section"><a href="#init">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Products">Products</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin">/sbin ($SBINDIR)</a></span></dt><dt><span class="section"><a href="#share-shorewall">/usr/share/shorewall (${SHAREDIR}/shorewall)</a></span></dt><dt><span class="section"><a href="#shorewall">/etc/shorewall (${CONFDIR}/shorewall)</a></span></dt><dt><span class="section"><a href="#init">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</a></span></dt><dt><span class="section"><a href="#var">/var/lib/shorewall (${VARLIB}/shorewall)</a></span></dt></dl></dd><dt><span class="section"><a href="#Shorewall-perl">Shorewall6</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin6">/sbin ($SBINDIR)</a></span></dt><dt><span class="section"><a href="#share-shorewall6">/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</a></span></dt><dt><span class="section"><a href="#etc-shorewall6">/etc/shorewall6 (${CONFDIR}/shorewall6)</a></span></dt><dt><span class="section"><a href="#init6">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</a></span></dt><dt><span class="section"><a href="#var-shorewall6">/var/lib/shorewall6 (${VARLIB}/shorewall6)</a></span></dt></dl></dd><dt><span class="section"><a href="#Shorewall-lite">Shorewall-lite</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin-lite">/sbin ($SBINDIR)</a></span></dt><dt><span class="section"><a href="#init-lite">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</a></span></dt><dt><span class="section"><a href="#shorewall-lite">/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</a></span></dt><dt><span class="section"><a href="#share-lite">/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</a></span></dt><dt><span class="section"><a href="#var-lite">/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</a></span></dt></dl></dd><dt><span class="section"><a href="#Shorewall6-lite">Shorewall6-lite</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin-lite6">/sbin</a></span></dt><dt><span class="section"><a href="#init-6lite">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Anatomy_ru.html new/shorewall-docs-html-5.2.3.1/Anatomy_ru.html
--- old/shorewall-docs-html-5.2.3/Anatomy_ru.html 2019-02-11 23:50:57.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Anatomy_ru.html 2019-02-26 19:01:09.000000000 +0100
@@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Анатомия Shorewall 4.0</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Анатомия Shorewall 4.0</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2007 Thomas M. Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation: Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. 
Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Products">Продукты</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall-common</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin">/sbin</a></span></dt><dt><span class="section"><a href="#share-shorewall">/usr/share/shorewall</a></span></dt><dt><span class="section"><a href="#shorewall">/etc/shorewall</a></span></dt><dt><span class="section"><a href="#init">/etc/init.d или /etc/rc.d (зависит от дистрибутива)</a></span></dt><dt><span class="section"><a href="#var">/var/lib/shorewall</a></span></dt></dl></dd><dt><span class="section"><a href="#Shorewall-shell">Shorewall-shell</a></span></dt><dt><span class="section"><a href="#Shorewall-perl">Shorewall-perl</a></span></dt><dt><span class="section"><a href="#Shorewall-lite">Shorewall-lite</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin-lite">/sbin</a></span></dt><dt><span class="section"><a href="#init-lite">/etc/init.d или /etc/rc.d (зависит от дистрибутива)</a></span></dt><dt><span class="section"><a href="#shorewall-lite">/etc/shorewall-lite</a></span></dt><dt><span class="section"><a href="#share-lite">/usr/share/shorewall-lite</a></span></dt><dt><span class="section"><a href="#var-lite">/var/lib/shorewall-lite</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Products"></a>Продукты</h2></div></div></div><p>В состав Shorewall 4.0 входят следующие четыре пакета. </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p><span class="bold"><strong>Shorewall-common</strong></span>. 
Этот пакет необходимо установить хотя бы в одной системе в вашей сети. В этой системе также должны быть установлены Shorewall-shell и/или Shorewall-perl. </p></li><li class="listitem"><p><span class="bold"><strong>Shorewall-shell</strong></span>. Этот пакет содержит прежний компилятор конфигурации Shorewall, написанный на Bourne Shell. Этот компилятор работает в большинстве систем, но он медленный, и его сопровождение стало затруднительным.</p></li><li class="listitem"><p><span class="bold"><strong>Shorewall-perl</strong></span>. Этот компилятор заменяет Shorewall-shell и написан на языке Perl. Он работает на всех платформах Unix, поддерживающих Perl (включая Cygwin), и рекомендуется для всех систем, где Shorewall устанавливается заново. </p></li><li class="listitem"><p><span class="bold"><strong>Shorewall-lite</strong></span>. В Shorewall предусмотрена возможность централизованного управления несколькими системами файрволов. Для этого применяется пакет Shorewall lite. Полностью продукт Shorewall, включая Shorewall-shell и/или Shorewall-perl, устанавливается в центральной административной системе, где генерируются сценарии Shorewall. Эти сценарии копируются в системы файрволов, где они выполняются под управлением Shorewall-lite. </p></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall"></a>Shorewall-common</h2></div></div></div><p>Пакет Shorewall-common включает много файлов, которые устанавливаются в каталоги /<code class="filename">sbin</code>, <code class="filename">/usr/share/shorewall</code>, <code class="filename">/etc/shorewall</code>, <code class="filename">/etc/init.d</code> и <code class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="sbin"></a>/sbin</h3></div></div></div><p>Программа <code class="filename">/sbin/shorewall</code> взаимодействует с Shorewall. См. 
<a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8).</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="share-shorewall"></a>/usr/share/shorewall</h3></div></div></div><p>Здесь устанавливаются основные файлы Shorewall. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">action.template</code> - файл шаблонов для создания <a class="ulink" href="Actions.html" target="_top">действий</a>.</p></li><li class="listitem"><p><code class="filename">action.*</code> - стандартные действия Shorewall. </p></li><li class="listitem"><p><code class="filename">actions.std</code> - в этом файле перечислены стандартные действия. </p></li><li class="listitem"><p><code class="filename">configfiles</code> - в этом каталоге содержатся файлы конфигурации, при копировании которых создается <a class="ulink" href="CompiledPrograms.html#Lite" target="_top">каталог экспорта Shorewall-lite.</a></p></li><li class="listitem"><p><code class="filename"><code class="filename">configpath</code></code> - здесь содержится информация о путях, которая зависит от дистрибутива. </p></li><li class="listitem"><p><code class="filename">firewall</code> - эта программа обрабатывает команды <span class="command"><strong>add</strong></span> и <span class="command"><strong>delete</strong></span> (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)). Кроме того, она обрабатывает команды <span class="command"><strong>stop</strong></span> и <span class="command"><strong>clear</strong></span>, если в системе нет текущего скомпилированного сценария файрвола. 
</p></li><li class="listitem"><p><code class="filename">functions</code> - ссылка на <code class="filename">lib.base</code>, предусмотренная для совместимости с прежними версиями Shorewall.</p></li><li class="listitem"><p><code class="filename">init</code> - ссылка на сценарий инициализации (обычно это - <code class="filename">/etc/init.d/shorewall</code>).</p></li><li class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций оболочки, используемые другими программами. </p></li><li class="listitem"><p><code class="filename">macro.*</code> - стандартные <a class="ulink" href="Macros.html" target="_top">макросы</a> Shorewall.</p></li><li class="listitem"><p><code class="filename">modules</code> - файл, управляющий загрузкой модулей Netfilter ядра. Его можно переопределить в файле <code class="filename">/etc/shorewall/modules</code>.</p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall.</p></li><li class="listitem"><p><code class="filename">wait4ifup</code> - программа, которую могут использовать <a class="ulink" href="shorewall_extension_scripts.htm" target="_top">сценарии расширения</a> для ожидания готовности сетевого интерфейса. </p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="shorewall"></a>/etc/shorewall</h3></div></div></div><p>В этом каталоге содержатся файлы конфигурации, настраиваемые пользователем. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="init"></a>/etc/init.d или /etc/rc.d (зависит от дистрибутива)</h3></div></div></div><p>Здесь устанавливается сценарий инициализации. 
В зависимости от дистрибутива, он называется <code class="filename">shorewall</code> или <code class="filename">rc.firewall</code>.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="var"></a>/var/lib/shorewall</h3></div></div></div><p>Shorewall не устанавливает никаких файлов в этот каталог. Он используется для хранения данных во время выполнения. Этот каталог можно перенести командой <a class="ulink" href="manpages/shorewall-vardir.html" target="_top">shorewall-vardir</a>(5).</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">chains</code> - если в <a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5) задан DYNAMIC_ZONES=Yes, то в этом файле содержится информация для команд <span class="command"><strong>add</strong></span> и <span class="command"><strong>delete</strong></span> (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">.iptables-restore-input </code>- этот файл передается программе iptables-restore для инициализации файрвола в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modules</code> - содержимое файла модулей, использованного последними командами <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. 
<a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modulesdir</code> - параметр MODULESDIR (<a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5)) в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart.</strong></span></p></li><li class="listitem"><p><code class="filename">nat</code> - в этом файле (с неудачным именем) записаны IP-адреса, добавленные при включенных опциях ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code class="filename">proxyarp</code> - записи arp, добавленные элементами <a class="ulink" href="manpages/shorewall-proxyarp.html" target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code class="filename">.refresh</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh</strong></span>. </p></li><li class="listitem"><p><code class="filename">.restart</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>restart</strong></span>. </p></li><li class="listitem"><p><code class="filename">restore</code> - программа по умолчанию, выполняющая команды <span class="command"><strong>restore</strong></span>. </p></li><li class="listitem"><p><code class="filename">.restore</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh, restart</strong></span> или <span class="command"><strong>start</strong></span>. 
</p></li><li class="listitem"><p><code class="filename">save</code> - файл, созданный командой <span class="command"><strong>save</strong></span> и используемый для восстановления динамического чёрного списка в ходе выполнения команд <span class="command"><strong>start/restart</strong></span>.</p></li><li class="listitem"><p><code class="filename">.start</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>start</strong></span>. </p></li><li class="listitem"><p><code class="filename">state</code> - здесь записано текущее состояние файрвола. </p></li><li class="listitem"><p><code class="filename">zones</code> - здесь записано текущее состояние зон.</p></li></ul></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall-shell"></a>Shorewall-shell</h2></div></div></div><p>Все файлы продукта Shorewall-shell устанавливаются в каталоге /usr/share/<code class="filename">shorewall-shell</code>.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">compiler</code> - компилятор конфигурации (программа shell). </p></li><li class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций оболочки, используемые компилятором. Для уменьшения объема в встроенных системах могут быть установлены не все библиотеки. </p></li><li class="listitem"><p><code class="filename">prog.*</code> - фрагменты кода на shell, используемые компилятором. 
</p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall-perl"></a>Shorewall-perl</h2></div></div></div><p>Все файлы продукта Shorewall-perl устанавливаются в каталоге /usr/share/<code class="filename">shorewall-perl</code>.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">buildports.pl</code> - программа на Perl, которая компонует модуль Shorewall/Ports.pm во время установки. </p></li><li class="listitem"><p><code class="filename">compiler</code> - компилятор конфигурации (программа shell). </p></li><li class="listitem"><p><code class="filename">prog.*</code> - фрагменты кода на shell, используемые компилятором. </p></li><li class="listitem"><p><code class="filename">Shorewall</code> - каталог, содержащий модули Shorewall Perl, используемые компилятором. </p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall-lite"></a>Shorewall-lite</h2></div></div></div><p>Файлы Shorewall-lite устанавливаются в каталогах /<code class="filename">sbin</code>, <code class="filename">/usr/share/shorewall-lite</code>, /etc/<code class="filename">shorewall-lite</code>, <code class="filename">/etc/init.d</code> и <code class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="sbin-lite"></a>/sbin</h3></div></div></div><p>Программа <code class="filename">/sbin/shorewall-lite</code> взаимодействует с Shorewall lite. См. 
<a class="ulink" href="manpages/shorewall-lite.html" target="_top">shorewall-lite</a>(8).</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="init-lite"></a>/etc/init.d или /etc/rc.d (зависит от дистрибутива)</h3></div></div></div><p>Здесь устанавливается сценарий инициализации. В зависимости от дистрибутива, он называется <code class="filename">shorewall-lite</code> или <code class="filename">rc.firewall</code>.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="shorewall-lite"></a>/etc/shorewall-lite</h3></div></div></div><p>В этом каталоге содержатся файлы конфигурации, настраиваемые пользователем. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="share-lite"></a>/usr/share/shorewall-lite</h3></div></div></div><p>Здесь устанавливаются основные файлы Shorewall-lite. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename"><code class="filename">configpath</code></code> - здесь содержится информация о путях, которая зависит от дистрибутива. </p></li><li class="listitem"><p><code class="filename">functions</code> - ссылка на <code class="filename">lib.base</code>, предусмотренная для совместимости с прежними версиями Shorewall.</p></li><li class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций оболочки, используемые другими программами. Это копии соответствующих библиотек продукта Shorewall. </p></li><li class="listitem"><p><code class="filename">modules</code> - файл, управляющий загрузкой модулей Netfilter ядра. Его можно переопределить в файле <code class="filename">/etc/shorewall-lite/modules</code>.</p></li><li class="listitem"><p><code class="filename">shorecap</code> - программа, которая создает файл capabilities. См. 
<a class="ulink" href="CompiledPrograms.html#Lite" target="_top">документацию Shorewall-lite</a>.</p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall.</p></li><li class="listitem"><p><code class="filename">wait4ifup</code> - программа, которую могут использовать <a class="ulink" href="shorewall_extension_scripts.htm" target="_top">сценарии расширения</a> для ожидания готовности сетевого интерфейса. </p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="var-lite"></a>/var/lib/shorewall-lite</h3></div></div></div><p>Shorewall-lite не устанавливает никаких файлов в этот каталог. Он используется для хранения данных во время выполнения. Этот каталог можно перенести командой <a class="ulink" href="manpages/shorewall-lite-vardir.html" target="_top">shorewall-lite-vardir</a>(5).</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">firewall</code> - скомпилированный сценарий, который устанавливается командой load или reload, выполняемой в административной системе (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">firewall.conf</code> - дайджест файла shorewall.conf, использованного для компиляции сценария файрвола в административной системе. </p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">.iptables-restore-input </code>- этот файл передается программе iptables-restore для инициализации файрвола в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. 
<a class="ulink" href="manpages/shorewall-lite.html" target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modules</code> - содержимое файла модулей, использованного последними командами <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. <a class="ulink" href="manpages/shorewall-lite.html" target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modulesdir</code> - параметр MODULESDIR (<a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5)) в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart.</strong></span></p></li><li class="listitem"><p><code class="filename">nat</code> - в этом файле (с неудачным именем) записаны IP-адреса, добавленные при включенных опциях ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code class="filename">proxyarp</code> - записи arp, добавленные элементами <a class="ulink" href="manpages/shorewall-proxyarp.html" target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code class="filename">.refresh</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh</strong></span>. </p></li><li class="listitem"><p><code class="filename">.restart</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>restart</strong></span>. </p></li><li class="listitem"><p><code class="filename">restore</code> - программа по умолчанию, выполняющая команды <span class="command"><strong>restore</strong></span>. 
</p></li><li class="listitem"><p><code class="filename">.restore</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh, restart</strong></span> или <span class="command"><strong>start</strong></span>. </p></li><li class="listitem"><p><code class="filename">save</code> - файл, созданный командой <span class="command"><strong>save</strong></span> и используемый для восстановления динамического чёрного списка в ходе выполнения команд <span class="command"><strong>start/restart</strong></span>.</p></li><li class="listitem"><p><code class="filename">.start</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>start</strong></span>. </p></li><li class="listitem"><p><code class="filename">state</code> - здесь записано текущее состояние файрвола. </p></li><li class="listitem"><p><code class="filename">zones</code> - здесь записано текущее состояние зон.</p></li></ul></div></div></div></div></body></html>
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Анатомия Shorewall 4.0</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Анатомия Shorewall 4.0</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2007 Thomas M. Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation: Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. 
Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Products">Продукты</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall-common</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin">/sbin</a></span></dt><dt><span class="section"><a href="#share-shorewall">/usr/share/shorewall</a></span></dt><dt><span class="section"><a href="#shorewall">/etc/shorewall</a></span></dt><dt><span class="section"><a href="#init">/etc/init.d или /etc/rc.d (зависит от дистрибутива)</a></span></dt><dt><span class="section"><a href="#var">/var/lib/shorewall</a></span></dt></dl></dd><dt><span class="section"><a href="#Shorewall-shell">Shorewall-shell</a></span></dt><dt><span class="section"><a href="#Shorewall-perl">Shorewall-perl</a></span></dt><dt><span class="section"><a href="#Shorewall-lite">Shorewall-lite</a></span></dt><dd><dl><dt><span class="section"><a href="#sbin-lite">/sbin</a></span></dt><dt><span class="section"><a href="#init-lite">/etc/init.d или /etc/rc.d (зависит от дистрибутива)</a></span></dt><dt><span class="section"><a href="#shorewall-lite">/etc/shorewall-lite</a></span></dt><dt><span class="section"><a href="#share-lite">/usr/share/shorewall-lite</a></span></dt><dt><span class="section"><a href="#var-lite">/var/lib/shorewall-lite</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Products"></a>Продукты</h2></div></div></div><p>В состав Shorewall 4.0 входят следующие четыре пакета. </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p><span class="bold"><strong>Shorewall-common</strong></span>. 
Этот пакет необходимо установить хотя бы в одной системе в вашей сети. В этой системе также должны быть установлены Shorewall-shell и/или Shorewall-perl. </p></li><li class="listitem"><p><span class="bold"><strong>Shorewall-shell</strong></span>. Этот пакет содержит прежний компилятор конфигурации Shorewall, написанный на Bourne Shell. Этот компилятор работает в большинстве систем, но он медленный, и его сопровождение стало затруднительным.</p></li><li class="listitem"><p><span class="bold"><strong>Shorewall-perl</strong></span>. Этот компилятор заменяет Shorewall-shell и написан на языке Perl. Он работает на всех платформах Unix, поддерживающих Perl (включая Cygwin), и рекомендуется для всех систем, где Shorewall устанавливается заново. </p></li><li class="listitem"><p><span class="bold"><strong>Shorewall-lite</strong></span>. В Shorewall предусмотрена возможность централизованного управления несколькими системами файрволов. Для этого применяется пакет Shorewall lite. Полностью продукт Shorewall, включая Shorewall-shell и/или Shorewall-perl, устанавливается в центральной административной системе, где генерируются сценарии Shorewall. Эти сценарии копируются в системы файрволов, где они выполняются под управлением Shorewall-lite. </p></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall"></a>Shorewall-common</h2></div></div></div><p>Пакет Shorewall-common включает много файлов, которые устанавливаются в каталоги /<code class="filename">sbin</code>, <code class="filename">/usr/share/shorewall</code>, <code class="filename">/etc/shorewall</code>, <code class="filename">/etc/init.d</code> и <code class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="sbin"></a>/sbin</h3></div></div></div><p>Программа <code class="filename">/sbin/shorewall</code> взаимодействует с Shorewall. См. 
<a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8).</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="share-shorewall"></a>/usr/share/shorewall</h3></div></div></div><p>Здесь устанавливаются основные файлы Shorewall. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">action.template</code> - файл шаблонов для создания <a class="ulink" href="Actions.html" target="_top">действий</a>.</p></li><li class="listitem"><p><code class="filename">action.*</code> - стандартные действия Shorewall. </p></li><li class="listitem"><p><code class="filename">actions.std</code> - в этом файле перечислены стандартные действия. </p></li><li class="listitem"><p><code class="filename">configfiles</code> - в этом каталоге содержатся файлы конфигурации, при копировании которых создается <a class="ulink" href="CompiledPrograms.html#Lite" target="_top">каталог экспорта Shorewall-lite.</a></p></li><li class="listitem"><p><code class="filename"><code class="filename">configpath</code></code> - здесь содержится информация о путях, которая зависит от дистрибутива. </p></li><li class="listitem"><p><code class="filename">firewall</code> - эта программа обрабатывает команды <span class="command"><strong>add</strong></span> и <span class="command"><strong>delete</strong></span> (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)). Кроме того, она обрабатывает команды <span class="command"><strong>stop</strong></span> и <span class="command"><strong>clear</strong></span>, если в системе нет текущего скомпилированного сценария файрвола. 
</p></li><li class="listitem"><p><code class="filename">functions</code> - ссылка на <code class="filename">lib.base</code>, предусмотренная для совместимости с прежними версиями Shorewall.</p></li><li class="listitem"><p><code class="filename">init</code> - ссылка на сценарий инициализации (обычно это - <code class="filename">/etc/init.d/shorewall</code>).</p></li><li class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций оболочки, используемые другими программами. </p></li><li class="listitem"><p><code class="filename">macro.*</code> - стандартные <a class="ulink" href="Macros.html" target="_top">макросы</a> Shorewall.</p></li><li class="listitem"><p><code class="filename">modules</code> - файл, управляющий загрузкой модулей Netfilter ядра. Его можно переопределить в файле <code class="filename">/etc/shorewall/modules</code>.</p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall.</p></li><li class="listitem"><p><code class="filename">wait4ifup</code> - программа, которую могут использовать <a class="ulink" href="shorewall_extension_scripts.htm" target="_top">сценарии расширения</a> для ожидания готовности сетевого интерфейса. </p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="shorewall"></a>/etc/shorewall</h3></div></div></div><p>В этом каталоге содержатся файлы конфигурации, настраиваемые пользователем. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="init"></a>/etc/init.d или /etc/rc.d (зависит от дистрибутива)</h3></div></div></div><p>Здесь устанавливается сценарий инициализации. 
В зависимости от дистрибутива, он называется <code class="filename">shorewall</code> или <code class="filename">rc.firewall</code>.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="var"></a>/var/lib/shorewall</h3></div></div></div><p>Shorewall не устанавливает никаких файлов в этот каталог. Он используется для хранения данных во время выполнения. Этот каталог можно перенести командой <a class="ulink" href="manpages/shorewall-vardir.html" target="_top">shorewall-vardir</a>(5).</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">chains</code> - если в <a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5) задан DYNAMIC_ZONES=Yes, то в этом файле содержится информация для команд <span class="command"><strong>add</strong></span> и <span class="command"><strong>delete</strong></span> (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">.iptables-restore-input </code>- этот файл передается программе iptables-restore для инициализации файрвола в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modules</code> - содержимое файла модулей, использованного последними командами <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. 
<a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modulesdir</code> - параметр MODULESDIR (<a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5)) в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart.</strong></span></p></li><li class="listitem"><p><code class="filename">nat</code> - в этом файле (с неудачным именем) записаны IP-адреса, добавленные при включенных опциях ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code class="filename">proxyarp</code> - записи arp, добавленные элементами <a class="ulink" href="manpages/shorewall-proxyarp.html" target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code class="filename">.refresh</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh</strong></span>. </p></li><li class="listitem"><p><code class="filename">.restart</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>restart</strong></span>. </p></li><li class="listitem"><p><code class="filename">restore</code> - программа по умолчанию, выполняющая команды <span class="command"><strong>restore</strong></span>. </p></li><li class="listitem"><p><code class="filename">.restore</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh, restart</strong></span> или <span class="command"><strong>start</strong></span>. 
</p></li><li class="listitem"><p><code class="filename">save</code> - файл, созданный командой <span class="command"><strong>save</strong></span> и используемый для восстановления динамического чёрного списка в ходе выполнения команд <span class="command"><strong>start/restart</strong></span>.</p></li><li class="listitem"><p><code class="filename">.start</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>start</strong></span>. </p></li><li class="listitem"><p><code class="filename">state</code> - здесь записано текущее состояние файрвола. </p></li><li class="listitem"><p><code class="filename">zones</code> - здесь записано текущее состояние зон.</p></li></ul></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall-shell"></a>Shorewall-shell</h2></div></div></div><p>Все файлы продукта Shorewall-shell устанавливаются в каталоге /usr/share/<code class="filename">shorewall-shell</code>.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">compiler</code> - компилятор конфигурации (программа shell). </p></li><li class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций оболочки, используемые компилятором. Для уменьшения объема в встроенных системах могут быть установлены не все библиотеки. </p></li><li class="listitem"><p><code class="filename">prog.*</code> - фрагменты кода на shell, используемые компилятором. 
</p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall-perl"></a>Shorewall-perl</h2></div></div></div><p>Все файлы продукта Shorewall-perl устанавливаются в каталоге /usr/share/<code class="filename">shorewall-perl</code>.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">buildports.pl</code> - программа на Perl, которая компонует модуль Shorewall/Ports.pm во время установки. </p></li><li class="listitem"><p><code class="filename">compiler</code> - компилятор конфигурации (программа shell). </p></li><li class="listitem"><p><code class="filename">prog.*</code> - фрагменты кода на shell, используемые компилятором. </p></li><li class="listitem"><p><code class="filename">Shorewall</code> - каталог, содержащий модули Shorewall Perl, используемые компилятором. </p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Shorewall-lite"></a>Shorewall-lite</h2></div></div></div><p>Файлы Shorewall-lite устанавливаются в каталогах /<code class="filename">sbin</code>, <code class="filename">/usr/share/shorewall-lite</code>, /etc/<code class="filename">shorewall-lite</code>, <code class="filename">/etc/init.d</code> и <code class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="sbin-lite"></a>/sbin</h3></div></div></div><p>Программа <code class="filename">/sbin/shorewall-lite</code> взаимодействует с Shorewall lite. См. 
<a class="ulink" href="manpages/shorewall-lite.html" target="_top">shorewall-lite</a>(8).</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="init-lite"></a>/etc/init.d или /etc/rc.d (зависит от дистрибутива)</h3></div></div></div><p>Здесь устанавливается сценарий инициализации. В зависимости от дистрибутива, он называется <code class="filename">shorewall-lite</code> или <code class="filename">rc.firewall</code>.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="shorewall-lite"></a>/etc/shorewall-lite</h3></div></div></div><p>В этом каталоге содержатся файлы конфигурации, настраиваемые пользователем. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="share-lite"></a>/usr/share/shorewall-lite</h3></div></div></div><p>Здесь устанавливаются основные файлы Shorewall-lite. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename"><code class="filename">configpath</code></code> - здесь содержится информация о путях, которая зависит от дистрибутива. </p></li><li class="listitem"><p><code class="filename">functions</code> - ссылка на <code class="filename">lib.base</code>, предусмотренная для совместимости с прежними версиями Shorewall.</p></li><li class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций оболочки, используемые другими программами. Это копии соответствующих библиотек продукта Shorewall. </p></li><li class="listitem"><p><code class="filename">modules</code> - файл, управляющий загрузкой модулей Netfilter ядра. Его можно переопределить в файле <code class="filename">/etc/shorewall-lite/modules</code>.</p></li><li class="listitem"><p><code class="filename">shorecap</code> - программа, которая создает файл capabilities. См. 
<a class="ulink" href="CompiledPrograms.html#Lite" target="_top">документацию Shorewall-lite</a>.</p></li><li class="listitem"><p><code class="filename">version</code> - файл, в котором указана текущая установленная версия Shorewall.</p></li><li class="listitem"><p><code class="filename">wait4ifup</code> - программа, которую могут использовать <a class="ulink" href="shorewall_extension_scripts.htm" target="_top">сценарии расширения</a> для ожидания готовности сетевого интерфейса. </p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="var-lite"></a>/var/lib/shorewall-lite</h3></div></div></div><p>Shorewall-lite не устанавливает никаких файлов в этот каталог. Он используется для хранения данных во время выполнения. Этот каталог можно перенести командой <a class="ulink" href="manpages/shorewall-lite-vardir.html" target="_top">shorewall-lite-vardir</a>(5).</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">firewall</code> - скомпилированный сценарий, который устанавливается командой load или reload, выполняемой в административной системе (см. <a class="ulink" href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code class="filename">firewall.conf</code> - дайджест файла shorewall.conf, использованного для компиляции сценария файрвола в административной системе. </p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><code class="filename">.iptables-restore-input </code>- этот файл передается программе iptables-restore для инициализации файрвола в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. 
<a class="ulink" href="manpages/shorewall-lite.html" target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modules</code> - содержимое файла модулей, использованного последними командами <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart</strong></span> (см. <a class="ulink" href="manpages/shorewall-lite.html" target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code class="filename">.modulesdir</code> - параметр MODULESDIR (<a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5)) в ходе выполнения последней команды <span class="command"><strong>start</strong></span> или <span class="command"><strong>restart.</strong></span></p></li><li class="listitem"><p><code class="filename">nat</code> - в этом файле (с неудачным именем) записаны IP-адреса, добавленные при включенных опциях ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink" href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code class="filename">proxyarp</code> - записи arp, добавленные элементами <a class="ulink" href="manpages/shorewall-proxyarp.html" target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code class="filename">.refresh</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh</strong></span>. </p></li><li class="listitem"><p><code class="filename">.restart</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>restart</strong></span>. </p></li><li class="listitem"><p><code class="filename">restore</code> - программа по умолчанию, выполняющая команды <span class="command"><strong>restore</strong></span>. 
</p></li><li class="listitem"><p><code class="filename">.restore</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>refresh, restart</strong></span> или <span class="command"><strong>start</strong></span>. </p></li><li class="listitem"><p><code class="filename">save</code> - файл, созданный командой <span class="command"><strong>save</strong></span> и используемый для восстановления динамического чёрного списка в ходе выполнения команд <span class="command"><strong>start/restart</strong></span>.</p></li><li class="listitem"><p><code class="filename">.start</code> - программа, которая выполнила последнюю успешную команду <span class="command"><strong>start</strong></span>. </p></li><li class="listitem"><p><code class="filename">state</code> - здесь записано текущее состояние файрвола. </p></li><li class="listitem"><p><code class="filename">zones</code> - здесь записано текущее состояние зон.</p></li></ul></div></div></div></div></body></html>
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Anti-Spoofing.html new/shorewall-docs-html-5.2.3.1/Anti-Spoofing.html
--- old/shorewall-docs-html-5.2.3/Anti-Spoofing.html 2019-02-11 23:50:58.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Anti-Spoofing.html 2019-02-26 19:01:10.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm20">The <span class="emphasis"><em>routefilter</em></span> Interface Option</a></span></dt><dt><span class="section"><a href="#idm37">Hairpin Filtering</a></span></dt><dt><span class="section"><a href="#idm45">The <span class="emphasis"><em>rpfilter</em></span> Interface Option</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p><em class="firstterm">Spoofing</em> is the practice of sending packets
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm20">The <span class="emphasis"><em>routefilter</em></span> Interface Option</a></span></dt><dt><span class="section"><a href="#idm37">Hairpin Filtering</a></span></dt><dt><span class="section"><a href="#idm45">The <span class="emphasis"><em>rpfilter</em></span> Interface Option</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p><em class="firstterm">Spoofing</em> is the practice of sending packets
with a forged source address in an attempt to circumvent security
measures. Shorewall supports a variety of measures to counter spoofing
attacks.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm20"></a>The <span class="emphasis"><em>routefilter</em></span> Interface Option</h2></div></div></div><p>This <a class="ulink" href="???" target="_top">shorewall-interfaces</a> (5) option was
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Audit.html new/shorewall-docs-html-5.2.3.1/Audit.html
--- old/shorewall-docs-html-5.2.3/Audit.html 2019-02-11 23:50:58.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Audit.html 2019-02-26 19:01:10.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Background</a></span></dt><dt><span class="section"><a href="#idm49">Shorewall Support</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Background</h2></div></div></div><p>In early 2011, Thomas Graf submitted a set of patches to the
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Background</a></span></dt><dt><span class="section"><a href="#idm49">Shorewall Support</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Background</h2></div></div></div><p>In early 2011, Thomas Graf submitted a set of patches to the
Netfilter development list that implemented an AUDIT rule target. This is
from the initial submittal:</p><div class="blockquote"><blockquote class="blockquote"><p>This patch adds a new netfilter target which creates audit records
for packets traversing a certain chain. It can be used to record packets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Build.html new/shorewall-docs-html-5.2.3.1/Build.html
--- old/shorewall-docs-html-5.2.3/Build.html 2019-02-11 23:51:00.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Build.html 2019-02-26 19:01:12.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm20">Git Taxonomy</a></span></dt><dd><dl><dt><span class="section"><a href="#idm26">trunk (clone of Code)</a></span></dt><dt><span class="section"><a href="#idm43">trunk/docs</a></span></dt><dt><span class="section"><a href="#idm46">tools (Clone of Tools)</a></span></dt><dt><span class="section"><a href="#idm58">web (Clone of Web)</a></span></dt><dt><span class="section"><a href="#idm61">release (Clone of Release)</a></span></dt></dl></dd><dt><span class="section"><a href="#idm64">Build Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#idm68">setversion</a></span></dt><dt><span class="section"><a href="#idm79">build45, build46 and build50</a></span></dt><dt><span class="section"><a href="#idm204">upload</a></span></dt><dt><span class="section"><a href="#idm257">install.sh files</a></span></dt></dl></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This information is provided primarily for Shorewall developers.
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm20">Git Taxonomy</a></span></dt><dd><dl><dt><span class="section"><a href="#idm26">trunk (clone of Code)</a></span></dt><dt><span class="section"><a href="#idm43">trunk/docs</a></span></dt><dt><span class="section"><a href="#idm46">tools (Clone of Tools)</a></span></dt><dt><span class="section"><a href="#idm58">web (Clone of Web)</a></span></dt><dt><span class="section"><a href="#idm61">release (Clone of Release)</a></span></dt></dl></dd><dt><span class="section"><a href="#idm64">Build Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#idm68">setversion</a></span></dt><dt><span class="section"><a href="#idm79">build45, build46 and build50</a></span></dt><dt><span class="section"><a href="#idm204">upload</a></span></dt><dt><span class="section"><a href="#idm257">install.sh files</a></span></dt></dl></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This information is provided primarily for Shorewall developers.
Users are expected to install from pre-built tarballs or packages.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm20"></a>Git Taxonomy</h2></div></div></div><p>The Shorewall Git tree at Sourceforge serves as the master
repository for Shorewall 4.4 and later versions. It is not possible to
simply export a directory from Git and run the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/CompiledPrograms.html new/shorewall-docs-html-5.2.3.1/CompiledPrograms.html
--- old/shorewall-docs-html-5.2.3/CompiledPrograms.html 2019-02-11 23:51:01.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/CompiledPrograms.html 2019-02-26 19:01:13.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span class="section"><a href="#idm177">Module Loading</a></span></dt><dt><span class="section"><a href="#Converting">Converting a system from Shorewall to Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span class="section"><a href="#Compile">The "shorewall compile" command</a></span></dt><dt><span class="section"><a href="#Shorecap">The /etc/shorewall/capabilities file and the shorecap
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span class="section"><a href="#idm177">Module Loading</a></span></dt><dt><span class="section"><a href="#Converting">Converting a system from Shorewall to Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span class="section"><a href="#Compile">The "shorewall compile" command</a></span></dt><dt><span class="section"><a href="#Shorecap">The /etc/shorewall/capabilities file and the shorecap
program</a></span></dt><dt><span class="section"><a href="#Running">Running compiled programs directly</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation appropriate for your
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ConnectionRate.html new/shorewall-docs-html-5.2.3.1/ConnectionRate.html
--- old/shorewall-docs-html-5.2.3/ConnectionRate.html 2019-02-11 23:51:02.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ConnectionRate.html 2019-02-26 19:01:14.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm42">Policy Rate Limiting</a></span></dt><dt><span class="section"><a href="#idm47">Rules Rate Limiting</a></span></dt><dt><span class="section"><a href="#idm51">Limit Action</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Introduction</h2></div></div></div><p>Shorewall supports several mechanisms for limiting connection rates.
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm42">Policy Rate Limiting</a></span></dt><dt><span class="section"><a href="#idm47">Rules Rate Limiting</a></span></dt><dt><span class="section"><a href="#idm51">Limit Action</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Introduction</h2></div></div></div><p>Shorewall supports several mechanisms for limiting connection rates.
These are described in the following sections.</p><p>Rates are expressed in terms of a <em class="firstterm">connections per unit
time</em> and a <code class="filename">burst</code>. An
<em class="firstterm">interval</em> is calculated by dividing the unit of time
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Docker.html new/shorewall-docs-html-5.2.3.1/Docker.html
--- old/shorewall-docs-html-5.2.3/Docker.html 2019-02-11 23:51:02.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Docker.html 2019-02-26 19:01:15.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Shorewall 5.0.5 and Earlier</a></span></dt><dt><span class="section"><a href="#idm20">Shorewall 5.0.6 and Later</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Shorewall 5.0.5 and Earlier</h2></div></div></div><p>Both Docker and Shorewall assume that they 'own' the iptables
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Shorewall 5.0.5 and Earlier</a></span></dt><dt><span class="section"><a href="#idm20">Shorewall 5.0.6 and Later</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Shorewall 5.0.5 and Earlier</h2></div></div></div><p>Both Docker and Shorewall assume that they 'own' the iptables
configuration. This leads to problems when Shorewall is restarted or
reloaded, because it drops all of the rules added by Docker. Fortunately,
the extensibility features in Shorewall allow users to <a class="ulink" href="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#" target="_top">create
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Documentation_Index.html new/shorewall-docs-html-5.2.3.1/Documentation_Index.html
--- old/shorewall-docs-html-5.2.3/Documentation_Index.html 2019-02-11 23:51:03.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Documentation_Index.html 2019-02-26 19:01:15.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Frequent">Frequently Used Articles</a></span></dt><dt><span class="section"><a href="#idm39">Documentation for Earlier Versions</a></span></dt><dt><span class="section"><a href="#Index">Index to the HOWTOs and Other Articles</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Frequent"></a>Frequently Used Articles</h2></div></div></div><div class="informaltable"><table class="informaltable" border="0"><colgroup><col /></colgroup><tbody><tr><td><a class="ulink" href="FAQ.htm" target="_top">FAQs</a></td></tr><tr><td><a class="ulink" href="Manpages.html" target="_top">IPv4 Manpages</a></td></tr><tr><td><a class="ulink" href="Manpages6.html" target="_top">IPv6 Manpages</a></td></tr><tr><td><a class="ulink" href="configuration_file_basics.htm" target="_top">Configuration
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Frequent">Frequently Used Articles</a></span></dt><dt><span class="section"><a href="#idm39">Documentation for Earlier Versions</a></span></dt><dt><span class="section"><a href="#Index">Index to the HOWTOs and Other Articles</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Frequent"></a>Frequently Used Articles</h2></div></div></div><div class="informaltable"><table class="informaltable" border="0"><colgroup><col /></colgroup><tbody><tr><td><a class="ulink" href="FAQ.htm" target="_top">FAQs</a></td></tr><tr><td><a class="ulink" href="Manpages.html" target="_top">IPv4 Manpages</a></td></tr><tr><td><a class="ulink" href="Manpages6.html" target="_top">IPv6 Manpages</a></td></tr><tr><td><a class="ulink" href="configuration_file_basics.htm" target="_top">Configuration
File Basics</a></td></tr><tr><td><a class="ulink" href="GettingStarted.html" target="_top">Beginner
Documentation</a></td></tr><tr><td><a class="ulink" href="troubleshoot.htm" target="_top">Troubleshooting</a></td></tr></tbody></table></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm39"></a>Documentation for Earlier Versions</h2></div></div></div><p><a class="ulink" href="4.6/Documentation_Index.html" target="_top">Shorewall 4.4/4.6
Documentation</a></p><p><a class="ulink" href="4.2/Documentation_Index.html" target="_top">Shorewall 4.0/4.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Dynamic.html new/shorewall-docs-html-5.2.3.1/Dynamic.html
--- old/shorewall-docs-html-5.2.3/Dynamic.html 2019-02-11 23:51:03.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Dynamic.html 2019-02-26 19:01:15.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Overview</a></span></dt><dt><span class="section"><a href="#idm23">Dynamic Zones</a></span></dt><dd><dl><dt><span class="section"><a href="#defining">Defining a Dynamic Zone</a></span></dt><dt><span class="section"><a href="#Adding">Adding a Host to a Dynamic Zone.</a></span></dt><dt><span class="section"><a href="#delete">Deleting a Host from a Dynamic Zone</a></span></dt><dt><span class="section"><a href="#listing">Listing the Contents of a Dynamic Zone</a></span></dt></dl></dd><dt><span class="section"><a href="#start-stop">Dynamic Zone Contents and Shorewall stop/start/restart</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Overview</h2></div></div></div><p>There is sometimes a need to be able to define a zone whose members
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Overview</a></span></dt><dt><span class="section"><a href="#idm23">Dynamic Zones</a></span></dt><dd><dl><dt><span class="section"><a href="#defining">Defining a Dynamic Zone</a></span></dt><dt><span class="section"><a href="#Adding">Adding a Host to a Dynamic Zone.</a></span></dt><dt><span class="section"><a href="#delete">Deleting a Host from a Dynamic Zone</a></span></dt><dt><span class="section"><a href="#listing">Listing the Contents of a Dynamic Zone</a></span></dt></dl></dd><dt><span class="section"><a href="#start-stop">Dynamic Zone Contents and Shorewall stop/start/restart</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Overview</h2></div></div></div><p>There is sometimes a need to be able to define a zone whose members
are unknown at compile-time. For example, you may wish to require
authentication of internal users before allowing them access to the
internet. When a user is authenticated, the user's IP address is added to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ECN.html new/shorewall-docs-html-5.2.3.1/ECN.html
--- old/shorewall-docs-html-5.2.3/ECN.html 2019-02-11 23:51:03.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ECN.html 2019-02-26 19:01:16.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#ecn">Explicit Congestion Notification (ECN)</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>2006-01-17. The ECN Netfilter target in some 2.6 Linux Kernels is
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#ecn">Explicit Congestion Notification (ECN)</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>2006-01-17. The ECN Netfilter target in some 2.6 Linux Kernels is
broken. Symptoms are that you will be unable to establish a TCP connection
to hosts defined in the /etc/shorewall/ecn file.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="ecn"></a>Explicit Congestion Notification (ECN)</h2></div></div></div><p>Explicit Congestion Notification (ECN) is described in RFC 3168 and
is a proposed Internet standard. Unfortunately, not all sites support ECN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Events.html new/shorewall-docs-html-5.2.3.1/Events.html
--- old/shorewall-docs-html-5.2.3/Events.html 2019-02-11 23:51:04.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Events.html 2019-02-26 19:01:16.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Overview</a></span></dt><dt><span class="section"><a href="#idm59">Details</a></span></dt><dd><dl><dt><span class="section"><a href="#SetEvent">SetEvent</a></span></dt><dt><span class="section"><a href="#ResetEvent">ResetEvent</a></span></dt><dt><span class="section"><a href="#IfEvent">IfEvent</a></span></dt><dt><span class="section"><a href="#ShowEvents">'show event' and 'show events' Commands</a></span></dt></dl></dd><dt><span class="section"><a href="#idm239">Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#idm241">Automatic Blacklisting</a></span></dt><dt><span class="section"><a href="#AutoBL">Generalized Automatic Blacklisting</a></span></dt><dd><dl><dt><span class="section"><a href="#idm262">AutoBL</a></span></dt></dl></dd><dt><span class="section"><a href="#idm309">Port Knocking</a></span></dt><dt><span class="section"><a href="#Stateful">Stateful Port Knocking (knock with a sequence of ports)</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 4.5.19 and later and supersedes
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Overview</a></span></dt><dt><span class="section"><a href="#idm59">Details</a></span></dt><dd><dl><dt><span class="section"><a href="#SetEvent">SetEvent</a></span></dt><dt><span class="section"><a href="#ResetEvent">ResetEvent</a></span></dt><dt><span class="section"><a href="#IfEvent">IfEvent</a></span></dt><dt><span class="section"><a href="#ShowEvents">'show event' and 'show events' Commands</a></span></dt></dl></dd><dt><span class="section"><a href="#idm239">Examples</a></span></dt><dd><dl><dt><span class="section"><a href="#idm241">Automatic Blacklisting</a></span></dt><dt><span class="section"><a href="#AutoBL">Generalized Automatic Blacklisting</a></span></dt><dd><dl><dt><span class="section"><a href="#idm262">AutoBL</a></span></dt></dl></dd><dt><span class="section"><a href="#idm309">Port Knocking</a></span></dt><dt><span class="section"><a href="#Stateful">Stateful Port Knocking (knock with a sequence of ports)</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 4.5.19 and later and supersedes
<a class="ulink" href="PortKnocking.html" target="_top">this article.</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Overview</h2></div></div></div><p>Shorewall events were introduced in Shorewall 4.5.19 and provide a
high-level interface to the Netfilter<em class="firstterm"> recent match</em>
capability. An event is actually a list of (IP address, timestamp) pairs,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/FAQ.htm new/shorewall-docs-html-5.2.3.1/FAQ.htm
--- old/shorewall-docs-html-5.2.3/FAQ.htm 2019-02-11 23:51:06.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/FAQ.htm 2019-02-26 19:01:18.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span class="quote">“<span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a>
- </span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Install">Installing Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#Howto">Where do I find Step by Step Installation and Configuration
+ </span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Install">Installing Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#Howto">Where do I find Step by Step Installation and Configuration
Instructions?</a></span></dt><dt><span class="section"><a href="#faq92">(FAQ 92) There are lots of Shorewall packages; which one(s) do I
install?</a></span></dt><dd><dl><dt><span class="section"><a href="#faq92a">(FAQ 92a) Someone once told me to install shorewall-perl;
anything to that?</a></span></dt></dl></dd><dt><span class="section"><a href="#faq37">(FAQ 37) I just installed Shorewall on Debian and the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/FAQ_fr.html new/shorewall-docs-html-5.2.3.1/FAQ_fr.html
--- old/shorewall-docs-html-5.2.3/FAQ_fr.html 2019-02-11 23:51:05.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/FAQ_fr.html 2019-02-26 19:01:17.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span class="quote">« <span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a>
- </span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm35">Installation de Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#idm37">Où puis-je trouver des instructions d'installation et de
+ </span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm35">Installation de Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#idm37">Où puis-je trouver des instructions d'installation et de
configuration pas à pas ?</a></span></dt><dt><span class="section"><a href="#faq37">(FAQ 37) Je viens d'installer Shorewall sur Debian et le
répertoire /etc/shorewall est vide!!!</a></span></dt><dt><span class="section"><a href="#faq44">(FAQ 44) Je n'arrive pas à installer ou mettre à jour le RPM -
J'ai le message d'erreur "error: failed dependencies:iproute is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/FTP.html new/shorewall-docs-html-5.2.3.1/FTP.html
--- old/shorewall-docs-html-5.2.3/FTP.html 2019-02-11 23:51:07.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/FTP.html 2019-02-26 19:01:19.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Protocol">FTP Protocol</a></span></dt><dt><span class="section"><a href="#Conntrack">Linux FTP connection-tracking</a></span></dt><dt><span class="section"><a href="#idm93">FTP with Kernel 3.5 and Later</a></span></dt><dt><span class="section"><a href="#Ports">FTP on Non-standard Ports</a></span></dt><dt><span class="section"><a href="#Rules">Rules</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Protocol">FTP Protocol</a></span></dt><dt><span class="section"><a href="#Conntrack">Linux FTP connection-tracking</a></span></dt><dt><span class="section"><a href="#idm93">FTP with Kernel 3.5 and Later</a></span></dt><dt><span class="section"><a href="#Ports">FTP on Non-standard Ports</a></span></dt><dt><span class="section"><a href="#Rules">Rules</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Protocol"></a>FTP Protocol</h2></div></div></div><p>FTP transfers involve two TCP connections. The first <span class="bold"><strong>control</strong></span> connection goes from the FTP client to port
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/FoolsFirewall.html new/shorewall-docs-html-5.2.3.1/FoolsFirewall.html
--- old/shorewall-docs-html-5.2.3/FoolsFirewall.html 2019-02-11 23:51:06.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/FoolsFirewall.html 2019-02-26 19:01:18.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Definition</a></span></dt><dt><span class="section"><a href="#idm26">Security Issue</a></span></dt><dt><span class="section"><a href="#idm30">ARP Roulette</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Definition</h2></div></div></div><p>Occasionally, we hear from someone who has cabled his firewall's
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Definition</a></span></dt><dt><span class="section"><a href="#idm26">Security Issue</a></span></dt><dt><span class="section"><a href="#idm30">ARP Roulette</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Definition</h2></div></div></div><p>Occasionally, we hear from someone who has cabled his firewall's
external and internal firewall interfaces to the same unmanaged switch (or
mis-configured managed switch). I call this configuration <em class="firstterm">The
Fool's Firewall</em>.</p><p>When the external interface supports broadcast, this configuration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/GenericTunnels.html new/shorewall-docs-html-5.2.3.1/GenericTunnels.html
--- old/shorewall-docs-html-5.2.3/GenericTunnels.html 2019-02-11 23:51:07.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/GenericTunnels.html 2019-02-26 19:01:19.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Bridged">Bridging two Masqueraded Networks</a></span></dt></dl></div><p>Shorewall includes built-in support for a wide range of VPN solutions.
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Bridged">Bridging two Masqueraded Networks</a></span></dt></dl></div><p>Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support, you
can generally describe the tunneling software using <span class="quote">“<span class="quote">generic
tunnels</span>”</span>.</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Bridged"></a>Bridging two Masqueraded Networks</h2></div></div></div><p>Suppose that we have the following situation:</p><div><img src="images/TwoNets1.png" /></div><p>We want systems in the 192.168.1.0/24 subnetwork to be able to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/GettingStarted.html new/shorewall-docs-html-5.2.3.1/GettingStarted.html
--- old/shorewall-docs-html-5.2.3/GettingStarted.html 2019-02-11 23:51:07.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/GettingStarted.html 2019-02-26 19:01:19.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Do not attempt to install Shorewall on a
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Do not attempt to install Shorewall on a
remote system. You are virtually assured to lock yourself
out.</strong></span></p></div><p>Please read this short article first.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><a class="ulink" href="Introduction.html" target="_top">Introduction to
Shorewall</a></p></li></ul></div><p>Now, <a class="ulink" href="Install.htm" target="_top">install Shorewall</a>.</p><p>Next, read the QuickStart Guide that is appropriate for your
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Helpers.html new/shorewall-docs-html-5.2.3.1/Helpers.html
--- old/shorewall-docs-html-5.2.3/Helpers.html 2019-02-11 23:51:08.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Helpers.html 2019-02-26 19:01:20.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Helpers - Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm42">Helper Module Loading</a></span></dt><dt><span class="section"><a href="#idm58">Iptables and Helpers</a></span></dt></dl></dd><dt><span class="section"><a href="#idm113">Shorewall Support for Helpers</a></span></dt><dd><dl><dt><span class="section"><a href="#idm116">Module Loading</a></span></dt><dt><span class="section"><a href="#idm189">Iptables</a></span></dt><dt><span class="section"><a href="#idm201">Capabilities</a></span></dt></dl></dd><dt><span class="section"><a href="#idm217">Kernel >= 3.5 and Shorewall >= 4.5.7</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Helpers - Introduction</h2></div></div></div><p>There are a number of applications that create connections
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Helpers - Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm42">Helper Module Loading</a></span></dt><dt><span class="section"><a href="#idm58">Iptables and Helpers</a></span></dt></dl></dd><dt><span class="section"><a href="#idm113">Shorewall Support for Helpers</a></span></dt><dd><dl><dt><span class="section"><a href="#idm116">Module Loading</a></span></dt><dt><span class="section"><a href="#idm189">Iptables</a></span></dt><dt><span class="section"><a href="#idm201">Capabilities</a></span></dt></dl></dd><dt><span class="section"><a href="#idm217">Kernel >= 3.5 and Shorewall >= 4.5.7</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Helpers - Introduction</h2></div></div></div><p>There are a number of applications that create connections
dynamically between a client and server. These connections use temporary
TCP or UDP ports, so static configuration of firewall rules to allow those
connections would require a very lax firewall configuration. To deal with
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/IPIP.htm new/shorewall-docs-html-5.2.3.1/IPIP.htm
--- old/shorewall-docs-html-5.2.3/IPIP.htm 2019-02-11 23:51:10.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/IPIP.htm 2019-02-26 19:01:22.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Bridged">Bridging two Masqueraded Networks</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>GRE and IPIP Tunnels are insecure when used over the Internet; use
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Bridged">Bridging two Masqueraded Networks</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>GRE and IPIP Tunnels are insecure when used over the Internet; use
them at your own risk</p></div><p>GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.</p><p>The simple scripts described in the <em class="citetitle"><a class="ulink" href="http://ds9a.nl/lartc" target="_top">Linux Advanced Routing and Shaping
HOWTO</a></em> work fine with Shorewall. Shorewall also includes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/IPP2P.html new/shorewall-docs-html-5.2.3.1/IPP2P.html
--- old/shorewall-docs-html-5.2.3/IPP2P.html 2019-02-11 23:51:11.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/IPP2P.html 2019-02-26 19:01:23.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Scope">Scope</a></span></dt><dt><span class="section"><a href="#Example">Example:</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Scope">Scope</a></span></dt><dt><span class="section"><a href="#Example">Example:</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall includes support for the ipp2p match facility. This is a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/IPSEC-2.6.html new/shorewall-docs-html-5.2.3.1/IPSEC-2.6.html
--- old/shorewall-docs-html-5.2.3/IPSEC-2.6.html 2019-02-11 23:51:11.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/IPSEC-2.6.html 2019-02-26 19:01:23.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Shorwall and Kernel 2.6 IPsec</a></span></dt><dt><span class="section"><a href="#GwFw">IPsec Gateway on the Firewall System</a></span></dt><dt><span class="section"><a href="#RoadWarrior">Mobile System (Road Warrior)</a></span></dt><dt><span class="section"><a href="#RW-L2TP">Mobile System (Road Warrior) with Layer 2 Tunneling Protocol
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Shorwall and Kernel 2.6 IPsec</a></span></dt><dt><span class="section"><a href="#GwFw">IPsec Gateway on the Firewall System</a></span></dt><dt><span class="section"><a href="#RoadWarrior">Mobile System (Road Warrior)</a></span></dt><dt><span class="section"><a href="#RW-L2TP">Mobile System (Road Warrior) with Layer 2 Tunneling Protocol
(L2TP)</a></span></dt><dt><span class="section"><a href="#Transport">Transport Mode</a></span></dt><dt><span class="section"><a href="#ipcomp">IPCOMP</a></span></dt><dt><span class="section"><a href="#idm297">Using SNAT to Force Traffic over an IPsec Tunnel</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/IPSEC.htm new/shorewall-docs-html-5.2.3.1/IPSEC.htm
--- old/shorewall-docs-html-5.2.3/IPSEC.htm 2019-02-11 23:51:11.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/IPSEC.htm 2019-02-26 19:01:23.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span class="section"><a href="#Swans">Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</a></span></dt><dt><span class="section"><a href="#GwFw">IPSec Gateway on the Firewall System</a></span></dt><dt><span class="section"><a href="#Hub">VPN Hub using Kernel 2.4</a></span></dt><dt><span class="section"><a href="#RoadWarrior">Mobile System (Road Warrior) Using Kernel 2.4</a></span></dt><dt><span class="section"><a href="#Dynamic">Dynamic RoadWarrior Zones</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span class="section"><a href="#Swans">Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</a></span></dt><dt><span class="section"><a href="#GwFw">IPSec Gateway on the Firewall System</a></span></dt><dt><span class="section"><a href="#Hub">VPN Hub using Kernel 2.4</a></span></dt><dt><span class="section"><a href="#RoadWarrior">Mobile System (Road Warrior) Using Kernel 2.4</a></span></dt><dt><span class="section"><a href="#Dynamic">Dynamic RoadWarrior Zones</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>The information in this article is only applicable if you plan to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/IPv6Support.html new/shorewall-docs-html-5.2.3.1/IPv6Support.html
--- old/shorewall-docs-html-5.2.3/IPv6Support.html 2019-02-11 23:51:12.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/IPv6Support.html 2019-02-26 19:01:24.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm22">Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#idm25">Prerequisites</a></span></dt><dt><span class="section"><a href="#idm36">Packages</a></span></dt><dt><span class="section"><a href="#idm50">IPv4/IPv6 Interaction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm54">DISABLE_IPV6</a></span></dt><dt><span class="section"><a href="#idm58">TC_ENABLED</a></span></dt><dt><span class="section"><a href="#idm68">KEEP_RT_TABLES</a></span></dt><dt><span class="section"><a href="#idm89">6TO4</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#idm94">Shorewall6 Differences from Shorewall</a></span></dt><dt><span class="section"><a href="#idm247">Installing IPv6 Support</a></span></dt><dt><span class="section"><a href="#idm256">Shared Shorewall/Shorewall6 Configuration Files</a></span></dt><dt><span class="section"><a href="#idm260">More information about IPv6</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm22">Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#idm25">Prerequisites</a></span></dt><dt><span class="section"><a href="#idm36">Packages</a></span></dt><dt><span class="section"><a href="#idm50">IPv4/IPv6 Interaction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm54">DISABLE_IPV6</a></span></dt><dt><span class="section"><a href="#idm58">TC_ENABLED</a></span></dt><dt><span class="section"><a href="#idm68">KEEP_RT_TABLES</a></span></dt><dt><span class="section"><a href="#idm89">6TO4</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#idm94">Shorewall6 Differences from Shorewall</a></span></dt><dt><span class="section"><a href="#idm247">Installing IPv6 Support</a></span></dt><dt><span class="section"><a href="#idm256">Shared Shorewall/Shorewall6 Configuration Files</a></span></dt><dt><span class="section"><a href="#idm260">More information about IPv6</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm22"></a>Overview</h2></div></div></div><p>Beginning with Shorewall 4.2.4, support for firewalling IPv6 is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ISO-3661.html new/shorewall-docs-html-5.2.3.1/ISO-3661.html
--- old/shorewall-docs-html-5.2.3/ISO-3661.html 2019-02-11 23:51:12.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ISO-3661.html 2019-02-26 19:01:25.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm39">IPv4</a></span></dt><dt><span class="section"><a href="#idm42">IPv6</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm39">IPv4</a></span></dt><dt><span class="section"><a href="#idm42">IPv6</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
SOURCE and/or DEST IP addresses by their corresponding country. That is
done by specifying a comma-separated list of up to 15 ISO-3661 2-character
Country Codes enclosed in square brackets ('[...]') and prefixed by a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Install.htm new/shorewall-docs-html-5.2.3.1/Install.htm
--- old/shorewall-docs-html-5.2.3/Install.htm 2019-02-11 23:51:09.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Install.htm 2019-02-26 19:01:21.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Install_RPM">Install using RPM</a></span></dt><dt><span class="section"><a href="#Install_Tarball">Install using tarball</a></span></dt><dd><dl><dt><span class="section"><a href="#idm77">Versions 4.5.2 and Later</a></span></dt><dd><dl><dt><span class="section"><a href="#shorewallrc">Settings in a shorewallrc file</a></span></dt><dt><span class="section"><a href="#idm278">configure Script</a></span></dt><dt><span class="section"><a href="#idm322">Install for Packaging.</a></span></dt><dt><span class="section"><a href="#idm327">Install into a Sandbox</a></span></dt></dl></dd><dt><span class="section"><a href="#idm333">Versions 4.5.1 and Earlier</a></span></dt><dd><dl><dt><span class="section"><a href="#idm376">Executables in /usr and Perl Modules</a></span></dt><dt><span class="section"><a href="#Locations">Default Install Locations</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Debian">Install the .deb</a></span></dt><dt><span class="section"><a href="#Upgrade">General Notes about Upgrading Shorewall</a></span></dt><dt><span class="section"><a href="#Upgrade_RPM">Upgrade using RPM</a></span></dt><dt><span class="section"><a href="#Upgrade_Tarball">Upgrade using tarball</a></span></dt><dt><span class="section"><a href="#Upgrade_Deb">Upgrading the .deb</a></span></dt><dt><span class="section"><a href="#Config_Files">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#Uninstall">Uninstall/Fallback</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Install_RPM">Install using RPM</a></span></dt><dt><span class="section"><a href="#Install_Tarball">Install using tarball</a></span></dt><dd><dl><dt><span class="section"><a href="#idm77">Versions 4.5.2 and Later</a></span></dt><dd><dl><dt><span class="section"><a href="#shorewallrc">Settings in a shorewallrc file</a></span></dt><dt><span class="section"><a href="#idm278">configure Script</a></span></dt><dt><span class="section"><a href="#idm322">Install for Packaging.</a></span></dt><dt><span class="section"><a href="#idm327">Install into a Sandbox</a></span></dt></dl></dd><dt><span class="section"><a href="#idm333">Versions 4.5.1 and Earlier</a></span></dt><dd><dl><dt><span class="section"><a href="#idm376">Executables in /usr and Perl Modules</a></span></dt><dt><span class="section"><a href="#Locations">Default Install Locations</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Debian">Install the .deb</a></span></dt><dt><span class="section"><a href="#Upgrade">General Notes about Upgrading Shorewall</a></span></dt><dt><span class="section"><a href="#Upgrade_RPM">Upgrade using RPM</a></span></dt><dt><span class="section"><a href="#Upgrade_Tarball">Upgrade using tarball</a></span></dt><dt><span class="section"><a href="#Upgrade_Deb">Upgrading the .deb</a></span></dt><dt><span class="section"><a href="#Config_Files">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#Uninstall">Uninstall/Fallback</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are installing or upgrading to a version of Shorewall
earlier than Shorewall 4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Before attempting installation, I strongly urge you to read and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Install_fr.html new/shorewall-docs-html-5.2.3.1/Install_fr.html
--- old/shorewall-docs-html-5.2.3/Install_fr.html 2019-02-11 23:51:09.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Install_fr.html 2019-02-26 19:01:21.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#Install_RPM">Installation avec un RPM</a></span></dt><dt><span class="section"><a href="#Install_Tarball">Installer avec le fichier tarball</a></span></dt><dt><span class="section"><a href="#idm169">Installer avec le .deb</a></span></dt><dt><span class="section"><a href="#Upgrade">Observations générales sur les mises à jour de Shorewall</a></span></dt><dt><span class="section"><a href="#Upgrade_RPM">Mise à jour avec un RPM</a></span></dt><dt><span class="section"><a href="#Upgrade_Tarball">Mise à niveau avec le tarball</a></span></dt><dt><span class="section"><a href="#Upgrade_Deb">Mettre à jour avec le .deb</a></span></dt><dt><span class="section"><a href="#LRP_Upgrade">Mettre à jour avec le .lrp</a></span></dt><dt><span class="section"><a href="#Config_Files">Configurer Shorewall</a></span></dt><dt><span class="section"><a href="#Uninstall">Désinstaller / Revenir à la version antérieure</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Si vous
+ License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#Install_RPM">Installation avec un RPM</a></span></dt><dt><span class="section"><a href="#Install_Tarball">Installer avec le fichier tarball</a></span></dt><dt><span class="section"><a href="#idm169">Installer avec le .deb</a></span></dt><dt><span class="section"><a href="#Upgrade">Observations générales sur les mises à jour de Shorewall</a></span></dt><dt><span class="section"><a href="#Upgrade_RPM">Mise à jour avec un RPM</a></span></dt><dt><span class="section"><a href="#Upgrade_Tarball">Mise à niveau avec le tarball</a></span></dt><dt><span class="section"><a href="#Upgrade_Deb">Mettre à jour avec le .deb</a></span></dt><dt><span class="section"><a href="#LRP_Upgrade">Mettre à jour avec le .lrp</a></span></dt><dt><span class="section"><a href="#Config_Files">Configurer Shorewall</a></span></dt><dt><span class="section"><a href="#Uninstall">Désinstaller / Revenir à la version antérieure</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Si vous
trouvez des erreurs ou si vous avez des améliorations à apporter à cette
traduction vous pouvez <a class="ulink" href="mailto:guy@posteurs.com" target="_top">me
contacter</a>.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Attention</h3><p><span class="bold"><strong>Cet article s'applique à Shorewall 3.0 et à
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Internals.html new/shorewall-docs-html-5.2.3.1/Internals.html
--- old/shorewall-docs-html-5.2.3/Internals.html 2019-02-11 23:51:09.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Internals.html 2019-02-26 19:01:22.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm19">History</a></span></dt><dt><span class="section"><a href="#idm28">Architecture</a></span></dt><dd><dl><dt><span class="section"><a href="#idm43">Build/Install Subsystem</a></span></dt><dt><span class="section"><a href="#idm53">CLI</a></span></dt><dt><span class="section"><a href="#idm74">Run-time Libraries</a></span></dt><dt><span class="section"><a href="#Compiler">Compiler</a></span></dt><dt><span class="section"><a href="#idm177">Configuration Files</a></span></dt></dl></dd><dt><span class="section"><a href="#idm180">The Generated Script</a></span></dt></dl></dd><dt><span class="section"><a href="#idm187">Compiler Internals</a></span></dt><dd><dl><dt><span class="section"><a href="#idm190">Modularization</a></span></dt><dt><span class="section"><a href="#idm194">Module Initialization</a></span></dt><dt><span class="section"><a href="#idm199">Module Dependence</a></span></dt><dt><span class="section"><a href="#idm203">Config Module</a></span></dt><dd><dl><dt><span class="section"><a href="#idm206">Pre-processor</a></span></dt><dt><span class="section"><a href="#idm315">Error and Progress Message Production</a></span></dt><dt><span class="section"><a href="#idm354">Script File Handling</a></span></dt></dl></dd></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>This document provides an overview of Shorewall internals. It is
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm19">History</a></span></dt><dt><span class="section"><a href="#idm28">Architecture</a></span></dt><dd><dl><dt><span class="section"><a href="#idm43">Build/Install Subsystem</a></span></dt><dt><span class="section"><a href="#idm53">CLI</a></span></dt><dt><span class="section"><a href="#idm74">Run-time Libraries</a></span></dt><dt><span class="section"><a href="#Compiler">Compiler</a></span></dt><dt><span class="section"><a href="#idm177">Configuration Files</a></span></dt></dl></dd><dt><span class="section"><a href="#idm180">The Generated Script</a></span></dt></dl></dd><dt><span class="section"><a href="#idm187">Compiler Internals</a></span></dt><dd><dl><dt><span class="section"><a href="#idm190">Modularization</a></span></dt><dt><span class="section"><a href="#idm194">Module Initialization</a></span></dt><dt><span class="section"><a href="#idm199">Module Dependence</a></span></dt><dt><span class="section"><a href="#idm203">Config Module</a></span></dt><dd><dl><dt><span class="section"><a href="#idm206">Pre-processor</a></span></dt><dt><span class="section"><a href="#idm315">Error and Progress Message Production</a></span></dt><dt><span class="section"><a href="#idm354">Script File Handling</a></span></dt></dl></dd></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>This document provides an overview of Shorewall internals. It is
intended to ease the task of approaching the Shorewall code base by
providing a roadmap of what you will find there.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idm19"></a>History</h3></div></div></div><p>Shorewall was originally written entirely in Bourne Shell. The
chief advantage of this approach was that virtually any platform
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Introduction.html new/shorewall-docs-html-5.2.3.1/Introduction.html
--- old/shorewall-docs-html-5.2.3/Introduction.html 2019-02-11 23:51:10.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Introduction.html 2019-02-26 19:01:22.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="Copyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#Glossary">Glossary</a></span></dt><dt><span class="section"><a href="#Shorewall">What is Shorewall?</a></span></dt></dl></dd><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Compile">Compile then Execute</a></span></dt><dt><span class="section"><a href="#Packages">Shorewall Packages</a></span></dt><dt><span class="section"><a href="#License">License</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>The information in this document applies only to 4.3 and later
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#Glossary">Glossary</a></span></dt><dt><span class="section"><a href="#Shorewall">What is Shorewall?</a></span></dt></dl></dd><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Compile">Compile then Execute</a></span></dt><dt><span class="section"><a href="#Packages">Shorewall Packages</a></span></dt><dt><span class="section"><a href="#License">License</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>The information in this document applies only to 4.3 and later
releases of Shorewall.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Glossary"></a>Glossary</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><a class="ulink" href="http://www.netfilter.org" target="_top">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux
kernels.</p></li><li class="listitem"><p>ipchains - the packet filter facility built into the 2.2 Linux
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/KVM.html new/shorewall-docs-html-5.2.3.1/KVM.html
--- old/shorewall-docs-html-5.2.3/KVM.html 2019-02-11 23:51:13.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/KVM.html 2019-02-26 19:01:25.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm29">Networking Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Kernel-mode Virtual Machines (<a class="ulink" href="http://kvm.qumranet.com/" target="_top">http://kvm.qumranet.com/</a>) is a
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm29">Networking Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Kernel-mode Virtual Machines (<a class="ulink" href="http://kvm.qumranet.com/" target="_top">http://kvm.qumranet.com/</a>) is a
virtualization platform that leverages the virtualization capabilities
available with current microprocessors from both
<span class="trademark">Intel</span>™ and <span class="trademark">AMD</span>™. For an
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/LXC.html new/shorewall-docs-html-5.2.3.1/LXC.html
--- old/shorewall-docs-html-5.2.3/LXC.html 2019-02-11 23:51:14.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/LXC.html 2019-02-26 19:01:26.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Background</a></span></dt><dt><span class="section"><a href="#idm21">Overview of a Working Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Background</h2></div></div></div><p>LXC (<a class="ulink" href="http://lxc.sourceforge.net/" target="_top">http://lxc.sourceforge.net/</a>) is
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Background</a></span></dt><dt><span class="section"><a href="#idm21">Overview of a Working Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Background</h2></div></div></div><p>LXC (<a class="ulink" href="http://lxc.sourceforge.net/" target="_top">http://lxc.sourceforge.net/</a>) is
a set of user-space tools for managing the container capabilities that
have been in the Linux Kernel since 2.6.27.</p><p>This short article describes how I've implemented LXC here at
shorewall.net, with emphasis on the networking and firewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Laptop.html new/shorewall-docs-html-5.2.3.1/Laptop.html
--- old/shorewall-docs-html-5.2.3/Laptop.html 2019-02-11 23:51:14.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Laptop.html 2019-02-26 19:01:26.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Overview</a></span></dt><dt><span class="section"><a href="#idm27">Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Overview</h2></div></div></div><p>Laptop computers generally have several network interfaces, one of
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Overview</a></span></dt><dt><span class="section"><a href="#idm27">Configuration</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Overview</h2></div></div></div><p>Laptop computers generally have several network interfaces, one of
which will be used at a time.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Ethernet interface ‒ Used when the computer is on the desktop at
home or at work.</p></li><li class="listitem"><p>Wireless interface ‒ Used when the laptop is being used in a
cafe, train or airline terminal.</p></li><li class="listitem"><p>Point-to-point (PPP) interface ‒ Used when neither wired nor
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/LennyToSqueeze.html new/shorewall-docs-html-5.2.3.1/LennyToSqueeze.html
--- old/shorewall-docs-html-5.2.3/LennyToSqueeze.html 2019-02-11 23:51:14.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/LennyToSqueeze.html 2019-02-26 19:01:26.000000000 +0100
@@ -6,7 +6,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Introduction</a></span></dt><dt><span class="section"><a href="#Packages">Packaging Differences</a></span></dt><dt><span class="section"><a href="#Issues">Issues Most Likely to Cause Problems or Concerns</a></span></dt><dd><dl><dt><span class="section"><a href="#conf">shorewall.conf</a></span></dt><dt><span class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span class="section"><a href="#ipsec">/etc/shorewall/ipsec</a></span></dt><dt><span class="section"><a href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span class="section"><a href="#policy">/etc/shorewall/policy</a></span></dt><dt><span class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span class="section"><a href="#routestopped">/etc/shorewall/routestopped</a></span></dt><dt><span class="section"><a href="#tos">/etc/shorewall/tos</a></span></dt><dt><span class="section"><a href="#extension">Extension Scripts</a></span></dt><dt><span class="section"><a href="#ipsets">Ipsets</a></span></dt><dt><span class="section"><a href="#SimpleTC">Simple Traffic Shaping</a></span></dt></dl></dd><dt><span class="section"><a href="#Additional">Additional Sources of Information</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Introduction</h2></div></div></div><p>Debian Lenny includes Shorewall version 4.0.15 while Squeeze
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Introduction</a></span></dt><dt><span class="section"><a href="#Packages">Packaging Differences</a></span></dt><dt><span class="section"><a href="#Issues">Issues Most Likely to Cause Problems or Concerns</a></span></dt><dd><dl><dt><span class="section"><a href="#conf">shorewall.conf</a></span></dt><dt><span class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span class="section"><a href="#ipsec">/etc/shorewall/ipsec</a></span></dt><dt><span class="section"><a href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span class="section"><a href="#policy">/etc/shorewall/policy</a></span></dt><dt><span class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span class="section"><a href="#routestopped">/etc/shorewall/routestopped</a></span></dt><dt><span class="section"><a href="#tos">/etc/shorewall/tos</a></span></dt><dt><span class="section"><a href="#extension">Extension Scripts</a></span></dt><dt><span class="section"><a href="#ipsets">Ipsets</a></span></dt><dt><span class="section"><a href="#SimpleTC">Simple Traffic Shaping</a></span></dt></dl></dd><dt><span class="section"><a href="#Additional">Additional Sources of Information</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Introduction</h2></div></div></div><p>Debian Lenny includes Shorewall version 4.0.15 while Squeeze
includes Shorewall 4.4. Because there are significant differences between
the two product versions, some users may experience upgrade issues. This
article outlines those issues and offers advice for dealing with
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/MAC_Validation.html new/shorewall-docs-html-5.2.3.1/MAC_Validation.html
--- old/shorewall-docs-html-5.2.3/MAC_Validation.html 2019-02-11 23:51:15.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/MAC_Validation.html 2019-02-26 19:01:27.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Components">Components</a></span></dt><dt><span class="section"><a href="#maclist">/etc/shorewall/maclist</a></span></dt><dt><span class="section"><a href="#Examples">Examples</a></span></dt></dl></div><p>All traffic from an interface or from a subnet on an interface can be
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Components">Components</a></span></dt><dt><span class="section"><a href="#maclist">/etc/shorewall/maclist</a></span></dt><dt><span class="section"><a href="#Examples">Examples</a></span></dt></dl></div><p>All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore, each
MAC address may be optionally associated with one or more IP
addresses.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>MAC addresses are only visible within an
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Macros.html new/shorewall-docs-html-5.2.3.1/Macros.html
--- old/shorewall-docs-html-5.2.3/Macros.html 2019-02-11 23:51:15.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Macros.html 2019-02-26 19:01:27.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Overview of Shorewall Macros?</a></span></dt><dt><span class="section"><a href="#Defining">Defining your own Macros</a></span></dt><dd><dl><dt><span class="section"><a href="#idm112">Shorewall 5.0.0 and Later</a></span></dt><dt><span class="section"><a href="#idm116">Shorewall 4.4.16 and Later</a></span></dt><dt><span class="section"><a href="#idm129">Shorewall 4.4.15 and Earlier</a></span></dt></dl></dd><dt><span class="section"><a href="#Logging">Macros and Logging</a></span></dt><dt><span class="section"><a href="#ActionOrMacro">How do I know if I should create an Action or a Macro?</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Overview of Shorewall Macros?</a></span></dt><dt><span class="section"><a href="#Defining">Defining your own Macros</a></span></dt><dd><dl><dt><span class="section"><a href="#idm112">Shorewall 5.0.0 and Later</a></span></dt><dt><span class="section"><a href="#idm116">Shorewall 4.4.16 and Later</a></span></dt><dt><span class="section"><a href="#idm129">Shorewall 4.4.15 and Earlier</a></span></dt></dl></dd><dt><span class="section"><a href="#Logging">Macros and Logging</a></span></dt><dt><span class="section"><a href="#ActionOrMacro">How do I know if I should create an Action or a Macro?</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Overview"></a>Overview of Shorewall Macros?</h2></div></div></div><p>Shorewall macros allow a symbolic name to be associated with a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Manpages.html new/shorewall-docs-html-5.2.3.1/Manpages.html
--- old/shorewall-docs-html-5.2.3/Manpages.html 2019-02-11 23:51:16.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Manpages.html 2019-02-26 19:01:28.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Section5">Section 5 — Files and Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8 — Administrative Commands</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>These manpages are for Shorewall 5.0 and later only. They describe
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Section5">Section 5 — Files and Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8 — Administrative Commands</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>These manpages are for Shorewall 5.0 and later only. They describe
features and options not available on earlier releases. The manpages for
Shorewall 4.4-4.6 are available<a class="ulink" href="/manpages4/Manpages.html" target="_top">
here</a>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Section5"></a>Section 5 — Files and Concepts</h2></div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="ulink" href="manpages/shorewall-accounting.html" target="_top">accounting</a> - Define
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Manpages6.html new/shorewall-docs-html-5.2.3.1/Manpages6.html
--- old/shorewall-docs-html-5.2.3/Manpages6.html 2019-02-11 23:51:16.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Manpages6.html 2019-02-26 19:01:28.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Section5">Section 5 — Files and Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8 — Administrative Commands</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>These manpages are for Shorewall6 5.0 and later only. They describe
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Section5">Section 5 — Files and Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8 — Administrative Commands</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>These manpages are for Shorewall6 5.0 and later only. They describe
features and options not available on earlier releases.The manpages for
Shorewall 4.4-4.6 are available <a class="ulink" href="/manpages4/Manpages.html" target="_top">here</a>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Section5"></a>Section 5 — Files and Concepts</h2></div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="ulink" href="manpages6/shorewall6-accounting.html" target="_top">accounting</a> - Define
IP accounting rules.</td></tr><tr><td><a class="ulink" href="manpages6/shorewall6-actions.html" target="_top">actions</a>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ManualChains.html new/shorewall-docs-html-5.2.3.1/ManualChains.html
--- old/shorewall-docs-html-5.2.3/ManualChains.html 2019-02-11 23:51:16.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ManualChains.html 2019-02-26 19:01:28.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Example">Example</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>For Perl programmers, manual chains provide an alternative to
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Example">Example</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>For Perl programmers, manual chains provide an alternative to
Actions with extension scripts. Manual chains are chains which you create
and populate yourself using the low-level functions in
Shorewall::Chains.</p><p>Manual chains work in conjunction with the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/MultiISP.html new/shorewall-docs-html-5.2.3.1/MultiISP.html
--- old/shorewall-docs-html-5.2.3/MultiISP.html 2019-02-11 23:51:17.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/MultiISP.html 2019-02-26 19:01:29.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Support">Multiple Internet Connection Support</a></span></dt><dd><dl><dt><span class="section"><a href="#Overview">Overview</a></span></dt><dt><span class="section"><a href="#idm98">USE_DEFAULT_RT</a></span></dt><dt><span class="section"><a href="#providers">/etc/shorewall/providers File</a></span></dt><dt><span class="section"><a href="#Providers">What an entry in the Providers File Does</a></span></dt><dt><span class="section"><a href="#idm346">What an entry in the Providers File Does Not Do</a></span></dt><dt><span class="section"><a href="#masq">./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP</a></span></dt><dt><span class="section"><a href="#Martians">Martians</a></span></dt><dt><span class="section"><a href="#Example1">Legacy Example</a></span></dt><dt><span class="section"><a href="#Example2">Example using USE_DEFAULT_RT=Yes</a></span></dt><dt><span class="section"><a href="#Applications">Routing a Particular Application Through a Specific
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Support">Multiple Internet Connection Support</a></span></dt><dd><dl><dt><span class="section"><a href="#Overview">Overview</a></span></dt><dt><span class="section"><a href="#idm98">USE_DEFAULT_RT</a></span></dt><dt><span class="section"><a href="#providers">/etc/shorewall/providers File</a></span></dt><dt><span class="section"><a href="#Providers">What an entry in the Providers File Does</a></span></dt><dt><span class="section"><a href="#idm346">What an entry in the Providers File Does Not Do</a></span></dt><dt><span class="section"><a href="#masq">./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP</a></span></dt><dt><span class="section"><a href="#Martians">Martians</a></span></dt><dt><span class="section"><a href="#Example1">Legacy Example</a></span></dt><dt><span class="section"><a href="#Example2">Example using USE_DEFAULT_RT=Yes</a></span></dt><dt><span class="section"><a href="#Applications">Routing a Particular Application Through a Specific
Interface</a></span></dt><dt><span class="section"><a href="#PortForwarding">Port Forwarding</a></span></dt><dt><span class="section"><a href="#morethan2">More than 2 Providers</a></span></dt><dt><span class="section"><a href="#rtrules">/etc/shorewall/rtrules (formerly
/etc/shorewall/route_rules)</a></span></dt><dd><dl><dt><span class="section"><a href="#Routing_rules">Routing Rules</a></span></dt><dt><span class="section"><a href="#rtrules_columns">Columns in the rtrules file</a></span></dt><dt><span class="section"><a href="#idm548">Multi-ISP and VPN</a></span></dt><dt><span class="section"><a href="#Examples">Examples</a></span></dt></dl></dd><dt><span class="section"><a href="#Local">Applications running on the Firewall - making them use a
particular provider</a></span></dt><dt><span class="section"><a href="#routes">/etc/shorewall/routes File</a></span></dt><dt><span class="section"><a href="#null_routing">Null Routing</a></span></dt><dd><dl><dt><span class="section"><a href="#idm662">Null Routing Implementation in Shorewall</a></span></dt><dt><span class="section"><a href="#idm709">Important Points To Remember When Using Null Routing in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/MultiISP_ru.html new/shorewall-docs-html-5.2.3.1/MultiISP_ru.html
--- old/shorewall-docs-html-5.2.3/MultiISP_ru.html 2019-02-11 23:51:17.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/MultiISP_ru.html 2019-02-26 19:01:29.000000000 +0100
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall и подключение к Internet по нескольким каналам</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Shorewall и подключение к Internet по нескольким каналам</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005, 2006, 2007 Thomas M. Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation: Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm17"></a><p>Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. 
Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Support">Поддержка нескольких соединений с Internet</a></span></dt><dd><dl><dt><span class="section"><a href="#Overview">Обзор</a></span></dt><dt><span class="section"><a href="#providers">Файл /etc/shorewall/providers</a></span></dt><dt><span class="section"><a href="#Providers">Какие функции выполняет запись в файле providers</a></span></dt><dt><span class="section"><a href="#Provider_Doesnt">Какие функции НЕ выполняет запись в файле providers</a></span></dt><dt><span class="section"><a href="#Martians">Марсианские пакеты</a></span></dt><dt><span class="section"><a href="#Example1">Пример</a></span></dt><dt><span class="section"><a href="#morethan2">Если провайдеров больше, чем 2</a></span></dt><dt><span class="section"><a href="#Local">Приложения, работающие в системе файрвола</a></span></dt><dt><span class="section"><a href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dd><dl><dt><span class="section"><a href="#Routing_rules">Правила маршрутизации</a></span></dt><dt><span class="section"><a href="#rtrules_columns">Файл rtrules</a></span></dt></dl></dd></dl></dd></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Вы должны <span class="bold"><strong> установить современный дистрибутив, который обновляется поставщиком</strong></span>, прежде чем пытаться настроить работу в этом режиме. Старые дистрибутивы не удовлетворяют минимальным требованиям, и вам потребуется перекомпилировать iptables, ядро и прочее программное обеспечение в системе. 
Если вы проигнорируете этот совет, <span class="bold"><strong>то <span class="bold"><strong>не </strong></span> рассчитывайте, что кто-либо сможет вам помочь.</strong></span>.</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Чтение только документации Shorewall не будет достаточным для понимания раскрываемых здесь тем. Shorewall упрощает работу с iptables, но разработчики Shorewall не имеют достаточных ресурсов, чтобы учить вас основам управляемой маршрутизации в Linux (равно как и пособие по вождению комбайна не учит правильно выращивать пшеницу). Скорее всего вам потребуется обратиться к следующим дополнительным источникам:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>LARTC HOWTO: <a class="ulink" href="http://www.lartc.org" target="_top">http://www.lartc.org</a></p></li><li class="listitem"><p>Вывод команды <span class="command"><strong>man ip</strong></span></p></li><li class="listitem"><p>Вывод команд <span class="command"><strong>ip route help</strong></span> и <span class="command"><strong>ip rule help</strong></span></p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Support"></a>Поддержка нескольких соединений с Internet</h2></div></div></div><p>Начиная с версии 2.3.2 в Shorewall реализована ограниченная поддержка нескольких соединений с Internet. Ниже описаны существующие ограничения:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Используется статическая конфигурация маршрутов. 
Поэтому не предусмотрены меры по защите от сбоя какого-либо из каналов связи с провайдером.</p></li><li class="listitem"><p>Изменения маршрутизации и очистка кэша маршрутов осуществляются при запуске <span class="bold"><strong>и при перезапуске Shorewall </strong></span> (если не указана опция "-n" для <span class="command"><strong>shorewall restart</strong></span>). Вообще говоря, в идеальном случае перезапуск пакетного фильтра никак не должен влиять на маршрутизацию.</p></li><li class="listitem"><p>В версиях Shorewall ниже 3.4.0 маршруты и правила маршрутизации, добавляемые при запуске, не удалялись полностью в ходе выполнения команд <span class="command"><strong>shorewall stop</strong></span>, <span class="command"><strong>shorewall clear</strong></span> или <span class="command"><strong>shorewall restart</strong></span>.</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Overview"></a>Обзор</h3></div></div></div><p>Предположим, что система, в которой работает файрвол, подключена к двум провайдерам по двум интерфейсам Ethernet, как показано на рисунке.</p><div align="center"><table border="0" summary="manufactured viewport for HTML img" style="cellpadding: 0; cellspacing: 0;"><tr><td align="center" valign="middle"><img src="images/TwoISPs.png" align="middle" /></td></tr></table></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>eth0 подключен к ISP1. IP-адрес eth0 - это 206.124.146.176, и шлюз провайдера имеет IP-адрес 206.124.146.254.</p></li><li class="listitem"><p>eth1 подключен к ISP2. IP-адрес eth1 - это 130.252.99.27, и шлюз провайдера имеет IP-адрес 130.252.99.254.</p></li><li class="listitem"><p>eth2 подключен к локальной сети. 
У него может быть любой IP-адрес.</p></li></ul></div><p>Все эти <em class="firstterm">провайдеры </em> должны быть перечислены в файле <code class="filename">/etc/shorewall/providers</code>.</p><p>В записях в файле <code class="filename">/etc/shorewall/providers</code> можно указать, что для исходящих соединений должно быть включено распределение нагрузки по двум каналам связи с провайдерами. В записях в файле <code class="filename">/etc/shorewall/tcrules</code> можно указать, что некоторые исходящие соединения должны использовать определённый канал провайдера. Правила в файле <code class="filename">/etc/shorewall/tcrules</code> необязательны для того, чтобы настройка <code class="filename">/etc/shorewall/providers</code> работала, но необходимо указать уникальное значение MARK для каждого из провайдеров, чтобы Shorewall настроил правила маркировки.</p><p>Если задать опцию <span class="bold"><strong>track</strong></span> в файле <code class="filename">/etc/shorewall/providers</code>, то соединения из Internet будут автоматически маршрутизироваться обратно через правильный интерфейс на соответствующий шлюз провайдера. Это будет работать как в том случае, когда соединение обрабатывается самим файрволом, так и для соединений, маршрутизируемых или пробрасываемых к системам позади файрвола.</p><p>Shorewall настраивает маршрутизацию и обновляет файл <code class="filename">/etc/iproute2/rt_tables</code>, включая в него имена таблиц и их номера.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>При этом используются функции <a class="ulink" href="traffic_shaping.htm" target="_top">маркировки пакетов</a> для управления маршрутизацией. 
Как следствие этого возникают ограничения на записи в файле <code class="filename">/etc/shorewall/tcrules</code>:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Маркировка пакетов для целей управления трафиком не может осуществляться в цепочке PREROUTING для соединений с участием провайдеров, для которых задана опция 'track' (см. далее).</p></li><li class="listitem"><p>Нельзя использовать опции SAVE или RESTORE.</p></li><li class="listitem"><p>Нельзя использовать маркировку соединений.</p></li></ul></div></div><p>Файл <code class="filename">/etc/shorewall/providers</code> может также использоваться в других сценариях маршрутизации. В <a class="ulink" href="Shorewall_Squid_Usage.html" target="_top">документации по работе с Squid </a> приведены примеры.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="providers"></a>Файл /etc/shorewall/providers</h3></div></div></div><p>Далее описаны поля этого файла. Как и везде в файлах конфигурации Shorewall, укажите в поле для столбца "-", если не требуется задавать никакое значение.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">NAME</span></dt><dd><p>Имя провайдера. Должно начинаться с буквы и состоять из букв и цифр. Имя провайдера становится именем сгенерированной таблицы маршрутизации для этого провайдера.</p></dd><dt><span class="term">NUMBER</span></dt><dd><p>Число от 1 до 252. Оно будет номером таблицы маршрутизации для сгенерированной таблицы для этого провайдера.</p></dd><dt><span class="term">MARK</span></dt><dd><p>Метка, применяемая в файле /etc/shorewall/tcrules для направления пакетов через этого провайдера. Shorewall также помечает этой меткой соединения, которые входят через этого провайдера, и восстанавливает метку пакета в цепочке PREROUTING. 
Метка должна быть целым числом от 1 до 255.</p><p>Начиная с Shorewall версии 3.2.0 Beta 6, можно задать опцию HIGH_ROUTE_MARKS=Yes в файле <code class="filename">/etc/shorewall/shorewall.conf</code>. Это позволяет решить следующие задачи:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Использовать метки пакетов для управления трафиком, при условии что эти метки присваиваются в цепочке FORWARD.</p></li><li class="listitem"><p>Использовать значения меток > 255 для меток провайдера. Эти метки должны быть кратными 256 в диапазоне 256-65280 (в 16-ричном представлении 0x100 - 0xFF00, с нулевыми младшими 8 битами).</p></li></ul></div></dd><dt><span class="term">DUPLICATE</span></dt><dd><p>Имя или номер таблицы маршрутизации, которая будет продублирована. Можно указать 'main' или имя или номер ранее объявленного провайдера. Для большинства приложений здесь достаточно будет указать 'main'.</p></dd><dt><span class="term">INTERFACE</span></dt><dd><p>Имя интерфейса канала связи с провайдером.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>В реализации поддержки нескольких подключений с провайдерами Shorewall предполагается, что каждый провайдер подключен к собственному интерфейсу.</p></div></dd><dt><span class="term">GATEWAY</span></dt><dd><p>IP-адрес шлюза провайдера.</p><p>Здесь можно указать <span class="bold"><strong>detect</strong></span> для автоматического определения IP-адреса шлюза.</p><p><span class="bold"><strong>Совет:</strong></span> <span class="bold"><strong>"detect"</strong></span> следует указывать в том случае, если интерфейс из поля INTERFACE настраивается динамически по DHCP.</p></dd><dt><span class="term">OPTIONS</span></dt><dd><p>Список параметров через запятую, описанных ниже:</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">track</span></dt><dd><p>Если эта опция включена, то будут отслеживаться соединения, 
ВХОДЯЩИЕ через этот интерфейс, чтобы ответы могли маршрутизироваться обратно через этот же интерфейс.</p><p>Укажите 'track', если через этого провайдера к локальным серверам будут обращаться хосты из Internet. Вместе с 'track' всегда следует указывать опцию 'balance'.</p><p>Для работы с этой функцией ядро и iptables должны поддерживать цель CONNMARK и сравнение connmark. Расширение цели ROUTE не требуется.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>В iptables 1.3.1 есть ошибка в реализации CONNMARK и iptables-save/iptables-restore. Поэтому при настройке нескольких провайдеров команда <span class="command"><strong>shorewall restore</strong></span> может быть не выполнена. Если это имеет место, примените исправление iptables, доступное по адресу <a class="ulink" href="http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff" target="_top">http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff</a>.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Если используется файл <code class="filename">/etc/shorewall/providers</code> для настройки нескольких соединений с Internet, укажите опцию 'track', даже если в ней нет необходимости. Она помогает поддерживать длительные соединения, в которых могут быть долгие периоды отсутствия трафика.</p></div></dd><dt><span class="term">balance</span></dt><dd><p>Опция 'balance' позволяет распределять нагрузку исходящих потоков между несколькими провайдерами. Распределение нагрузки не будет идеальным, поскольку оно осуществляется посредством маршрутов, а маршруты кэшируются. При этом маршрут к хостам, к которым часто обращаются пользователи, будет проходить всегда через одного и того же провайдера.</p><p>По умолчанию всем провайдерам присваивается одинаковый вес (1). 
Вес конкретного провайдера можно изменить опцией <span class="emphasis"><em>balance</em></span> с "=" и весом (например, balance=2). Веса отражают относительную пропускную способность каналов связи с провайдером. Они должны быть небольшими числами, потому что ядро создает дополнительные маршруты для каждого приращения веса. </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Если файл <code class="filename">/etc/shorewall/providers</code> используется для настройки нескольких соединений с Internet, укажите опцию 'balance', даже если в ней нет необходимости. Для направления всего трафика через какого-либо определенного провайдера можно использовать файл <code class="filename">/etc/shorewall/tcrules</code>. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Если вы проигнорируете этот совет, то прочитайте <a class="ulink" href="FAQ.htm#faq57" target="_top">FAQ 57</a> и <a class="ulink" href="FAQ.htm#faq58" target="_top">FAQ 58</a>.</p></div></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Если указана опция 'balance', но весь трафик по-прежнему идёт через одного провайдера, то причина этого может состоять в том, что ядро не собрано с опцией CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. У некоторых пользователей пересборка ядра с этой опцией помогла устранить неполадку.</p><p>Эта неполадка присутствует в ядре SuSE 10.0, и согласно <a class="ulink" href="https://bugzilla.novell.com/show_bug.cgi?id=190908" target="_top">в этом случае может возникать критическая ошибка ядра.</a> В SUSE 10.1 и SLES 10 опция CONFIG_IP_ROUTE_MULTIPATH_CACHED=n включена по умолчанию. 
Источник неполадки описан здесь: <a class="ulink" href="http://news.gmane.org/find-root.php?message_id=%3c00da01c5b35a%24b12b9860%241b00a8c0%40cruncher%3e" target="_top">несовместимость между исправлениями от LARTC и опцией CONFIG_IP_ROUTE_MULTIPATH_CACHED.</a></p></div></dd><dt><span class="term">loose</span></dt><dd><p>Не включать правила маршрутизации, которые принудительно направляют через данный интерфейс трафик, исходный IP-адрес которого совпадает с адресом интерфейса канала с провайдером. Эта опция полезна для определения провайдеров, которые должны использоваться только при наличии соответствующей метки пакета. Эту опцию нельзя указывать совместно с <span class="bold"><strong>balance</strong></span>.</p></dd><dt><span class="term">optional (начиная с Shorewall 3.2.2)</span></dt><dd><p>Shorewall определит, работает ли этот интерфейс и настроен ли его IP-адрес. Если он не настроен, то будет показано предупреждение, а сам провайдер не будет включен.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Параметр 'optional' предназначен для определения состояния интерфейсов, которые могли бы вызвать сбой команды <span class="command"><strong>shorewall start</strong></span> или <span class="command"><strong>shorewall restart</strong></span> - однако даже если интерфейс находится в состоянии, в котором Shorewall может [пере]запуститься без ошибок, это не означает, что трафик может с гарантией проходить через этот интерфейс.</p></div></dd></dl></div><p>Для тех, кто окончательно запутался в том, что такое <span class="bold"><strong> track</strong></span> и <span class="bold"><strong>balance</strong></span>:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="bold"><strong>track</strong></span> управляет входящими соединениями.</p></li><li class="listitem"><p><span class="bold"><strong>balance</strong></span> управляет исходящими 
соединениями.</p></li></ul></div></dd><dt><span class="term">COPY</span></dt><dd><p>Если в поле DUPLICATE указана существующая таблица, то Shorewall копирует все маршруты, проходящие через интерфейс, указанный в столбце INTERFACE, а также через интерфейс, указанный в этом поле. В этом поле следует указать все интерфейсы в системе файрвола, исключая интерфейсы Internet, указанные в поле INTERFACE этого файла.</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Providers"></a>Какие функции выполняет запись в файле providers</h3></div></div></div><p>Добавление записи в файле providers приводит к созданию альтернативной таблицы маршрутизации. Помимо этого:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Если не указана опция <span class="bold"><strong>loose</strong></span>, то создается правило ip для каждого IP-адреса из поля INTERFACE, которое обеспечивает маршрутизацию трафика с этого адреса через соответствующую таблицу маршрутизации.</p></li><li class="listitem"><p>Если указана опция <span class="bold"><strong>track</strong></span>, то соединения, для которых хотя бы один пакет прошел на интерфейс, указанный в поле INTERFACE, получат метку соединения, заданную в поле MARK. В цепочке PREROUTING метка пакетов, имеющих метку соединения, будет задана равной метке соединения, и такие помеченные пакеты не будут подчиняться правилам для цепочки PREROUTING, заданным в файле <code class="filename">/etc/shorewall/tcrules</code>. Это обеспечивает маршрутизацию через правильный интерфейс для входящих соединений.</p></li><li class="listitem"><p>Если указана опция <span class="bold"><strong>balance</strong></span>, то Shorewall заменит маршрут по умолчанию с весом 100 в таблице маршрутизации 'main' маршрутом с распределением нагрузки между шлюзами, для которых опция <span class="bold"><strong>balance</strong></span> включена. 
Поэтому, если вы настраиваете маршруты по умолчанию, то укажите их вес меньше, чем 100, иначе маршрут, добавленный Shorewall, не будет иметь силы.</p></li></ol></div><p>Больше эти записи не делают <span class="bold"><strong>ничего</strong></span>. Вспомните основной принцип, описанный в <a class="ulink" href="Shorewall_and_Routing.html" target="_top">документации по маршрутизации Shorewall</a>:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Маршрутизация отвечает за то, куда направляются пакеты.</p></li><li class="listitem"><p>После того, как маршрут пакета определён, файрвол (Shorewall) определяет, разрешить ли отправку пакета по его маршруту.</p></li></ol></div><p>Итак, если вы хотите направить трафик через определённого провайдера, то <span class="emphasis"><em>необходимо </em></span>пометить этот трафик значением MARK провайдера в файле <code class="filename">/etc/shorewall/tcrules</code> и пометить пакет в цепочке PREROUTING; другим способом будет указание соответствующих правил в файле <code class="filename">/etc/shorewall/rtrules</code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a id="Undo"></a>Warning</h3><p>В Shorewall версий ниже 3.4.0 записи из файла <code class="filename">/etc/shorewall/providers</code> необратимо изменяют маршрутизацию системы, то есть эти изменения не отменяются при вызове команды <span class="command"><strong>shorewall stop</strong></span> или <span class="command"><strong>shorewall clear</strong></span>. Для того чтобы восстановить исходные маршруты, может потребоваться перезапустить сеть. Обычно это делает команда <span class="command"><strong>/etc/init.d/network restart</strong></span> или <span class="command"><strong>/etc/init.d/networking restart</strong></span>. 
Обратитесь к документации по сети вашего дистрибутива.</p><p>Дополнительные замечания:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Влияние изменений, вносимых Shorewall в таблицу маршрутизации, можно уменьшить, указав параметр <span class="emphasis"><em>metric</em></span> для каждого настраиваемого маршрута по умолчанию. Shorewall создаст маршрут по умолчанию с распределением нагрузки (если опция <span class="bold"><strong>balance</strong></span> включена для какого-либо из провайдеров), который не будет включать метрику и тем самым не будет заменять никакой существующий маршрут, для которого метрика отлична от нуля.</p></li><li class="listitem"><p>Опция <span class="command"><strong>-n</strong></span> команд <span class="command"><strong>shorewall restart</strong></span> и <span class="command"><strong>shorewall restore</strong></span> позволяет предотвратить изменение маршрутизации.</p></li><li class="listitem"><p>Файл <code class="filename">/etc/shorewall/stopped</code> можно также использовать для восстановления маршрутизации при остановке Shorewall. Когда система работает в обычной конфигурации маршрутизации (одна таблица), то ее содержимое можно сохранить следующим образом:</p><pre class="programlisting">ip route ls > routes</pre><p>Ниже приведен пример файла <code class="filename">routes</code> для моей системы:</p><pre class="programlisting">192.168.1.1 dev eth3 scope link
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall и подключение к Internet по нескольким каналам</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Shorewall и подключение к Internet по нескольким каналам</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005, 2006, 2007 Thomas M. Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation: Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm17"></a><p>Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. 
Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Support">Поддержка нескольких соединений с Internet</a></span></dt><dd><dl><dt><span class="section"><a href="#Overview">Обзор</a></span></dt><dt><span class="section"><a href="#providers">Файл /etc/shorewall/providers</a></span></dt><dt><span class="section"><a href="#Providers">Какие функции выполняет запись в файле providers</a></span></dt><dt><span class="section"><a href="#Provider_Doesnt">Какие функции НЕ выполняет запись в файле providers</a></span></dt><dt><span class="section"><a href="#Martians">Марсианские пакеты</a></span></dt><dt><span class="section"><a href="#Example1">Пример</a></span></dt><dt><span class="section"><a href="#morethan2">Если провайдеров больше, чем 2</a></span></dt><dt><span class="section"><a href="#Local">Приложения, работающие в системе файрвола</a></span></dt><dt><span class="section"><a href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dd><dl><dt><span class="section"><a href="#Routing_rules">Правила маршрутизации</a></span></dt><dt><span class="section"><a href="#rtrules_columns">Файл rtrules</a></span></dt></dl></dd></dl></dd></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Вы должны <span class="bold"><strong> установить современный дистрибутив, который обновляется поставщиком</strong></span>, прежде чем пытаться настроить работу в этом режиме. Старые дистрибутивы не удовлетворяют минимальным требованиям, и вам потребуется перекомпилировать iptables, ядро и прочее программное обеспечение в системе. 
Если вы проигнорируете этот совет, <span class="bold"><strong>то <span class="bold"><strong>не </strong></span> рассчитывайте, что кто-либо сможет вам помочь.</strong></span>.</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Чтение только документации Shorewall не будет достаточным для понимания раскрываемых здесь тем. Shorewall упрощает работу с iptables, но разработчики Shorewall не имеют достаточных ресурсов, чтобы учить вас основам управляемой маршрутизации в Linux (равно как и пособие по вождению комбайна не учит правильно выращивать пшеницу). Скорее всего вам потребуется обратиться к следующим дополнительным источникам:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>LARTC HOWTO: <a class="ulink" href="http://www.lartc.org" target="_top">http://www.lartc.org</a></p></li><li class="listitem"><p>Вывод команды <span class="command"><strong>man ip</strong></span></p></li><li class="listitem"><p>Вывод команд <span class="command"><strong>ip route help</strong></span> и <span class="command"><strong>ip rule help</strong></span></p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Support"></a>Поддержка нескольких соединений с Internet</h2></div></div></div><p>Начиная с версии 2.3.2 в Shorewall реализована ограниченная поддержка нескольких соединений с Internet. Ниже описаны существующие ограничения:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Используется статическая конфигурация маршрутов. 
Поэтому не предусмотрены меры по защите от сбоя какого-либо из каналов связи с провайдером.</p></li><li class="listitem"><p>Изменения маршрутизации и очистка кэша маршрутов осуществляются при запуске <span class="bold"><strong>и при перезапуске Shorewall </strong></span> (если не указана опция "-n" для <span class="command"><strong>shorewall restart</strong></span>). Вообще говоря, в идеальном случае перезапуск пакетного фильтра никак не должен влиять на маршрутизацию.</p></li><li class="listitem"><p>В версиях Shorewall ниже 3.4.0 маршруты и правила маршрутизации, добавляемые при запуске, не удалялись полностью в ходе выполнения команд <span class="command"><strong>shorewall stop</strong></span>, <span class="command"><strong>shorewall clear</strong></span> или <span class="command"><strong>shorewall restart</strong></span>.</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Overview"></a>Обзор</h3></div></div></div><p>Предположим, что система, в которой работает файрвол, подключена к двум провайдерам по двум интерфейсам Ethernet, как показано на рисунке.</p><div align="center"><table border="0" summary="manufactured viewport for HTML img" style="cellpadding: 0; cellspacing: 0;"><tr><td align="center" valign="middle"><img src="images/TwoISPs.png" align="middle" /></td></tr></table></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>eth0 подключен к ISP1. IP-адрес eth0 - это 206.124.146.176, и шлюз провайдера имеет IP-адрес 206.124.146.254.</p></li><li class="listitem"><p>eth1 подключен к ISP2. IP-адрес eth1 - это 130.252.99.27, и шлюз провайдера имеет IP-адрес 130.252.99.254.</p></li><li class="listitem"><p>eth2 подключен к локальной сети. 
У него может быть любой IP-адрес.</p></li></ul></div><p>Все эти <em class="firstterm">провайдеры </em> должны быть перечислены в файле <code class="filename">/etc/shorewall/providers</code>.</p><p>В записях в файле <code class="filename">/etc/shorewall/providers</code> можно указать, что для исходящих соединений должно быть включено распределение нагрузки по двум каналам связи с провайдерами. В записях в файле <code class="filename">/etc/shorewall/tcrules</code> можно указать, что некоторые исходящие соединения должны использовать определённый канал провайдера. Правила в файле <code class="filename">/etc/shorewall/tcrules</code> необязательны для того, чтобы настройка <code class="filename">/etc/shorewall/providers</code> работала, но необходимо указать уникальное значение MARK для каждого из провайдеров, чтобы Shorewall настроил правила маркировки.</p><p>Если задать опцию <span class="bold"><strong>track</strong></span> в файле <code class="filename">/etc/shorewall/providers</code>, то соединения из Internet будут автоматически маршрутизироваться обратно через правильный интерфейс на соответствующий шлюз провайдера. Это будет работать как в том случае, когда соединение обрабатывается самим файрволом, так и для соединений, маршрутизируемых или пробрасываемых к системам позади файрвола.</p><p>Shorewall настраивает маршрутизацию и обновляет файл <code class="filename">/etc/iproute2/rt_tables</code>, включая в него имена таблиц и их номера.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>При этом используются функции <a class="ulink" href="traffic_shaping.htm" target="_top">маркировки пакетов</a> для управления маршрутизацией. 
Как следствие этого возникают ограничения на записи в файле <code class="filename">/etc/shorewall/tcrules</code>:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Маркировка пакетов для целей управления трафиком не может осуществляться в цепочке PREROUTING для соединений с участием провайдеров, для которых задана опция 'track' (см. далее).</p></li><li class="listitem"><p>Нельзя использовать опции SAVE или RESTORE.</p></li><li class="listitem"><p>Нельзя использовать маркировку соединений.</p></li></ul></div></div><p>Файл <code class="filename">/etc/shorewall/providers</code> может также использоваться в других сценариях маршрутизации. В <a class="ulink" href="Shorewall_Squid_Usage.html" target="_top">документации по работе с Squid </a> приведены примеры.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="providers"></a>Файл /etc/shorewall/providers</h3></div></div></div><p>Далее описаны поля этого файла. Как и везде в файлах конфигурации Shorewall, укажите в поле для столбца "-", если не требуется задавать никакое значение.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">NAME</span></dt><dd><p>Имя провайдера. Должно начинаться с буквы и состоять из букв и цифр. Имя провайдера становится именем сгенерированной таблицы маршрутизации для этого провайдера.</p></dd><dt><span class="term">NUMBER</span></dt><dd><p>Число от 1 до 252. Оно будет номером таблицы маршрутизации для сгенерированной таблицы для этого провайдера.</p></dd><dt><span class="term">MARK</span></dt><dd><p>Метка, применяемая в файле /etc/shorewall/tcrules для направления пакетов через этого провайдера. Shorewall также помечает этой меткой соединения, которые входят через этого провайдера, и восстанавливает метку пакета в цепочке PREROUTING. 
Метка должна быть целым числом от 1 до 255.</p><p>Начиная с Shorewall версии 3.2.0 Beta 6, можно задать опцию HIGH_ROUTE_MARKS=Yes в файле <code class="filename">/etc/shorewall/shorewall.conf</code>. Это позволяет решить следующие задачи:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Использовать метки пакетов для управления трафиком, при условии что эти метки присваиваются в цепочке FORWARD.</p></li><li class="listitem"><p>Использовать значения меток > 255 для меток провайдера. Эти метки должны быть кратными 256 в диапазоне 256-65280 (в 16-ричном представлении 0x100 - 0xFF00, с нулевыми младшими 8 битами).</p></li></ul></div></dd><dt><span class="term">DUPLICATE</span></dt><dd><p>Имя или номер таблицы маршрутизации, которая будет продублирована. Можно указать 'main' или имя или номер ранее объявленного провайдера. Для большинства приложений здесь достаточно будет указать 'main'.</p></dd><dt><span class="term">INTERFACE</span></dt><dd><p>Имя интерфейса канала связи с провайдером.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>В реализации поддержки нескольких подключений с провайдерами Shorewall предполагается, что каждый провайдер подключен к собственному интерфейсу.</p></div></dd><dt><span class="term">GATEWAY</span></dt><dd><p>IP-адрес шлюза провайдера.</p><p>Здесь можно указать <span class="bold"><strong>detect</strong></span> для автоматического определения IP-адреса шлюза.</p><p><span class="bold"><strong>Совет:</strong></span> <span class="bold"><strong>"detect"</strong></span> следует указывать в том случае, если интерфейс из поля INTERFACE настраивается динамически по DHCP.</p></dd><dt><span class="term">OPTIONS</span></dt><dd><p>Список параметров через запятую, описанных ниже:</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">track</span></dt><dd><p>Если эта опция включена, то будут отслеживаться соединения, 
ВХОДЯЩИЕ через этот интерфейс, чтобы ответы могли маршрутизироваться обратно через этот же интерфейс.</p><p>Укажите 'track', если через этого провайдера к локальным серверам будут обращаться хосты из Internet. Вместе с 'track' всегда следует указывать опцию 'balance'.</p><p>Для работы с этой функцией ядро и iptables должны поддерживать цель CONNMARK и сравнение connmark. Расширение цели ROUTE не требуется.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>В iptables 1.3.1 есть ошибка в реализации CONNMARK и iptables-save/iptables-restore. Поэтому при настройке нескольких провайдеров команда <span class="command"><strong>shorewall restore</strong></span> может быть не выполнена. Если это имеет место, примените исправление iptables, доступное по адресу <a class="ulink" href="http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff" target="_top">http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff</a>.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Если используется файл <code class="filename">/etc/shorewall/providers</code> для настройки нескольких соединений с Internet, укажите опцию 'track', даже если в ней нет необходимости. Она помогает поддерживать длительные соединения, в которых могут быть долгие периоды отсутствия трафика.</p></div></dd><dt><span class="term">balance</span></dt><dd><p>Опция 'balance' позволяет распределять нагрузку исходящих потоков между несколькими провайдерами. Распределение нагрузки не будет идеальным, поскольку оно осуществляется посредством маршрутов, а маршруты кэшируются. При этом маршрут к хостам, к которым часто обращаются пользователи, будет проходить всегда через одного и того же провайдера.</p><p>По умолчанию всем провайдерам присваивается одинаковый вес (1). 
Вес конкретного провайдера можно изменить опцией <span class="emphasis"><em>balance</em></span> с "=" и весом (например, balance=2). Веса отражают относительную пропускную способность каналов связи с провайдером. Они должны быть небольшими числами, потому что ядро создает дополнительные маршруты для каждого приращения веса. </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Если файл <code class="filename">/etc/shorewall/providers</code> используется для настройки нескольких соединений с Internet, укажите опцию 'balance', даже если в ней нет необходимости. Для направления всего трафика через какого-либо определенного провайдера можно использовать файл <code class="filename">/etc/shorewall/tcrules</code>. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Если вы проигнорируете этот совет, то прочитайте <a class="ulink" href="FAQ.htm#faq57" target="_top">FAQ 57</a> и <a class="ulink" href="FAQ.htm#faq58" target="_top">FAQ 58</a>.</p></div></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Если указана опция 'balance', но весь трафик по-прежнему идёт через одного провайдера, то причина этого может состоять в том, что ядро не собрано с опцией CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. У некоторых пользователей пересборка ядра с этой опцией помогла устранить неполадку.</p><p>Эта неполадка присутствует в ядре SuSE 10.0, и согласно <a class="ulink" href="https://bugzilla.novell.com/show_bug.cgi?id=190908" target="_top">в этом случае может возникать критическая ошибка ядра.</a> В SUSE 10.1 и SLES 10 опция CONFIG_IP_ROUTE_MULTIPATH_CACHED=n включена по умолчанию. 
Источник неполадки описан здесь: <a class="ulink" href="http://news.gmane.org/find-root.php?message_id=%3c00da01c5b35a%24b12b9860%241b00a8c0%40cruncher%3e" target="_top">несовместимость между исправлениями от LARTC и опцией CONFIG_IP_ROUTE_MULTIPATH_CACHED.</a></p></div></dd><dt><span class="term">loose</span></dt><dd><p>Не включать правила маршрутизации, которые принудительно направляют через данный интерфейс трафик, исходный IP-адрес которого совпадает с адресом интерфейса канала с провайдером. Эта опция полезна для определения провайдеров, которые должны использоваться только при наличии соответствующей метки пакета. Эту опцию нельзя указывать совместно с <span class="bold"><strong>balance</strong></span>.</p></dd><dt><span class="term">optional (начиная с Shorewall 3.2.2)</span></dt><dd><p>Shorewall определит, работает ли этот интерфейс и настроен ли его IP-адрес. Если он не настроен, то будет показано предупреждение, а сам провайдер не будет включен.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Параметр 'optional' предназначен для определения состояния интерфейсов, которые могли бы вызвать сбой команды <span class="command"><strong>shorewall start</strong></span> или <span class="command"><strong>shorewall restart</strong></span> - однако даже если интерфейс находится в состоянии, в котором Shorewall может [пере]запуститься без ошибок, это не означает, что трафик может с гарантией проходить через этот интерфейс.</p></div></dd></dl></div><p>Для тех, кто окончательно запутался в том, что такое <span class="bold"><strong> track</strong></span> и <span class="bold"><strong>balance</strong></span>:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="bold"><strong>track</strong></span> управляет входящими соединениями.</p></li><li class="listitem"><p><span class="bold"><strong>balance</strong></span> управляет исходящими 
соединениями.</p></li></ul></div></dd><dt><span class="term">COPY</span></dt><dd><p>Если в поле DUPLICATE указана существующая таблица, то Shorewall копирует все маршруты, проходящие через интерфейс, указанный в столбце INTERFACE, а также через интерфейс, указанный в этом поле. В этом поле следует указать все интерфейсы в системе файрвола, исключая интерфейсы Internet, указанные в поле INTERFACE этого файла.</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Providers"></a>Какие функции выполняет запись в файле providers</h3></div></div></div><p>Добавление записи в файле providers приводит к созданию альтернативной таблицы маршрутизации. Помимо этого:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Если не указана опция <span class="bold"><strong>loose</strong></span>, то создается правило ip для каждого IP-адреса из поля INTERFACE, которое обеспечивает маршрутизацию трафика с этого адреса через соответствующую таблицу маршрутизации.</p></li><li class="listitem"><p>Если указана опция <span class="bold"><strong>track</strong></span>, то соединения, для которых хотя бы один пакет прошел на интерфейс, указанный в поле INTERFACE, получат метку соединения, заданную в поле MARK. В цепочке PREROUTING метка пакетов, имеющих метку соединения, будет задана равной метке соединения, и такие помеченные пакеты не будут подчиняться правилам для цепочки PREROUTING, заданным в файле <code class="filename">/etc/shorewall/tcrules</code>. Это обеспечивает маршрутизацию через правильный интерфейс для входящих соединений.</p></li><li class="listitem"><p>Если указана опция <span class="bold"><strong>balance</strong></span>, то Shorewall заменит маршрут по умолчанию с весом 100 в таблице маршрутизации 'main' маршрутом с распределением нагрузки между шлюзами, для которых опция <span class="bold"><strong>balance</strong></span> включена. 
Поэтому, если вы настраиваете маршруты по умолчанию, то укажите их вес меньше, чем 100, иначе маршрут, добавленный Shorewall, не будет иметь силы.</p></li></ol></div><p>Больше эти записи не делают <span class="bold"><strong>ничего</strong></span>. Вспомните основной принцип, описанный в <a class="ulink" href="Shorewall_and_Routing.html" target="_top">документации по маршрутизации Shorewall</a>:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Маршрутизация отвечает за то, куда направляются пакеты.</p></li><li class="listitem"><p>После того, как маршрут пакета определён, файрвол (Shorewall) определяет, разрешить ли отправку пакета по его маршруту.</p></li></ol></div><p>Итак, если вы хотите направить трафик через определённого провайдера, то <span class="emphasis"><em>необходимо </em></span>пометить этот трафик значением MARK провайдера в файле <code class="filename">/etc/shorewall/tcrules</code> и пометить пакет в цепочке PREROUTING; другим способом будет указание соответствующих правил в файле <code class="filename">/etc/shorewall/rtrules</code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a id="Undo"></a>Warning</h3><p>В Shorewall версий ниже 3.4.0 записи из файла <code class="filename">/etc/shorewall/providers</code> необратимо изменяют маршрутизацию системы, то есть эти изменения не отменяются при вызове команды <span class="command"><strong>shorewall stop</strong></span> или <span class="command"><strong>shorewall clear</strong></span>. Для того чтобы восстановить исходные маршруты, может потребоваться перезапустить сеть. Обычно это делает команда <span class="command"><strong>/etc/init.d/network restart</strong></span> или <span class="command"><strong>/etc/init.d/networking restart</strong></span>. 
Обратитесь к документации по сети вашего дистрибутива.</p><p>Дополнительные замечания:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Влияние изменений, вносимых Shorewall в таблицу маршрутизации, можно уменьшить, указав параметр <span class="emphasis"><em>metric</em></span> для каждого настраиваемого маршрута по умолчанию. Shorewall создаст маршрут по умолчанию с распределением нагрузки (если опция <span class="bold"><strong>balance</strong></span> включена для какого-либо из провайдеров), который не будет включать метрику и тем самым не будет заменять никакой существующий маршрут, для которого метрика отлична от нуля.</p></li><li class="listitem"><p>Опция <span class="command"><strong>-n</strong></span> команд <span class="command"><strong>shorewall restart</strong></span> и <span class="command"><strong>shorewall restore</strong></span> позволяет предотвратить изменение маршрутизации.</p></li><li class="listitem"><p>Файл <code class="filename">/etc/shorewall/stopped</code> можно также использовать для восстановления маршрутизации при остановке Shorewall. Когда система работает в обычной конфигурации маршрутизации (одна таблица), то ее содержимое можно сохранить следующим образом:</p><pre class="programlisting">ip route ls > routes</pre><p>Ниже приведен пример файла <code class="filename">routes</code> для моей системы:</p><pre class="programlisting">192.168.1.1 dev eth3 scope link
206.124.146.177 dev eth1 scope link
192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
192.168.2.0/24 via 192.168.2.2 dev tun0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Multiple_Zones.html new/shorewall-docs-html-5.2.3.1/Multiple_Zones.html
--- old/shorewall-docs-html-5.2.3/Multiple_Zones.html 2019-02-11 23:51:18.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Multiple_Zones.html 2019-02-26 19:01:30.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Router">Router in the Local Zone</a></span></dt><dd><dl><dt><span class="section"><a href="#Standard">Can You Use the Standard Configuration?</a></span></dt><dt><span class="section"><a href="#Enough">Will One Zone be Enough?</a></span></dt><dt><span class="section"><a href="#Separate">I Need Separate Zones</a></span></dt><dd><dl><dt><span class="section"><a href="#Nested">Nested Zones</a></span></dt><dt><span class="section"><a href="#Parallel">Parallel Zones</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Special">Some Hosts have Special Firewalling Requirements</a></span></dt><dt><span class="section"><a href="#OneArmed">One-armed Router</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Router">Router in the Local Zone</a></span></dt><dd><dl><dt><span class="section"><a href="#Standard">Can You Use the Standard Configuration?</a></span></dt><dt><span class="section"><a href="#Enough">Will One Zone be Enough?</a></span></dt><dt><span class="section"><a href="#Separate">I Need Separate Zones</a></span></dt><dd><dl><dt><span class="section"><a href="#Nested">Nested Zones</a></span></dt><dt><span class="section"><a href="#Parallel">Parallel Zones</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Special">Some Hosts have Special Firewalling Requirements</a></span></dt><dt><span class="section"><a href="#OneArmed">One-armed Router</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>While most configurations can be handled with each of the firewall's
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/MyNetwork.html new/shorewall-docs-html-5.2.3.1/MyNetwork.html
--- old/shorewall-docs-html-5.2.3/MyNetwork.html 2019-02-11 23:51:18.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/MyNetwork.html 2019-02-26 19:01:30.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Introduction</a></span></dt><dt><span class="section"><a href="#idm52">Network Topology</a></span></dt><dt><span class="section"><a href="#idm65">Shorewall Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#idm68">/etc/shorewall/mirrors</a></span></dt><dt><span class="section"><a href="#params">/etc/shorewall/params</a></span></dt><dt><span class="section"><a href="#conf">/etc/shorewall/shorewall.conf</a></span></dt><dt><span class="section"><a href="#idm80">/etc/shorewall/actions</a></span></dt><dt><span class="section"><a href="#idm84">/etc/shorewall/action.Mirrors</a></span></dt><dt><span class="section"><a href="#idm89">/etc/shorewall/action.tarpit</a></span></dt><dt><span class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span class="section"><a href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span class="section"><a href="#policy">/etc/shorewall/policy</a></span></dt><dt><span class="section"><a href="#accounting">/etc/shorewall/accounting</a></span></dt><dt><span class="section"><a href="#blacklist">/etc/shorewall/blrules</a></span></dt><dt><span class="section"><a href="#findgw">/etc/shorewall/findgw</a></span></dt><dt><span class="section"><a href="#isusable">/etc/shorewall/isusable</a></span></dt><dt><span class="section"><a href="#libprivate">/etc/shorewall/lib.private</a></span></dt><dt><span class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span class="section"><a href="#idm135">/etc/shorewall/conntrack</a></span></dt><dt><span class="section"><a href="#idm139">/etc/shorewall/providers</a></span></dt><dt><span class="section"><a 
href="#proxyarp">/etc/shorewall/proxyarp</a></span></dt><dt><span class="section"><a href="#restored">/etc/shorewall/restored</a></span></dt><dt><span class="section"><a href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dt><span class="section"><a href="#routestopped">/etc/shorewall/stoppedrules</a></span></dt><dt><span class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span class="section"><a href="#started">/etc/shorewall/started</a></span></dt><dt><span class="section"><a href="#stopped">/etc/shorewall/stopped</a></span></dt><dt><span class="section"><a href="#tunnels">/etc/shorewall/tunnels</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The ruleset shown in this article uses Shorewall features that are
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Introduction</a></span></dt><dt><span class="section"><a href="#idm52">Network Topology</a></span></dt><dt><span class="section"><a href="#idm65">Shorewall Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#idm68">/etc/shorewall/mirrors</a></span></dt><dt><span class="section"><a href="#params">/etc/shorewall/params</a></span></dt><dt><span class="section"><a href="#conf">/etc/shorewall/shorewall.conf</a></span></dt><dt><span class="section"><a href="#idm80">/etc/shorewall/actions</a></span></dt><dt><span class="section"><a href="#idm84">/etc/shorewall/action.Mirrors</a></span></dt><dt><span class="section"><a href="#idm89">/etc/shorewall/action.tarpit</a></span></dt><dt><span class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span class="section"><a href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span class="section"><a href="#policy">/etc/shorewall/policy</a></span></dt><dt><span class="section"><a href="#accounting">/etc/shorewall/accounting</a></span></dt><dt><span class="section"><a href="#blacklist">/etc/shorewall/blrules</a></span></dt><dt><span class="section"><a href="#findgw">/etc/shorewall/findgw</a></span></dt><dt><span class="section"><a href="#isusable">/etc/shorewall/isusable</a></span></dt><dt><span class="section"><a href="#libprivate">/etc/shorewall/lib.private</a></span></dt><dt><span class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span class="section"><a href="#idm135">/etc/shorewall/conntrack</a></span></dt><dt><span class="section"><a href="#idm139">/etc/shorewall/providers</a></span></dt><dt><span class="section"><a 
href="#proxyarp">/etc/shorewall/proxyarp</a></span></dt><dt><span class="section"><a href="#restored">/etc/shorewall/restored</a></span></dt><dt><span class="section"><a href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dt><span class="section"><a href="#routestopped">/etc/shorewall/stoppedrules</a></span></dt><dt><span class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span class="section"><a href="#started">/etc/shorewall/started</a></span></dt><dt><span class="section"><a href="#stopped">/etc/shorewall/stopped</a></span></dt><dt><span class="section"><a href="#tunnels">/etc/shorewall/tunnels</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The ruleset shown in this article uses Shorewall features that are
not available in Shorewall versions prior to 4.6.11</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Introduction</h2></div></div></div><p>The configuration described in this article represents the network
at shorewall.org during the summer of 2015. It uses the following
Shorewall features:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><a class="ulink" href="MultiISP.html" target="_top">Two Internet
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/NAT.htm new/shorewall-docs-html-5.2.3.1/NAT.htm
--- old/shorewall-docs-html-5.2.3/NAT.htm 2019-02-11 23:51:19.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/NAT.htm 2019-02-26 19:01:30.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#One-to-one">One-to-one NAT</a></span></dt><dt><span class="section"><a href="#ARP">ARP cache</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#One-to-one">One-to-one NAT</a></span></dt><dt><span class="section"><a href="#ARP">ARP cache</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="One-to-one"></a>One-to-one NAT</h2></div></div></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>If all you want to do is forward ports to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/NetfilterOverview.html new/shorewall-docs-html-5.2.3.1/NetfilterOverview.html
--- old/shorewall-docs-html-5.2.3/NetfilterOverview.html 2019-02-11 23:51:19.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/NetfilterOverview.html 2019-02-26 19:01:31.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Netfilter Overview</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Overview"></a>Netfilter Overview</h2></div></div></div><p>Netfilter consists of three tables: <span class="bold"><strong>Filter</strong></span>, <span class="bold"><strong>Nat</strong></span> and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Netfilter Overview</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Overview"></a>Netfilter Overview</h2></div></div></div><p>Netfilter consists of three tables: <span class="bold"><strong>Filter</strong></span>, <span class="bold"><strong>Nat</strong></span> and
<span class="bold"><strong>Mangle</strong></span>. Each table has a number of
build-in chains: <span class="bold"><strong>PREROUTING</strong></span>, <span class="bold"><strong>INPUT</strong></span>, <span class="bold"><strong>FORWARD</strong></span>,
<span class="bold"><strong>OUTPUT</strong></span> and <span class="bold"><strong>POSTROUTING</strong></span>.</p><p>Rules in the various tables are used as follows:</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Filter</span></dt><dd><p>Packet filtering (rejecting, dropping or accepting
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/NewRelease.html new/shorewall-docs-html-5.2.3.1/NewRelease.html
--- old/shorewall-docs-html-5.2.3/NewRelease.html 2019-02-11 23:51:20.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/NewRelease.html 2019-02-26 19:01:32.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Identification</a></span></dt><dt><span class="section"><a href="#idm21">Release Schedule</a></span></dt><dt><span class="section"><a href="#idm31">Beta Releases and Release Candidates</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Identification</h2></div></div></div><p>Shorewall releases are identified by three numbers separated by
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Identification</a></span></dt><dt><span class="section"><a href="#idm21">Release Schedule</a></span></dt><dt><span class="section"><a href="#idm31">Beta Releases and Release Candidates</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Identification</h2></div></div></div><p>Shorewall releases are identified by three numbers separated by
periods (e.g., 4.4.16). The first two digits (e.g., 4.4) specify the
<em class="firstterm">major release number</em>. The third number (e.g., 16)
is the <em class="firstterm">minor release number</em>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm21"></a>Release Schedule</h2></div></div></div><p>Traditionally, major releases have occurred roughly every two years,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/OPENVPN.html new/shorewall-docs-html-5.2.3.1/OPENVPN.html
--- old/shorewall-docs-html-5.2.3/OPENVPN.html 2019-02-11 23:51:20.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/OPENVPN.html 2019-02-26 19:01:32.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span class="section"><a href="#Routed">Bridging two Masqueraded Networks</a></span></dt><dt><span class="section"><a href="#RoadWarrior">Roadwarrior</a></span></dt><dt><span class="section"><a href="#Dupnet">Roadwarrior with Duplicate Network Issue</a></span></dt><dt><span class="section"><a href="#idm190">Roadwarrior with IPv6</a></span></dt><dt><span class="section"><a href="#idm247">Bridged Roadwarrior</a></span></dt><dt><span class="section"><a href="#idm262">Bridging Two Networks</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span class="section"><a href="#Routed">Bridging two Masqueraded Networks</a></span></dt><dt><span class="section"><a href="#RoadWarrior">Roadwarrior</a></span></dt><dt><span class="section"><a href="#Dupnet">Roadwarrior with Duplicate Network Issue</a></span></dt><dt><span class="section"><a href="#idm190">Roadwarrior with IPv6</a></span></dt><dt><span class="section"><a href="#idm247">Bridged Roadwarrior</a></span></dt><dt><span class="section"><a href="#idm262">Bridging Two Networks</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
later and to OpenVPN 2.0 and later. If you are running a version of
Shorewall earlier than Shorewall 3.0.0 then please see the documentation
for that release.</strong></span></p></div><p>OpenVPN is a robust and highly configurable VPN (Virtual Private
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/OpenVZ.html new/shorewall-docs-html-5.2.3.1/OpenVZ.html
--- old/shorewall-docs-html-5.2.3/OpenVZ.html 2019-02-11 23:51:20.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/OpenVZ.html 2019-02-26 19:01:32.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm29">Shorewall on an OpenVZ Host</a></span></dt><dd><dl><dt><span class="section"><a href="#idm34">Networking</a></span></dt><dt><span class="section"><a href="#idm59">Shorewall Configuration</a></span></dt><dt><span class="section"><a href="#idm69">Multi-ISP</a></span></dt><dt><span class="section"><a href="#idm73">RFC 1918 Addresses in a Container</a></span></dt></dl></dd><dt><span class="section"><a href="#idm78">Shorewall in an OpenVZ Virtual Environment</a></span></dt><dt><span class="section"><a href="#idm123">Working Example</a></span></dt><dd><dl><dt><span class="section"><a href="#idm129">OpenVZ Configuration</a></span></dt><dt><span class="section"><a href="#idm150">Shorewall Configuration on the Host</a></span></dt><dt><span class="section"><a href="#idm169">Shorewall Configuration on Server</a></span></dt></dl></dd><dt><span class="section"><a href="#idm179">Working Example Using a Bridge</a></span></dt><dd><dl><dt><span class="section"><a href="#idm186">Bridge Configuration</a></span></dt><dt><span class="section"><a href="#idm190">OpenVZ Configuration</a></span></dt><dt><span class="section"><a href="#idm217">Shorewall Configuration on the Host</a></span></dt><dt><span class="section"><a href="#idm239">Shorewall Configuration on Server</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p><a class="ulink" href="http://wiki.openvz.org/" target="_top">Open Virtuoso (OpenVZ)</a>
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm29">Shorewall on an OpenVZ Host</a></span></dt><dd><dl><dt><span class="section"><a href="#idm34">Networking</a></span></dt><dt><span class="section"><a href="#idm59">Shorewall Configuration</a></span></dt><dt><span class="section"><a href="#idm69">Multi-ISP</a></span></dt><dt><span class="section"><a href="#idm73">RFC 1918 Addresses in a Container</a></span></dt></dl></dd><dt><span class="section"><a href="#idm78">Shorewall in an OpenVZ Virtual Environment</a></span></dt><dt><span class="section"><a href="#idm123">Working Example</a></span></dt><dd><dl><dt><span class="section"><a href="#idm129">OpenVZ Configuration</a></span></dt><dt><span class="section"><a href="#idm150">Shorewall Configuration on the Host</a></span></dt><dt><span class="section"><a href="#idm169">Shorewall Configuration on Server</a></span></dt></dl></dd><dt><span class="section"><a href="#idm179">Working Example Using a Bridge</a></span></dt><dd><dl><dt><span class="section"><a href="#idm186">Bridge Configuration</a></span></dt><dt><span class="section"><a href="#idm190">OpenVZ Configuration</a></span></dt><dt><span class="section"><a href="#idm217">Shorewall Configuration on the Host</a></span></dt><dt><span class="section"><a href="#idm239">Shorewall Configuration on Server</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p><a class="ulink" href="http://wiki.openvz.org/" target="_top">Open Virtuoso (OpenVZ)</a>
is an open source kernel-based virtualization solution from
<span class="trademark"><a class="ulink" href="http://www.parallels.com" target="_top">Parallels</a></span>™ (formerly
<span class="trademark">SWSoft</span>™). Virtual servers take the form of
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/PPTP.htm new/shorewall-docs-html-5.2.3.1/PPTP.htm
--- old/shorewall-docs-html-5.2.3/PPTP.htm 2019-02-11 23:51:23.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/PPTP.htm 2019-02-26 19:01:35.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div><div><div class="abstract"><p class="title"><strong>Abstract</strong></p><p>Shorewall easily supports PPTP in a number of
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div><div><div class="abstract"><p class="title"><strong>Abstract</strong></p><p>Shorewall easily supports PPTP in a number of
configurations.</p></div></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span class="section"><a href="#ServerFW">PPTP Server Running on your Firewall</a></span></dt><dd><dl><dt><span class="section"><a href="#Samba">Configuring Samba</a></span></dt><dt><span class="section"><a href="#ConfigPppd">Configuring pppd</a></span></dt><dt><span class="section"><a href="#ConfigPptpd">Configuring pptpd</a></span></dt><dt><span class="section"><a href="#ConfigFw">Configuring Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#Basic">Basic Setup</a></span></dt><dt><span class="section"><a href="#Zones">Remote Users in a Separate Zone</a></span></dt><dt><span class="section"><a href="#Hub">Multiple Remote Networks</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#ServerBehind">PPTP Server Running Behind your Firewall</a></span></dt><dt><span class="section"><a href="#ClientsBehind">PPTP Clients Running Behind your Firewall</a></span></dt><dt><span class="section"><a href="#ClientFW">PPTP Client Running on your Firewall</a></span></dt><dt><span class="section"><a href="#PPTP_ADSL">PPTP Client running on your Firewall with PPTP Server in an ADSL
Modem</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>I have not used PPTP in years and as a consequence, this document is
no longer maintained (any volunteers?).</p><p>As far as I know, the information regarding Shorewall configuration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/PacketHandling.html new/shorewall-docs-html-5.2.3.1/PacketHandling.html
--- old/shorewall-docs-html-5.2.3/PacketHandling.html 2019-02-11 23:51:21.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/PacketHandling.html 2019-02-26 19:01:33.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Incoming">Packets Entering the Firewall from Outside</a></span></dt><dt><span class="section"><a href="#All">All Packets</a></span></dt><dt><span class="section"><a href="#Local">Packets Originating on the Firewall</a></span></dt><dt><span class="section"><a href="#Egress">Packets Leaving the Firewall</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>This article will try to help you understand how packets pass
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Incoming">Packets Entering the Firewall from Outside</a></span></dt><dt><span class="section"><a href="#All">All Packets</a></span></dt><dt><span class="section"><a href="#Local">Packets Originating on the Firewall</a></span></dt><dt><span class="section"><a href="#Egress">Packets Leaving the Firewall</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>This article will try to help you understand how packets pass
through a firewall configured by Shorewall. You may find it useful to have
a copy of the <a class="ulink" href="NetfilterOverview.html" target="_top">Netfilter
Overview</a> handy to refer to.</p><p>The discussion that follows assumes that you are running a current
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/PacketMarking.html new/shorewall-docs-html-5.2.3.1/PacketMarking.html
--- old/shorewall-docs-html-5.2.3/PacketMarking.html 2019-02-11 23:51:21.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/PacketMarking.html 2019-02-26 19:01:33.000000000 +0100
@@ -6,7 +6,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Marks">Packet and Connection Marks</a></span></dt><dt><span class="section"><a href="#Programs">Packet Marking "Programs"</a></span></dt><dt><span class="section"><a href="#Values">Mark and Mask Values</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall-defined Chains in the Mangle Table</a></span></dt><dt><span class="section"><a href="#Examples">An Example</a></span></dt><dt><span class="section"><a href="#Show">Examining the Marking Programs on a Running System</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article includes information that applies to Shorewall version
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Marks">Packet and Connection Marks</a></span></dt><dt><span class="section"><a href="#Programs">Packet Marking "Programs"</a></span></dt><dt><span class="section"><a href="#Values">Mark and Mask Values</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall-defined Chains in the Mangle Table</a></span></dt><dt><span class="section"><a href="#Examples">An Example</a></span></dt><dt><span class="section"><a href="#Show">Examining the Marking Programs on a Running System</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article includes information that applies to Shorewall version
3.2.5 and later. Not all features described here will be available in
earlier releases.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>/etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall
4.6.0. /etc/shorwall/tcrules is still supported but its use is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/PortKnocking.html new/shorewall-docs-html-5.2.3.1/PortKnocking.html
--- old/shorewall-docs-html-5.2.3/PortKnocking.html 2019-02-11 23:51:22.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/PortKnocking.html 2019-02-26 19:01:34.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#What">What is Port Knocking?</a></span></dt><dt><span class="section"><a href="#How">Implementing Port Knocking in Shorewall</a></span></dt><dt><span class="section"><a href="#Limit">Limiting Per-IP Connection Rate</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The techniques described in this article were superseded in
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#What">What is Port Knocking?</a></span></dt><dt><span class="section"><a href="#How">Implementing Port Knocking in Shorewall</a></span></dt><dt><span class="section"><a href="#Limit">Limiting Per-IP Connection Rate</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The techniques described in this article were superseded in
Shorewall 4.5.19 with the introduction of <a class="ulink" href="Events.html" target="_top">Shorewall Events</a>.</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The feature described in this article require '<a class="ulink" href="http://snowman.net/projects/ipt_recent/" target="_top">Recent Match</a>' in
your iptables and kernel. See the output of <span class="command"><strong>shorewall show
capabilities</strong></span> to see if you have that match.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="What"></a>What is Port Knocking?</h2></div></div></div><p>Port knocking is a technique whereby attempting to connect to port A
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ProxyARP.htm new/shorewall-docs-html-5.2.3.1/ProxyARP.htm
--- old/shorewall-docs-html-5.2.3/ProxyARP.htm 2019-02-11 23:51:23.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ProxyARP.htm 2019-02-26 19:01:35.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Overview</a></span></dt><dt><span class="section"><a href="#Example">Example</a></span></dt><dt><span class="section"><a href="#ARP">ARP cache</a></span></dt><dt><span class="section"><a href="#idm113">IPv6 - Proxy NDP</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Overview</h2></div></div></div><p>Proxy ARP (RFC 1027) is a way to make a machine physically located
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Overview</a></span></dt><dt><span class="section"><a href="#Example">Example</a></span></dt><dt><span class="section"><a href="#ARP">ARP cache</a></span></dt><dt><span class="section"><a href="#idm113">IPv6 - Proxy NDP</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Overview</h2></div></div></div><p>Proxy ARP (RFC 1027) is a way to make a machine physically located
on one network appear to be logically part of a different physical network
connected to the same router/firewall. Typically it allows us to hide a
machine with a public IP address on a private network behind a router, and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/QOSExample.html new/shorewall-docs-html-5.2.3.1/QOSExample.html
--- old/shorewall-docs-html-5.2.3/QOSExample.html 2019-02-11 23:51:24.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/QOSExample.html 2019-02-26 19:01:35.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm30">/etc/shorewall/params</a></span></dt><dt><span class="section"><a href="#idm34">/etc/shorewall/init</a></span></dt><dt><span class="section"><a href="#idm38">/etc/shorewall/tcdevices</a></span></dt><dt><span class="section"><a href="#idm42">/etc/shorewall/tcclasses</a></span></dt><dt><span class="section"><a href="#idm46">/etc/shorewall/mangle</a></span></dt><dt><span class="section"><a href="#idm50">/etc/shorewall/tcfilters</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>This configuration was inspired by the one in this thread on the
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm30">/etc/shorewall/params</a></span></dt><dt><span class="section"><a href="#idm34">/etc/shorewall/init</a></span></dt><dt><span class="section"><a href="#idm38">/etc/shorewall/tcdevices</a></span></dt><dt><span class="section"><a href="#idm42">/etc/shorewall/tcclasses</a></span></dt><dt><span class="section"><a href="#idm46">/etc/shorewall/mangle</a></span></dt><dt><span class="section"><a href="#idm50">/etc/shorewall/tcfilters</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>This configuration was inspired by the one in this thread on the
OpenWRT Forum: <a class="ulink" href="https://forum.openwrt.org/viewtopic.php?pid=154533#p154533" target="_top">https://forum.openwrt.org/viewtopic.php?pid=154533#p154533</a>.
The configuration has been adapted to Shorewall 4.5.6 with the following
changes:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>The configuration uses an IFB, yet only uses firewall marks in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ReleaseModel.html new/shorewall-docs-html-5.2.3.1/ReleaseModel.html
--- old/shorewall-docs-html-5.2.3/ReleaseModel.html 2019-02-11 23:51:24.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ReleaseModel.html 2019-02-26 19:01:36.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Releases">Shorewall Releases</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Releases"></a>Shorewall Releases</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Releases have a three-level identification
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Releases">Shorewall Releases</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Releases"></a>Shorewall Releases</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Releases have a three-level identification
<em class="firstterm">x.y.z</em> (e.g., 4.5.0).</p></li><li class="listitem"><p>The first two levels (<span class="emphasis"><em>x.y</em></span>) designate the
<em class="firstterm">major release number</em> (e.g., 4.5).</p></li><li class="listitem"><p>The third level (<span class="emphasis"><em>y</em></span>) designates the
<em class="firstterm">minor release Number</em>.</p></li><li class="listitem"><p>Installing a new minor release involves no migration issues
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/SharedConfig.html new/shorewall-docs-html-5.2.3.1/SharedConfig.html
--- old/shorewall-docs-html-5.2.3/SharedConfig.html 2019-02-11 23:51:25.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/SharedConfig.html 2019-02-26 19:01:37.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm21">Environment</a></span></dt><dt><span class="section"><a href="#idm26">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#idm32">/usr/share/shorewall/shorewallrc</a></span></dt><dt><span class="section"><a href="#idm36">shorewall.conf and shorewall6.conf</a></span></dt><dd><dl><dt><span class="section"><a href="#idm45">shorewall.conf</a></span></dt><dt><span class="section"><a href="#idm49">shorewall6.conf</a></span></dt></dl></dd><dt><span class="section"><a href="#idm53">params</a></span></dt><dt><span class="section"><a href="#idm61">zones</a></span></dt><dt><span class="section"><a href="#idm65">interfaces</a></span></dt><dt><span class="section"><a href="#idm69">hosts</a></span></dt><dt><span class="section"><a href="#idm73">policy</a></span></dt><dt><span class="section"><a href="#idm77">providers</a></span></dt><dt><span class="section"><a href="#idm88">rtrules</a></span></dt><dt><span class="section"><a href="#idm92">routes</a></span></dt><dt><span class="section"><a href="#idm96">actions</a></span></dt><dt><span class="section"><a href="#idm102">Macros</a></span></dt><dt><span class="section"><a href="#idm107">conntrack</a></span></dt><dt><span class="section"><a href="#idm111">rules</a></span></dt><dt><span class="section"><a href="#idm115">mangle</a></span></dt><dt><span class="section"><a href="#idm119">snat</a></span></dt><dt><span class="section"><a href="#idm123">tunnels</a></span></dt><dt><span class="section"><a href="#idm127">proxyarp</a></span></dt><dt><span class="section"><a href="#idm131">isuable</a></span></dt><dt><span class="section"><a href="#idm135">started</a></span></dt></dl></dd></dl></div><div class="section"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Netfilter separates management of IPv4 and IPv6 configurations. Each
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm21">Environment</a></span></dt><dt><span class="section"><a href="#idm26">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#idm32">/usr/share/shorewall/shorewallrc</a></span></dt><dt><span class="section"><a href="#idm36">shorewall.conf and shorewall6.conf</a></span></dt><dd><dl><dt><span class="section"><a href="#idm45">shorewall.conf</a></span></dt><dt><span class="section"><a href="#idm49">shorewall6.conf</a></span></dt></dl></dd><dt><span class="section"><a href="#idm53">params</a></span></dt><dt><span class="section"><a href="#idm61">zones</a></span></dt><dt><span class="section"><a href="#idm65">interfaces</a></span></dt><dt><span class="section"><a href="#idm69">hosts</a></span></dt><dt><span class="section"><a href="#idm73">policy</a></span></dt><dt><span class="section"><a href="#idm77">providers</a></span></dt><dt><span class="section"><a href="#idm88">rtrules</a></span></dt><dt><span class="section"><a href="#idm92">routes</a></span></dt><dt><span class="section"><a href="#idm96">actions</a></span></dt><dt><span class="section"><a href="#idm102">Macros</a></span></dt><dt><span class="section"><a href="#idm107">conntrack</a></span></dt><dt><span class="section"><a href="#idm111">rules</a></span></dt><dt><span class="section"><a href="#idm115">mangle</a></span></dt><dt><span class="section"><a href="#idm119">snat</a></span></dt><dt><span class="section"><a href="#idm123">tunnels</a></span></dt><dt><span class="section"><a href="#idm127">proxyarp</a></span></dt><dt><span class="section"><a href="#idm131">isuable</a></span></dt><dt><span class="section"><a href="#idm135">started</a></span></dt></dl></dd></dl></div><div class="section"><div 
class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Netfilter separates management of IPv4 and IPv6 configurations. Each
address family has its own utility (iptables and ip6tables), and changes
made to the configuration of one address family do not affect the other.
While Shorewall also separates the address families in this way, it is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall-4.html new/shorewall-docs-html-5.2.3.1/Shorewall-4.html
--- old/shorewall-docs-html-5.2.3/Shorewall-4.html 2019-02-11 23:51:25.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall-4.html 2019-02-26 19:01:37.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Install">Shorewall 4.4</a></span></dt><dt><span class="section"><a href="#idm70">Shorewall 4.5/4.6</a></span></dt><dt><span class="section"><a href="#Prereqs">Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Install">Shorewall 4.4</a></span></dt><dt><span class="section"><a href="#idm70">Shorewall 4.5/4.6</a></span></dt><dt><span class="section"><a href="#Prereqs">Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
Perl-based Compiler</a></span></dt><dt><span class="section"><a href="#Incompatibilities">Incompatibilities Introduced in the Shorewall Version 4 Perl-based
Compiler</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall version 4.0 represented a substantial shift in direction
for Shorewall. Up until then</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Shorewall had been written entirely in Bourne Shell.</p></li><li class="listitem"><p>Shorewall had run the <span class="command"><strong>iptables</strong></span> utility to add
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall-5.html new/shorewall-docs-html-5.2.3.1/Shorewall-5.html
--- old/shorewall-docs-html-5.2.3/Shorewall-5.html 2019-02-11 23:51:26.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall-5.html 2019-02-26 19:01:38.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Introduction</a></span></dt><dt><span class="section"><a href="#idm32">Cruft Removal</a></span></dt><dd><dl><dt><span class="section"><a href="#idm35">Scripts Compiled with Shorewall 4.4.7 or Earlier</a></span></dt><dt><span class="section"><a href="#idm38">Workarounds</a></span></dt><dt><span class="section"><a href="#idm47">Removal of Configuration Options</a></span></dt><dt><span class="section"><a href="#idm79">Obsolete Configuration Files</a></span></dt><dt><span class="section"><a href="#idm87">Macro and Action Formats</a></span></dt><dt><span class="section"><a href="#idm145">COMMENT, FORMAT and SECTION Lines</a></span></dt></dl></dd><dt><span class="section"><a href="#idm149">CLI Command Changes</a></span></dt><dd><dl><dt><span class="section"><a href="#idm152">restart</a></span></dt><dt><span class="section"><a href="#idm158">load</a></span></dt><dt><span class="section"><a href="#idm163">reload</a></span></dt><dt><span class="section"><a href="#idm176">refresh</a></span></dt></dl></dd><dt><span class="section"><a href="#idm190">CLI Unification</a></span></dt><dt><span class="section"><a href="#idm214">Upgrading to Shorewall 5</a></span></dt><dd><dl><dt><span class="section"><a href="#idm235">CHAIN_SCRIPTS Removal</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Introduction</h2></div></div></div><p>There are currently three principle groups of changes that
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Introduction</a></span></dt><dt><span class="section"><a href="#idm32">Cruft Removal</a></span></dt><dd><dl><dt><span class="section"><a href="#idm35">Scripts Compiled with Shorewall 4.4.7 or Earlier</a></span></dt><dt><span class="section"><a href="#idm38">Workarounds</a></span></dt><dt><span class="section"><a href="#idm47">Removal of Configuration Options</a></span></dt><dt><span class="section"><a href="#idm79">Obsolete Configuration Files</a></span></dt><dt><span class="section"><a href="#idm87">Macro and Action Formats</a></span></dt><dt><span class="section"><a href="#idm145">COMMENT, FORMAT and SECTION Lines</a></span></dt></dl></dd><dt><span class="section"><a href="#idm149">CLI Command Changes</a></span></dt><dd><dl><dt><span class="section"><a href="#idm152">restart</a></span></dt><dt><span class="section"><a href="#idm158">load</a></span></dt><dt><span class="section"><a href="#idm163">reload</a></span></dt><dt><span class="section"><a href="#idm176">refresh</a></span></dt></dl></dd><dt><span class="section"><a href="#idm190">CLI Unification</a></span></dt><dt><span class="section"><a href="#idm214">Upgrading to Shorewall 5</a></span></dt><dd><dl><dt><span class="section"><a href="#idm235">CHAIN_SCRIPTS Removal</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Introduction</h2></div></div></div><p>There are currently three principle groups of changes that
distinguish Shorewall 5 from Shorewall 4:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Cruft Removal - over the years, as new ways to accomplish
various tasks are added to Shorewall, support for the old way of doing
things has generally been retained but deprecated. Shorewall 5 drops
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall-Lite.html new/shorewall-docs-html-5.2.3.1/Shorewall-Lite.html
--- old/shorewall-docs-html-5.2.3/Shorewall-Lite.html 2019-02-11 23:51:29.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall-Lite.html 2019-02-26 19:01:41.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span class="section"><a href="#idm174">Module Loading</a></span></dt><dt><span class="section"><a href="#Converting">Converting a system from Shorewall to Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span class="section"><a href="#Compile">The "shorewall compile" command</a></span></dt><dt><span class="section"><a href="#Shorecap">The /etc/shorewall/capabilities file and the shorecap
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span class="section"><a href="#idm174">Module Loading</a></span></dt><dt><span class="section"><a href="#Converting">Converting a system from Shorewall to Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span class="section"><a href="#Compile">The "shorewall compile" command</a></span></dt><dt><span class="section"><a href="#Shorecap">The /etc/shorewall/capabilities file and the shorecap
program</a></span></dt><dt><span class="section"><a href="#Running">Running compiled programs directly</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation appropriate for your
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall-init.html new/shorewall-docs-html-5.2.3.1/Shorewall-init.html
--- old/shorewall-docs-html-5.2.3/Shorewall-init.html 2019-02-11 23:51:29.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall-init.html 2019-02-26 19:01:40.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#Close">Closing the Firewall before the Network Interfaces are brought
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#Close">Closing the Firewall before the Network Interfaces are brought
up</a></span></dt><dt><span class="section"><a href="#NM">Integration with NetworkManager and ifup/ifdown Scripts</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>The Shorewall init scripts released from shorewall.net and by most
distributions start Shorewall after networking. This allows Shorewall to
detect the network configuration and taylor itself accordingly. It is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall-perl.html new/shorewall-docs-html-5.2.3.1/Shorewall-perl.html
--- old/shorewall-docs-html-5.2.3/Shorewall-perl.html 2019-02-11 23:51:30.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall-perl.html 2019-02-26 19:01:42.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#What">Shorewall-perl - What is it?</a></span></dt><dt><span class="section"><a href="#DownSide">Shorewall-perl - The down side</a></span></dt><dd><dl><dt><span class="section"><a href="#Incompatibilities">Incompatibilities</a></span></dt><dt><span class="section"><a href="#PerlDep">Dependence on Perl</a></span></dt></dl></dd><dt><span class="section"><a href="#Install">Installing Shorewall Version 4.0 or 4.2</a></span></dt><dt><span class="section"><a href="#CompilerSelection">Compiler Selection (Shorewall 4.0-4.2)</a></span></dt><dt><span class="section"><a href="#Modules">The Shorewall Perl Modules</a></span></dt><dd><dl><dt><span class="section"><a href="#compiler.pl">/usr/share/shorewall/compiler.pl</a></span></dt><dt><span class="section"><a href="#Compiler">Shorewall::Compiler</a></span></dt><dt><span class="section"><a href="#Chains">Shorewall::Chains</a></span></dt><dt><span class="section"><a href="#Config">Shorewall::Config</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="What"></a>Shorewall-perl - What is it?</h2></div></div></div><p>Shorewall-perl was released as a companion product to Shorewall in
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#What">Shorewall-perl - What is it?</a></span></dt><dt><span class="section"><a href="#DownSide">Shorewall-perl - The down side</a></span></dt><dd><dl><dt><span class="section"><a href="#Incompatibilities">Incompatibilities</a></span></dt><dt><span class="section"><a href="#PerlDep">Dependence on Perl</a></span></dt></dl></dd><dt><span class="section"><a href="#Install">Installing Shorewall Version 4.0 or 4.2</a></span></dt><dt><span class="section"><a href="#CompilerSelection">Compiler Selection (Shorewall 4.0-4.2)</a></span></dt><dt><span class="section"><a href="#Modules">The Shorewall Perl Modules</a></span></dt><dd><dl><dt><span class="section"><a href="#compiler.pl">/usr/share/shorewall/compiler.pl</a></span></dt><dt><span class="section"><a href="#Compiler">Shorewall::Compiler</a></span></dt><dt><span class="section"><a href="#Chains">Shorewall::Chains</a></span></dt><dt><span class="section"><a href="#Config">Shorewall::Config</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="What"></a>Shorewall-perl - What is it?</h2></div></div></div><p>Shorewall-perl was released as a companion product to Shorewall in
Shorewall 4.0.0.</p><p>Shorewall-perl contained a re-implementation of the Shorewall
compiler written in Perl. The advantages of using Shorewall-perl over
Shorewall-shell (the shell-based compiler included in earlier Shorewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall_Doesnt.html new/shorewall-docs-html-5.2.3.1/Shorewall_Doesnt.html
--- old/shorewall-docs-html-5.2.3/Shorewall_Doesnt.html 2019-02-11 23:51:27.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall_Doesnt.html 2019-02-26 19:01:39.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Doesnt">Shorewall Does not:</a></span></dt><dt><span class="section"><a href="#Patching">In Addition:</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Doesnt">Shorewall Does not:</a></span></dt><dt><span class="section"><a href="#Patching">In Addition:</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that release</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Doesnt"></a>Shorewall Does not:</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Act as a <span class="quote">“<span class="quote">Personal Firewall</span>”</span> that allows Internet
access control by application. If that's what you are looking for, try
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall_Squid_Usage.html new/shorewall-docs-html-5.2.3.1/Shorewall_Squid_Usage.html
--- old/shorewall-docs-html-5.2.3/Shorewall_Squid_Usage.html 2019-02-11 23:51:32.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall_Squid_Usage.html 2019-02-26 19:01:44.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span class="quote">“<span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a>
- </span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Transparent">Squid as a Transparent (Interception) Proxy</a></span></dt><dd><dl><dt><span class="section"><a href="#Configurations">Configurations</a></span></dt><dd><dl><dt><span class="section"><a href="#Firewall">Squid (transparent) Running on the Firewall</a></span></dt><dt><span class="section"><a href="#Local">Squid (transparent) Running in the local network</a></span></dt><dt><span class="section"><a href="#DMZ">Squid (transparent) Running in the DMZ</a></span></dt><dt><span class="section"><a href="#idm131">Simple Configuration</a></span></dt><dt><span class="section"><a href="#idm136">More Complex configuration</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Manual">Squid as a Manual Proxy</a></span></dt><dt><span class="section"><a href="#TPROXY">Squid3 as a Transparent Proxy with TPROXY</a></span></dt></dl></div><p>This page covers Shorewall configuration to use with <a class="ulink" href="http://www.squid-cache.org" target="_top">Squid</a> running as a Transparent
+ </span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Transparent">Squid as a Transparent (Interception) Proxy</a></span></dt><dd><dl><dt><span class="section"><a href="#Configurations">Configurations</a></span></dt><dd><dl><dt><span class="section"><a href="#Firewall">Squid (transparent) Running on the Firewall</a></span></dt><dt><span class="section"><a href="#Local">Squid (transparent) Running in the local network</a></span></dt><dt><span class="section"><a href="#DMZ">Squid (transparent) Running in the DMZ</a></span></dt><dt><span class="section"><a href="#idm131">Simple Configuration</a></span></dt><dt><span class="section"><a href="#idm136">More Complex configuration</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Manual">Squid as a Manual Proxy</a></span></dt><dt><span class="section"><a href="#TPROXY">Squid3 as a Transparent Proxy with TPROXY</a></span></dt></dl></div><p>This page covers Shorewall configuration to use with <a class="ulink" href="http://www.squid-cache.org" target="_top">Squid</a> running as a Transparent
Proxy or as a Manual Proxy.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall_and_Aliased_Interfaces.html new/shorewall-docs-html-5.2.3.1/Shorewall_and_Aliased_Interfaces.html
--- old/shorewall-docs-html-5.2.3/Shorewall_and_Aliased_Interfaces.html 2019-02-11 23:51:26.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall_and_Aliased_Interfaces.html 2019-02-26 19:01:38.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Adding">Adding Addresses to Interfaces</a></span></dt><dt><span class="section"><a href="#How">So how do I handle more than one address on an interface?</a></span></dt><dd><dl><dt><span class="section"><a href="#Rules">Separate Rules</a></span></dt><dt><span class="section"><a href="#DNAT">DNAT</a></span></dt><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#NAT">One-to-one NAT</a></span></dt><dt><span class="section"><a href="#Subnets">MULTIPLE SUBNETS</a></span></dt><dt><span class="section"><a href="#idm172">Defining a Zone-per-Address</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Adding">Adding Addresses to Interfaces</a></span></dt><dt><span class="section"><a href="#How">So how do I handle more than one address on an interface?</a></span></dt><dd><dl><dt><span class="section"><a href="#Rules">Separate Rules</a></span></dt><dt><span class="section"><a href="#DNAT">DNAT</a></span></dt><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#NAT">One-to-one NAT</a></span></dt><dt><span class="section"><a href="#Subnets">MULTIPLE SUBNETS</a></span></dt><dt><span class="section"><a href="#idm172">Defining a Zone-per-Address</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Background"></a>Background</h2></div></div></div><p>The traditional net-tools contain a program called
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall_and_Kazaa.html new/shorewall-docs-html-5.2.3.1/Shorewall_and_Kazaa.html
--- old/shorewall-docs-html-5.2.3/Shorewall_and_Kazaa.html 2019-02-11 23:51:27.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall_and_Kazaa.html 2019-02-26 19:01:38.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><p>Beginning with Shorewall version 1.4.8, Shorewall can interface to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Shorewall_and_Routing.html new/shorewall-docs-html-5.2.3.1/Shorewall_and_Routing.html
--- old/shorewall-docs-html-5.2.3/Shorewall_and_Routing.html 2019-02-11 23:51:27.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Shorewall_and_Routing.html 2019-02-26 19:01:39.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Routing">Routing vs. Firewalling.</a></span></dt><dt><span class="section"><a href="#Netfilter">Routing and Netfilter</a></span></dt><dd><dl><dt><span class="section"><a href="#Ingress">Packets Entering the Firewall from Outside</a></span></dt><dt><span class="section"><a href="#Local">Packets Originating on the Firewall</a></span></dt></dl></dd><dt><span class="section"><a href="#RoutingTables">Alternate Routing Table Configuration</a></span></dt><dt><span class="section"><a href="#ProxyArp">Routing and Proxy ARP</a></span></dt><dt><span class="section"><a href="#MultiISP">Multiple Internet Connection Support in Shorewall 2.4.2 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Routing">Routing vs. Firewalling.</a></span></dt><dt><span class="section"><a href="#Netfilter">Routing and Netfilter</a></span></dt><dd><dl><dt><span class="section"><a href="#Ingress">Packets Entering the Firewall from Outside</a></span></dt><dt><span class="section"><a href="#Local">Packets Originating on the Firewall</a></span></dt></dl></dd><dt><span class="section"><a href="#RoutingTables">Alternate Routing Table Configuration</a></span></dt><dt><span class="section"><a href="#ProxyArp">Routing and Proxy ARP</a></span></dt><dt><span class="section"><a href="#MultiISP">Multiple Internet Connection Support in Shorewall 2.4.2 and
Later</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Routing"></a>Routing vs. Firewalling.</h2></div></div></div><p>One of the most misunderstood aspects of Shorewall is its
relationship with routing. This article attempts to clear some of the fog
that surrounds this issue.</p><p>As a general principle:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Routing determines where packets are to be sent.</p></li><li class="listitem"><p>Once routing determines where the packet is to go, the firewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/SimpleBridge.html new/shorewall-docs-html-5.2.3.1/SimpleBridge.html
--- old/shorewall-docs-html-5.2.3/SimpleBridge.html 2019-02-11 23:51:33.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/SimpleBridge.html 2019-02-26 19:01:44.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Application">Application</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Background"></a>Background</h2></div></div></div><p>Systems where Shorewall runs normally function as
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Application">Application</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Background"></a>Background</h2></div></div></div><p>Systems where Shorewall runs normally function as
<em class="firstterm">routers</em>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/SplitDNS.html new/shorewall-docs-html-5.2.3.1/SplitDNS.html
--- old/shorewall-docs-html-5.2.3/SplitDNS.html 2019-02-11 23:51:33.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/SplitDNS.html 2019-02-26 19:01:45.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">What is Split DNS</a></span></dt><dt><span class="section"><a href="#idm20">Why would I want to use Split DNS?</a></span></dt><dt><span class="section"><a href="#idm24">Setting up Split DNS</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>What is Split DNS</h2></div></div></div><p><em class="firstterm">Split DNS</em> is simply a configuration in which
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">What is Split DNS</a></span></dt><dt><span class="section"><a href="#idm20">Why would I want to use Split DNS?</a></span></dt><dt><span class="section"><a href="#idm24">Setting up Split DNS</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>What is Split DNS</h2></div></div></div><p><em class="firstterm">Split DNS</em> is simply a configuration in which
the IP address to which a DNS name resolves is dependent on the location
of the client. It is most often used in a NAT environment to insure that
local clients resolve the DNS names of local servers to their RFC 1918
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/UPnP.html new/shorewall-docs-html-5.2.3.1/UPnP.html
--- old/shorewall-docs-html-5.2.3/UPnP.html 2019-02-11 23:51:42.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/UPnP.html 2019-02-26 19:01:53.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#UPnP">UPnP</a></span></dt><dt><span class="section"><a href="#linux-igd">linux-igd Configuration</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall Configuration</a></span></dt><dt><span class="section"><a href="#idm62">Shorewall on a UPnP Client</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="UPnP"></a>UPnP</h2></div></div></div><p>Shorewall includes support for UPnP (Universal Plug and Play) using
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#UPnP">UPnP</a></span></dt><dt><span class="section"><a href="#linux-igd">linux-igd Configuration</a></span></dt><dt><span class="section"><a href="#Shorewall">Shorewall Configuration</a></span></dt><dt><span class="section"><a href="#idm62">Shorewall on a UPnP Client</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="UPnP"></a>UPnP</h2></div></div></div><p>Shorewall includes support for UPnP (Universal Plug and Play) using
linux-igd (<a class="ulink" href="http://linux-igd.sourceforge.net" target="_top">http://linux-igd.sourceforge.net</a>).
UPnP is required by a number of popular applications including MSN
IM.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>From a security architecture viewpoint, UPnP is a disaster. It
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Universal.html new/shorewall-docs-html-5.2.3.1/Universal.html
--- old/shorewall-docs-html-5.2.3/Universal.html 2019-02-11 23:51:41.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Universal.html 2019-02-26 19:01:53.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#idm20">What the Universal Configuration does</a></span></dt><dt><span class="section"><a href="#idm36">How to Install it</a></span></dt><dt><span class="section"><a href="#idm53">How to Start the firewall</a></span></dt><dt><span class="section"><a href="#idm69">Now that it is running, ...</a></span></dt><dd><dl><dt><span class="section"><a href="#idm71">How do I stop the firewall?</a></span></dt><dt><span class="section"><a href="#idm78">How do I prevent it from responding to ping?</a></span></dt><dt><span class="section"><a href="#idm88">How do I allow other kinds of incoming connections?</a></span></dt><dt><span class="section"><a href="#idm119">How do I make the firewall log a message when it disallows an
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#idm20">What the Universal Configuration does</a></span></dt><dt><span class="section"><a href="#idm36">How to Install it</a></span></dt><dt><span class="section"><a href="#idm53">How to Start the firewall</a></span></dt><dt><span class="section"><a href="#idm69">Now that it is running, ...</a></span></dt><dd><dl><dt><span class="section"><a href="#idm71">How do I stop the firewall?</a></span></dt><dt><span class="section"><a href="#idm78">How do I prevent it from responding to ping?</a></span></dt><dt><span class="section"><a href="#idm88">How do I allow other kinds of incoming connections?</a></span></dt><dt><span class="section"><a href="#idm119">How do I make the firewall log a message when it disallows an
incoming connection?</a></span></dt><dt><span class="section"><a href="#idm165">How do I prevent the firewall from forwarding connection
requests?</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Configuring Shorewall</h2></div></div></div><p>Once you have installed the Shorewall software, you must configure
it. The easiest way to do that is to use one of Shorewall's
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/VPN.htm new/shorewall-docs-html-5.2.3.1/VPN.htm
--- old/shorewall-docs-html-5.2.3/VPN.htm 2019-02-11 23:51:43.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/VPN.htm 2019-02-26 19:01:55.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#vpn">Virtual Private Networking (VPN)</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="vpn"></a>Virtual Private Networking (VPN)</h2></div></div></div><p>It is often the case that a system behind the firewall needs to be
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#vpn">Virtual Private Networking (VPN)</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="vpn"></a>Virtual Private Networking (VPN)</h2></div></div></div><p>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPsec and PPTP. The basic
setup is shown in the following diagram:</p><div><img src="images/VPN.png" /></div><p>A system with an RFC 1918 address needs to access a remote network
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/VPNBasics.html new/shorewall-docs-html-5.2.3.1/VPNBasics.html
--- old/shorewall-docs-html-5.2.3/VPNBasics.html 2019-02-11 23:51:42.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/VPNBasics.html 2019-02-26 19:01:54.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Taxonomy">Gateway-to-gateway traffic vs. Host-to-host traffic.</a></span></dt><dt><span class="section"><a href="#Netfilter">Relationship to Netfilter</a></span></dt><dt><span class="section"><a href="#Shorewall">What does this mean with Shorewall?</a></span></dt><dt><span class="section"><a href="#Zones">Defining Remote Zones</a></span></dt><dt><span class="section"><a href="#Traffic">Allowing Traffic</a></span></dt><dt><span class="section"><a href="#Policies">Different Firewall Policies for Different Remote Systems</a></span></dt><dt><span class="section"><a href="#tunnels">Eliminating the /etc/shorewall/tunnels file</a></span></dt><dd><dl><dt><span class="section"><a href="#IPSEC">IPSEC</a></span></dt><dt><span class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span class="section"><a href="#OpenVPN">OpenVPN</a></span></dt></dl></dd><dt><span class="section"><a href="#idm199">Links to Other VPN Articles at shorewall.net</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Taxonomy"></a>Gateway-to-gateway traffic vs. Host-to-host traffic.</h2></div></div></div><p>The purpose of a <em class="firstterm">Virtual Private Network</em>
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Taxonomy">Gateway-to-gateway traffic vs. Host-to-host traffic.</a></span></dt><dt><span class="section"><a href="#Netfilter">Relationship to Netfilter</a></span></dt><dt><span class="section"><a href="#Shorewall">What does this mean with Shorewall?</a></span></dt><dt><span class="section"><a href="#Zones">Defining Remote Zones</a></span></dt><dt><span class="section"><a href="#Traffic">Allowing Traffic</a></span></dt><dt><span class="section"><a href="#Policies">Different Firewall Policies for Different Remote Systems</a></span></dt><dt><span class="section"><a href="#tunnels">Eliminating the /etc/shorewall/tunnels file</a></span></dt><dd><dl><dt><span class="section"><a href="#IPSEC">IPSEC</a></span></dt><dt><span class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span class="section"><a href="#OpenVPN">OpenVPN</a></span></dt></dl></dd><dt><span class="section"><a href="#idm199">Links to Other VPN Articles at shorewall.net</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Taxonomy"></a>Gateway-to-gateway traffic vs. Host-to-host traffic.</h2></div></div></div><p>The purpose of a <em class="firstterm">Virtual Private Network</em>
(VPN) is to provide for secure communication between a set of hosts.
Communication between a pair of hosts connected by a VPN occurs in
stages:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p><span class="bold"><strong>Local-host-to-local-gateway</strong></span>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/Vserver.html new/shorewall-docs-html-5.2.3.1/Vserver.html
--- old/shorewall-docs-html-5.2.3/Vserver.html 2019-02-11 23:51:43.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/Vserver.html 2019-02-26 19:01:55.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm46">Vserver Zones</a></span></dt><dt><span class="section"><a href="#NDP">Sharing an IPv6 /64 between Vservers and a LAN</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Formal support for Linux-vserver was added in Shorewall 4.4.11
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16">Introduction</a></span></dt><dt><span class="section"><a href="#idm46">Vserver Zones</a></span></dt><dt><span class="section"><a href="#NDP">Sharing an IPv6 /64 between Vservers and a LAN</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>Formal support for Linux-vserver was added in Shorewall 4.4.11
Beta2. The centerpiece of that support is the
<em class="firstterm">vserver</em> zone type. Vserver zones have the following
characteristics:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>They are defined on the Linux-vserver host.</p></li><li class="listitem"><p>The $FW zone is their implicit parent.</p></li><li class="listitem"><p>Their contents must be defined using the <a class="ulink" href="manpages/shorewall-hosts.html" target="_top">shorewall-hosts </a>(5) file.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/XenMyWay-Routed.html new/shorewall-docs-html-5.2.3.1/XenMyWay-Routed.html
--- old/shorewall-docs-html-5.2.3/XenMyWay-Routed.html 2019-02-11 23:51:44.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/XenMyWay-Routed.html 2019-02-26 19:01:56.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Before">Before Xen</a></span></dt><dt><span class="section"><a href="#After">After Xen</a></span></dt><dd><dl><dt><span class="section"><a href="#Domains">Domain Configuration</a></span></dt><dt><span class="section"><a href="#Firewall">Dom0 Shorewall Configuration</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 4.0 and later. If you are running
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Before">Before Xen</a></span></dt><dt><span class="section"><a href="#After">After Xen</a></span></dt><dd><dl><dt><span class="section"><a href="#Domains">Domain Configuration</a></span></dt><dt><span class="section"><a href="#Firewall">Dom0 Shorewall Configuration</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 4.0 and later. If you are running
a version of Shorewall earlier than Shorewall 4.0.0 then please see the
documentation for that release.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Before"></a>Before Xen</h2></div></div></div><p>Prior to adopting Xen, I had a home office crowded with 5 systems,
three monitors a scanner and a printer. The systems were:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Firewall</p></li><li class="listitem"><p>Public Server in a DMZ (mail)</p></li><li class="listitem"><p>Private Server (wookie)</p></li><li class="listitem"><p>My personal Linux Desktop (ursa)</p></li><li class="listitem"><p>My work system (docked laptop running Windows XP).</p></li></ol></div><p>The result was a very crowded and noisy room.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="After"></a>After Xen</h2></div></div></div><p>Xen has allowed me to reduce the noise and clutter considerably. I
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/XenMyWay.html new/shorewall-docs-html-5.2.3.1/XenMyWay.html
--- old/shorewall-docs-html-5.2.3/XenMyWay.html 2019-02-11 23:51:44.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/XenMyWay.html 2019-02-26 19:01:56.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Xen Network Environment</a></span></dt><dt><span class="section"><a href="#Before">Before Xen</a></span></dt><dt><span class="section"><a href="#After">After Xen</a></span></dt><dd><dl><dt><span class="section"><a href="#Domains">Domain Configuration</a></span></dt><dt><span class="section"><a href="#Dom0">Dom0 Configuration</a></span></dt><dt><span class="section"><a href="#Firewall">Firewall DomU Configuration</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 3.0 and later. If you are running
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Xen Network Environment</a></span></dt><dt><span class="section"><a href="#Before">Before Xen</a></span></dt><dt><span class="section"><a href="#After">After Xen</a></span></dt><dd><dl><dt><span class="section"><a href="#Domains">Domain Configuration</a></span></dt><dt><span class="section"><a href="#Dom0">Dom0 Configuration</a></span></dt><dt><span class="section"><a href="#Firewall">Firewall DomU Configuration</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 3.0 and later. If you are running
a version of Shorewall earlier than Shorewall 3.0.0 then please see the
documentation for that release.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Xen Network Environment</h2></div></div></div><p><a class="ulink" href="http://www.cl.cam.ac.uk/Research/SRG/netos/xen/" target="_top">Xen</a> is a
<em class="firstterm">paravirtualization</em> tool that allows you to run
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/blacklisting_support.htm new/shorewall-docs-html-5.2.3.1/blacklisting_support.htm
--- old/shorewall-docs-html-5.2.3/blacklisting_support.htm 2019-02-11 23:50:59.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/blacklisting_support.htm 2019-02-26 19:01:11.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#idm33">Rule-based Blacklisting</a></span></dt><dt><span class="section"><a href="#idm43">Chain-based Dynamic Blacklisting</a></span></dt><dt><span class="section"><a href="#idm79">Ipset-based Dynamic Blacklisting</a></span></dt><dt><span class="section"><a href="#idm133">BLACKLIST Policy and Action</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#idm33">Rule-based Blacklisting</a></span></dt><dt><span class="section"><a href="#idm43">Chain-based Dynamic Blacklisting</a></span></dt><dt><span class="section"><a href="#idm79">Ipset-based Dynamic Blacklisting</a></span></dt><dt><span class="section"><a href="#idm133">BLACKLIST Policy and Action</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall supports two different types of blacklisting; rule-based,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/blacklisting_support_ru.html new/shorewall-docs-html-5.2.3.1/blacklisting_support_ru.html
--- old/shorewall-docs-html-5.2.3/blacklisting_support_ru.html 2019-02-11 23:50:58.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/blacklisting_support_ru.html 2019-02-26 19:01:11.000000000 +0100
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Чёрные списки в Shorewall</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Чёрные списки в Shorewall</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2002-2006 Thomas M. Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation: Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. 
Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Введение</a></span></dt><dt><span class="section"><a href="#Static">Статические чёрные списки</a></span></dt><dt><span class="section"><a href="#Dynamic">Динамические чёрные списки</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Введение</h2></div></div></div><p>В Shorewall предусмотрены два вида чёрных списков, статические и динамические. Опция BLACKLISTNEWONLY в файле /etc/shorewall/shorewall.conf задаёт параметры фильтрации согласно этим спискам:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>BLACKLISTNEWONLY=No -- проверка осуществляется для всех входящих пакетов. Новые записи в чёрном списке позволяют прервать уже существующие соединения.</p></li><li class="listitem"><p>BLACKLISTNEWONLY=Yes -- проверка осуществляется только для новых запросов на установление соединения. Записи в чёрном списке не влияют на уже существующие соединения. На соответствие чёрному списку проверяется только адрес источника.</p></li></ol></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>На соответствие чёрному списку проверяется только адрес источника </strong></span>. 
Чёрные списки закрывают доступ только хостам, перечисленным в списке, но не закрывают доступ к самим этим хостам.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>Динамические чёрные списки в Shorewall непригодны для случаев, когда список содержит тысячи адресов. Статические списки могут работать с большим числом адресов, но только при использовании наборов IP (ipset)</strong></span>. Без ipset большие чёрные списки будут загружаться слишком долго и заметно снизят производительность файрвола.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Static"></a>Статические чёрные списки</h2></div></div></div><p>Далее описаны параметры конфигурации статических чёрных списков в Shorewall:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Пакеты с хостов из чёрного списка будут отбрасываться без уведомления (drop) или с уведомлением (reject), согласно параметру BLACKLIST_DISPOSITION из файла <a class="ulink" href="manpages/shorewall.conf.html" target="_top"><code class="filename">/etc/shorewall/shorewall.conf</code>.</a></p></li><li class="listitem"><p>Пакеты с хостов из чёрного списка будут заноситься в протокол с заданным уровнем syslog согласно параметру BLACKLIST_LOGLEVEL из файла <a class="ulink" href="manpages/shorewall.conf.html" target="_top"><code class="filename">/etc/shorewall/shorewall.conf</code></a>.</p></li><li class="listitem"><p>IP-адреса или подсети, которые требуется занести в чёрный список, указываются в файле <a class="ulink" href="manpages/shorewall-blacklist.html" target="_top"><code class="filename">/etc/shorewall/blacklist</code></a>. 
В этом файле можно также указать имена протоколов, номера портов или имена служб.</p></li><li class="listitem"><p>Интерфейсы, для которых входящие пакеты проверяются на соответствие чёрному списку, задаются с помощью опции <span class="quote">“<span class="quote">blacklist</span>”</span> в файле <a class="ulink" href="manpages/shorewall-interfaces.html" target="_top"><code class="filename">/etc/shorewall/interfaces</code></a>.</p></li><li class="listitem"><p>Чёрный список из файла <code class="filename">/etc/shorewall/blacklist</code> можно обновить командой <span class="quote">“<span class="quote"><a class="ulink" href="starting_and_stopping_shorewall.htm" target="_top"><span class="command"><strong>shorewall refresh</strong></span></a></span>”</span>.</p></li></ul></div><p>При наличии большого статического чёрного списка можно включить опцию DELAYBLACKLISTLOAD в файле shorewall.conf (начиная с Shorewall версии 2.2.0). Если DELAYBLACKLISTLOAD=Yes, то Shorewall будет загружать правила чёрного списка после установления соединений. Хотя при этом соединения с хостов из чёрного списка могут осуществляться в течение времени создания списка, эта опция позволяет существенно снизить время запрета соединений в ходе выполнения команд "shorewall [re]start".</p><p>Для определения статического чёрного списка в Shorewall начиная с версии 2.4.0 поддерживаются наборы IP, или <a class="ulink" href="ipsets.html" target="_top">ipsets</a>. Пример:</p><pre class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Чёрные списки в Shorewall</title><link rel="stylesheet" type="text/css" href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Чёрные списки в Shorewall</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2002-2006 Thomas M. Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation: Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. 
Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Введение</a></span></dt><dt><span class="section"><a href="#Static">Статические чёрные списки</a></span></dt><dt><span class="section"><a href="#Dynamic">Динамические чёрные списки</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Введение</h2></div></div></div><p>В Shorewall предусмотрены два вида чёрных списков, статические и динамические. Опция BLACKLISTNEWONLY в файле /etc/shorewall/shorewall.conf задаёт параметры фильтрации согласно этим спискам:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>BLACKLISTNEWONLY=No -- проверка осуществляется для всех входящих пакетов. Новые записи в чёрном списке позволяют прервать уже существующие соединения.</p></li><li class="listitem"><p>BLACKLISTNEWONLY=Yes -- проверка осуществляется только для новых запросов на установление соединения. Записи в чёрном списке не влияют на уже существующие соединения. На соответствие чёрному списку проверяется только адрес источника.</p></li></ol></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>На соответствие чёрному списку проверяется только адрес источника </strong></span>. 
Чёрные списки закрывают доступ только хостам, перечисленным в списке, но не закрывают доступ к самим этим хостам.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>Динамические чёрные списки в Shorewall непригодны для случаев, когда список содержит тысячи адресов. Статические списки могут работать с большим числом адресов, но только при использовании наборов IP (ipset)</strong></span>. Без ipset большие чёрные списки будут загружаться слишком долго и заметно снизят производительность файрвола.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Static"></a>Статические чёрные списки</h2></div></div></div><p>Далее описаны параметры конфигурации статических чёрных списков в Shorewall:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Пакеты с хостов из чёрного списка будут отбрасываться без уведомления (drop) или с уведомлением (reject), согласно параметру BLACKLIST_DISPOSITION из файла <a class="ulink" href="manpages/shorewall.conf.html" target="_top"><code class="filename">/etc/shorewall/shorewall.conf</code>.</a></p></li><li class="listitem"><p>Пакеты с хостов из чёрного списка будут заноситься в протокол с заданным уровнем syslog согласно параметру BLACKLIST_LOGLEVEL из файла <a class="ulink" href="manpages/shorewall.conf.html" target="_top"><code class="filename">/etc/shorewall/shorewall.conf</code></a>.</p></li><li class="listitem"><p>IP-адреса или подсети, которые требуется занести в чёрный список, указываются в файле <a class="ulink" href="manpages/shorewall-blacklist.html" target="_top"><code class="filename">/etc/shorewall/blacklist</code></a>. 
В этом файле можно также указать имена протоколов, номера портов или имена служб.</p></li><li class="listitem"><p>Интерфейсы, для которых входящие пакеты проверяются на соответствие чёрному списку, задаются с помощью опции <span class="quote">“<span class="quote">blacklist</span>”</span> в файле <a class="ulink" href="manpages/shorewall-interfaces.html" target="_top"><code class="filename">/etc/shorewall/interfaces</code></a>.</p></li><li class="listitem"><p>Чёрный список из файла <code class="filename">/etc/shorewall/blacklist</code> можно обновить командой <span class="quote">“<span class="quote"><a class="ulink" href="starting_and_stopping_shorewall.htm" target="_top"><span class="command"><strong>shorewall refresh</strong></span></a></span>”</span>.</p></li></ul></div><p>При наличии большого статического чёрного списка можно включить опцию DELAYBLACKLISTLOAD в файле shorewall.conf (начиная с Shorewall версии 2.2.0). Если DELAYBLACKLISTLOAD=Yes, то Shorewall будет загружать правила чёрного списка после установления соединений. Хотя при этом соединения с хостов из чёрного списка могут осуществляться в течение времени создания списка, эта опция позволяет существенно снизить время запрета соединений в ходе выполнения команд "shorewall [re]start".</p><p>Для определения статического чёрного списка в Shorewall начиная с версии 2.4.0 поддерживаются наборы IP, или <a class="ulink" href="ipsets.html" target="_top">ipsets</a>. Пример:</p><pre class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/bridge-Shorewall-perl.html new/shorewall-docs-html-5.2.3.1/bridge-Shorewall-perl.html
--- old/shorewall-docs-html-5.2.3/bridge-Shorewall-perl.html 2019-02-11 23:51:00.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/bridge-Shorewall-perl.html 2019-02-26 19:01:12.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Requirements">Requirements</a></span></dt><dt><span class="section"><a href="#Application">Application</a></span></dt><dt><span class="section"><a href="#Bridge">Configuring the Bridge</a></span></dt><dt><span class="section"><a href="#Shorewall">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#Multiple">Multiple Bridges with Wildcard Ports</a></span></dt><dt><span class="section"><a href="#bridge-router">Combination Router/Bridge</a></span></dt><dt><span class="section"><a href="#veth">Using Back-to-back veth Devices to Interface with a Bridge</a></span></dt><dt><span class="section"><a href="#Limitations">Limitations</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dt><span class="section"><a href="#Requirements">Requirements</a></span></dt><dt><span class="section"><a href="#Application">Application</a></span></dt><dt><span class="section"><a href="#Bridge">Configuring the Bridge</a></span></dt><dt><span class="section"><a href="#Shorewall">Configuring Shorewall</a></span></dt><dt><span class="section"><a href="#Multiple">Multiple Bridges with Wildcard Ports</a></span></dt><dt><span class="section"><a href="#bridge-router">Combination Router/Bridge</a></span></dt><dt><span class="section"><a href="#veth">Using Back-to-back veth Devices to Interface with a Bridge</a></span></dt><dt><span class="section"><a href="#Limitations">Limitations</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
later.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Background"></a>Background</h2></div></div></div><p>Systems where Shorewall runs normally function as
<em class="firstterm">routers</em>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/bridge_fr.html new/shorewall-docs-html-5.2.3.1/bridge_fr.html
--- old/shorewall-docs-html-5.2.3/bridge_fr.html 2019-02-11 23:50:59.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/bridge_fr.html 2019-02-26 19:01:12.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm34">Contexte</a></span></dt><dt><span class="section"><a href="#idm47">Pré-requis système</a></span></dt><dt><span class="section"><a href="#idm72">Application</a></span></dt><dt><span class="section"><a href="#idm92">Configuration du pont</a></span></dt><dt><span class="section"><a href="#idm151">Configuration de Shorewall</a></span></dt><dt><span class="section"><a href="#bridge-router">Combinaison Pont/Routeur</a></span></dt><dt><span class="section"><a href="#idm196">Limites</a></span></dt><dt><span class="section"><a href="#idm200">Liens</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Si vous
+ License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm34">Contexte</a></span></dt><dt><span class="section"><a href="#idm47">Pré-requis système</a></span></dt><dt><span class="section"><a href="#idm72">Application</a></span></dt><dt><span class="section"><a href="#idm92">Configuration du pont</a></span></dt><dt><span class="section"><a href="#idm151">Configuration de Shorewall</a></span></dt><dt><span class="section"><a href="#bridge-router">Combinaison Pont/Routeur</a></span></dt><dt><span class="section"><a href="#idm196">Limites</a></span></dt><dt><span class="section"><a href="#idm200">Liens</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Si vous
trouvez des erreurs ou si vous avez des améliorations à apporter à cette
documentation vous pouvez <a class="ulink" href="mailto:guy@posteurs.com" target="_top">me
contacter</a>.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Attention</h3><p><span class="bold"><strong>Cet article s'applique à Shorewall 3.0 et à
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/configuration_file_basics.htm new/shorewall-docs-html-5.2.3.1/configuration_file_basics.htm
--- old/shorewall-docs-html-5.2.3/configuration_file_basics.htm 2019-02-11 23:51:01.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/configuration_file_basics.htm 2019-02-26 19:01:14.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm22">Introduction</a></span></dt><dt><span class="section"><a href="#Files">Files</a></span></dt><dt><span class="section"><a href="#Manpages">Man Pages</a></span></dt><dt><span class="section"><a href="#Comments">Comments</a></span></dt><dt><span class="section"><a href="#Names">Names</a></span></dt><dt><span class="section"><a href="#idm205">Zone and Chain Names</a></span></dt><dt><span class="section"><a href="#capabilities">Capabilities</a></span></dt><dt><span class="section"><a href="#BlankColumn">"Blank" Columns</a></span></dt><dt><span class="section"><a href="#Continuation">Line Continuation</a></span></dt><dt><span class="section"><a href="#Pairs">Alternate Specification of Column Values - Shorewall 4.4.24 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm22">Introduction</a></span></dt><dt><span class="section"><a href="#Files">Files</a></span></dt><dt><span class="section"><a href="#Manpages">Man Pages</a></span></dt><dt><span class="section"><a href="#Comments">Comments</a></span></dt><dt><span class="section"><a href="#Names">Names</a></span></dt><dt><span class="section"><a href="#idm205">Zone and Chain Names</a></span></dt><dt><span class="section"><a href="#capabilities">Capabilities</a></span></dt><dt><span class="section"><a href="#BlankColumn">"Blank" Columns</a></span></dt><dt><span class="section"><a href="#Continuation">Line Continuation</a></span></dt><dt><span class="section"><a href="#Pairs">Alternate Specification of Column Values - Shorewall 4.4.24 and
Later</a></span></dt><dt><span class="section"><a href="#idm401">Using Netfilter Features not Directly Supported by
Shorewall</a></span></dt><dt><span class="section"><a href="#idm429">Addresses</a></span></dt><dt><span class="section"><a href="#SOURCE-DEST">Specifying SOURCE and DEST</a></span></dt><dt><span class="section"><a href="#INCLUDE">INCLUDE Directive</a></span></dt><dt><span class="section"><a href="#idm585">?FORMAT Directive</a></span></dt><dt><span class="section"><a href="#idm617">?COMMENT Directive</a></span></dt><dt><span class="section"><a href="#CONFIG_PATH">CONFIG_PATH</a></span></dt><dt><span class="section"><a href="#Variables">Using Shell Variables</a></span></dt><dt><span class="section"><a href="#AddressVariables">Address Variables</a></span></dt><dt><span class="section"><a href="#Port_Variables">Port Variables</a></span></dt><dt><span class="section"><a href="#ActionVariables">Action Variables</a></span></dt><dt><span class="section"><a href="#ShorewallVariables">Shorewall Variables</a></span></dt><dt><span class="section"><a href="#Conditional">Conditional Entries</a></span></dt><dt><span class="section"><a href="#Embedded">Embedded Shell and Perl</a></span></dt><dt><span class="section"><a href="#dnsnames">Using DNS Names</a></span></dt><dt><span class="section"><a href="#Lists">Comma-separated Lists</a></span></dt><dt><span class="section"><a href="#Compliment">Complementing an Address, Subnet, Protocol or Port List</a></span></dt><dt><span class="section"><a href="#Exclusion">Exclusion Lists</a></span></dt><dt><span class="section"><a href="#IPRanges">IP Address Ranges</a></span></dt><dt><span class="section"><a href="#Ports">Protocol Number/Names and Port Numbers/Service Names</a></span></dt><dt><span class="section"><a href="#Ranges">Port Ranges</a></span></dt><dt><span class="section"><a href="#Portlists">Port Lists</a></span></dt><dt><span class="section"><a href="#ICMP">ICMP and ICMP6 Types and Codes</a></span></dt><dt><span class="section"><a href="#MAC">Using MAC Addresses</a></span></dt><dt><span class="section"><a href="#RateLimit">Rate 
Limiting (Rate and Burst)</a></span></dt><dt><span class="section"><a href="#TIME">TIME Columns</a></span></dt><dt><span class="section"><a href="#Switches">Switches</a></span></dt><dt><span class="section"><a href="#Logical">Logical Interface Names</a></span></dt><dt><span class="section"><a href="#idm1549">Optional and Required Interfaces</a></span></dt><dt><span class="section"><a href="#Levels">Shorewall Configurations</a></span></dt><dt><span class="section"><a href="#Save">Saved Configurations</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 5.0 and
later. If you are running a version of Shorewall earlier than Shorewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/dhcp.htm new/shorewall-docs-html-5.2.3.1/dhcp.htm
--- old/shorewall-docs-html-5.2.3/dhcp.htm 2019-02-11 23:51:02.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/dhcp.htm 2019-02-26 19:01:14.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Firewall">If you want to Run a DHCP Server on your firewall</a></span></dt><dt><span class="section"><a href="#Client">If a Firewall Interface gets its IP Address via DHCP</a></span></dt><dt><span class="section"><a href="#Bridge">If you wish to pass DHCP requests and responses through a
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Firewall">If you want to Run a DHCP Server on your firewall</a></span></dt><dt><span class="section"><a href="#Client">If a Firewall Interface gets its IP Address via DHCP</a></span></dt><dt><span class="section"><a href="#Bridge">If you wish to pass DHCP requests and responses through a
bridge</a></span></dt><dt><span class="section"><a href="#Relay">Running dhcrelay on the firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>For most operations, DHCP software interfaces to the Linux IP stack
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <span class="quote">“<span class="quote">dhcp</span>”</span>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/fallback.htm new/shorewall-docs-html-5.2.3.1/fallback.htm
--- old/shorewall-docs-html-5.2.3/fallback.htm 2019-02-11 23:51:04.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/fallback.htm 2019-02-26 19:01:17.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Tarball">Falling Back to the Previous Version of Shorewall using the
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Tarball">Falling Back to the Previous Version of Shorewall using the
Fallback Script</a></span></dt><dt><span class="section"><a href="#RPM">Falling Back to the Previous Version of Shorewall using rpm</a></span></dt><dt><span class="section"><a href="#Uninstall">Uninstalling Shorewall</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Tarball"></a>Falling Back to the Previous Version of Shorewall using the
Fallback Script</h2></div></div></div><p>If you install Shorewall and discover that it doesn't work for you,
you can fall back to your previously installed version. To do that:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>cd to the distribution directory for the version of Shoreline
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ipsets.html new/shorewall-docs-html-5.2.3.1/ipsets.html
--- old/shorewall-docs-html-5.2.3/ipsets.html 2019-02-11 23:51:12.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ipsets.html 2019-02-26 19:01:24.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Ipsets">What are Ipsets?</a></span></dt><dt><span class="section"><a href="#Support">Shorewall Support for Ipsets</a></span></dt><dt><span class="section"><a href="#idm85">Shorewall6 and Shorewall-init Support for Ipsets</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Ipsets">What are Ipsets?</a></span></dt><dt><span class="section"><a href="#Support">Shorewall Support for Ipsets</a></span></dt><dt><span class="section"><a href="#idm85">Shorewall6 and Shorewall-init Support for Ipsets</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation appropriate for your
version.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Ipsets"></a>What are Ipsets?</h2></div></div></div><p>Ipsets are an extension to Netfilter/iptables that are available in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/kernel.htm new/shorewall-docs-html-5.2.3.1/kernel.htm
--- old/shorewall-docs-html-5.2.3/kernel.htm 2019-02-11 23:51:13.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/kernel.htm 2019-02-26 19:01:25.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Network">Network Options Configuration</a></span></dt><dt><span class="section"><a href="#Netfilter">Netfilter Configuration</a></span></dt><dt><span class="section"><a href="#Netfilter-2.6">Kernel 2.6 Netfilter Options</a></span></dt><dt><span class="section"><a href="#Kernel-2.6.16">Kernel 2.6.16 and Later Netfilter Options</a></span></dt><dt><span class="section"><a href="#v2.6.20">Kernel 2.6.20 and Later Netfilter Options</a></span></dt><dt><span class="section"><a href="#v2.6.21">Minimal Configuration using Kernel 2.6.20 and later</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p><span class="bold"><strong>This article is
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Network">Network Options Configuration</a></span></dt><dt><span class="section"><a href="#Netfilter">Netfilter Configuration</a></span></dt><dt><span class="section"><a href="#Netfilter-2.6">Kernel 2.6 Netfilter Options</a></span></dt><dt><span class="section"><a href="#Kernel-2.6.16">Kernel 2.6.16 and Later Netfilter Options</a></span></dt><dt><span class="section"><a href="#v2.6.20">Kernel 2.6.20 and Later Netfilter Options</a></span></dt><dt><span class="section"><a href="#v2.6.21">Minimal Configuration using Kernel 2.6.20 and later</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p><span class="bold"><strong>This article is
unmaintained.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Network"></a>Network Options Configuration</h2></div></div></div><p>Here's a screen shot of my Network Options Configuration:</p><div align="center"><img src="images/netopts.jpg" align="middle" /></div><p>While not all of the options that I've selected are required, they
should be sufficient for most applications. Here's an excerpt from the
corresponding .config file (Note: If you are running a kernel older than
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/netmap.html new/shorewall-docs-html-5.2.3.1/netmap.html
--- old/shorewall-docs-html-5.2.3/netmap.html 2019-02-11 23:51:19.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/netmap.html 2019-02-26 19:01:31.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Why">Why use Network Mapping</a></span></dt><dt><span class="section"><a href="#Solution">Solution</a></span></dt><dd><dl><dt><span class="section"><a href="#idm109">If you are running Shorewall 4.4.22 or Earlier</a></span></dt><dt><span class="section"><a href="#idm170">If you are running Shorewall 4.4.23 or Later</a></span></dt></dl></dd><dt><span class="section"><a href="#idm181">IPv6</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Why"></a>Why use Network Mapping</h2></div></div></div><p>Network Mapping is most often used to resolve IP address conflicts.
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Why">Why use Network Mapping</a></span></dt><dt><span class="section"><a href="#Solution">Solution</a></span></dt><dd><dl><dt><span class="section"><a href="#idm109">If you are running Shorewall 4.4.22 or Earlier</a></span></dt><dt><span class="section"><a href="#idm170">If you are running Shorewall 4.4.23 or Later</a></span></dt></dl></dd><dt><span class="section"><a href="#idm181">IPv6</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Why"></a>Why use Network Mapping</h2></div></div></div><p>Network Mapping is most often used to resolve IP address conflicts.
Suppose that two organizations, A and B, need to be linked and that both
organizations have allocated the 192.168.1.0/24 subnetwork. There is a
need to connect the two networks so that all systems in A can access the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ping.html new/shorewall-docs-html-5.2.3.1/ping.html
--- old/shorewall-docs-html-5.2.3/ping.html 2019-02-11 23:51:22.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ping.html 2019-02-26 19:01:33.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Ping">'Ping' Management</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Ping">'Ping' Management</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Enabling <span class="quote">“<span class="quote">ping</span>”</span> will also enable ICMP-based
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/ports.htm new/shorewall-docs-html-5.2.3.1/ports.htm
--- old/shorewall-docs-html-5.2.3/ports.htm 2019-02-11 23:51:22.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/ports.htm 2019-02-26 19:01:34.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div><div><div class="abstract"><p class="title"><strong>Abstract</strong></p><p>In addition to those applications described in the
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div><div><div class="abstract"><p class="title"><strong>Abstract</strong></p><p>In addition to those applications described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.</p></div></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Notes">Important Notes</a></span></dt><dt><span class="section"><a href="#Auth">Auth (identd)</a></span></dt><dt><span class="section"><a href="#BT">BitTorrent</a></span></dt><dt><span class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a href="#Emule">Emule</a></span></dt><dt><span class="section"><a href="#FTP">FTP</a></span></dt><dt><span class="section"><a href="#Gnutella">Gnutella</a></span></dt><dt><span class="section"><a href="#ICQ">ICQ/AIM</a></span></dt><dt><span class="section"><a href="#IMAP">IMAP</a></span></dt><dt><span class="section"><a href="#IPSEC">IPsec</a></span></dt><dt><span class="section"><a href="#LDAP">LDAP</a></span></dt><dt><span class="section"><a href="#MySQL"><span class="trademark">My\SQL</span>™</a></span></dt><dt><span class="section"><a href="#NFS">NFS</a></span></dt><dt><span class="section"><a href="#NTP">NTP (Network Time Protocol)</a></span></dt><dt><span class="section"><a href="#PCA"><span class="trademark">PCAnywhere</span>™</a></span></dt><dt><span class="section"><a href="#POP3">POP3</a></span></dt><dt><span class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span class="section"><a href="#Rdate">rdate</a></span></dt><dt><span class="section"><a href="#rsync">rsync</a></span></dt><dt><span class="section"><a href="#Siproxd">Siproxd</a></span></dt><dt><span class="section"><a href="#SSH">SSH/SFTP</a></span></dt><dt><span class="section"><a href="#SMB">SMB/NMB (Samba/<span class="trademark">Windows</span>™ Browsing/File
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/quotes.htm new/shorewall-docs-html-5.2.3.1/quotes.htm
--- old/shorewall-docs-html-5.2.3/quotes.htm 2019-02-11 23:51:24.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/quotes.htm 2019-02-26 19:01:36.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Quotes">What Users are saying...</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Quotes"></a>What Users are saying...</h2></div></div></div><div class="blockquote"><table border="0" class="blockquote" style="width: 100%; cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p><span class="emphasis"><em>I want to say that Shorewall documentation is the best
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Quotes">What Users are saying...</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Quotes"></a>What Users are saying...</h2></div></div></div><div class="blockquote"><table border="0" class="blockquote" style="width: 100%; cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p><span class="emphasis"><em>I want to say that Shorewall documentation is the best
I've ever found on the net. It's helped me a lot in understanding how
network is working. It is the best of breed. It contains not only
Shorewall specific topics with the assumption that all the rest is well
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/samba.htm new/shorewall-docs-html-5.2.3.1/samba.htm
--- old/shorewall-docs-html-5.2.3/samba.htm 2019-02-11 23:51:25.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/samba.htm 2019-02-26 19:01:36.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><p>If you wish to run Samba on your firewall and access shares between
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_extension_scripts.htm new/shorewall-docs-html-5.2.3.1/shorewall_extension_scripts.htm
--- old/shorewall-docs-html-5.2.3/shorewall_extension_scripts.htm 2019-02-11 23:51:28.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_extension_scripts.htm 2019-02-26 19:01:40.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Scripts">Extension Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#Perl">Compile-time vs Run-time Scripts</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Scripts">Extension Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#Perl">Compile-time vs Run-time Scripts</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Scripts"></a>Extension Scripts</h2></div></div></div><p>Extension scripts are user-provided scripts that are invoked at
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_features.htm new/shorewall-docs-html-5.2.3.1/shorewall_features.htm
--- old/shorewall-docs-html-5.2.3/shorewall_features.htm 2019-02-11 23:51:28.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_features.htm 2019-02-26 19:01:40.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Features">Features</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Features"></a>Features</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Uses Netfilter's connection tracking facilities for stateful
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Features">Features</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Features"></a>Features</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Uses Netfilter's connection tracking facilities for stateful
packet filtering.</p></li><li class="listitem"><p>Can be used in<span class="bold"><strong> a wide range of
router/firewall/gateway applications</strong></span> .</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p>Completely customizable using configuration files.</p></li><li class="listitem"><p>No limit on the number of network interfaces.</p></li><li class="listitem"><p>Allows you to partition the network into <a class="ulink" href="manpages/shorewall-zones.html" target="_top">zones</a> and gives you
complete control over the connections permitted between each pair
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_logging.html new/shorewall-docs-html-5.2.3.1/shorewall_logging.html
--- old/shorewall-docs-html-5.2.3/shorewall_logging.html 2019-02-11 23:51:29.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_logging.html 2019-02-26 19:01:41.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Log">How to Log Traffic Through a Shorewall Firewall</a></span></dt><dt><span class="section"><a href="#Where">Where the Traffic is Logged and How to Change the
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Log">How to Log Traffic Through a Shorewall Firewall</a></span></dt><dt><span class="section"><a href="#Where">Where the Traffic is Logged and How to Change the
Destination</a></span></dt><dd><dl><dt><span class="section"><a href="#Levels">Syslog Levels</a></span></dt><dt><span class="section"><a href="#ULOG">Configuring a Separate Log for Shorewall Messages (ulogd)</a></span></dt></dl></dd><dt><span class="section"><a href="#idm176">Log Backends</a></span></dt><dt><span class="section"><a href="#Syslog-ng">Syslog-ng</a></span></dt><dt><span class="section"><a href="#Contents">Understanding the Contents of Shorewall Log Messages</a></span></dt><dt><span class="section"><a href="#idm214">Customizing the Content of Shorewall Log Messages</a></span></dt><dd><dl><dt><span class="section"><a href="#LogTags">Log Tags</a></span></dt><dt><span class="section"><a href="#idm223">LOGTAGONLY</a></span></dt><dt><span class="section"><a href="#idm237">Log Levels in shorewall[6].conf</a></span></dt></dl></dd><dt><span class="section"><a href="#idm243">Some Additional Thoughts on Logging (by Bill Shirley)</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_prerequisites.htm new/shorewall-docs-html-5.2.3.1/shorewall_prerequisites.htm
--- old/shorewall-docs-html-5.2.3/shorewall_prerequisites.htm 2019-02-11 23:51:30.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_prerequisites.htm 2019-02-26 19:01:42.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Requirements">Shorewall Requires:</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Requirements">Shorewall Requires:</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Requirements"></a>Shorewall Requires:</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A <span class="bold"><strong>Linux</strong></span> kernel that supports
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_quickstart_guide.htm new/shorewall-docs-html-5.2.3.1/shorewall_quickstart_guide.htm
--- old/shorewall-docs-html-5.2.3/shorewall_quickstart_guide.htm 2019-02-11 23:51:31.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_quickstart_guide.htm 2019-02-26 19:01:42.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Before">Before You Start</a></span></dt><dt><span class="section"><a href="#Guides">The Guides</a></span></dt><dd><dl><dt><span class="section"><a href="#Single">If you want the firewall system to handle a <span class="bold"><strong>single public IP address</strong></span></a></span></dt><dt><span class="section"><a href="#Multi">If you want the firewall system to handle more than one public IP
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Before">Before You Start</a></span></dt><dt><span class="section"><a href="#Guides">The Guides</a></span></dt><dd><dl><dt><span class="section"><a href="#Single">If you want the firewall system to handle a <span class="bold"><strong>single public IP address</strong></span></a></span></dt><dt><span class="section"><a href="#Multi">If you want the firewall system to handle more than one public IP
address</a></span></dt></dl></dd></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Do not attempt to install Shorewall on a
remote system. You are virtually assured to lock yourself out of that
system.</strong></span></p></div><p>With thanks to Richard who reminded me once again that we must all
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_setup_guide.htm new/shorewall-docs-html-5.2.3.1/shorewall_setup_guide.htm
--- old/shorewall-docs-html-5.2.3/shorewall_setup_guide.htm 2019-02-11 23:51:32.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_setup_guide.htm 2019-02-26 19:01:44.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Interfaces">Network Interfaces</a></span></dt><dt><span class="section"><a href="#Addressing">Addressing, Subnets and Routing</a></span></dt><dd><dl><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#Subnets">Subnets</a></span></dt><dt><span class="section"><a href="#Routing">Routing</a></span></dt><dt><span class="section"><a href="#ARP">Address Resolution Protocol (ARP)</a></span></dt><dt><span class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span class="section"><a href="#Options">Setting Up Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#Routed">Routed</a></span></dt><dt><span class="section"><a href="#NonRouted">Non-routed</a></span></dt><dd><dl><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#dnat">DNAT</a></span></dt><dt><span class="section"><a href="#ProxyARP">Proxy ARP</a></span></dt><dt><span class="section"><a href="#NAT">One-to-one NAT</a></span></dt></dl></dd><dt><span class="section"><a href="#Rules">Rules</a></span></dt><dt><span class="section"><a href="#OddsAndEnds">Odds and Ends</a></span></dt></dl></dd><dt><span class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#StartingAndStopping">Starting and Stopping the Firewall</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 
3.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Interfaces">Network Interfaces</a></span></dt><dt><span class="section"><a href="#Addressing">Addressing, Subnets and Routing</a></span></dt><dd><dl><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#Subnets">Subnets</a></span></dt><dt><span class="section"><a href="#Routing">Routing</a></span></dt><dt><span class="section"><a href="#ARP">Address Resolution Protocol (ARP)</a></span></dt><dt><span class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span class="section"><a href="#Options">Setting Up Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#Routed">Routed</a></span></dt><dt><span class="section"><a href="#NonRouted">Non-routed</a></span></dt><dd><dl><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#dnat">DNAT</a></span></dt><dt><span class="section"><a href="#ProxyARP">Proxy ARP</a></span></dt><dt><span class="section"><a href="#NAT">One-to-one NAT</a></span></dt></dl></dd><dt><span class="section"><a href="#Rules">Rules</a></span></dt><dt><span class="section"><a href="#OddsAndEnds">Odds and Ends</a></span></dt></dl></dd><dt><span class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#StartingAndStopping">Starting and Stopping the Firewall</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 
3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Introduction"></a>Introduction</h2></div></div></div><p>This guide is intended for users who are setting up Shorewall in an
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/shorewall_setup_guide_fr.htm new/shorewall-docs-html-5.2.3.1/shorewall_setup_guide_fr.htm
--- old/shorewall-docs-html-5.2.3/shorewall_setup_guide_fr.htm 2019-02-11 23:51:31.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/shorewall_setup_guide_fr.htm 2019-02-26 19:01:43.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span class="section"><a href="#Concepts">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span class="section"><a href="#Addressing">Adressage, Sous-réseaux et Routage</a></span></dt><dd><dl><dt><span class="section"><a href="#Addresses">Adressage IP</a></span></dt><dt><span class="section"><a href="#Subnets">Sous-réseaux</a></span></dt><dt><span class="section"><a href="#Routing">Routage</a></span></dt><dt><span class="section"><a href="#idm622">Protocole de Résolution d'Adresse (ARP)</a></span></dt><dt><span class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span class="section"><a href="#Options">Configurer votre Réseau</a></span></dt><dd><dl><dt><span class="section"><a href="#Routed">Routé</a></span></dt><dt><span class="section"><a href="#NonRouted">Non routé</a></span></dt><dd><dl><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#dnat">DNAT</a></span></dt><dt><span class="section"><a href="#ProxyARP">Proxy ARP</a></span></dt><dt><span class="section"><a href="#idm891">NAT un-à-un</a></span></dt></dl></dd><dt><span class="section"><a href="#Rules">Règles</a></span></dt><dt><span class="section"><a href="#OddsAndEnds">D'autres petites choses</a></span></dt></dl></dd><dt><span class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a href="#idm1058">Quelques Points à Garder en Mémoire</a></span></dt><dt><span class="section"><a href="#idm1086">Démarrer et Arrêter Votre Firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du 
traducteur :</span> Le
+ License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span class="section"><a href="#Concepts">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span class="section"><a href="#Addressing">Adressage, Sous-réseaux et Routage</a></span></dt><dd><dl><dt><span class="section"><a href="#Addresses">Adressage IP</a></span></dt><dt><span class="section"><a href="#Subnets">Sous-réseaux</a></span></dt><dt><span class="section"><a href="#Routing">Routage</a></span></dt><dt><span class="section"><a href="#idm622">Protocole de Résolution d'Adresse (ARP)</a></span></dt><dt><span class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span class="section"><a href="#Options">Configurer votre Réseau</a></span></dt><dd><dl><dt><span class="section"><a href="#Routed">Routé</a></span></dt><dt><span class="section"><a href="#NonRouted">Non routé</a></span></dt><dd><dl><dt><span class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a href="#dnat">DNAT</a></span></dt><dt><span class="section"><a href="#ProxyARP">Proxy ARP</a></span></dt><dt><span class="section"><a href="#idm891">NAT un-à-un</a></span></dt></dl></dd><dt><span class="section"><a href="#Rules">Règles</a></span></dt><dt><span class="section"><a href="#OddsAndEnds">D'autres petites choses</a></span></dt></dl></dd><dt><span class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a href="#idm1058">Quelques Points à Garder en Mémoire</a></span></dt><dt><span class="section"><a href="#idm1086">Démarrer et Arrêter Votre Firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du 
traducteur :</span> Le
traduction initiale a été réalisée par <a class="ulink" href="mailto:fd03x@wanadoo.fr" target="_top">Fabien Demassieux</a>. J'ai assuré la
révision pour l'adapter à la version 3 de Shorewall. Si vous trouvez des
erreurs ou des améliorations à y apporter vous pouvez <a class="ulink" href="mailto:guy@posteurs.com" target="_top">me contacter</a>.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Attention</h3><p><span class="bold"><strong>Cet article s'applique à Shorewall 3.0 et à
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/simple_traffic_shaping.html new/shorewall-docs-html-5.2.3.1/simple_traffic_shaping.html
--- old/shorewall-docs-html-5.2.3/simple_traffic_shaping.html 2019-02-11 23:51:33.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/simple_traffic_shaping.html 2019-02-26 19:01:45.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Introduction</a></span></dt><dt><span class="section"><a href="#idm37">Enabling Simple Traffic Shaping</a></span></dt><dt><span class="section"><a href="#idm61">Customizing Simple Traffic Shaping</a></span></dt><dt><span class="section"><a href="#idm107">Combined IPv4/IPv6 Simple TC Configuration</a></span></dt><dt><span class="section"><a href="#idm129">Additional Reading</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Introduction</h2></div></div></div><p>Traffic shaping and control was originally introduced into Shorewall
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm17">Introduction</a></span></dt><dt><span class="section"><a href="#idm37">Enabling Simple Traffic Shaping</a></span></dt><dt><span class="section"><a href="#idm61">Customizing Simple Traffic Shaping</a></span></dt><dt><span class="section"><a href="#idm107">Combined IPv4/IPv6 Simple TC Configuration</a></span></dt><dt><span class="section"><a href="#idm129">Additional Reading</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm17"></a>Introduction</h2></div></div></div><p>Traffic shaping and control was originally introduced into Shorewall
in version 2.2.5. That facility was based on Arne Bernin's
<em class="firstterm">tc4shorewall</em> and is generally felt to be complex
and difficult to use.</p><p>In Shorewall 4.4.6, a second traffic shaping facility that is simple
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/standalone.htm new/shorewall-docs-html-5.2.3.1/standalone.htm
--- old/shorewall-docs-html-5.2.3/standalone.htm 2019-02-11 23:51:35.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/standalone.htm 2019-02-26 19:01:46.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">System Requirements</a></span></dt><dt><span class="section"><a href="#Before">Before you start</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#External">External Interface</a></span></dt><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#Logging">Logging</a></span></dt><dt><span class="section"><a href="#Modules">Kernel Module Loading</a></span></dt><dt><span class="section"><a href="#Open">Enabling other Connections</a></span></dt><dt><span class="section"><a href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span class="section"><a href="#Problems">If it Doesn't Work</a></span></dt><dt><span class="section"><a href="#idm388">Disabling your existing Firewall</a></span></dt><dt><span class="section"><a href="#Other">Additional Recommended Reading</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">System Requirements</a></span></dt><dt><span class="section"><a href="#Before">Before you start</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#External">External Interface</a></span></dt><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#Logging">Logging</a></span></dt><dt><span class="section"><a href="#Modules">Kernel Module Loading</a></span></dt><dt><span class="section"><a href="#Open">Enabling other Connections</a></span></dt><dt><span class="section"><a href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span class="section"><a href="#Problems">If it Doesn't Work</a></span></dt><dt><span class="section"><a href="#idm388">Disabling your existing Firewall</a></span></dt><dt><span class="section"><a href="#Other">Additional Recommended Reading</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Introduction"></a>Introduction</h2></div></div></div><p>Setting up Shorewall on a standalone Linux system is very easy if
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/standalone_fr.html new/shorewall-docs-html-5.2.3.1/standalone_fr.html
--- old/shorewall-docs-html-5.2.3/standalone_fr.html 2019-02-11 23:51:34.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/standalone_fr.html 2019-02-26 19:01:45.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">Pré-requis système</a></span></dt><dt><span class="section"><a href="#Before">Avant de commencer</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#External">Interface Externe</a></span></dt><dt><span class="section"><a href="#Addresses">Adresses IP</a></span></dt><dt><span class="section"><a href="#Logging">Journalisation (log)</a></span></dt><dt><span class="section"><a href="#Open">Permettre d'autres connexions</a></span></dt><dt><span class="section"><a href="#Starting">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a href="#Problems">Si cela ne marche pas</a></span></dt><dt><span class="section"><a href="#Other">Autres Lectures Recommandées</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Le guide
+ License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">Pré-requis système</a></span></dt><dt><span class="section"><a href="#Before">Avant de commencer</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#External">Interface Externe</a></span></dt><dt><span class="section"><a href="#Addresses">Adresses IP</a></span></dt><dt><span class="section"><a href="#Logging">Journalisation (log)</a></span></dt><dt><span class="section"><a href="#Open">Permettre d'autres connexions</a></span></dt><dt><span class="section"><a href="#Starting">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a href="#Problems">Si cela ne marche pas</a></span></dt><dt><span class="section"><a href="#Other">Autres Lectures Recommandées</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Le guide
initial a été traduit par <a class="ulink" href="mailto:vetsel.patrice@wanadoo.fr" target="_top">VETSEL Patrice</a> et la
révision pour la version 2 de Shorewall a été effectuée par <a class="ulink" href="mailto:fd03x@wanadoo.fr" target="_top">Fabien Demassieux</a>. J'ai assuré la
révision pour l'adapter à la version 3, puis 4 de Shorewall. Si vous
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/standalone_ru.html new/shorewall-docs-html-5.2.3.1/standalone_ru.html
--- old/shorewall-docs-html-5.2.3/standalone_ru.html 2019-02-11 23:51:34.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/standalone_ru.html 2019-02-26 19:01:46.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm26">Введение</a></span></dt><dd><dl><dt><span class="section"><a href="#idm42">Системные требования</a></span></dt><dt><span class="section"><a href="#idm53">Перед тем как начать</a></span></dt><dt><span class="section"><a href="#idm72">Соглашения</a></span></dt></dl></dd><dt><span class="section"><a href="#idm76">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm89">Концепции Shorewall</a></span></dt><dt><span class="section"><a href="#idm161">Внешний интерфейс</a></span></dt><dt><span class="section"><a href="#idm199">IP-адреса</a></span></dt><dt><span class="section"><a href="#idm229">Разрешение других соединений</a></span></dt><dt><span class="section"><a href="#idm262">Запуск и останов Вашего файервола</a></span></dt><dt><span class="section"><a href="#idm303">Дополнительно рекоммендуемая литература</a></span></dt><dt><span class="appendix"><a href="#idm307">A. История пересмотров</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Эта статья применима для Shorewall версии 3.0
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm26">Введение</a></span></dt><dd><dl><dt><span class="section"><a href="#idm42">Системные требования</a></span></dt><dt><span class="section"><a href="#idm53">Перед тем как начать</a></span></dt><dt><span class="section"><a href="#idm72">Соглашения</a></span></dt></dl></dd><dt><span class="section"><a href="#idm76">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm89">Концепции Shorewall</a></span></dt><dt><span class="section"><a href="#idm161">Внешний интерфейс</a></span></dt><dt><span class="section"><a href="#idm199">IP-адреса</a></span></dt><dt><span class="section"><a href="#idm229">Разрешение других соединений</a></span></dt><dt><span class="section"><a href="#idm262">Запуск и останов Вашего файервола</a></span></dt><dt><span class="section"><a href="#idm303">Дополнительно рекоммендуемая литература</a></span></dt><dt><span class="appendix"><a href="#idm307">A. История пересмотров</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Эта статья применима для Shorewall версии 3.0
и выше. Если Вы работаете с более ранней версией Shorewall чем Shorewall
3.0.0, тогда смотрите документацию для этого выпуска.</strong></span></p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Пример файлов конфигурации в составе Shorewall 3.0.0 и 3.0.1 был
некорректен. Первой генерируемой ошибкой была:</p><p><span class="bold"><strong>ERROR: No Firewall Zone Defined (ОШИБКА: Не
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/starting_and_stopping_shorewall.htm new/shorewall-docs-html-5.2.3.1/starting_and_stopping_shorewall.htm
--- old/shorewall-docs-html-5.2.3/starting_and_stopping_shorewall.htm 2019-02-11 23:51:35.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/starting_and_stopping_shorewall.htm 2019-02-26 19:01:47.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#CLI">/sbin/shorewall and /sbin/shorewall-lite</a></span></dt><dt><span class="section"><a href="#Starting">Starting, Stopping and Clearing</a></span></dt><dt><span class="section"><a href="#Init">/etc/init.d/shorewall and /etc/init.d/shorewall-lite</a></span></dt><dt><span class="section"><a href="#Trace">Tracing Command Execution and other Debugging Aids</a></span></dt><dt><span class="section"><a href="#Boot">Having Shorewall Start Automatically at Boot Time</a></span></dt><dt><span class="section"><a href="#Saved">Saving a Working Configuration for Error Recovery and Fast
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#CLI">/sbin/shorewall and /sbin/shorewall-lite</a></span></dt><dt><span class="section"><a href="#Starting">Starting, Stopping and Clearing</a></span></dt><dt><span class="section"><a href="#Init">/etc/init.d/shorewall and /etc/init.d/shorewall-lite</a></span></dt><dt><span class="section"><a href="#Trace">Tracing Command Execution and other Debugging Aids</a></span></dt><dt><span class="section"><a href="#Boot">Having Shorewall Start Automatically at Boot Time</a></span></dt><dt><span class="section"><a href="#Saved">Saving a Working Configuration for Error Recovery and Fast
Startup</a></span></dt><dt><span class="section"><a href="#AddDirectories">Additional Configuration Directories</a></span></dt><dt><span class="section"><a href="#AltConfig">Alternate Configuration Directories</a></span></dt><dt><span class="section"><a href="#Commands">Commands</a></span></dt><dt><span class="section"><a href="#State">Shorewall State Diagram</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/support.htm new/shorewall-docs-html-5.2.3.1/support.htm
--- old/shorewall-docs-html-5.2.3/support.htm 2019-02-11 23:51:35.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/support.htm 2019-02-26 19:01:47.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#First">Before Reporting a Problem or Asking a Question</a></span></dt><dt><span class="section"><a href="#Guidelines">Problem Reporting Guidelines</a></span></dt><dt><span class="section"><a href="#Where">Where to Send your Problem Report or to Ask for Help</a></span></dt><dt><span class="section"><a href="#Users">Subscribing to the Users Mailing List</a></span></dt><dt><span class="section"><a href="#Announce">Subscribing to the Announce Mailing List</a></span></dt><dt><span class="section"><a href="#Devel">Subscribing to the Development Mailing List</a></span></dt><dt><span class="section"><a href="#Unsubscribe">Unsubscribing from Shorewall Mailing Lists</a></span></dt><dt><span class="section"><a href="#Other">Other Mailing Lists</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#First">Before Reporting a Problem or Asking a Question</a></span></dt><dt><span class="section"><a href="#Guidelines">Problem Reporting Guidelines</a></span></dt><dt><span class="section"><a href="#Where">Where to Send your Problem Report or to Ask for Help</a></span></dt><dt><span class="section"><a href="#Users">Subscribing to the Users Mailing List</a></span></dt><dt><span class="section"><a href="#Announce">Subscribing to the Announce Mailing List</a></span></dt><dt><span class="section"><a href="#Devel">Subscribing to the Development Mailing List</a></span></dt><dt><span class="section"><a href="#Unsubscribe">Unsubscribing from Shorewall Mailing Lists</a></span></dt><dt><span class="section"><a href="#Other">Other Mailing Lists</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="First"></a>Before Reporting a Problem or Asking a Question</h2></div></div></div><p>There are a number of sources of Shorewall information. Please try
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/survey-200603.html new/shorewall-docs-html-5.2.3.1/survey-200603.html
--- old/shorewall-docs-html-5.2.3/survey-200603.html 2019-02-11 23:51:36.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/survey-200603.html 2019-02-26 19:01:48.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dd><dl><dt><span class="section"><a href="#Survey">Survey and results links</a></span></dt><dt><span class="section"><a href="#Sample">Sample size</a></span></dt><dt><span class="section"><a href="#Factors">Other possible inaccuracies</a></span></dt></dl></dd><dt><span class="section"><a href="#Results">Results analysis</a></span></dt><dd><dl><dt><span class="section"><a href="#Org">Organisations</a></span></dt><dt><span class="section"><a href="#Users">Users</a></span></dt><dt><span class="section"><a href="#Hardware">Hardware</a></span></dt><dt><span class="section"><a href="#Network">Network</a></span></dt><dt><span class="section"><a href="#Software">Software</a></span></dt><dt><span class="section"><a href="#Comments">Comments from users</a></span></dt></dl></dd><dt><span class="section"><a href="#Lessons">Lessons learned about survey technique</a></span></dt><dd><dl><dt><span class="section"><a href="#Approach1">Treat surveys like releasing free software</a></span></dt><dt><span class="section"><a href="#Approach2">Start small and work towards what you want to know with specific,
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Background">Background</a></span></dt><dd><dl><dt><span class="section"><a href="#Survey">Survey and results links</a></span></dt><dt><span class="section"><a href="#Sample">Sample size</a></span></dt><dt><span class="section"><a href="#Factors">Other possible inaccuracies</a></span></dt></dl></dd><dt><span class="section"><a href="#Results">Results analysis</a></span></dt><dd><dl><dt><span class="section"><a href="#Org">Organisations</a></span></dt><dt><span class="section"><a href="#Users">Users</a></span></dt><dt><span class="section"><a href="#Hardware">Hardware</a></span></dt><dt><span class="section"><a href="#Network">Network</a></span></dt><dt><span class="section"><a href="#Software">Software</a></span></dt><dt><span class="section"><a href="#Comments">Comments from users</a></span></dt></dl></dd><dt><span class="section"><a href="#Lessons">Lessons learned about survey technique</a></span></dt><dd><dl><dt><span class="section"><a href="#Approach1">Treat surveys like releasing free software</a></span></dt><dt><span class="section"><a href="#Approach2">Start small and work towards what you want to know with specific,
concrete questions</a></span></dt><dt><span class="section"><a href="#Approach3">Be prepared beforehand</a></span></dt><dt><span class="section"><a href="#Approach4">Incrementally improve your surveys</a></span></dt></dl></dd><dt><span class="section"><a href="#Implications1">Possible implications for the Shorewall project</a></span></dt><dt><span class="section"><a href="#Implications2">Possible implications for other free software projects</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Background"></a>Background</h2></div></div></div><p>In early March 2006, i embarked on the journey of surveying
Shorewall users. Initially this sprang from my own curiosity: i thought
that some of the systems at work on which i use Shorewall may be bigger
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/template.html new/shorewall-docs-html-5.2.3.1/template.html
--- old/shorewall-docs-html-5.2.3/template.html 2019-02-11 23:51:36.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/template.html 2019-02-26 19:01:48.000000000 +0100
@@ -5,4 +5,4 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16"></a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a></h2></div></div></div><p></p></div></div></body></html>
\ No newline at end of file
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm16"></a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm16"></a></h2></div></div></div><p></p></div></div></body></html>
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/three-interface.htm new/shorewall-docs-html-5.2.3.1/three-interface.htm
--- old/shorewall-docs-html-5.2.3/three-interface.htm 2019-02-11 23:51:38.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/three-interface.htm 2019-02-26 19:01:49.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#Reqs">Requirements</a></span></dt><dt><span class="section"><a href="#Before">Before you start</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Interfaces">Network Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#Logging">Logging</a></span></dt><dt><span class="section"><a href="#Modules">Kernel Module Loading</a></span></dt><dt><span class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Domain Name Server (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other Connections</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span class="section"><a href="#idm621">Disabling your existing Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional Recommended Reading</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#Reqs">Requirements</a></span></dt><dt><span class="section"><a href="#Before">Before you start</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Interfaces">Network Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#Logging">Logging</a></span></dt><dt><span class="section"><a href="#Modules">Kernel Module Loading</a></span></dt><dt><span class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Domain Name Server (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other Connections</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span class="section"><a href="#idm621">Disabling your existing Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional Recommended Reading</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Setting up a Linux system as a firewall for a small network with DMZ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/three-interface_fr.html new/shorewall-docs-html-5.2.3.1/three-interface_fr.html
--- old/shorewall-docs-html-5.2.3/three-interface_fr.html 2019-02-11 23:51:37.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/three-interface_fr.html 2019-02-26 19:01:48.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm46">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm73">Pré-requis Système</a></span></dt><dt><span class="section"><a href="#idm89">Avant de commencer</a></span></dt><dt><span class="section"><a href="#idm104">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#idm110">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm123">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#idm208">Les Interfaces Réseau</a></span></dt><dt><span class="section"><a href="#idm286">Adresses IP</a></span></dt><dt><span class="section"><a href="#idm365">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#DNAT">Transfert de ports (DNAT)</a></span></dt><dt><span class="section"><a href="#idm497">Service de Noms de Domaines (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a href="#idm598">Quelques Points à Garder en Mémoire</a></span></dt><dt><span class="section"><a href="#idm626">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a href="#idm668">Si cela ne marche pas</a></span></dt><dt><span class="section"><a href="#idm682">Autres Lectures Recommandées</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Le guide
+ License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm46">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#idm73">Pré-requis Système</a></span></dt><dt><span class="section"><a href="#idm89">Avant de commencer</a></span></dt><dt><span class="section"><a href="#idm104">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#idm110">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm123">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#idm208">Les Interfaces Réseau</a></span></dt><dt><span class="section"><a href="#idm286">Adresses IP</a></span></dt><dt><span class="section"><a href="#idm365">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#DNAT">Transfert de ports (DNAT)</a></span></dt><dt><span class="section"><a href="#idm497">Service de Noms de Domaines (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a href="#idm598">Quelques Points à Garder en Mémoire</a></span></dt><dt><span class="section"><a href="#idm626">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a href="#idm668">Si cela ne marche pas</a></span></dt><dt><span class="section"><a href="#idm682">Autres Lectures Recommandées</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Le guide
initial a été traduit par <a class="ulink" href="mailto:vetsel.patrice@wanadoo.fr" target="_top">VETSEL Patrice</a> et la
révision pour la version 2 de Shorewall a été effectuée par <a class="ulink" href="mailto:fd03x@wanadoo.fr" target="_top">Fabien Demassieux</a>. J'ai assuré la
révision pour l'adapter à la version 3 de Shorewall. Si vous trouvez des
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/three-interface_ru.html new/shorewall-docs-html-5.2.3.1/three-interface_ru.html
--- old/shorewall-docs-html-5.2.3/three-interface_ru.html 2019-02-11 23:51:37.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/three-interface_ru.html 2019-02-26 19:01:49.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span class="section"><a href="#idm48">Системные требования</a></span></dt><dt><span class="section"><a href="#idm59">Перед тем как начать</a></span></dt><dt><span class="section"><a href="#idm78">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#idm84">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm97">Концепции Shorewall</a></span></dt><dt><span class="section"><a href="#idm180">Сетевые интерфейсы</a></span></dt><dt><span class="section"><a href="#idm257">IP-адреса</a></span></dt><dt><span class="section"><a href="#idm360">IP-маскарадинг (SNAT)</a></span></dt><dt><span class="section"><a href="#idm420">Перенаправление портов (DNAT)</a></span></dt><dt><span class="section"><a href="#idm504">Сервер Доменных Имен (Domain Name Server - DNS)</a></span></dt><dt><span class="section"><a href="#idm549">Другие соединения</a></span></dt><dt><span class="section"><a href="#idm597">Что нужно помнить</a></span></dt><dt><span class="section"><a href="#idm630">Запуск и останов Вашего файервола</a></span></dt><dt><span class="section"><a href="#idm678">Дополнительно рекоммендуемая литература</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Эта статья применима для Shorewall версии 3.0
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span class="section"><a href="#idm48">Системные требования</a></span></dt><dt><span class="section"><a href="#idm59">Перед тем как начать</a></span></dt><dt><span class="section"><a href="#idm78">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#idm84">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm97">Концепции Shorewall</a></span></dt><dt><span class="section"><a href="#idm180">Сетевые интерфейсы</a></span></dt><dt><span class="section"><a href="#idm257">IP-адреса</a></span></dt><dt><span class="section"><a href="#idm360">IP-маскарадинг (SNAT)</a></span></dt><dt><span class="section"><a href="#idm420">Перенаправление портов (DNAT)</a></span></dt><dt><span class="section"><a href="#idm504">Сервер Доменных Имен (Domain Name Server - DNS)</a></span></dt><dt><span class="section"><a href="#idm549">Другие соединения</a></span></dt><dt><span class="section"><a href="#idm597">Что нужно помнить</a></span></dt><dt><span class="section"><a href="#idm630">Запуск и останов Вашего файервола</a></span></dt><dt><span class="section"><a href="#idm678">Дополнительно рекоммендуемая литература</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Эта статья применима для Shorewall версии 3.0
и выше. Если Вы работаете с более ранней версией Shorewall чем Shorewall
3.0.0, тогда смотрите документацию для этого выпуска.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Введение</h2></div></div></div><p>Установка Linux системы как файервола для небольшой сети довольно
простая задача, если Вы понимаете основы и следуете документации.</p><p>Это руководство не пытается ознакомить Вас со всеми особенностями
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/traffic_shaping.htm new/shorewall-docs-html-5.2.3.1/traffic_shaping.htm
--- old/shorewall-docs-html-5.2.3/traffic_shaping.htm 2019-02-11 23:51:39.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/traffic_shaping.htm 2019-02-26 19:01:50.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#LinuxTC">Linux traffic shaping and control</a></span></dt><dt><span class="section"><a href="#Kernel">Linux Kernel Configuration</a></span></dt><dt><span class="section"><a href="#Shorewall">Enable TC support in Shorewall</a></span></dt><dt><span class="section"><a href="#Builtin">Using builtin traffic shaping/control</a></span></dt><dd><dl><dt><span class="section"><a href="#tcdevices">/etc/shorewall/tcdevices</a></span></dt><dt><span class="section"><a href="#tcclasses">/etc/shorewall/tcclasses</a></span></dt><dt><span class="section"><a href="#tcrules">/etc/shorewall/mangle and /etc/shorewall/rules</a></span></dt><dt><span class="section"><a href="#ppp">ppp devices</a></span></dt><dt><span class="section"><a href="#idm419">Sharing a TC configuration between Shorewall and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#LinuxTC">Linux traffic shaping and control</a></span></dt><dt><span class="section"><a href="#Kernel">Linux Kernel Configuration</a></span></dt><dt><span class="section"><a href="#Shorewall">Enable TC support in Shorewall</a></span></dt><dt><span class="section"><a href="#Builtin">Using builtin traffic shaping/control</a></span></dt><dd><dl><dt><span class="section"><a href="#tcdevices">/etc/shorewall/tcdevices</a></span></dt><dt><span class="section"><a href="#tcclasses">/etc/shorewall/tcclasses</a></span></dt><dt><span class="section"><a href="#tcrules">/etc/shorewall/mangle and /etc/shorewall/rules</a></span></dt><dt><span class="section"><a href="#ppp">ppp devices</a></span></dt><dt><span class="section"><a href="#idm419">Sharing a TC configuration between Shorewall and
Shorewall6</a></span></dt><dt><span class="section"><a href="#perIP">Per-IP Traffic Shaping</a></span></dt><dt><span class="section"><a href="#Real">Real life examples</a></span></dt><dd><dl><dt><span class="section"><a href="#idm536">A Shorewall User's Experience</a></span></dt><dt><span class="section"><a href="#Wondershaper">Configuration to replace Wondershaper</a></span></dt><dt><span class="section"><a href="#simiple">A simple setup</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Xen">A Warning to Xen Users</a></span></dt><dt><span class="section"><a href="#HFSC">An HFSC Example</a></span></dt><dd><dl><dt><span class="section"><a href="#MajicNumbers">Where Did all of those Magic Numbers come from?</a></span></dt></dl></dd><dt><span class="section"><a href="#IFB">Intermediate Functional Block (IFB) Devices</a></span></dt><dd><dl><dt><span class="section"><a href="#tcfilters">/etc/shorewall/tcfilters</a></span></dt></dl></dd><dt><span class="section"><a href="#show">Understanding the output of 'shorewall show tc'</a></span></dt><dt><span class="section"><a href="#External">Using your own tc script</a></span></dt><dd><dl><dt><span class="section"><a href="#owntcstart">Replacing builtin tcstart file</a></span></dt><dt><span class="section"><a href="#Start">Traffic control outside Shorewall</a></span></dt></dl></dd><dt><span class="section"><a href="#Testing">Testing Tools</a></span></dt></dl></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Traffic shaping is complex and the Shorewall community is not well
equipped to answer traffic shaping questions. So if you are the type of
person who needs "insert tab A into slot B" instructions for everything
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/traffic_shaping_ru.html new/shorewall-docs-html-5.2.3.1/traffic_shaping_ru.html
--- old/shorewall-docs-html-5.2.3/traffic_shaping_ru.html 2019-02-11 23:51:38.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/traffic_shaping_ru.html 2019-02-26 19:01:50.000000000 +0100
@@ -4,7 +4,7 @@
версии 1.2 или более поздней, опубликованной Free Software Foundation;
без неизменяемых разделов, без текста на верхней обложке, без текста на
нижней обложке. Копия лицензии приведена по ссылке <span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Введение</a></span></dt><dt><span class="section"><a href="#LinuxTC">Управление трафиком и шейпинг трафика в Linux</a></span></dt><dt><span class="section"><a href="#Kernel">Конфигурация ядра Linux</a></span></dt><dt><span class="section"><a href="#Shorewall">Включение поддержки TC в Shorewall</a></span></dt><dt><span class="section"><a href="#Builtin">Работа с встроенными функциями управления трафиком и
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Введение</a></span></dt><dt><span class="section"><a href="#LinuxTC">Управление трафиком и шейпинг трафика в Linux</a></span></dt><dt><span class="section"><a href="#Kernel">Конфигурация ядра Linux</a></span></dt><dt><span class="section"><a href="#Shorewall">Включение поддержки TC в Shorewall</a></span></dt><dt><span class="section"><a href="#Builtin">Работа с встроенными функциями управления трафиком и
шейпинга</a></span></dt><dd><dl><dt><span class="section"><a href="#tcdevices">/etc/shorewall/tcdevices</a></span></dt><dt><span class="section"><a href="#tcclasses">/etc/shorewall/tcclasses</a></span></dt><dt><span class="section"><a href="#tcrules">/etc/shorewall/tcrules</a></span></dt><dt><span class="section"><a href="#ppp">Устройства ppp</a></span></dt><dt><span class="section"><a href="#Real">Рабочие примеры</a></span></dt><dd><dl><dt><span class="section"><a href="#Wondershaper">Конфигурация для замены Wondershaper</a></span></dt><dt><span class="section"><a href="#simiple">Простая конфигурация</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="#Xen">Замечания для пользователей Xen</a></span></dt><dt><span class="section"><a href="#External">Применение собственных сценариев tc</a></span></dt><dd><dl><dt><span class="section"><a href="#owntcstart">Замена встроенного файла tcstart</a></span></dt><dt><span class="section"><a href="#Start">Управление трафиком, внешнее по отношению к Shorewall</a></span></dt></dl></dd><dt><span class="section"><a href="#Testing">Инструменты тестирования</a></span></dt></dl></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Управление трафиком - это сложная тема, и не следует ожидать от
сообщества Shorewall готовых ответов на возникающие в связи с этим
вопросы. Поэтому, если вам нужны готовые рецепты, как нажать кнопку, чтобы
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/troubleshoot.htm new/shorewall-docs-html-5.2.3.1/troubleshoot.htm
--- old/shorewall-docs-html-5.2.3/troubleshoot.htm 2019-02-11 23:51:39.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/troubleshoot.htm 2019-02-26 19:01:51.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Start"><span class="quote">“<span class="quote">shorewall start</span>”</span> and <span class="quote">“<span class="quote">shorewall restart</span>”</span>
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Start"><span class="quote">“<span class="quote">shorewall start</span>”</span> and <span class="quote">“<span class="quote">shorewall restart</span>”</span>
Errors</a></span></dt><dt><span class="section"><a href="#Network">Your Network Environment</a></span></dt><dt><span class="section"><a href="#NewDevice">New Device Doesn't Work?</a></span></dt><dt><span class="section"><a href="#Connections">Connection Problems</a></span></dt><dt><span class="section"><a href="#Ping">Ping Problems</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#More">Other Gotchas</a></span></dt><dt><span class="section"><a href="#Support">Still Having Problems?</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Start"></a><span class="quote">“<span class="quote">shorewall start</span>”</span> and <span class="quote">“<span class="quote">shorewall restart</span>”</span>
Errors</h2></div></div></div><p>If the error is detected by the Shorewall compiler, it should be
fairly obvious where the problem was found. Each error message includes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/two-interface.htm new/shorewall-docs-html-5.2.3.1/two-interface.htm
--- old/shorewall-docs-html-5.2.3/two-interface.htm 2019-02-11 23:51:40.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/two-interface.htm 2019-02-26 19:01:52.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">System Requirements</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Interfaces">Network Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#Logging">Logging</a></span></dt><dt><span class="section"><a href="#Modules">Kernel Module Loading</a></span></dt><dt><span class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Domain Name Server (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other Connections</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span class="section"><a href="#idm682">Disabling your existing Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional Recommended Reading</a></span></dt><dt><span class="section"><a href="#Wireless">Adding a Wireless Segment to your Two-Interface Firewall</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">System Requirements</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Interfaces">Network Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#Logging">Logging</a></span></dt><dt><span class="section"><a href="#Modules">Kernel Module Loading</a></span></dt><dt><span class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Domain Name Server (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other Connections</a></span></dt><dt><span class="section"><a href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span class="section"><a href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span class="section"><a href="#idm682">Disabling your existing Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional Recommended Reading</a></span></dt><dt><span class="section"><a href="#Wireless">Adding a Wireless Segment to your Two-Interface Firewall</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Setting up a Linux system as a firewall for a small network is a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/two-interface_fr.html new/shorewall-docs-html-5.2.3.1/two-interface_fr.html
--- old/shorewall-docs-html-5.2.3/two-interface_fr.html 2019-02-11 23:51:40.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/two-interface_fr.html 2019-02-26 19:01:51.000000000 +0100
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span class="quote">« <span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm49">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">Pré-requis Système</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span class="section"><a href="#Adresses">Adresses IP</a></span></dt><dt><span class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#DNAT">Transfert de ports (DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Service de Noms de Domaines (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a href="#Logging">Journalisation (log)</a></span></dt><dt><span class="section"><a href="#idm625">Quelques Points à Garder en Mémoire</a></span></dt><dt><span class="section"><a href="#idm653">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a href="#Trouble">Si cela ne marche pas</a></span></dt><dt><span class="section"><a href="#Reading">Autres Lectures Recommandées</a></span></dt><dt><span class="section"><a href="#Wireless">Ajouter un Segment Sans-fil à votre Firewall à deux
+ License</a></span> »</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span class="section"><a href="#idm49">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#System">Pré-requis Système</a></span></dt><dt><span class="section"><a href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#Concepts">Les Concepts de Shorewall</a></span></dt><dt><span class="section"><a href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span class="section"><a href="#Adresses">Adresses IP</a></span></dt><dt><span class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span class="section"><a href="#DNAT">Transfert de ports (DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Service de Noms de Domaines (DNS)</a></span></dt><dt><span class="section"><a href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a href="#Logging">Journalisation (log)</a></span></dt><dt><span class="section"><a href="#idm625">Quelques Points à Garder en Mémoire</a></span></dt><dt><span class="section"><a href="#idm653">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a href="#Trouble">Si cela ne marche pas</a></span></dt><dt><span class="section"><a href="#Reading">Autres Lectures Recommandées</a></span></dt><dt><span class="section"><a href="#Wireless">Ajouter un Segment Sans-fil à votre Firewall à deux
interfaces</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span class="underline">Notes du traducteur :</span> Le guide
initial a été traduit par <a class="ulink" href="mailto:vetsel.patrice@wanadoo.fr" target="_top">VETSEL Patrice</a> et la pour
la version 2 de Shorewall a été effectuée par <a class="ulink" href="mailto:fd03x@wanadoo.fr" target="_top">Fabien Demassieux</a>. J'ai assuré la
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/two-interface_ru.html new/shorewall-docs-html-5.2.3.1/two-interface_ru.html
--- old/shorewall-docs-html-5.2.3/two-interface_ru.html 2019-02-11 23:51:40.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/two-interface_ru.html 2019-02-26 19:01:52.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span class="section"><a href="#idm43">Системные требования</a></span></dt><dt><span class="section"><a href="#idm54">Перед тем как начать</a></span></dt><dt><span class="section"><a href="#idm73">Соглашения</a></span></dt></dl></dd><dt><span class="section"><a href="#idm79">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm92">Концепции Shorewall</a></span></dt><dt><span class="section"><a href="#idm175">Сетевые интерфейсы</a></span></dt><dt><span class="section"><a href="#idm245">IP-адреса</a></span></dt><dt><span class="section"><a href="#idm334">IP-маскарадинг (SNAT)</a></span></dt><dt><span class="section"><a href="#idm385">Перенаправление портов (DNAT)</a></span></dt><dt><span class="section"><a href="#idm451">Сервер Доменных Имен (Domain Name Server - DNS)</a></span></dt><dt><span class="section"><a href="#idm490">Другие соединения</a></span></dt><dt><span class="section"><a href="#idm542">Что нужно помнить</a></span></dt><dt><span class="section"><a href="#idm575">Запуск и останов Вашего файервола</a></span></dt><dt><span class="section"><a href="#idm622">Дополнительно рекоммендуемая литература</a></span></dt><dt><span class="section"><a href="#idm626">Добавление сегмента беспроводной связи к Вашему файерволу с двумя
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span class="section"><a href="#idm43">Системные требования</a></span></dt><dt><span class="section"><a href="#idm54">Перед тем как начать</a></span></dt><dt><span class="section"><a href="#idm73">Соглашения</a></span></dt></dl></dd><dt><span class="section"><a href="#idm79">PPTP/ADSL</a></span></dt><dt><span class="section"><a href="#idm92">Концепции Shorewall</a></span></dt><dt><span class="section"><a href="#idm175">Сетевые интерфейсы</a></span></dt><dt><span class="section"><a href="#idm245">IP-адреса</a></span></dt><dt><span class="section"><a href="#idm334">IP-маскарадинг (SNAT)</a></span></dt><dt><span class="section"><a href="#idm385">Перенаправление портов (DNAT)</a></span></dt><dt><span class="section"><a href="#idm451">Сервер Доменных Имен (Domain Name Server - DNS)</a></span></dt><dt><span class="section"><a href="#idm490">Другие соединения</a></span></dt><dt><span class="section"><a href="#idm542">Что нужно помнить</a></span></dt><dt><span class="section"><a href="#idm575">Запуск и останов Вашего файервола</a></span></dt><dt><span class="section"><a href="#idm622">Дополнительно рекоммендуемая литература</a></span></dt><dt><span class="section"><a href="#idm626">Добавление сегмента беспроводной связи к Вашему файерволу с двумя
интерфейсами</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>Эта статья применима для Shorewall версии 3.0
и выше. Если Вы работаете с более ранней версией Shorewall чем Shorewall
3.0.0, тогда смотрите документацию для этого выпуска.</strong></span></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm19"></a>Введение</h2></div></div></div><p>Установка Linux системы как файервола для небольшой сети довольно
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/upgrade_issues.htm new/shorewall-docs-html-5.2.3.1/upgrade_issues.htm
--- old/shorewall-docs-html-5.2.3/upgrade_issues.htm 2019-02-11 23:51:41.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/upgrade_issues.htm 2019-02-26 19:01:53.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="copyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Important">Important</a></span></dt><dt><span class="section"><a href="#idm42">Version >= 5.0.0</a></span></dt><dt><span class="section"><a href="#idm46">Version >= 4.6.0</a></span></dt><dt><span class="section"><a href="#idm121">Versions >= 4.5.0</a></span></dt><dt><span class="section"><a href="#idm259">Versions >= 4.4.0</a></span></dt><dt><span class="section"><a href="#idm393">Versions >= 4.2.0</a></span></dt><dt><span class="section"><a href="#V4.0.0">Versions >= 4.0.0-Beta7</a></span></dt><dt><span class="section"><a href="#V3.4.0">Versions >= 3.4.0-Beta1</a></span></dt><dt><span class="section"><a href="#V3.2.0">Version >= 3.2.0</a></span></dt><dt><span class="section"><a href="#V3.0.0">Version >= 3.0.0</a></span></dt><dt><span class="section"><a href="#V2.4.0">Version >= 2.4.0</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Important"></a>Important</h2></div></div></div><p>It is important that you read all of the sections on this page where
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="#Important">Important</a></span></dt><dt><span class="section"><a href="#idm42">Version >= 5.0.0</a></span></dt><dt><span class="section"><a href="#idm46">Version >= 4.6.0</a></span></dt><dt><span class="section"><a href="#idm121">Versions >= 4.5.0</a></span></dt><dt><span class="section"><a href="#idm259">Versions >= 4.4.0</a></span></dt><dt><span class="section"><a href="#idm393">Versions >= 4.2.0</a></span></dt><dt><span class="section"><a href="#V4.0.0">Versions >= 4.0.0-Beta7</a></span></dt><dt><span class="section"><a href="#V3.4.0">Versions >= 3.4.0-Beta1</a></span></dt><dt><span class="section"><a href="#V3.2.0">Version >= 3.2.0</a></span></dt><dt><span class="section"><a href="#V3.0.0">Version >= 3.0.0</a></span></dt><dt><span class="section"><a href="#V2.4.0">Version >= 2.4.0</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Important"></a>Important</h2></div></div></div><p>It is important that you read all of the sections on this page where
the version number mentioned in the section title is later than what you
are currently running.</p><p>In the descriptions that follows, the term
<span class="emphasis"><em>group</em></span> refers to a particular network or subnetwork
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/useful_links.html new/shorewall-docs-html-5.2.3.1/useful_links.html
--- old/shorewall-docs-html-5.2.3/useful_links.html 2019-02-11 23:51:42.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/useful_links.html 2019-02-26 19:01:54.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><div class="informaltable"><table class="informaltable" border="0"><colgroup><col /></colgroup><tbody valign="middle"><tr><td align="left" valign="middle">NIST <span class="emphasis"><em>Guide on Firewalls and Firewall
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><div class="informaltable"><table class="informaltable" border="0"><colgroup><col /></colgroup><tbody valign="middle"><tr><td align="left" valign="middle">NIST <span class="emphasis"><em>Guide on Firewalls and Firewall
Policy</em></span> - <a class="ulink" href="http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf" target="_top">http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf</a></td></tr><tr><td align="left" valign="middle">PPPPPPPS ( or, Paul's Principles for Practical Provision of
Packet Processing with Shorewall ) <a class="ulink" href="http://linuxman.wikispaces.com/PPPPPPS" target="_top">http://linuxman.wikispaces.com/PPPPPPS</a></td></tr><tr valign="middle"><td align="left" valign="middle">Netfilter Site: <a class="ulink" href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a></td></tr><tr valign="middle"><td align="left" valign="middle">Linux Advanced Routing and Traffic Control
Howto: <a class="ulink" href="http://lartc.org/" target="_top">http://lartc.org/</a></td></tr><tr valign="middle"><td align="left" valign="middle">Clustering Shorewall: <a class="ulink" href="http://linuxman.wikispaces.com/Clustering+Shorewall" target="_top">http://linuxman.wikispaces.com/Clustering+Shorewall</a></td></tr><tr valign="middle"><td align="left" valign="middle">Iproute Downloads: <a class="ulink" href="https://www.kernel.org/pub/linux/utils/net/iproute2/" target="_top">https://www.kernel.org/pub/linux/utils/net/iproute2/</a></td></tr><tr valign="middle"><td align="left" valign="middle">LEAF Site: <a class="ulink" href="http://leaf.sourceforge.net" target="_top">http://leaf.sourceforge.net</a></td></tr><tr valign="middle"><td align="left" valign="middle">Bering uClibc LEAF Distribution: <a class="ulink" href="http://leaf.sourceforge.net/bering-uclibc/" target="_top">http://leaf.sourceforge.net/bering-uclibc/</a></td></tr><tr valign="middle"><td align="left" valign="middle">Iptables Tutorial: <a class="ulink" href="https://www.frozentux.net/documents/iptables-tutorial/" target="_top">https://www.frozentux.net/documents/iptables-tutorial/</a></td></tr><tr valign="middle"><td align="left" valign="middle">Debian apt-get sources for Shorewall: <a class="ulink" href="http://people.connexer.com/~roberto/debian/" target="_top">http://people.connexer.com/~roberto/debian/</a></td></tr><tr valign="middle"><td align="left" valign="middle">About the Shorewall Author: <a class="ulink" href="http://www.shorewall.net/shoreline.htm" target="_top">http://www.shorewall.net/shoreline.htm</a></td></tr><tr valign="middle"><td align="left" valign="middle">Tom's 2005 LinuxFest NW Presentation - "Shorewall and Native
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-docs-html-5.2.3/whitelisting_under_shorewall.htm new/shorewall-docs-html-5.2.3.1/whitelisting_under_shorewall.htm
--- old/shorewall-docs-html-5.2.3/whitelisting_under_shorewall.htm 2019-02-11 23:51:44.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.1/whitelisting_under_shorewall.htm 2019-02-26 19:01:55.000000000 +0100
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink" href="copyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/11</p></div></div><hr /></div><p>White lists are most often used to give special privileges to a set of
+ License</a></span>”</span>.</p></div></div><div><p class="pubdate">2019/02/26</p></div></div><hr /></div><p>White lists are most often used to give special privileges to a set of
hosts within an organization. Let us suppose that we have the following
environment:</p><div class="itemizedlist"><ul class="itemizedlist compact" style="list-style-type: bullet; "><li class="listitem" style="list-style-type: disc"><p>A firewall with three interfaces -- one to the Internet, one to a
local network and one to a <acronym class="acronym">DMZ</acronym>.</p></li><li class="listitem" style="list-style-type: disc"><p>The local network uses <acronym class="acronym">SNAT</acronym> to the Internet and
++++++ shorewall-init-5.2.3.tar.bz2 -> shorewall-init-5.2.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/changelog.txt new/shorewall-init-5.2.3.1/changelog.txt
--- old/shorewall-init-5.2.3/changelog.txt 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,3 +1,9 @@
+Changes in 5.2.3.1
+
+1) Update release documents.
+
+2) Correct issue with policy file zone exclusion.
+
Changes in 5.2.3 Final
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/configure new/shorewall-init-5.2.3.1/configure
--- old/shorewall-init-5.2.3/configure 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/configure 2019-02-26 18:58:36.000000000 +0100
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3
+VERSION=5.2.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/configure.pl new/shorewall-init-5.2.3.1/configure.pl
--- old/shorewall-init-5.2.3/configure.pl 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000 +0100
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3'
+ VERSION => '5.2.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/install.sh new/shorewall-init-5.2.3.1/install.sh
--- old/shorewall-init-5.2.3/install.sh 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000 +0100
@@ -27,7 +27,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=5.2.3
+VERSION=5.2.3.1
PRODUCT=shorewall-init
Product="Shorewall Init"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/releasenotes.txt new/shorewall-init-5.2.3.1/releasenotes.txt
--- old/shorewall-init-5.2.3/releasenotes.txt 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3
+ S H O R E W A L L 5 . 2 . 3 . 1
-------------------------------
- F E B R U A R Y 1 5 , 2 0 1 9
+ F E B R U A R Y 2 6 , 2 0 1 9
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,8 +14,20 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Previously, to prevent a helper kernel module from being loaded, it
- was necessary to list both its current name and its
+5.2.3.1
+
+1) An issue in the implementation of policy file zone exclusion,
+ released in 5.2.3 has been resolved. In the original release,
+ if more than one zone was excluded, then the following error was
+ raised:
+
+ ERROR: 'all' is not allowed in a source zone list
+ etc/shorewall/policy (line ...)
+
+5.2.3
+
+1) To prevent a helper kernel module from being loaded, it was
+ previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
@@ -60,9 +72,7 @@
4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
- LOAD_HELPERS_ONLY=Yes had been specified. As part of this change,
- the pre-kernel 2.6.20 modules have been removed from the helpers
- file.
+ LOAD_HELPERS_ONLY=Yes had been specified.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/shorewall-init.spec new/shorewall-init-5.2.3.1/shorewall-init.spec
--- old/shorewall-init-5.2.3/shorewall-init.spec 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/shorewall-init.spec 2019-02-26 18:58:36.000000000 +0100
@@ -1,6 +1,6 @@
%define name shorewall-init
%define version 5.2.3
-%define release 0base
+%define release 1
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@@ -135,6 +135,8 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Tue Feb 26 2019 Tom Eastep tom@shorewall.net
+- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0base
* Wed Feb 06 2019 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.3/uninstall.sh new/shorewall-init-5.2.3.1/uninstall.sh
--- old/shorewall-init-5.2.3/uninstall.sh 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-init-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000 +0100
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.2.3
+VERSION=5.2.3.1
PRODUCT=shorewall-init
Product="Shorewall Init"
++++++ shorewall-lite-5.2.3.tar.bz2 -> shorewall-lite-5.2.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/changelog.txt new/shorewall-lite-5.2.3.1/changelog.txt
--- old/shorewall-lite-5.2.3/changelog.txt 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,3 +1,9 @@
+Changes in 5.2.3.1
+
+1) Update release documents.
+
+2) Correct issue with policy file zone exclusion.
+
Changes in 5.2.3 Final
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/configure new/shorewall-lite-5.2.3.1/configure
--- old/shorewall-lite-5.2.3/configure 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/configure 2019-02-26 18:58:36.000000000 +0100
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3
+VERSION=5.2.3.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/configure.pl new/shorewall-lite-5.2.3.1/configure.pl
--- old/shorewall-lite-5.2.3/configure.pl 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000 +0100
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3'
+ VERSION => '5.2.3.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/install.sh new/shorewall-lite-5.2.3.1/install.sh
--- old/shorewall-lite-5.2.3/install.sh 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000 +0100
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=5.2.3
+VERSION=5.2.3.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/releasenotes.txt new/shorewall-lite-5.2.3.1/releasenotes.txt
--- old/shorewall-lite-5.2.3/releasenotes.txt 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000 +0100
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3
+ S H O R E W A L L 5 . 2 . 3 . 1
-------------------------------
- F E B R U A R Y 1 5 , 2 0 1 9
+ F E B R U A R Y 2 6 , 2 0 1 9
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,8 +14,20 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Previously, to prevent a helper kernel module from being loaded, it
- was necessary to list both its current name and its
+5.2.3.1
+
+1) An issue in the implementation of policy file zone exclusion,
+ released in 5.2.3 has been resolved. In the original release,
+ if more than one zone was excluded, then the following error was
+ raised:
+
+ ERROR: 'all' is not allowed in a source zone list
+ etc/shorewall/policy (line ...)
+
+5.2.3
+
+1) To prevent a helper kernel module from being loaded, it was
+ previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
@@ -60,9 +72,7 @@
4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
- LOAD_HELPERS_ONLY=Yes had been specified. As part of this change,
- the pre-kernel 2.6.20 modules have been removed from the helpers
- file.
+ LOAD_HELPERS_ONLY=Yes had been specified.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/shorewall-lite.spec new/shorewall-lite-5.2.3.1/shorewall-lite.spec
--- old/shorewall-lite-5.2.3/shorewall-lite.spec 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/shorewall-lite.spec 2019-02-26 18:58:36.000000000 +0100
@@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 5.2.3
-%define release 0base
+%define release 1
%define initdir /etc/init.d
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -114,6 +114,8 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Tue Feb 26 2019 Tom Eastep tom@shorewall.net
+- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0base
* Wed Feb 06 2019 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.3/uninstall.sh new/shorewall-lite-5.2.3.1/uninstall.sh
--- old/shorewall-lite-5.2.3/uninstall.sh 2019-02-11 23:48:20.000000000 +0100
+++ new/shorewall-lite-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000 +0100
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.2.3
+VERSION=5.2.3.1
usage() # $1 = exit status
{
++++++ shorewall-5.2.3.tar.bz2 -> shorewall6-5.2.3.1.tar.bz2 ++++++
++++ 121549 lines of diff (skipped)
++++++ shorewall-lite-5.2.3.tar.bz2 -> shorewall6-lite-5.2.3.1.tar.bz2 ++++++
++++ 3017 lines of diff (skipped)