Mailinglist Archive: opensuse-commit (1903 mails)

commit shorewall for openSUSE:Factory
Hello community,

here is the log from the commit of package shorewall for openSUSE:Factory
checked in at 2019-04-15 13:59:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new.17052 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shorewall"

Mon Apr 15 13:59:48 2019 rev:107 rq:694187 version:5.2.3.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2019-03-01
16:48:05.925783784 +0100
+++ /work/SRC/openSUSE:Factory/.shorewall.new.17052/shorewall.changes
2019-04-15 13:59:56.944717677 +0200
@@ -1,0 +2,16 @@
+Mon Apr 15 08:41:56 UTC 2019 - Bruno Friedmann <bruno@xxxxxxxxxxx>
+
+- Update to bugfix minor 5.2.3.3
+ Previously, if an ipset was specified in an SPORT column, the
+ compiler would raise an error similar to:
+ ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+- Update to bugfix minor 5.2.3.2
+ Shorewall 5.2 automatically converts an existing 'masq' file to an
+ equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+ automatic update, such that the following error message was issued:
+ Use of uninitialized value $Shorewall::Nat::raw::currentline in
+ pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+ line 511, <$currentfile> line nnn. and the generated 'masq'
+ file contains only initial comments. That has been corrected.
+
+-------------------------------------------------------------------
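Review bot: In the 5.2.3.2 entry the quoted Perl warning runs straight into the description ("line nnn. and the generated 'masq' file contains only initial comments"), so a reader cannot tell where the error text ends; set the warning off on its own indented lines, as releasenotes.txt does. The 5.2.3.3 entry states only the old symptom ("the compiler would raise an error similar to: ...") and never says it is fixed; close it with "That has been corrected." as the 5.2.3.2 entry does.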

Old:
----
shorewall-5.2.3.1.tar.bz2
shorewall-core-5.2.3.1.tar.bz2
shorewall-docs-html-5.2.3.1.tar.bz2
shorewall-init-5.2.3.1.tar.bz2
shorewall-lite-5.2.3.1.tar.bz2
shorewall6-5.2.3.1.tar.bz2
shorewall6-lite-5.2.3.1.tar.bz2

New:
----
shorewall-5.2.3.3.tar.bz2
shorewall-core-5.2.3.3.tar.bz2
shorewall-docs-html-5.2.3.3.tar.bz2
shorewall-init-5.2.3.3.tar.bz2
shorewall-lite-5.2.3.3.tar.bz2
shorewall6-5.2.3.3.tar.bz2
shorewall6-lite-5.2.3.3.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.xgEGkw/_old 2019-04-15 13:59:58.172718078 +0200
+++ /var/tmp/diff_new_pack.xgEGkw/_new 2019-04-15 13:59:58.176718079 +0200
@@ -24,7 +24,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: shorewall
-Version: 5.2.3.1
+Version: 5.2.3.3
Release: 0
Summary: An iptables-based firewall for Linux systems
License: GPL-2.0-only

++++++ shorewall-5.2.3.1.tar.bz2 -> shorewall-5.2.3.3.tar.bz2 ++++++
++++ 2648 lines of diff (skipped)

++++++ shorewall-core-5.2.3.1.tar.bz2 -> shorewall-core-5.2.3.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/changelog.txt
new/shorewall-core-5.2.3.3/changelog.txt
--- old/shorewall-core-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-core-5.2.3.3/changelog.txt 2019-04-12 04:05:49.000000000
+0200
@@ -1,3 +1,15 @@
+Changes in 5.2.3.3
+
+1) Update release documents.
+
+2) Document fix for an ipset in the SPORT column.
+
+Changes in 5.2.3.2
+
+1) Update release documents.
+
+2) Document fix for masq file auto-update.
+
Changes in 5.2.3.1

1) Update release documents.
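Review bot: Both new sections record only documentation work ("Document fix for an ipset in the SPORT column", "Document fix for masq file auto-update") and do not name the code change that corrects the compiler. The 2648-line shorewall-5.2.3.3.tar.bz2 diff is skipped in this mail, so the fix cannot be checked from here; add one changelog line per release that names the fix itself, so the entry can be matched to the code change.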
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/configure
new/shorewall-core-5.2.3.3/configure
--- old/shorewall-core-5.2.3.1/configure 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-core-5.2.3.3/configure 2019-04-12 04:05:49.000000000
+0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3.1
+VERSION=5.2.3.3

case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/configure.pl
new/shorewall-core-5.2.3.3/configure.pl
--- old/shorewall-core-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-core-5.2.3.3/configure.pl 2019-04-12 04:05:49.000000000
+0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3.1'
+ VERSION => '5.2.3.3'
};

my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/install.sh
new/shorewall-core-5.2.3.3/install.sh
--- old/shorewall-core-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-core-5.2.3.3/install.sh 2019-04-12 04:05:49.000000000
+0200
@@ -22,7 +22,7 @@
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#

-VERSION=5.2.3.1
+VERSION=5.2.3.3
PRODUCT=shorewall-core
Product="Shorewall Core"

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/known_problems.txt
new/shorewall-core-5.2.3.3/known_problems.txt
--- old/shorewall-core-5.2.3.1/known_problems.txt 2019-02-26
18:58:36.000000000 +0100
+++ new/shorewall-core-5.2.3.3/known_problems.txt 2019-04-12
04:05:49.000000000 +0200
@@ -20,3 +20,28 @@
/etc/shorewall/policy (line 8)

Corrected in Shorewall 5.2.3.1
+
+5) Shorewall 5.2 automatically converts and existing 'masq' file to an
+ equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+ automatic update, such that the following error message was issued:
+
+ Use of uninitialized value $Shorewall::Nat::rawcurrentline in
+ pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+ line 511, <$currentfile> line nnn.
+
+ and the generted 'masq' file contains only initial comments.
+
+ Workaround:
+
+ After upgrading to 5.2.3, issue this command:
+
+ 'shorewall[6] update'
+
+ Corrected in 5.2.3.2.
+
+6) If an ipset is listed in the SPORT column, the compiler raises
+ an error similar to:
+
+ ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+
+ Corrected in 5.2.3.3.
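Review bot: The warning quoted in item 5 names the variable $Shorewall::Nat::rawcurrentline, while the same message in releasenotes.txt and in shorewall.changes reads $Shorewall::Nat::raw::currentline. One of the two spellings is wrong, and users will search for this string, so copy it verbatim from the actual Perl output and use the same form in all three files.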
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/manpages/shorewall.8
new/shorewall-core-5.2.3.3/manpages/shorewall.8
--- old/shorewall-core-5.2.3.1/manpages/shorewall.8 2019-02-11
23:50:19.000000000 +0100
+++ new/shorewall-core-5.2.3.3/manpages/shorewall.8 2019-04-12
04:07:53.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 02/11/2019
+.\" Date: 04/11/2019
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL" "8" "02/11/2019" "Administrative Commands" "Administrative
Commands"
+.TH "SHOREWALL" "8" "04/11/2019" "Administrative Commands" "Administrative
Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -2047,110 +2047,110 @@
.IP " 1." 4
http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
.RS 4
-\%http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
+\%http://www.shorewall.org/starting_and_stopping_shorewall.htm#Trace
.RE
.IP " 2." 4
shorewall.conf
.RS 4
-\%http://www.shorewall.net/manpages/shorewall.conf.html
+\%http://www.shorewall.org/manpages/shorewall.conf.html
.RE
.IP " 3." 4
shorewall6.conf
.RS 4
-\%http://www.shorewall.net/manpages6/shorewall6.conf.html
+\%http://www.shorewall.org/manpages6/shorewall6.conf.html
.RE
.IP " 4." 4
shorewall-interfaces
.RS 4
-\%http://www.shorewall.net/manpages/shorewall-interfaces.html
+\%http://www.shorewall.org/manpages/shorewall-interfaces.html
.RE
.IP " 5." 4
shorewall6-interfaces
.RS 4
-\%http://www.shorewall.net/manpages6/shorewall6-interfaces.html
+\%http://www.shorewall.org/manpages6/shorewall6-interfaces.html
.RE
.IP " 6." 4
shorewall-zones
.RS 4
-\%http://www.shorewall.net/manpages/shorewall-zones.html
+\%http://www.shorewall.org/manpages/shorewall-zones.html
.RE
.IP " 7." 4
shorewall6-zones
.RS 4
-\%http://www.shorewall.net???
+\%http://www.shorewall.org???
.RE
.IP " 8." 4
shorewall6-zones
.RS 4
-\%http://www.shorewall.net/manpages6/shorewall6-zones.html
+\%http://www.shorewall.org/manpages6/shorewall6-zones.html
.RE
.IP " 9." 4
shorewall-routes
.RS 4
-\%http://www.shorewall.net/manpages/shorewall-routes.html
+\%http://www.shorewall.org/manpages/shorewall-routes.html
.RE
.IP "10." 4
shorewall6-routes
.RS 4
-\%http://www.shorewall.net/manpages/shorewall6-routes.html
+\%http://www.shorewall.org/manpages/shorewall6-routes.html
.RE
.IP "11." 4
logging backend
.RS 4
-\%http://www.shorewall.net/shorewall_logging.html#Backends
+\%http://www.shorewall.org/shorewall_logging.html#Backends
.RE
.IP "12." 4
shorewall.conf
.RS 4
-\%http://www.shorewall.netshorewall.conf.html
+\%http://www.shorewall.orgshorewall.conf.html
.RE
.IP "13." 4
shorewall6.conf(5)
.RS 4
-\%http://www.shorewall.netshorewall6.conf.html
+\%http://www.shorewall.orgshorewall6.conf.html
.RE
.IP "14." 4
shorewall-accounting
.RS 4
-\%http://www.shorewall.net/manpages/shorewall-accounting.html
+\%http://www.shorewall.org/manpages/shorewall-accounting.html
.RE
.IP "15." 4
shorewall6-accounting
.RS 4
-\%http://www.shorewall.net/manpages6/shorewall6-accounting.html
+\%http://www.shorewall.org/manpages6/shorewall6-accounting.html
.RE
.IP "16." 4
shorewall-routestopped
.RS 4
-\%http://www.shorewall.net/manpages/shorewall-routestopped.html
+\%http://www.shorewall.org/manpages/shorewall-routestopped.html
.RE
.IP "17." 4
http://www.shorewall.net/starting_and_stopping_shorewall.htm
.RS 4
-\%http://www.shorewall.net/starting_and_stopping_shorewall.htm
+\%http://www.shorewall.org/starting_and_stopping_shorewall.htm
.RE
.IP "18." 4
shorewall-files(5)
.RS 4
-\%http://www.shorewall.netshorewall-files.html
+\%http://www.shorewall.orgshorewall-files.html
.RE
.IP "19." 4
shorewall-names(5)
.RS 4
-\%http://www.shorewall.netshorewall-names.html
+\%http://www.shorewall.orgshorewall-names.html
.RE
.IP "20." 4
shorewall-addresses(5)
.RS 4
-\%http://www.shorewall.netshorewall-addresses.html
+\%http://www.shorewall.orgshorewall-addresses.html
.RE
.IP "21." 4
shorewall-exclusion(5)
.RS 4
-\%http://www.shorewall.netshorewall-exclusion.html
+\%http://www.shorewall.orgshorewall-exclusion.html
.RE
.IP "22." 4
shorewall-nesting(5)
.RS 4
-\%http://www.shorewall.netshorewall-nesting.html
+\%http://www.shorewall.orgshorewall-nesting.html
.RE
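Review bot: The host swap from shorewall.net to shorewall.org was applied to links that were already malformed, so entries 12, 13 and 18 to 22 still lack the slash after the host ("http://www.shorewall.orgshorewall.conf.html") and entry 7 is still "http://www.shorewall.org???". Entries 1 and 17 keep the old http://www.shorewall.net/... address as the visible label while the target changes to .org, and entry 10 (shorewall6-routes) points under /manpages/ where the other shorewall6 entries use /manpages6/. The header in this file names DocBook XSL Stylesheets as the generator, so these want correcting in the source document and regenerating, not by editing shorewall.8.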
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/releasenotes.txt
new/shorewall-core-5.2.3.3/releasenotes.txt
--- old/shorewall-core-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-core-5.2.3.3/releasenotes.txt 2019-04-12 04:05:49.000000000
+0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3 . 1
+ S H O R E W A L L 5 . 2 . 3 . 3
-------------------------------
- F E B R U A R Y 2 6 , 2 0 1 9
+ A P R I L 1 2 , 2 0 1 9
----------------------------------------------------------------------------

I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,6 +14,29 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------

+5.2.3.3
+
+1) Previously, if an ipset was specified in an SPORT column, the
+ compiler would raise an error similar to:
+
+ ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+
+ That has been corrected.
+
+5.2.3.2
+
+1) Shorewall 5.2 automatically converts and existing 'masq' file to an
+ equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+ automatic update, such that the following error message was issued:
+
+ Use of uninitialized value $Shorewall::Nat::raw::currentline in
+ pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+ line 511, <$currentfile> line nnn.
+
+ and the generted 'masq' file contains only initial comments.
+
+ That has been corrected.
+
5.2.3.1

1) An issue in the implementation of policy file zone exclusion,
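Review bot: Two typos in the added 5.2.3.2 text: "converts and existing 'masq' file" should read "an existing", and "the generted 'masq' file" should read "generated". The package changelog in shorewall.changes already carries the corrected wording, so the upstream text and the packaged summary currently disagree.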
@@ -79,7 +102,7 @@
----------------------------------------------------------------------------

If you are migrating from Shorewall 4.6.x or earlier, please see
-
http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
+
http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt

Immediately after installing Shorewall 5.2.x, we recommend that you run
'shorewall[6] update'. This command will handle many of the migration
@@ -205,7 +228,7 @@
With these changes, the Drop and Reject policy actions are now
deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
- the reader to http://www.shorewall.net/Actions.html#Default.
+ the reader to http://www.shorewall.org/Actions.html#Default.

This issue is partially handled by 'shorewall update' - see
the 5.2 issues below.
@@ -863,7 +886,7 @@

6) For installing into a Sandbox, the file shorewallrc.sandbox has
been added to Shorewall-core. See
- http://www.shorewall.net/install.htm#idm327.
+ http://www.shorewall.org/install.htm#idm327.

7) The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
and has been deleted. This removal has introduced a new
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/shorewall-core.spec
new/shorewall-core-5.2.3.3/shorewall-core.spec
--- old/shorewall-core-5.2.3.1/shorewall-core.spec 2019-02-26
18:58:36.000000000 +0100
+++ new/shorewall-core-5.2.3.3/shorewall-core.spec 2019-04-12
04:05:49.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-core
%define version 5.2.3
-%define release 1
+%define release 3

Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -10,7 +10,7 @@
Packager: Tom Eastep <teastep@xxxxxxxxxxxxx>
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
+URL: http://www.shorewall.org/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root1
Requires: iptables iproute perl
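Review bot: The URL tag moves to the new host but stays on plain http ("URL: http://www.shorewall.org/"). If the new site is served over HTTPS, use the https form here and in the other links this commit rewrites, so the project link shipped in the package metadata for a firewall is not a cleartext one.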
@@ -69,6 +69,10 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt

%changelog
+* Thu Apr 11 2019 Tom Eastep tom@xxxxxxxxxxxxx
+- Updated to 5.2.3-3
+* Sun Mar 17 2019 Tom Eastep tom@xxxxxxxxxxxxx
+- Updated to 5.2.3-2
* Tue Feb 26 2019 Tom Eastep tom@xxxxxxxxxxxxx
- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@xxxxxxxxxxxxx
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-core-5.2.3.1/uninstall.sh
new/shorewall-core-5.2.3.3/uninstall.sh
--- old/shorewall-core-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-core-5.2.3.3/uninstall.sh 2019-04-12 04:05:49.000000000
+0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall

-VERSION=5.2.3.1
+VERSION=5.2.3.3
PRODUCT=shorewall-core
Product="Shorewall Core"


++++++ shorewall-docs-html-5.2.3.1.tar.bz2 ->
shorewall-docs-html-5.2.3.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/6to4.htm
new/shorewall-docs-html-5.2.3.3/6to4.htm
--- old/shorewall-docs-html-5.2.3.1/6to4.htm 2019-02-26 19:01:08.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/6to4.htm 2019-04-12 04:08:29.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#FeetWet">Getting your Feet Wet with IPv6, by Tom
Eastep</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm30">Configuring IPv6 using my script</a></span></dt><dt><span
class="section"><a href="#idm100">Configuring IPv6 the Debian
Way</a></span></dt><dt><span class="section"><a href="#idm137">Configuring
Shorewall</a></span></dt><dt><span class="section"><a
href="#idm143">Configuring Shorewall6</a></span></dt></dl></dd><dt><span
class="section"><a href="#SixInFour">6in4 Tunnel</a></span></dt><dt><span
class="section"><a href="#Tunnel6to4">Connecting two IPv6 Networks, by Eric de
Thouars</a></span></dt></dl></div><p>6to4 tunneling with Shorewall can be used
to connect your IPv6 network
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#FeetWet">Getting your Feet Wet with IPv6, by Tom
Eastep</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm30">Configuring IPv6 using my script</a></span></dt><dt><span
class="section"><a href="#idm100">Configuring IPv6 the Debian
Way</a></span></dt><dt><span class="section"><a href="#idm137">Configuring
Shorewall</a></span></dt><dt><span class="section"><a
href="#idm143">Configuring Shorewall6</a></span></dt></dl></dd><dt><span
class="section"><a href="#SixInFour">6in4 Tunnel</a></span></dt><dt><span
class="section"><a href="#Tunnel6to4">Connecting two IPv6 Networks, by Eric de
Thouars</a></span></dt></dl></div><p>6to4 tunneling with Shorewall can be used
to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure. It can also allow you
to experiment with IPv6 even if your ISP doesn't provide IPv6
connectivity.</p><p>More information on Linux and IPv6 can be found in the
<a class="ulink" href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO";
target="_top">Linux IPv6 HOWTO</a>.
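Review bot: The removed and added lines here differ only in the pubdate value (2019/02/26 against 2019/04/11), yet the whole title-page and table-of-contents line is repeated because the page keeps that markup on a single line. The same pattern recurs for the other docs-html files and buries the substantive changes; consider excluding the regenerated HTML from the commit diff, as is already done for the shorewall tarball, or stamping the date on a line of its own.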
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Accounting.html
new/shorewall-docs-html-5.2.3.3/Accounting.html
--- old/shorewall-docs-html-5.2.3.1/Accounting.html 2019-02-26
19:01:08.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Accounting.html 2019-04-12
04:08:30.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Basics">Accounting Basics</a></span></dt><dt><span
class="section"><a href="#Bridge">Accounting with
Bridges</a></span></dt><dt><span class="section"><a href="#idm89">Sectioned
Accounting Rules</a></span></dt><dt><span class="section"><a
href="#Collectd">Integrating Shorewall Accounting with
Collectd</a></span></dt><dt><span class="section"><a href="#perIP">Per-IP
Accounting</a></span></dt><dt><span class="section"><a
href="#nfacct">Accounting using nfacct</a></span></dt><dt><span
class="section"><a href="#idm248">Preserving Counters over Restart and
Reboot</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Basics">Accounting Basics</a></span></dt><dt><span
class="section"><a href="#Bridge">Accounting with
Bridges</a></span></dt><dt><span class="section"><a href="#idm89">Sectioned
Accounting Rules</a></span></dt><dt><span class="section"><a
href="#Collectd">Integrating Shorewall Accounting with
Collectd</a></span></dt><dt><span class="section"><a href="#perIP">Per-IP
Accounting</a></span></dt><dt><span class="section"><a
href="#nfacct">Accounting using nfacct</a></span></dt><dt><span
class="section"><a href="#idm248">Preserving Counters over Restart and
Reboot</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release</strong></span>.</p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Basics"></a>Accounting Basics</h2></div></div></div><p>Shorewall accounting
rules are described in the file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Actions.html
new/shorewall-docs-html-5.2.3.3/Actions.html
--- old/shorewall-docs-html-5.2.3.1/Actions.html 2019-02-26
19:01:09.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Actions.html 2019-04-12
04:08:30.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">What are Shorewall
Actions?</a></span></dt><dt><span class="section"><a href="#Default">Policy
Actions (Formerly Default Actions)</a></span></dt><dt><span class="section"><a
href="#Defining">Defining your own Actions</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm198">Shorewall 5.0.0 and
Later.</a></span></dt><dt><span class="section"><a href="#idm227">Mangle
Actions</a></span></dt></dl></dd><dt><span class="section"><a
href="#Logging">Actions and Logging</a></span></dt><dt><span class="section"><a
href="#Embedded">Using Embedded Perl in an Action</a></span></dt><dt><span
class="section"><a href="#Extension">Creating an Action using an Extension
Script (deprecated in favor
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">What are Shorewall
Actions?</a></span></dt><dt><span class="section"><a href="#Default">Policy
Actions (Formerly Default Actions)</a></span></dt><dt><span class="section"><a
href="#Defining">Defining your own Actions</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm198">Shorewall 5.0.0 and
Later.</a></span></dt><dt><span class="section"><a href="#idm227">Mangle
Actions</a></span></dt></dl></dd><dt><span class="section"><a
href="#Logging">Actions and Logging</a></span></dt><dt><span class="section"><a
href="#Embedded">Using Embedded Perl in an Action</a></span></dt><dt><span
class="section"><a href="#Extension">Creating an Action using an Extension
Script (deprecated in favor
of BEGIN PERL ... END PERL)</a></span></dt><dt><span class="section"><a
href="#Limit">Limiting Per-IP Connection Rate using the Limit
Action</a></span></dt><dd><dl><dt><span class="section"><a href="#LimitImp">How
Limit is Implemented</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm507">Mangle Actions</a></span></dt><dt><span class="section"><a
href="#idm538">SNAT Actions</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Anatomy.html
new/shorewall-docs-html-5.2.3.3/Anatomy.html
--- old/shorewall-docs-html-5.2.3.1/Anatomy.html 2019-02-26
19:01:10.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Anatomy.html 2019-04-12
04:08:31.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Products">Products</a></span></dt><dt><span
class="section"><a href="#Shorewall">Shorewall</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin">/sbin ($SBINDIR)</a></span></dt><dt><span
class="section"><a href="#share-shorewall">/usr/share/shorewall
(${SHAREDIR}/shorewall)</a></span></dt><dt><span class="section"><a
href="#shorewall">/etc/shorewall
(${CONFDIR}/shorewall)</a></span></dt><dt><span class="section"><a
href="#init">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Products">Products</a></span></dt><dt><span
class="section"><a href="#Shorewall">Shorewall</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin">/sbin ($SBINDIR)</a></span></dt><dt><span
class="section"><a href="#share-shorewall">/usr/share/shorewall
(${SHAREDIR}/shorewall)</a></span></dt><dt><span class="section"><a
href="#shorewall">/etc/shorewall
(${CONFDIR}/shorewall)</a></span></dt><dt><span class="section"><a
href="#init">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</a></span></dt><dt><span
class="section"><a href="#var">/var/lib/shorewall
(${VARLIB}/shorewall)</a></span></dt></dl></dd><dt><span class="section"><a
href="#Shorewall-perl">Shorewall6</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin6">/sbin ($SBINDIR)</a></span></dt><dt><span
class="section"><a href="#share-shorewall6">/usr/share/shorewall6
(${SHAREDIR}/shorewall6)</a></span></dt><dt><span class="section"><a
href="#etc-shorewall6">/etc/shorewall6
(${CONFDIR}/shorewall6)</a></span></dt><dt><span class="section"><a
href="#init6">/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</a></span></dt><dt><span
class="section"><a href="#var-shorewall6">/var/lib/shorewall6
(${VARLIB}/shorewall6)</a></span></dt></dl></dd><dt><span class="section"><a
href="#Shorewall-lite">Shorewall-lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin-lite">/sbin ($SBINDIR)</a></span></dt><dt><span
class="section"><a href="#init-lite">/etc/init.d or /etc/rc.d (depends on
distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</a></span></dt><dt><span
class="section"><a href="#shorewall-lite">/etc/shorewall-lite
(${CONFDIR}/shorewall-lite)</a></span></dt><dt><span class="section"><a
href="#share-lite">/usr/share/shorewall-lite
(${SHAREDIR}/shorewall-lite)</a></span></dt><dt><span class="section"><a
href="#var-lite">/var/lib/shorewall-lite
(${VARLIB}/shorewall-lite)</a></span></dt></dl></dd><dt><span
class="section"><a
href="#Shorewall6-lite">Shorewall6-lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin-lite6">/sbin</a></span></dt><dt><span
class="section"><a href="#init-6lite">/etc/init.d or /etc/rc.d (depends on
distribution) ($INITDIR) or
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Anatomy_ru.html
new/shorewall-docs-html-5.2.3.3/Anatomy_ru.html
--- old/shorewall-docs-html-5.2.3.1/Anatomy_ru.html 2019-02-26
19:01:09.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Anatomy_ru.html 2019-04-12
04:08:30.000000000 +0200
@@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";><html
xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" /><title>Анатомия Shorewall 4.0</title><link
rel="stylesheet" type="text/css" href="html.css" /><meta name="generator"
content="DocBook XSL Stylesheets V1.79.1" /></head><body><div
class="article"><div class="titlepage"><div><div><h2 class="title"><a
id="idm1"></a>Анатомия Shorewall 4.0</h2></div><div><div
class="authorgroup"><div class="author"><h3 class="author"><span
class="firstname">Tom</span> <span
class="surname">Eastep</span></h3></div></div></div><div><p
class="copyright">Copyright © 2007 Thomas M. Eastep</p></div><div><p
class="copyright">Copyright © 2007 Russian Translation: Grigory
Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот
документ разрешается копировать, распространять и/или изменять при выполнении
условий лицензии GNU Free Documentation License версии 1.2 или более поздней,
опубликованной Free Software Foundation; без неизменяемых разделов, без текста
на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по
ссылке <span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Products">Продукты</a></span></dt><dt><span
class="section"><a
href="#Shorewall">Shorewall-common</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin">/sbin</a></span></dt><dt><span
class="section"><a
href="#share-shorewall">/usr/share/shorewall</a></span></dt><dt><span
class="section"><a href="#shorewall">/etc/shorewall</a></span></dt><dt><span
class="section"><a href="#init">/etc/init.d или /etc/rc.d (зависит от
дистрибутива)</a></span></dt><dt><span class="section"><a
href="#var">/var/lib/shorewall</a></span></dt></dl></dd><dt><span
class="section"><a
href="#Shorewall-shell">Shorewall-shell</a></span></dt><dt><span
class="section"><a
href="#Shorewall-perl">Shorewall-perl</a></span></dt><dt><span
class="section"><a
href="#Shorewall-lite">Shorewall-lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin-lite">/sbin</a></span></dt><dt><span
class="section"><a href="#init-lite">/etc/init.d или /etc/rc.d (зависит от
дистрибутива)</a></span></dt><dt><span class="section"><a
href="#shorewall-lite">/etc/shorewall-lite</a></span></dt><dt><span
class="section"><a
href="#share-lite">/usr/share/shorewall-lite</a></span></dt><dt><span
class="section"><a
href="#var-lite">/var/lib/shorewall-lite</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Products"></a>Продукты</h2></div></div></div><p>В
состав Shorewall 4.0 входят следующие четыре пакета. </p><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p><span
class="bold"><strong>Shorewall-common</strong></span>. Этот пакет необходимо
установить хотя бы в одной системе в вашей сети. В этой системе также должны
быть установлены Shorewall-shell и/или Shorewall-perl. </p></li><li
class="listitem"><p><span class="bold"><strong>Shorewall-shell</strong></span>.
Этот пакет содержит прежний компилятор конфигурации Shorewall, написанный на
Bourne Shell. Этот компилятор работает в большинстве систем, но он медленный, и
его сопровождение стало затруднительным.</p></li><li class="listitem"><p><span
class="bold"><strong>Shorewall-perl</strong></span>. Этот компилятор заменяет
Shorewall-shell и написан на языке Perl. Он работает на всех платформах Unix,
поддерживающих Perl (включая Cygwin), и рекомендуется для всех систем, где
Shorewall устанавливается заново. </p></li><li class="listitem"><p><span
class="bold"><strong>Shorewall-lite</strong></span>. В Shorewall предусмотрена
возможность централизованного управления несколькими системами файрволов. Для
этого применяется пакет Shorewall lite. Полностью продукт Shorewall, включая
Shorewall-shell и/или Shorewall-perl, устанавливается в центральной
административной системе, где генерируются сценарии Shorewall. Эти сценарии
копируются в системы файрволов, где они выполняются под управлением
Shorewall-lite. </p></li></ol></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall"></a>Shorewall-common</h2></div></div></div><p>Пакет
Shorewall-common включает много файлов, которые устанавливаются в каталоги
/<code class="filename">sbin</code>, <code
class="filename">/usr/share/shorewall</code>, <code
class="filename">/etc/shorewall</code>, <code
class="filename">/etc/init.d</code> и <code
class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="sbin"></a>/sbin</h3></div></div></div><p>Программа <code
class="filename">/sbin/shorewall</code> взаимодействует с Shorewall. См. <a
class="ulink" href="manpages/shorewall.html"
target="_top">shorewall</a>(8).</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="share-shorewall"></a>/usr/share/shorewall</h3></div></div></div><p>Здесь
устанавливаются основные файлы Shorewall. </p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">action.template</code> - файл
шаблонов для создания <a class="ulink" href="Actions.html"
target="_top">действий</a>.</p></li><li class="listitem"><p><code
class="filename">action.*</code> - стандартные действия Shorewall. </p></li><li
class="listitem"><p><code class="filename">actions.std</code> - в этом файле
перечислены стандартные действия. </p></li><li class="listitem"><p><code
class="filename">configfiles</code> - в этом каталоге содержатся файлы
конфигурации, при копировании которых создается <a class="ulink"
href="CompiledPrograms.html#Lite" target="_top">каталог экспорта
Shorewall-lite.</a></p></li><li class="listitem"><p><code
class="filename"><code class="filename">configpath</code></code> - здесь
содержится информация о путях, которая зависит от дистрибутива. </p></li><li
class="listitem"><p><code class="filename">firewall</code> - эта программа
обрабатывает команды <span class="command"><strong>add</strong></span> и <span
class="command"><strong>delete</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)). Кроме того, она
обрабатывает команды <span class="command"><strong>stop</strong></span> и <span
class="command"><strong>clear</strong></span>, если в системе нет текущего
скомпилированного сценария файрвола. </p></li><li class="listitem"><p><code
class="filename">functions</code> - ссылка на <code
class="filename">lib.base</code>, предусмотренная для совместимости с прежними
версиями Shorewall.</p></li><li class="listitem"><p><code
class="filename">init</code> - ссылка на сценарий инициализации (обычно это -
<code class="filename">/etc/init.d/shorewall</code>).</p></li><li
class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций
оболочки, используемые другими программами. </p></li><li
class="listitem"><p><code class="filename">macro.*</code> - стандартные <a
class="ulink" href="Macros.html" target="_top">макросы</a>
Shorewall.</p></li><li class="listitem"><p><code
class="filename">modules</code> - файл, управляющий загрузкой модулей Netfilter
ядра. Его можно переопределить в файле <code
class="filename">/etc/shorewall/modules</code>.</p></li><li
class="listitem"><p><code class="filename">version</code> - файл, в котором
указана текущая установленная версия Shorewall.</p></li><li
class="listitem"><p><code class="filename">wait4ifup</code> - программа,
которую могут использовать <a class="ulink"
href="shorewall_extension_scripts.htm" target="_top">сценарии расширения</a>
для ожидания готовности сетевого интерфейса. </p></li></ul></div></div><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="shorewall"></a>/etc/shorewall</h3></div></div></div><p>В этом каталоге
содержатся файлы конфигурации, настраиваемые пользователем. </p></div><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="init"></a>/etc/init.d или /etc/rc.d (зависит от
дистрибутива)</h3></div></div></div><p>Здесь устанавливается сценарий
инициализации. В зависимости от дистрибутива, он называется <code
class="filename">shorewall</code> или <code
class="filename">rc.firewall</code>.</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="var"></a>/var/lib/shorewall</h3></div></div></div><p>Shorewall не
устанавливает никаких файлов в этот каталог. Он используется для хранения
данных во время выполнения. Этот каталог можно перенести командой <a
class="ulink" href="manpages/shorewall-vardir.html"
target="_top">shorewall-vardir</a>(5).</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">chains</code> - если в <a
class="ulink" href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5) задан DYNAMIC_ZONES=Yes, то в этом файле
содержится информация для команд <span
class="command"><strong>add</strong></span> и <span
class="command"><strong>delete</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li
class="listitem"><p><code class="filename">.iptables-restore-input </code>-
этот файл передается программе iptables-restore для инициализации файрвола в
ходе выполнения последней команды <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li
class="listitem"><p><code class="filename">.modules</code> - содержимое файла
модулей, использованного последними командами <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li
class="listitem"><p><code class="filename">.modulesdir</code> - параметр
MODULESDIR (<a class="ulink" href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5)) в ходе выполнения последней команды <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart.</strong></span></p></li><li
class="listitem"><p><code class="filename">nat</code> - в этом файле (с
неудачным именем) записаны IP-адреса, добавленные при включенных опциях
ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink"
href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code
class="filename">proxyarp</code> - записи arp, добавленные элементами <a
class="ulink" href="manpages/shorewall-proxyarp.html"
target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code
class="filename">.refresh</code> - программа, которая выполнила последнюю
успешную команду <span class="command"><strong>refresh</strong></span>.
</p></li><li class="listitem"><p><code class="filename">.restart</code> -
программа, которая выполнила последнюю успешную команду <span
class="command"><strong>restart</strong></span>. </p></li><li
class="listitem"><p><code class="filename">restore</code> - программа по
умолчанию, выполняющая команды <span
class="command"><strong>restore</strong></span>. </p></li><li
class="listitem"><p><code class="filename">.restore</code> - программа, которая
выполнила последнюю успешную команду <span class="command"><strong>refresh,
restart</strong></span> или <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">save</code> - файл, созданный
командой <span class="command"><strong>save</strong></span> и используемый для
восстановления динамического чёрного списка в ходе выполнения команд <span
class="command"><strong>start/restart</strong></span>.</p></li><li
class="listitem"><p><code class="filename">.start</code> - программа, которая
выполнила последнюю успешную команду <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">state</code> - здесь записано
текущее состояние файрвола. </p></li><li class="listitem"><p><code
class="filename">zones</code> - здесь записано текущее состояние
зон.</p></li></ul></div></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall-shell"></a>Shorewall-shell</h2></div></div></div><p>Все файлы
продукта Shorewall-shell устанавливаются в каталоге /usr/share/<code
class="filename">shorewall-shell</code>.</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">compiler</code> - компилятор
конфигурации (программа shell). </p></li><li class="listitem"><p><code
class="filename">lib.*</code> - библиотеки функций оболочки, используемые
компилятором. Для уменьшения объема в встроенных системах могут быть
установлены не все библиотеки. </p></li><li class="listitem"><p><code
class="filename">prog.*</code> - фрагменты кода на shell, используемые
компилятором. </p></li><li class="listitem"><p><code
class="filename">version</code> - файл, в котором указана текущая установленная
версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall-perl"></a>Shorewall-perl</h2></div></div></div><p>Все файлы
продукта Shorewall-perl устанавливаются в каталоге /usr/share/<code
class="filename">shorewall-perl</code>.</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">buildports.pl</code> - программа на
Perl, которая компонует модуль Shorewall/Ports.pm во время установки.
</p></li><li class="listitem"><p><code class="filename">compiler</code> -
компилятор конфигурации (программа shell). </p></li><li
class="listitem"><p><code class="filename">prog.*</code> - фрагменты кода на
shell, используемые компилятором. </p></li><li class="listitem"><p><code
class="filename">Shorewall</code> - каталог, содержащий модули Shorewall Perl,
используемые компилятором. </p></li><li class="listitem"><p><code
class="filename">version</code> - файл, в котором указана текущая установленная
версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall-lite"></a>Shorewall-lite</h2></div></div></div><p>Файлы
Shorewall-lite устанавливаются в каталогах /<code class="filename">sbin</code>,
<code class="filename">/usr/share/shorewall-lite</code>, /etc/<code
class="filename">shorewall-lite</code>, <code
class="filename">/etc/init.d</code> и <code
class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="sbin-lite"></a>/sbin</h3></div></div></div><p>Программа <code
class="filename">/sbin/shorewall-lite</code> взаимодействует с Shorewall lite.
См. <a class="ulink" href="manpages/shorewall-lite.html"
target="_top">shorewall-lite</a>(8).</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a id="init-lite"></a>/etc/init.d
или /etc/rc.d (зависит от дистрибутива)</h3></div></div></div><p>Здесь
устанавливается сценарий инициализации. В зависимости от дистрибутива, он
называется <code class="filename">shorewall-lite</code> или <code
class="filename">rc.firewall</code>.</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="shorewall-lite"></a>/etc/shorewall-lite</h3></div></div></div><p>В этом
каталоге содержатся файлы конфигурации, настраиваемые пользователем.
</p></div><div class="section"><div class="titlepage"><div><div><h3
class="title"><a
id="share-lite"></a>/usr/share/shorewall-lite</h3></div></div></div><p>Здесь
устанавливаются основные файлы Shorewall-lite. </p><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p><code class="filename"><code
class="filename">configpath</code></code> - здесь содержится информация о
путях, которая зависит от дистрибутива. </p></li><li class="listitem"><p><code
class="filename">functions</code> - ссылка на <code
class="filename">lib.base</code>, предусмотренная для совместимости с прежними
версиями Shorewall.</p></li><li class="listitem"><p><code
class="filename">lib.*</code> - библиотеки функций оболочки, используемые
другими программами. Это копии соответствующих библиотек продукта Shorewall.
</p></li><li class="listitem"><p><code class="filename">modules</code> - файл,
управляющий загрузкой модулей Netfilter ядра. Его можно переопределить в файле
<code class="filename">/etc/shorewall-lite/modules</code>.</p></li><li
class="listitem"><p><code class="filename">shorecap</code> - программа, которая
создает файл capabilities. См. <a class="ulink"
href="CompiledPrograms.html#Lite" target="_top">документацию
Shorewall-lite</a>.</p></li><li class="listitem"><p><code
class="filename">version</code> - файл, в котором указана текущая установленная
версия Shorewall.</p></li><li class="listitem"><p><code
class="filename">wait4ifup</code> - программа, которую могут использовать <a
class="ulink" href="shorewall_extension_scripts.htm" target="_top">сценарии
расширения</a> для ожидания готовности сетевого интерфейса.
</p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="var-lite"></a>/var/lib/shorewall-lite</h3></div></div></div><p>Shorewall-lite
не устанавливает никаких файлов в этот каталог. Он используется для хранения
данных во время выполнения. Этот каталог можно перенести командой <a
class="ulink" href="manpages/shorewall-lite-vardir.html"
target="_top">shorewall-lite-vardir</a>(5).</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">firewall</code> - скомпилированный
сценарий, который устанавливается командой load или reload, выполняемой в
административной системе (см. <a class="ulink" href="manpages/shorewall.html"
target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code
class="filename">firewall.conf</code> - дайджест файла shorewall.conf,
использованного для компиляции сценария файрвола в административной системе.
</p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p><code
class="filename">.iptables-restore-input </code>- этот файл передается
программе iptables-restore для инициализации файрвола в ходе выполнения
последней команды <span class="command"><strong>start</strong></span> или <span
class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall-lite.html"
target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code
class="filename">.modules</code> - содержимое файла модулей, использованного
последними командами <span class="command"><strong>start</strong></span> или
<span class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall-lite.html"
target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code
class="filename">.modulesdir</code> - параметр MODULESDIR (<a class="ulink"
href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5)) в ходе
выполнения последней команды <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart.</strong></span></p></li><li
class="listitem"><p><code class="filename">nat</code> - в этом файле (с
неудачным именем) записаны IP-адреса, добавленные при включенных опциях
ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink"
href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code
class="filename">proxyarp</code> - записи arp, добавленные элементами <a
class="ulink" href="manpages/shorewall-proxyarp.html"
target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code
class="filename">.refresh</code> - программа, которая выполнила последнюю
успешную команду <span class="command"><strong>refresh</strong></span>.
</p></li><li class="listitem"><p><code class="filename">.restart</code> -
программа, которая выполнила последнюю успешную команду <span
class="command"><strong>restart</strong></span>. </p></li><li
class="listitem"><p><code class="filename">restore</code> - программа по
умолчанию, выполняющая команды <span
class="command"><strong>restore</strong></span>. </p></li><li
class="listitem"><p><code class="filename">.restore</code> - программа, которая
выполнила последнюю успешную команду <span class="command"><strong>refresh,
restart</strong></span> или <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">save</code> - файл, созданный
командой <span class="command"><strong>save</strong></span> и используемый для
восстановления динамического чёрного списка в ходе выполнения команд <span
class="command"><strong>start/restart</strong></span>.</p></li><li
class="listitem"><p><code class="filename">.start</code> - программа, которая
выполнила последнюю успешную команду <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">state</code> - здесь записано
текущее состояние файрвола. </p></li><li class="listitem"><p><code
class="filename">zones</code> - здесь записано текущее состояние
зон.</p></li></ul></div></div></div></div></body></html>
\ No newline at end of file
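Review bot: Two text defects on the removed side are carried over unchanged into the re-added page, so regenerating the HTML was a missed chance to fix them. The directory lists in the Shorewall-common and Shorewall-lite introductions both name "/var/lilb/shorewall/", which should read "/var/lib/shorewall/". In the Shorewall-lite paragraph it should presumably be "/var/lib/shorewall-lite/", to match the "var-lite" section. The "version" entry under Shorewall-perl says the file holds the installed version of Shorewall-shell, which looks copied from the Shorewall-shell list. Both belong in the DocBook source rather than in this generated file. The file also ends without a trailing newline and is re-added in full from its DOCTYPE; where the parts visible here can be compared, the two sides read the same, so it would help to state in the changelog what actually changed in this page.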
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";><html
xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" /><title>Анатомия Shorewall 4.0</title><link
rel="stylesheet" type="text/css" href="html.css" /><meta name="generator"
content="DocBook XSL Stylesheets V1.79.1" /></head><body><div
class="article"><div class="titlepage"><div><div><h2 class="title"><a
id="idm1"></a>Анатомия Shorewall 4.0</h2></div><div><div
class="authorgroup"><div class="author"><h3 class="author"><span
class="firstname">Tom</span> <span
class="surname">Eastep</span></h3></div></div></div><div><p
class="copyright">Copyright © 2007 Thomas M. Eastep</p></div><div><p
class="copyright">Copyright © 2007 Russian Translation: Grigory
Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот
документ разрешается копировать, распространять и/или изменять при выполнении
условий лицензии GNU Free Documentation License версии 1.2 или более поздней,
опубликованной Free Software Foundation; без неизменяемых разделов, без текста
на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по
ссылке <span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Products">Продукты</a></span></dt><dt><span
class="section"><a
href="#Shorewall">Shorewall-common</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin">/sbin</a></span></dt><dt><span
class="section"><a
href="#share-shorewall">/usr/share/shorewall</a></span></dt><dt><span
class="section"><a href="#shorewall">/etc/shorewall</a></span></dt><dt><span
class="section"><a href="#init">/etc/init.d или /etc/rc.d (зависит от
дистрибутива)</a></span></dt><dt><span class="section"><a
href="#var">/var/lib/shorewall</a></span></dt></dl></dd><dt><span
class="section"><a
href="#Shorewall-shell">Shorewall-shell</a></span></dt><dt><span
class="section"><a
href="#Shorewall-perl">Shorewall-perl</a></span></dt><dt><span
class="section"><a
href="#Shorewall-lite">Shorewall-lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#sbin-lite">/sbin</a></span></dt><dt><span
class="section"><a href="#init-lite">/etc/init.d или /etc/rc.d (зависит от
дистрибутива)</a></span></dt><dt><span class="section"><a
href="#shorewall-lite">/etc/shorewall-lite</a></span></dt><dt><span
class="section"><a
href="#share-lite">/usr/share/shorewall-lite</a></span></dt><dt><span
class="section"><a
href="#var-lite">/var/lib/shorewall-lite</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Products"></a>Продукты</h2></div></div></div><p>В
состав Shorewall 4.0 входят следующие четыре пакета. </p><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p><span
class="bold"><strong>Shorewall-common</strong></span>. Этот пакет необходимо
установить хотя бы в одной системе в вашей сети. В этой системе также должны
быть установлены Shorewall-shell и/или Shorewall-perl. </p></li><li
class="listitem"><p><span class="bold"><strong>Shorewall-shell</strong></span>.
Этот пакет содержит прежний компилятор конфигурации Shorewall, написанный на
Bourne Shell. Этот компилятор работает в большинстве систем, но он медленный, и
его сопровождение стало затруднительным.</p></li><li class="listitem"><p><span
class="bold"><strong>Shorewall-perl</strong></span>. Этот компилятор заменяет
Shorewall-shell и написан на языке Perl. Он работает на всех платформах Unix,
поддерживающих Perl (включая Cygwin), и рекомендуется для всех систем, где
Shorewall устанавливается заново. </p></li><li class="listitem"><p><span
class="bold"><strong>Shorewall-lite</strong></span>. В Shorewall предусмотрена
возможность централизованного управления несколькими системами файрволов. Для
этого применяется пакет Shorewall lite. Полностью продукт Shorewall, включая
Shorewall-shell и/или Shorewall-perl, устанавливается в центральной
административной системе, где генерируются сценарии Shorewall. Эти сценарии
копируются в системы файрволов, где они выполняются под управлением
Shorewall-lite. </p></li></ol></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall"></a>Shorewall-common</h2></div></div></div><p>Пакет
Shorewall-common включает много файлов, которые устанавливаются в каталоги
/<code class="filename">sbin</code>, <code
class="filename">/usr/share/shorewall</code>, <code
class="filename">/etc/shorewall</code>, <code
class="filename">/etc/init.d</code> и <code
class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="sbin"></a>/sbin</h3></div></div></div><p>Программа <code
class="filename">/sbin/shorewall</code> взаимодействует с Shorewall. См. <a
class="ulink" href="manpages/shorewall.html"
target="_top">shorewall</a>(8).</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="share-shorewall"></a>/usr/share/shorewall</h3></div></div></div><p>Здесь
устанавливаются основные файлы Shorewall. </p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">action.template</code> - файл
шаблонов для создания <a class="ulink" href="Actions.html"
target="_top">действий</a>.</p></li><li class="listitem"><p><code
class="filename">action.*</code> - стандартные действия Shorewall. </p></li><li
class="listitem"><p><code class="filename">actions.std</code> - в этом файле
перечислены стандартные действия. </p></li><li class="listitem"><p><code
class="filename">configfiles</code> - в этом каталоге содержатся файлы
конфигурации, при копировании которых создается <a class="ulink"
href="CompiledPrograms.html#Lite" target="_top">каталог экспорта
Shorewall-lite.</a></p></li><li class="listitem"><p><code
class="filename"><code class="filename">configpath</code></code> - здесь
содержится информация о путях, которая зависит от дистрибутива. </p></li><li
class="listitem"><p><code class="filename">firewall</code> - эта программа
обрабатывает команды <span class="command"><strong>add</strong></span> и <span
class="command"><strong>delete</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)). Кроме того, она
обрабатывает команды <span class="command"><strong>stop</strong></span> и <span
class="command"><strong>clear</strong></span>, если в системе нет текущего
скомпилированного сценария файрвола. </p></li><li class="listitem"><p><code
class="filename">functions</code> - ссылка на <code
class="filename">lib.base</code>, предусмотренная для совместимости с прежними
версиями Shorewall.</p></li><li class="listitem"><p><code
class="filename">init</code> - ссылка на сценарий инициализации (обычно это -
<code class="filename">/etc/init.d/shorewall</code>).</p></li><li
class="listitem"><p><code class="filename">lib.*</code> - библиотеки функций
оболочки, используемые другими программами. </p></li><li
class="listitem"><p><code class="filename">macro.*</code> - стандартные <a
class="ulink" href="Macros.html" target="_top">макросы</a>
Shorewall.</p></li><li class="listitem"><p><code
class="filename">modules</code> - файл, управляющий загрузкой модулей Netfilter
ядра. Его можно переопределить в файле <code
class="filename">/etc/shorewall/modules</code>.</p></li><li
class="listitem"><p><code class="filename">version</code> - файл, в котором
указана текущая установленная версия Shorewall.</p></li><li
class="listitem"><p><code class="filename">wait4ifup</code> - программа,
которую могут использовать <a class="ulink"
href="shorewall_extension_scripts.htm" target="_top">сценарии расширения</a>
для ожидания готовности сетевого интерфейса. </p></li></ul></div></div><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="shorewall"></a>/etc/shorewall</h3></div></div></div><p>В этом каталоге
содержатся файлы конфигурации, настраиваемые пользователем. </p></div><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="init"></a>/etc/init.d или /etc/rc.d (зависит от
дистрибутива)</h3></div></div></div><p>Здесь устанавливается сценарий
инициализации. В зависимости от дистрибутива, он называется <code
class="filename">shorewall</code> или <code
class="filename">rc.firewall</code>.</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="var"></a>/var/lib/shorewall</h3></div></div></div><p>Shorewall не
устанавливает никаких файлов в этот каталог. Он используется для хранения
данных во время выполнения. Этот каталог можно перенести командой <a
class="ulink" href="manpages/shorewall-vardir.html"
target="_top">shorewall-vardir</a>(5).</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">chains</code> - если в <a
class="ulink" href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5) задан DYNAMIC_ZONES=Yes, то в этом файле
содержится информация для команд <span
class="command"><strong>add</strong></span> и <span
class="command"><strong>delete</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li
class="listitem"><p><code class="filename">.iptables-restore-input </code>-
этот файл передается программе iptables-restore для инициализации файрвола в
ходе выполнения последней команды <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li
class="listitem"><p><code class="filename">.modules</code> - содержимое файла
модулей, использованного последними командами <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall.html" target="_top">shorewall</a>(8)).</p></li><li
class="listitem"><p><code class="filename">.modulesdir</code> - параметр
MODULESDIR (<a class="ulink" href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5)) в ходе выполнения последней команды <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart.</strong></span></p></li><li
class="listitem"><p><code class="filename">nat</code> - в этом файле (с
неудачным именем) записаны IP-адреса, добавленные при включенных опциях
ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink"
href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code
class="filename">proxyarp</code> - записи arp, добавленные элементами <a
class="ulink" href="manpages/shorewall-proxyarp.html"
target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code
class="filename">.refresh</code> - программа, которая выполнила последнюю
успешную команду <span class="command"><strong>refresh</strong></span>.
</p></li><li class="listitem"><p><code class="filename">.restart</code> -
программа, которая выполнила последнюю успешную команду <span
class="command"><strong>restart</strong></span>. </p></li><li
class="listitem"><p><code class="filename">restore</code> - программа по
умолчанию, выполняющая команды <span
class="command"><strong>restore</strong></span>. </p></li><li
class="listitem"><p><code class="filename">.restore</code> - программа, которая
выполнила последнюю успешную команду <span class="command"><strong>refresh,
restart</strong></span> или <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">save</code> - файл, созданный
командой <span class="command"><strong>save</strong></span> и используемый для
восстановления динамического чёрного списка в ходе выполнения команд <span
class="command"><strong>start/restart</strong></span>.</p></li><li
class="listitem"><p><code class="filename">.start</code> - программа, которая
выполнила последнюю успешную команду <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">state</code> - здесь записано
текущее состояние файрвола. </p></li><li class="listitem"><p><code
class="filename">zones</code> - здесь записано текущее состояние
зон.</p></li></ul></div></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall-shell"></a>Shorewall-shell</h2></div></div></div><p>Все файлы
продукта Shorewall-shell устанавливаются в каталоге /usr/share/<code
class="filename">shorewall-shell</code>.</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">compiler</code> - компилятор
конфигурации (программа shell). </p></li><li class="listitem"><p><code
class="filename">lib.*</code> - библиотеки функций оболочки, используемые
компилятором. Для уменьшения объема в встроенных системах могут быть
установлены не все библиотеки. </p></li><li class="listitem"><p><code
class="filename">prog.*</code> - фрагменты кода на shell, используемые
компилятором. </p></li><li class="listitem"><p><code
class="filename">version</code> - файл, в котором указана текущая установленная
версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall-perl"></a>Shorewall-perl</h2></div></div></div><p>Все файлы
продукта Shorewall-perl устанавливаются в каталоге /usr/share/<code
class="filename">shorewall-perl</code>.</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">buildports.pl</code> - программа на
Perl, которая компонует модуль Shorewall/Ports.pm во время установки.
</p></li><li class="listitem"><p><code class="filename">compiler</code> -
компилятор конфигурации (программа shell). </p></li><li
class="listitem"><p><code class="filename">prog.*</code> - фрагменты кода на
shell, используемые компилятором. </p></li><li class="listitem"><p><code
class="filename">Shorewall</code> - каталог, содержащий модули Shorewall Perl,
используемые компилятором. </p></li><li class="listitem"><p><code
class="filename">version</code> - файл, в котором указана текущая установленная
версия Shorewall-shell.</p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Shorewall-lite"></a>Shorewall-lite</h2></div></div></div><p>Файлы
Shorewall-lite устанавливаются в каталогах /<code class="filename">sbin</code>,
<code class="filename">/usr/share/shorewall-lite</code>, /etc/<code
class="filename">shorewall-lite</code>, <code
class="filename">/etc/init.d</code> и <code
class="filename">/var/lilb/shorewall/</code>. Они описаны далее. </p><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="sbin-lite"></a>/sbin</h3></div></div></div><p>Программа <code
class="filename">/sbin/shorewall-lite</code> взаимодействует с Shorewall lite.
См. <a class="ulink" href="manpages/shorewall-lite.html"
target="_top">shorewall-lite</a>(8).</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a id="init-lite"></a>/etc/init.d
или /etc/rc.d (зависит от дистрибутива)</h3></div></div></div><p>Здесь
устанавливается сценарий инициализации. В зависимости от дистрибутива, он
называется <code class="filename">shorewall-lite</code> или <code
class="filename">rc.firewall</code>.</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="shorewall-lite"></a>/etc/shorewall-lite</h3></div></div></div><p>В этом
каталоге содержатся файлы конфигурации, настраиваемые пользователем.
</p></div><div class="section"><div class="titlepage"><div><div><h3
class="title"><a
id="share-lite"></a>/usr/share/shorewall-lite</h3></div></div></div><p>Здесь
устанавливаются основные файлы Shorewall-lite. </p><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p><code class="filename"><code
class="filename">configpath</code></code> - здесь содержится информация о
путях, которая зависит от дистрибутива. </p></li><li class="listitem"><p><code
class="filename">functions</code> - ссылка на <code
class="filename">lib.base</code>, предусмотренная для совместимости с прежними
версиями Shorewall.</p></li><li class="listitem"><p><code
class="filename">lib.*</code> - библиотеки функций оболочки, используемые
другими программами. Это копии соответствующих библиотек продукта Shorewall.
</p></li><li class="listitem"><p><code class="filename">modules</code> - файл,
управляющий загрузкой модулей Netfilter ядра. Его можно переопределить в файле
<code class="filename">/etc/shorewall-lite/modules</code>.</p></li><li
class="listitem"><p><code class="filename">shorecap</code> - программа, которая
создает файл capabilities. См. <a class="ulink"
href="CompiledPrograms.html#Lite" target="_top">документацию
Shorewall-lite</a>.</p></li><li class="listitem"><p><code
class="filename">version</code> - файл, в котором указана текущая установленная
версия Shorewall.</p></li><li class="listitem"><p><code
class="filename">wait4ifup</code> - программа, которую могут использовать <a
class="ulink" href="shorewall_extension_scripts.htm" target="_top">сценарии
расширения</a> для ожидания готовности сетевого интерфейса.
</p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="var-lite"></a>/var/lib/shorewall-lite</h3></div></div></div><p>Shorewall-lite
не устанавливает никаких файлов в этот каталог. Он используется для хранения
данных во время выполнения. Этот каталог можно перенести командой <a
class="ulink" href="manpages/shorewall-lite-vardir.html"
target="_top">shorewall-lite-vardir</a>(5).</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><code class="filename">firewall</code> - скомпилированный
сценарий, который устанавливается командой load или reload, выполняемой в
административной системе (см. <a class="ulink" href="manpages/shorewall.html"
target="_top">shorewall</a>(8)).</p></li><li class="listitem"><p><code
class="filename">firewall.conf</code> - дайджест файла shorewall.conf,
использованного для компиляции сценария файрвола в административной системе.
</p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p><code
class="filename">.iptables-restore-input </code>- этот файл передается
программе iptables-restore для инициализации файрвола в ходе выполнения
последней команды <span class="command"><strong>start</strong></span> или <span
class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall-lite.html"
target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code
class="filename">.modules</code> - содержимое файла модулей, использованного
последними командами <span class="command"><strong>start</strong></span> или
<span class="command"><strong>restart</strong></span> (см. <a class="ulink"
href="manpages/shorewall-lite.html"
target="_top">shorewall-lite</a>(8)).</p></li><li class="listitem"><p><code
class="filename">.modulesdir</code> - параметр MODULESDIR (<a class="ulink"
href="manpages/shorewall.conf.html" target="_top">shorewall.conf</a>(5)) в ходе
выполнения последней команды <span
class="command"><strong>start</strong></span> или <span
class="command"><strong>restart.</strong></span></p></li><li
class="listitem"><p><code class="filename">nat</code> - в этом файле (с
неудачным именем) записаны IP-адреса, добавленные при включенных опциях
ADD_SNAT_ALIASES=Yes и ADD_IP_ALIASES=Yes в <a class="ulink"
href="manpages/shorewall.conf.html"
target="_top">shorewall.conf</a>(5).</p></li><li class="listitem"><p><code
class="filename">proxyarp</code> - записи arp, добавленные элементами <a
class="ulink" href="manpages/shorewall-proxyarp.html"
target="_top">shorewall-proxyarp</a>(5).</p></li><li class="listitem"><p><code
class="filename">.refresh</code> - программа, которая выполнила последнюю
успешную команду <span class="command"><strong>refresh</strong></span>.
</p></li><li class="listitem"><p><code class="filename">.restart</code> -
программа, которая выполнила последнюю успешную команду <span
class="command"><strong>restart</strong></span>. </p></li><li
class="listitem"><p><code class="filename">restore</code> - программа по
умолчанию, выполняющая команды <span
class="command"><strong>restore</strong></span>. </p></li><li
class="listitem"><p><code class="filename">.restore</code> - программа, которая
выполнила последнюю успешную команду <span class="command"><strong>refresh,
restart</strong></span> или <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">save</code> - файл, созданный
командой <span class="command"><strong>save</strong></span> и используемый для
восстановления динамического чёрного списка в ходе выполнения команд <span
class="command"><strong>start/restart</strong></span>.</p></li><li
class="listitem"><p><code class="filename">.start</code> - программа, которая
выполнила последнюю успешную команду <span
class="command"><strong>start</strong></span>. </p></li><li
class="listitem"><p><code class="filename">state</code> - здесь записано
текущее состояние файрвола. </p></li><li class="listitem"><p><code
class="filename">zones</code> - здесь записано текущее состояние
зон.</p></li></ul></div></div></div></div></body></html>
\ No newline at end of file
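Review bot: The Shorewall-lite paragraph in this file lists the runtime directory as `/var/lilb/shorewall/`, which is misspelled and does not match the `/var/lib/shorewall-lite` section heading further down in the same file; the path should read `/var/lib/shorewall-lite`. Separately, the `version` entry in the Shorewall-perl list says the file holds the installed version of Shorewall-shell, which looks like a copy-paste from the Shorewall-shell list above it and should name Shorewall-perl. Both are documentation source problems that belong upstream rather than in the package.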
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Anti-Spoofing.html
new/shorewall-docs-html-5.2.3.3/Anti-Spoofing.html
--- old/shorewall-docs-html-5.2.3.1/Anti-Spoofing.html 2019-02-26
19:01:10.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Anti-Spoofing.html 2019-04-12
04:08:31.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm20">The <span
class="emphasis"><em>routefilter</em></span> Interface
Option</a></span></dt><dt><span class="section"><a href="#idm37">Hairpin
Filtering</a></span></dt><dt><span class="section"><a href="#idm45">The <span
class="emphasis"><em>rpfilter</em></span> Interface
Option</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p><em
class="firstterm">Spoofing</em> is the practice of sending packets
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm20">The <span
class="emphasis"><em>routefilter</em></span> Interface
Option</a></span></dt><dt><span class="section"><a href="#idm37">Hairpin
Filtering</a></span></dt><dt><span class="section"><a href="#idm45">The <span
class="emphasis"><em>rpfilter</em></span> Interface
Option</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p><em
class="firstterm">Spoofing</em> is the practice of sending packets
with a forged source address in an attempt to circumvent security
measures. Shorewall supports a variety of measures to counter spoofing
attacks.</p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm20"></a>The <span class="emphasis"><em>routefilter</em></span> Interface
Option</h2></div></div></div><p>This <a class="ulink" href="???"
target="_top">shorewall-interfaces</a> (5) option was
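Review bot: The unchanged context at the end of this hunk carries a link to shorewall-interfaces with `href="???"`, an unresolved cross-reference in the generated HTML. The update only moves the pubdate from 2019/02/26 to 2019/04/11, so the dead link ships again in 5.2.3.3. It should be reported upstream so the reference resolves to the shorewall-interfaces manpage.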
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Audit.html
new/shorewall-docs-html-5.2.3.3/Audit.html
--- old/shorewall-docs-html-5.2.3.1/Audit.html 2019-02-26 19:01:10.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Audit.html 2019-04-12 04:08:32.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Background</a></span></dt><dt><span
class="section"><a href="#idm49">Shorewall
Support</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Background</h2></div></div></div><p>In early 2011, Thomas Graf
submitted a set of patches to the
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Background</a></span></dt><dt><span
class="section"><a href="#idm49">Shorewall
Support</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Background</h2></div></div></div><p>In early 2011, Thomas Graf
submitted a set of patches to the
Netfilter development list that implemented an AUDIT rule target. This is
from the initial submittal:</p><div class="blockquote"><blockquote
class="blockquote"><p>This patch adds a new netfilter target which creates
audit records
for packets traversing a certain chain. It can be used to record packets
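Review bot: The `-` and `+` lines here differ only in the pubdate (2019/02/26 to 2019/04/11). The rest of the header and table of contents is byte-for-byte the same, and it shows up as changed only because the generated HTML keeps it all on one line. The same date-only hunk repeats for every file in shorewall-docs-html, while the changelog entry describes compiler fixes only. It would help review if the commit message said the docs tarball is a plain regeneration, or if the documentation build stamp were kept out of the comparison, so that a real content change in the docs would stand out.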
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Build.html
new/shorewall-docs-html-5.2.3.3/Build.html
--- old/shorewall-docs-html-5.2.3.1/Build.html 2019-02-26 19:01:12.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Build.html 2019-04-12 04:08:34.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm20">Git Taxonomy</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm26">trunk (clone of Code)</a></span></dt><dt><span
class="section"><a href="#idm43">trunk/docs</a></span></dt><dt><span
class="section"><a href="#idm46">tools (Clone of
Tools)</a></span></dt><dt><span class="section"><a href="#idm58">web (Clone of
Web)</a></span></dt><dt><span class="section"><a href="#idm61">release (Clone
of Release)</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm64">Build Tools</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm68">setversion</a></span></dt><dt><span class="section"><a
href="#idm79">build45, build46 and build50</a></span></dt><dt><span
class="section"><a href="#idm204">upload</a></span></dt><dt><span
class="section"><a href="#idm257">install.sh
files</a></span></dt></dl></dd></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This information is
provided primarily for Shorewall developers.
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm20">Git Taxonomy</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm26">trunk (clone of Code)</a></span></dt><dt><span
class="section"><a href="#idm43">trunk/docs</a></span></dt><dt><span
class="section"><a href="#idm46">tools (Clone of
Tools)</a></span></dt><dt><span class="section"><a href="#idm58">web (Clone of
Web)</a></span></dt><dt><span class="section"><a href="#idm61">release (Clone
of Release)</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm64">Build Tools</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm68">setversion</a></span></dt><dt><span class="section"><a
href="#idm79">build45, build46 and build50</a></span></dt><dt><span
class="section"><a href="#idm204">upload</a></span></dt><dt><span
class="section"><a href="#idm257">install.sh
files</a></span></dt></dl></dd></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This information is
provided primarily for Shorewall developers.
Users are expected to install from pre-built tarballs or
packages.</p></div><div class="section"><div class="titlepage"><div><div><h2
class="title" style="clear: both"><a id="idm20"></a>Git
Taxonomy</h2></div></div></div><p>The Shorewall Git tree at Sourceforge serves
as the master
repository for Shorewall 4.4 and later versions. It is not possible to
simply export a directory from Git and run the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/CompiledPrograms.html
new/shorewall-docs-html-5.2.3.3/CompiledPrograms.html
--- old/shorewall-docs-html-5.2.3.1/CompiledPrograms.html 2019-02-26
19:01:13.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/CompiledPrograms.html 2019-04-12
04:08:34.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span
class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm177">Module Loading</a></span></dt><dt><span
class="section"><a href="#Converting">Converting a system from Shorewall to
Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a
href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span
class="section"><a href="#Compile">The "shorewall compile"
command</a></span></dt><dt><span class="section"><a href="#Shorecap">The
/etc/shorewall/capabilities file and the shorecap
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span
class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm177">Module Loading</a></span></dt><dt><span
class="section"><a href="#Converting">Converting a system from Shorewall to
Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a
href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span
class="section"><a href="#Compile">The "shorewall compile"
command</a></span></dt><dt><span class="section"><a href="#Shorecap">The
/etc/shorewall/capabilities file and the shorecap
program</a></span></dt><dt><span class="section"><a
href="#Running">Running compiled programs
directly</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation appropriate for your
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ConnectionRate.html
new/shorewall-docs-html-5.2.3.3/ConnectionRate.html
--- old/shorewall-docs-html-5.2.3.1/ConnectionRate.html 2019-02-26
19:01:14.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/ConnectionRate.html 2019-04-12
04:08:35.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm42">Policy Rate Limiting</a></span></dt><dt><span
class="section"><a href="#idm47">Rules Rate Limiting</a></span></dt><dt><span
class="section"><a href="#idm51">Limit
Action</a></span></dt></dl></dd></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm17"></a>Introduction</h2></div></div></div><p>Shorewall supports several
mechanisms for limiting connection rates.
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm42">Policy Rate Limiting</a></span></dt><dt><span
class="section"><a href="#idm47">Rules Rate Limiting</a></span></dt><dt><span
class="section"><a href="#idm51">Limit
Action</a></span></dt></dl></dd></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm17"></a>Introduction</h2></div></div></div><p>Shorewall supports several
mechanisms for limiting connection rates.
These are described in the following sections.</p><p>Rates are expressed
in terms of a <em class="firstterm">connections per unit
time</em> and a <code class="filename">burst</code>. An
<em class="firstterm">interval</em> is calculated by dividing the unit of
time
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Docker.html
new/shorewall-docs-html-5.2.3.3/Docker.html
--- old/shorewall-docs-html-5.2.3.1/Docker.html 2019-02-26 19:01:15.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Docker.html 2019-04-12 04:08:36.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Shorewall 5.0.5 and
Earlier</a></span></dt><dt><span class="section"><a href="#idm20">Shorewall
5.0.6 and Later</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Shorewall 5.0.5 and Earlier</h2></div></div></div><p>Both Docker
and Shorewall assume that they 'own' the iptables
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Shorewall 5.0.5 and
Earlier</a></span></dt><dt><span class="section"><a href="#idm20">Shorewall
5.0.6 and Later</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Shorewall 5.0.5 and Earlier</h2></div></div></div><p>Both Docker
and Shorewall assume that they 'own' the iptables
configuration. This leads to problems when Shorewall is restarted or
reloaded, because it drops all of the rules added by Docker. Fortunately,
the extensibility features in Shorewall allow users to <a class="ulink"
href="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#";
target="_top">create
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Documentation_Index.html
new/shorewall-docs-html-5.2.3.3/Documentation_Index.html
--- old/shorewall-docs-html-5.2.3.1/Documentation_Index.html 2019-02-26
19:01:15.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Documentation_Index.html 2019-04-12
04:08:36.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Frequent">Frequently Used
Articles</a></span></dt><dt><span class="section"><a
href="#idm39">Documentation for Earlier Versions</a></span></dt><dt><span
class="section"><a href="#Index">Index to the HOWTOs and Other
Articles</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Frequent"></a>Frequently Used Articles</h2></div></div></div><div
class="informaltable"><table class="informaltable" border="0"><colgroup><col
/></colgroup><tbody><tr><td><a class="ulink" href="FAQ.htm"
target="_top">FAQs</a></td></tr><tr><td><a class="ulink" href="Manpages.html"
target="_top">IPv4 Manpages</a></td></tr><tr><td><a class="ulink"
href="Manpages6.html" target="_top">IPv6 Manpages</a></td></tr><tr><td><a
class="ulink" href="configuration_file_basics.htm" target="_top">Configuration
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Frequent">Frequently Used
Articles</a></span></dt><dt><span class="section"><a
href="#idm39">Documentation for Earlier Versions</a></span></dt><dt><span
class="section"><a href="#Index">Index to the HOWTOs and Other
Articles</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Frequent"></a>Frequently Used Articles</h2></div></div></div><div
class="informaltable"><table class="informaltable" border="0"><colgroup><col
/></colgroup><tbody><tr><td><a class="ulink" href="FAQ.htm"
target="_top">FAQs</a></td></tr><tr><td><a class="ulink" href="Manpages.html"
target="_top">IPv4 Manpages</a></td></tr><tr><td><a class="ulink"
href="Manpages6.html" target="_top">IPv6 Manpages</a></td></tr><tr><td><a
class="ulink" href="configuration_file_basics.htm" target="_top">Configuration
File Basics</a></td></tr><tr><td><a class="ulink"
href="GettingStarted.html" target="_top">Beginner
Documentation</a></td></tr><tr><td><a class="ulink"
href="troubleshoot.htm"
target="_top">Troubleshooting</a></td></tr></tbody></table></div></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm39"></a>Documentation for Earlier
Versions</h2></div></div></div><p><a class="ulink"
href="4.6/Documentation_Index.html" target="_top">Shorewall 4.4/4.6
Documentation</a></p><p><a class="ulink"
href="4.2/Documentation_Index.html" target="_top">Shorewall 4.0/4.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Dynamic.html
new/shorewall-docs-html-5.2.3.3/Dynamic.html
--- old/shorewall-docs-html-5.2.3.1/Dynamic.html 2019-02-26
19:01:15.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Dynamic.html 2019-04-12
04:08:37.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Overview</a></span></dt><dt><span
class="section"><a href="#idm23">Dynamic Zones</a></span></dt><dd><dl><dt><span
class="section"><a href="#defining">Defining a Dynamic
Zone</a></span></dt><dt><span class="section"><a href="#Adding">Adding a Host
to a Dynamic Zone.</a></span></dt><dt><span class="section"><a
href="#delete">Deleting a Host from a Dynamic Zone</a></span></dt><dt><span
class="section"><a href="#listing">Listing the Contents of a Dynamic
Zone</a></span></dt></dl></dd><dt><span class="section"><a
href="#start-stop">Dynamic Zone Contents and Shorewall
stop/start/restart</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm17"></a>Overview</h2></div></div></div><p>There is sometimes a need to
be able to define a zone whose members
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Overview</a></span></dt><dt><span
class="section"><a href="#idm23">Dynamic Zones</a></span></dt><dd><dl><dt><span
class="section"><a href="#defining">Defining a Dynamic
Zone</a></span></dt><dt><span class="section"><a href="#Adding">Adding a Host
to a Dynamic Zone.</a></span></dt><dt><span class="section"><a
href="#delete">Deleting a Host from a Dynamic Zone</a></span></dt><dt><span
class="section"><a href="#listing">Listing the Contents of a Dynamic
Zone</a></span></dt></dl></dd><dt><span class="section"><a
href="#start-stop">Dynamic Zone Contents and Shorewall
stop/start/restart</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm17"></a>Overview</h2></div></div></div><p>There is sometimes a need to
be able to define a zone whose members
are unknown at compile-time. For example, you may wish to require
authentication of internal users before allowing them access to the
internet. When a user is authenticated, the user's IP address is added to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ECN.html
new/shorewall-docs-html-5.2.3.3/ECN.html
--- old/shorewall-docs-html-5.2.3.1/ECN.html 2019-02-26 19:01:16.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/ECN.html 2019-04-12 04:08:37.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#ecn">Explicit Congestion Notification
(ECN)</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Warning</h3><p>2006-01-17. The ECN
Netfilter target in some 2.6 Linux Kernels is
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#ecn">Explicit Congestion Notification
(ECN)</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Warning</h3><p>2006-01-17. The ECN
Netfilter target in some 2.6 Linux Kernels is
broken. Symptoms are that you will be unable to establish a TCP connection
to hosts defined in the /etc/shorewall/ecn file.</p></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="ecn"></a>Explicit Congestion Notification
(ECN)</h2></div></div></div><p>Explicit Congestion Notification (ECN) is
described in RFC 3168 and
is a proposed Internet standard. Unfortunately, not all sites support ECN
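Review bot: The pubdate on this page moves to 2019/04/11, while the warning in the unchanged context is dated 2006-01-17 and refers to 2.6 kernels. The new date therefore reflects a rebuild, not a revision of the content. If pubdate is meant to tell readers when the article was last reviewed, the upstream doc build should take it from the last change to the source file rather than from the build date.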
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Events.html
new/shorewall-docs-html-5.2.3.3/Events.html
--- old/shorewall-docs-html-5.2.3.1/Events.html 2019-02-26 19:01:16.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Events.html 2019-04-12 04:08:37.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Overview</a></span></dt><dt><span
class="section"><a href="#idm59">Details</a></span></dt><dd><dl><dt><span
class="section"><a href="#SetEvent">SetEvent</a></span></dt><dt><span
class="section"><a href="#ResetEvent">ResetEvent</a></span></dt><dt><span
class="section"><a href="#IfEvent">IfEvent</a></span></dt><dt><span
class="section"><a href="#ShowEvents">'show event' and 'show events'
Commands</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm239">Examples</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm241">Automatic Blacklisting</a></span></dt><dt><span
class="section"><a href="#AutoBL">Generalized Automatic
Blacklisting</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm262">AutoBL</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm309">Port Knocking</a></span></dt><dt><span class="section"><a
href="#Stateful">Stateful Port Knocking (knock with a sequence of
ports)</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article applies to Shorewall 4.5.19 and later
and supersedes
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Overview</a></span></dt><dt><span
class="section"><a href="#idm59">Details</a></span></dt><dd><dl><dt><span
class="section"><a href="#SetEvent">SetEvent</a></span></dt><dt><span
class="section"><a href="#ResetEvent">ResetEvent</a></span></dt><dt><span
class="section"><a href="#IfEvent">IfEvent</a></span></dt><dt><span
class="section"><a href="#ShowEvents">'show event' and 'show events'
Commands</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm239">Examples</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm241">Automatic Blacklisting</a></span></dt><dt><span
class="section"><a href="#AutoBL">Generalized Automatic
Blacklisting</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm262">AutoBL</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm309">Port Knocking</a></span></dt><dt><span class="section"><a
href="#Stateful">Stateful Port Knocking (knock with a sequence of
ports)</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article applies to Shorewall 4.5.19 and later
and supersedes
<a class="ulink" href="PortKnocking.html" target="_top">this
article.</a></p></div><div class="section"><div class="titlepage"><div><div><h2
class="title" style="clear: both"><a
id="idm19"></a>Overview</h2></div></div></div><p>Shorewall events were
introduced in Shorewall 4.5.19 and provide a
high-level interface to the Netfilter<em class="firstterm"> recent
match</em>
capability. An event is actually a list of (IP address, timestamp) pairs,
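Review bot: the table of contents in this hunk mixes named anchors (#SetEvent, #ResetEvent, #IfEvent, #AutoBL, #Stateful) with ids that look auto-generated (#idm19, #idm59, #idm239, #idm241, #idm262, #idm309). Giving the Overview, Details, Examples, Automatic Blacklisting and Port Knocking sections explicit ids in the source would keep deep links to them stable if the numbering shifts when the document is edited.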
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/FAQ.htm
new/shorewall-docs-html-5.2.3.3/FAQ.htm
--- old/shorewall-docs-html-5.2.3.1/FAQ.htm 2019-02-26 19:01:18.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/FAQ.htm 2019-04-12 04:08:39.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span
class="quote">“<span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free
Documentation License</a>
- </span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Install">Installing
Shorewall</a></span></dt><dd><dl><dt><span class="section"><a
href="#Howto">Where do I find Step by Step Installation and Configuration
+ </span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Install">Installing
Shorewall</a></span></dt><dd><dl><dt><span class="section"><a
href="#Howto">Where do I find Step by Step Installation and Configuration
Instructions?</a></span></dt><dt><span class="section"><a
href="#faq92">(FAQ 92) There are lots of Shorewall packages; which one(s) do I
install?</a></span></dt><dd><dl><dt><span class="section"><a
href="#faq92a">(FAQ 92a) Someone once told me to install shorewall-perl;
anything to that?</a></span></dt></dl></dd><dt><span
class="section"><a href="#faq37">(FAQ 37) I just installed Shorewall on Debian
and the
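Review bot: the only token that differs between the - and + lines here is the pubdate (2019/02/26 to 2019/04/11), but because the end of the license paragraph, the pubdate and the start of the table of contents sit on one physical line, the hunk replaces the whole block. Emitting the pubdate div on its own line in the generated HTML would reduce a date bump to a one-line hunk and make any real change to the FAQ's table of contents visible in review.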
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/FAQ_fr.html
new/shorewall-docs-html-5.2.3.3/FAQ_fr.html
--- old/shorewall-docs-html-5.2.3.1/FAQ_fr.html 2019-02-26 19:01:17.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/FAQ_fr.html 2019-04-12 04:08:38.000000000
+0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span
class="quote">« <span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free
Documentation License</a>
- </span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm35">Installation de
Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#idm37">Où
puis-je trouver des instructions d'installation et de
+ </span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm35">Installation de
Shorewall</a></span></dt><dd><dl><dt><span class="section"><a href="#idm37">Où
puis-je trouver des instructions d'installation et de
configuration pas à pas ?</a></span></dt><dt><span class="section"><a
href="#faq37">(FAQ 37) Je viens d'installer Shorewall sur Debian et le
répertoire /etc/shorewall est vide!!!</a></span></dt><dt><span
class="section"><a href="#faq44">(FAQ 44) Je n'arrive pas à installer ou mettre
à jour le RPM -
J'ai le message d'erreur "error: failed dependencies:iproute is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/FTP.html
new/shorewall-docs-html-5.2.3.3/FTP.html
--- old/shorewall-docs-html-5.2.3.1/FTP.html 2019-02-26 19:01:19.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/FTP.html 2019-04-12 04:08:40.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Protocol">FTP Protocol</a></span></dt><dt><span
class="section"><a href="#Conntrack">Linux FTP
connection-tracking</a></span></dt><dt><span class="section"><a
href="#idm93">FTP with Kernel 3.5 and Later</a></span></dt><dt><span
class="section"><a href="#Ports">FTP on Non-standard
Ports</a></span></dt><dt><span class="section"><a
href="#Rules">Rules</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Protocol">FTP Protocol</a></span></dt><dt><span
class="section"><a href="#Conntrack">Linux FTP
connection-tracking</a></span></dt><dt><span class="section"><a
href="#idm93">FTP with Kernel 3.5 and Later</a></span></dt><dt><span
class="section"><a href="#Ports">FTP on Non-standard
Ports</a></span></dt><dt><span class="section"><a
href="#Rules">Rules</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Protocol"></a>FTP Protocol</h2></div></div></div><p>FTP transfers involve
two TCP connections. The first <span
class="bold"><strong>control</strong></span> connection goes from the FTP
client to port
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/FoolsFirewall.html
new/shorewall-docs-html-5.2.3.3/FoolsFirewall.html
--- old/shorewall-docs-html-5.2.3.1/FoolsFirewall.html 2019-02-26
19:01:18.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/FoolsFirewall.html 2019-04-12
04:08:39.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Definition</a></span></dt><dt><span
class="section"><a href="#idm26">Security Issue</a></span></dt><dt><span
class="section"><a href="#idm30">ARP Roulette</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Definition</h2></div></div></div><p>Occasionally, we hear from
someone who has cabled his firewall's
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Definition</a></span></dt><dt><span
class="section"><a href="#idm26">Security Issue</a></span></dt><dt><span
class="section"><a href="#idm30">ARP Roulette</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Definition</h2></div></div></div><p>Occasionally, we hear from
someone who has cabled his firewall's
external and internal firewall interfaces to the same unmanaged switch (or
mis-configured managed switch). I call this configuration <em
class="firstterm">The
Fool's Firewall</em>.</p><p>When the external interface supports
broadcast, this configuration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/GenericTunnels.html
new/shorewall-docs-html-5.2.3.3/GenericTunnels.html
--- old/shorewall-docs-html-5.2.3.1/GenericTunnels.html 2019-02-26
19:01:19.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/GenericTunnels.html 2019-04-12
04:08:40.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Bridged">Bridging two Masqueraded
Networks</a></span></dt></dl></div><p>Shorewall includes built-in support for a
wide range of VPN solutions.
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Bridged">Bridging two Masqueraded
Networks</a></span></dt></dl></div><p>Shorewall includes built-in support for a
wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support, you
can generally describe the tunneling software using <span
class="quote">“<span class="quote">generic
tunnels</span>”</span>.</p><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Bridged"></a>Bridging two Masqueraded
Networks</h2></div></div></div><p>Suppose that we have the following
situation:</p><div><img src="images/TwoNets1.png" /></div><p>We want systems in
the 192.168.1.0/24 subnetwork to be able to
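Review bot: in the trailing context of this hunk the sentence "Suppose that we have the following situation:" is followed only by <img src="images/TwoNets1.png" /> with no alt attribute, so the network layout the article depends on is lost when the image is missing or unreadable. Add alt text describing the two masqueraded networks and their gateways.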
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/GettingStarted.html
new/shorewall-docs-html-5.2.3.3/GettingStarted.html
--- old/shorewall-docs-html-5.2.3.1/GettingStarted.html 2019-02-26
19:01:19.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/GettingStarted.html 2019-04-12
04:08:41.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>Do not attempt to
install Shorewall on a
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>Do not attempt to
install Shorewall on a
remote system. You are virtually assured to lock yourself
out.</strong></span></p></div><p>Please read this short article
first.</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p><a class="ulink"
href="Introduction.html" target="_top">Introduction to
Shorewall</a></p></li></ul></div><p>Now, <a class="ulink"
href="Install.htm" target="_top">install Shorewall</a>.</p><p>Next, read the
QuickStart Guide that is appropriate for your
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Helpers.html
new/shorewall-docs-html-5.2.3.3/Helpers.html
--- old/shorewall-docs-html-5.2.3.1/Helpers.html 2019-02-26
19:01:20.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Helpers.html 2019-04-12
04:08:41.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Helpers -
Introduction</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm42">Helper Module Loading</a></span></dt><dt><span class="section"><a
href="#idm58">Iptables and Helpers</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm113">Shorewall Support for
Helpers</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm116">Module Loading</a></span></dt><dt><span class="section"><a
href="#idm189">Iptables</a></span></dt><dt><span class="section"><a
href="#idm201">Capabilities</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm217">Kernel &gt;= 3.5 and Shorewall &gt;=
4.5.7</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Helpers - Introduction</h2></div></div></div><p>There are a
number of applications that create connections
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Helpers -
Introduction</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm42">Helper Module Loading</a></span></dt><dt><span class="section"><a
href="#idm58">Iptables and Helpers</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm113">Shorewall Support for
Helpers</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm116">Module Loading</a></span></dt><dt><span class="section"><a
href="#idm189">Iptables</a></span></dt><dt><span class="section"><a
href="#idm201">Capabilities</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm217">Kernel &gt;= 3.5 and Shorewall &gt;=
4.5.7</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Helpers - Introduction</h2></div></div></div><p>There are a
number of applications that create connections
dynamically between a client and server. These connections use temporary
TCP or UDP ports, so static configuration of firewall rules to allow those
connections would require a very lax firewall configuration. To deal with
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/IPIP.htm
new/shorewall-docs-html-5.2.3.3/IPIP.htm
--- old/shorewall-docs-html-5.2.3.1/IPIP.htm 2019-02-26 19:01:22.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/IPIP.htm 2019-04-12 04:08:43.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Bridged">Bridging two Masqueraded
Networks</a></span></dt></dl></div><div class="warning" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>GRE and IPIP
Tunnels are insecure when used over the Internet; use
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Bridged">Bridging two Masqueraded
Networks</a></span></dt></dl></div><div class="warning" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>GRE and IPIP
Tunnels are insecure when used over the Internet; use
them at your own risk</p></div><p>GRE and IPIP tunneling with Shorewall
can be used to bridge two
masqueraded networks.</p><p>The simple scripts described in the <em
class="citetitle"><a class="ulink" href="http://ds9a.nl/lartc";
target="_top">Linux Advanced Routing and Shaping
HOWTO</a></em> work fine with Shorewall. Shorewall also includes
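Review bot: the warning in this hunk says GRE and IPIP tunnels are "insecure when used over the Internet" without saying why or what to use instead, and it ends without a full stop. State that these tunnels provide neither encryption nor authentication, and link to the IPsec article as the alternative. The LARTC link in the trailing context also shows a ";" after the closing quote of the href and uses plain http, which is worth checking in the source file in case it is not an artifact of the archive.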
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/IPP2P.html
new/shorewall-docs-html-5.2.3.3/IPP2P.html
--- old/shorewall-docs-html-5.2.3.1/IPP2P.html 2019-02-26 19:01:23.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/IPP2P.html 2019-04-12 04:08:44.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Scope">Scope</a></span></dt><dt><span
class="section"><a href="#Example">Example:</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Scope">Scope</a></span></dt><dt><span
class="section"><a href="#Example">Example:</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall includes support
for the ipp2p match facility. This is a
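Review bot: the caution in this hunk gives two different version boundaries: "applies to Shorewall 4.3 and later" is followed by "earlier than Shorewall 4.3.5". Pick one boundary and use it in both sentences, since a reader on a version between the two cannot tell from this text which documentation applies.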
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/IPSEC-2.6.html
new/shorewall-docs-html-5.2.3.3/IPSEC-2.6.html
--- old/shorewall-docs-html-5.2.3.1/IPSEC-2.6.html 2019-02-26
19:01:23.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/IPSEC-2.6.html 2019-04-12
04:08:44.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Shorwall and Kernel 2.6
IPsec</a></span></dt><dt><span class="section"><a href="#GwFw">IPsec Gateway on
the Firewall System</a></span></dt><dt><span class="section"><a
href="#RoadWarrior">Mobile System (Road Warrior)</a></span></dt><dt><span
class="section"><a href="#RW-L2TP">Mobile System (Road Warrior) with Layer 2
Tunneling Protocol
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Shorwall and Kernel 2.6
IPsec</a></span></dt><dt><span class="section"><a href="#GwFw">IPsec Gateway on
the Firewall System</a></span></dt><dt><span class="section"><a
href="#RoadWarrior">Mobile System (Road Warrior)</a></span></dt><dt><span
class="section"><a href="#RW-L2TP">Mobile System (Road Warrior) with Layer 2
Tunneling Protocol
(L2TP)</a></span></dt><dt><span class="section"><a
href="#Transport">Transport Mode</a></span></dt><dt><span class="section"><a
href="#ipcomp">IPCOMP</a></span></dt><dt><span class="section"><a
href="#idm297">Using SNAT to Force Traffic over an IPsec
Tunnel</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
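Review bot: the table-of-contents entry for #Overview reads "Shorwall and Kernel 2.6 IPsec" in both the - and + lines, so the misspelling of Shorewall survives the regeneration. Fix the section title in the source document so the heading and the TOC entry are both corrected.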
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/IPSEC.htm
new/shorewall-docs-html-5.2.3.3/IPSEC.htm
--- old/shorewall-docs-html-5.2.3.1/IPSEC.htm 2019-02-26 19:01:23.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/IPSEC.htm 2019-04-12 04:08:44.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span
class="section"><a href="#Swans">Configuring FreeS/Wan and Derivatives Such as
OpenS/Wan</a></span></dt><dt><span class="section"><a href="#GwFw">IPSec
Gateway on the Firewall System</a></span></dt><dt><span class="section"><a
href="#Hub">VPN Hub using Kernel 2.4</a></span></dt><dt><span
class="section"><a href="#RoadWarrior">Mobile System (Road Warrior) Using
Kernel 2.4</a></span></dt><dt><span class="section"><a href="#Dynamic">Dynamic
RoadWarrior Zones</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span
class="section"><a href="#Swans">Configuring FreeS/Wan and Derivatives Such as
OpenS/Wan</a></span></dt><dt><span class="section"><a href="#GwFw">IPSec
Gateway on the Firewall System</a></span></dt><dt><span class="section"><a
href="#Hub">VPN Hub using Kernel 2.4</a></span></dt><dt><span
class="section"><a href="#RoadWarrior">Mobile System (Road Warrior) Using
Kernel 2.4</a></span></dt><dt><span class="section"><a href="#Dynamic">Dynamic
RoadWarrior Zones</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="important"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>The information in this article is only
applicable if you plan to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/IPv6Support.html
new/shorewall-docs-html-5.2.3.3/IPv6Support.html
--- old/shorewall-docs-html-5.2.3.1/IPv6Support.html 2019-02-26
19:01:24.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/IPv6Support.html 2019-04-12
04:08:45.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm22">Overview</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm25">Prerequisites</a></span></dt><dt><span
class="section"><a href="#idm36">Packages</a></span></dt><dt><span
class="section"><a href="#idm50">IPv4/IPv6
Interaction</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm54">DISABLE_IPV6</a></span></dt><dt><span class="section"><a
href="#idm58">TC_ENABLED</a></span></dt><dt><span class="section"><a
href="#idm68">KEEP_RT_TABLES</a></span></dt><dt><span class="section"><a
href="#idm89">6TO4</a></span></dt></dl></dd></dl></dd><dt><span
class="section"><a href="#idm94">Shorewall6 Differences from
Shorewall</a></span></dt><dt><span class="section"><a href="#idm247">Installing
IPv6 Support</a></span></dt><dt><span class="section"><a href="#idm256">Shared
Shorewall/Shorewall6 Configuration Files</a></span></dt><dt><span
class="section"><a href="#idm260">More information about
IPv6</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm22">Overview</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm25">Prerequisites</a></span></dt><dt><span
class="section"><a href="#idm36">Packages</a></span></dt><dt><span
class="section"><a href="#idm50">IPv4/IPv6
Interaction</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm54">DISABLE_IPV6</a></span></dt><dt><span class="section"><a
href="#idm58">TC_ENABLED</a></span></dt><dt><span class="section"><a
href="#idm68">KEEP_RT_TABLES</a></span></dt><dt><span class="section"><a
href="#idm89">6TO4</a></span></dt></dl></dd></dl></dd><dt><span
class="section"><a href="#idm94">Shorewall6 Differences from
Shorewall</a></span></dt><dt><span class="section"><a href="#idm247">Installing
IPv6 Support</a></span></dt><dt><span class="section"><a href="#idm256">Shared
Shorewall/Shorewall6 Configuration Files</a></span></dt><dt><span
class="section"><a href="#idm260">More information about
IPv6</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm22"></a>Overview</h2></div></div></div><p>Beginning with Shorewall
4.2.4, support for firewalling IPv6 is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ISO-3661.html
new/shorewall-docs-html-5.2.3.3/ISO-3661.html
--- old/shorewall-docs-html-5.2.3.1/ISO-3661.html 2019-02-26
19:01:25.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/ISO-3661.html 2019-04-12
04:08:46.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm39">IPv4</a></span></dt><dt><span
class="section"><a href="#idm42">IPv6</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Beginning with Shorewall
4.5.4, Shorewall allows matching packet
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm39">IPv4</a></span></dt><dt><span
class="section"><a href="#idm42">IPv6</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Beginning with Shorewall
4.5.4, Shorewall allows matching packet
SOURCE and/or DEST IP addresses by their corresponding country. That is
done by specifying a comma-separated list of up to 15 ISO-3661 2-character
Country Codes enclosed in square brackets ('[...]') and prefixed by a
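Review bot: the unchanged context after the pubdate line still reads "ISO-3661 2-character Country Codes", and the file itself is named ISO-3661.html; the two-letter country code standard is ISO 3166, so the digits are transposed. This regeneration changes only the pubdate (2019/02/26 to 2019/04/11), so the wording needs to be corrected in the documentation source. If the file is renamed as part of that fix, keep the old name available so existing links to the page do not break.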
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Install.htm
new/shorewall-docs-html-5.2.3.3/Install.htm
--- old/shorewall-docs-html-5.2.3.1/Install.htm 2019-02-26 19:01:21.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Install.htm 2019-04-12 04:08:42.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Install_RPM">Install using
RPM</a></span></dt><dt><span class="section"><a href="#Install_Tarball">Install
using tarball</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm77">Versions 4.5.2 and Later</a></span></dt><dd><dl><dt><span
class="section"><a href="#shorewallrc">Settings in a shorewallrc
file</a></span></dt><dt><span class="section"><a href="#idm278">configure
Script</a></span></dt><dt><span class="section"><a href="#idm322">Install for
Packaging.</a></span></dt><dt><span class="section"><a href="#idm327">Install
into a Sandbox</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm333">Versions 4.5.1 and Earlier</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm376">Executables in /usr and Perl
Modules</a></span></dt><dt><span class="section"><a href="#Locations">Default
Install Locations</a></span></dt></dl></dd></dl></dd><dt><span
class="section"><a href="#Debian">Install the .deb</a></span></dt><dt><span
class="section"><a href="#Upgrade">General Notes about Upgrading
Shorewall</a></span></dt><dt><span class="section"><a
href="#Upgrade_RPM">Upgrade using RPM</a></span></dt><dt><span
class="section"><a href="#Upgrade_Tarball">Upgrade using
tarball</a></span></dt><dt><span class="section"><a
href="#Upgrade_Deb">Upgrading the .deb</a></span></dt><dt><span
class="section"><a href="#Config_Files">Configuring
Shorewall</a></span></dt><dt><span class="section"><a
href="#Uninstall">Uninstall/Fallback</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Install_RPM">Install using
RPM</a></span></dt><dt><span class="section"><a href="#Install_Tarball">Install
using tarball</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm77">Versions 4.5.2 and Later</a></span></dt><dd><dl><dt><span
class="section"><a href="#shorewallrc">Settings in a shorewallrc
file</a></span></dt><dt><span class="section"><a href="#idm278">configure
Script</a></span></dt><dt><span class="section"><a href="#idm322">Install for
Packaging.</a></span></dt><dt><span class="section"><a href="#idm327">Install
into a Sandbox</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm333">Versions 4.5.1 and Earlier</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm376">Executables in /usr and Perl
Modules</a></span></dt><dt><span class="section"><a href="#Locations">Default
Install Locations</a></span></dt></dl></dd></dl></dd><dt><span
class="section"><a href="#Debian">Install the .deb</a></span></dt><dt><span
class="section"><a href="#Upgrade">General Notes about Upgrading
Shorewall</a></span></dt><dt><span class="section"><a
href="#Upgrade_RPM">Upgrade using RPM</a></span></dt><dt><span
class="section"><a href="#Upgrade_Tarball">Upgrade using
tarball</a></span></dt><dt><span class="section"><a
href="#Upgrade_Deb">Upgrading the .deb</a></span></dt><dt><span
class="section"><a href="#Config_Files">Configuring
Shorewall</a></span></dt><dt><span class="section"><a
href="#Uninstall">Uninstall/Fallback</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are installing or upgrading to a version of Shorewall
earlier than Shorewall 4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="important"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Before attempting installation, I strongly urge
you to read and
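Review bot: the removed and added lines in this hunk differ only in the pubdate value (2019/02/26 versus 2019/04/11); the table of contents and the Caution text that follow are identical on both sides. A publication date that moves on every rebuild tells readers the install instructions were revised when they were not, and it buries real documentation changes in diff noise for anyone reviewing the package update. Consider taking the pubdate from the last change to the document source rather than from the build, or noting in the changelog that the docs-html differences are date-only.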
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Install_fr.html
new/shorewall-docs-html-5.2.3.3/Install_fr.html
--- old/shorewall-docs-html-5.2.3.1/Install_fr.html 2019-02-26
19:01:21.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Install_fr.html 2019-04-12
04:08:42.000000000 +0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#Install_RPM">Installation avec un
RPM</a></span></dt><dt><span class="section"><a
href="#Install_Tarball">Installer avec le fichier
tarball</a></span></dt><dt><span class="section"><a href="#idm169">Installer
avec le .deb</a></span></dt><dt><span class="section"><a
href="#Upgrade">Observations générales sur les mises à jour de
Shorewall</a></span></dt><dt><span class="section"><a href="#Upgrade_RPM">Mise
à jour avec un RPM</a></span></dt><dt><span class="section"><a
href="#Upgrade_Tarball">Mise à niveau avec le tarball</a></span></dt><dt><span
class="section"><a href="#Upgrade_Deb">Mettre à jour avec le
.deb</a></span></dt><dt><span class="section"><a href="#LRP_Upgrade">Mettre à
jour avec le .lrp</a></span></dt><dt><span class="section"><a
href="#Config_Files">Configurer Shorewall</a></span></dt><dt><span
class="section"><a href="#Uninstall">Désinstaller / Revenir à la version
antérieure</a></span></dt></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Si vous
+ License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#Install_RPM">Installation avec un
RPM</a></span></dt><dt><span class="section"><a
href="#Install_Tarball">Installer avec le fichier
tarball</a></span></dt><dt><span class="section"><a href="#idm169">Installer
avec le .deb</a></span></dt><dt><span class="section"><a
href="#Upgrade">Observations générales sur les mises à jour de
Shorewall</a></span></dt><dt><span class="section"><a href="#Upgrade_RPM">Mise
à jour avec un RPM</a></span></dt><dt><span class="section"><a
href="#Upgrade_Tarball">Mise à niveau avec le tarball</a></span></dt><dt><span
class="section"><a href="#Upgrade_Deb">Mettre à jour avec le
.deb</a></span></dt><dt><span class="section"><a href="#LRP_Upgrade">Mettre à
jour avec le .lrp</a></span></dt><dt><span class="section"><a
href="#Config_Files">Configurer Shorewall</a></span></dt><dt><span
class="section"><a href="#Uninstall">Désinstaller / Revenir à la version
antérieure</a></span></dt></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Si vous
trouvez des erreurs ou si vous avez des améliorations à apporter à cette
traduction vous pouvez <a class="ulink" href="mailto:guy@xxxxxxxxxxxx";
target="_top">me
contacter</a>.</p></div><div class="caution" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Attention</h3><p><span
class="bold"><strong>Cet article s'applique à Shorewall 3.0 et à
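Review bot: the changed line gives this page a pubdate of 2019/04/11, but the trailing context shows the French text still saying "Cet article s'applique à Shorewall 3.0", and its table of contents still lists a ".lrp" upgrade section, while the English Install.htm in this same diff applies to Shorewall 4.3 and later and has no such entry. A fresh date on a translation that lags the original can lead readers to follow outdated installation steps for a firewall. Either bring the translation up to date, or keep its pubdate at the translation's last real revision and point readers to the English page for current releases.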
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Internals.html
new/shorewall-docs-html-5.2.3.3/Internals.html
--- old/shorewall-docs-html-5.2.3.1/Internals.html 2019-02-26
19:01:22.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Internals.html 2019-04-12
04:08:43.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm19">History</a></span></dt><dt><span
class="section"><a href="#idm28">Architecture</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm43">Build/Install
Subsystem</a></span></dt><dt><span class="section"><a
href="#idm53">CLI</a></span></dt><dt><span class="section"><a
href="#idm74">Run-time Libraries</a></span></dt><dt><span class="section"><a
href="#Compiler">Compiler</a></span></dt><dt><span class="section"><a
href="#idm177">Configuration Files</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm180">The Generated
Script</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm187">Compiler Internals</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm190">Modularization</a></span></dt><dt><span
class="section"><a href="#idm194">Module
Initialization</a></span></dt><dt><span class="section"><a
href="#idm199">Module Dependence</a></span></dt><dt><span class="section"><a
href="#idm203">Config Module</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm206">Pre-processor</a></span></dt><dt><span
class="section"><a href="#idm315">Error and Progress Message
Production</a></span></dt><dt><span class="section"><a href="#idm354">Script
File Handling</a></span></dt></dl></dd></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>This document provides an
overview of Shorewall internals. It is
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm19">History</a></span></dt><dt><span
class="section"><a href="#idm28">Architecture</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm43">Build/Install
Subsystem</a></span></dt><dt><span class="section"><a
href="#idm53">CLI</a></span></dt><dt><span class="section"><a
href="#idm74">Run-time Libraries</a></span></dt><dt><span class="section"><a
href="#Compiler">Compiler</a></span></dt><dt><span class="section"><a
href="#idm177">Configuration Files</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm180">The Generated
Script</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm187">Compiler Internals</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm190">Modularization</a></span></dt><dt><span
class="section"><a href="#idm194">Module
Initialization</a></span></dt><dt><span class="section"><a
href="#idm199">Module Dependence</a></span></dt><dt><span class="section"><a
href="#idm203">Config Module</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm206">Pre-processor</a></span></dt><dt><span
class="section"><a href="#idm315">Error and Progress Message
Production</a></span></dt><dt><span class="section"><a href="#idm354">Script
File Handling</a></span></dt></dl></dd></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>This document provides an
overview of Shorewall internals. It is
intended to ease the task of approaching the Shorewall code base by
providing a roadmap of what you will find there.</p><div
class="section"><div class="titlepage"><div><div><h3 class="title"><a
id="idm19"></a>History</h3></div></div></div><p>Shorewall was originally
written entirely in Bourne Shell. The
chief advantage of this approach was that virtually any platform
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Introduction.html
new/shorewall-docs-html-5.2.3.3/Introduction.html
--- old/shorewall-docs-html-5.2.3.1/Introduction.html 2019-02-26
19:01:22.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Introduction.html 2019-04-12
04:08:43.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="Copyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#Glossary">Glossary</a></span></dt><dt><span
class="section"><a href="#Shorewall">What is
Shorewall?</a></span></dt></dl></dd><dt><span class="section"><a
href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a
href="#Compile">Compile then Execute</a></span></dt><dt><span
class="section"><a href="#Packages">Shorewall Packages</a></span></dt><dt><span
class="section"><a href="#License">License</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>The
information in this document applies only to 4.3 and later
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#Glossary">Glossary</a></span></dt><dt><span
class="section"><a href="#Shorewall">What is
Shorewall?</a></span></dt></dl></dd><dt><span class="section"><a
href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a
href="#Compile">Compile then Execute</a></span></dt><dt><span
class="section"><a href="#Packages">Shorewall Packages</a></span></dt><dt><span
class="section"><a href="#License">License</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>The
information in this document applies only to 4.3 and later
releases of Shorewall.</p><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="Glossary"></a>Glossary</h3></div></div></div><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><a
class="ulink" href="http://www.netfilter.org"; target="_top">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux
kernels.</p></li><li class="listitem"><p>ipchains - the packet
filter facility built into the 2.2 Linux
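Review bot: the license link in the context just above the changed pubdate line uses href="Copyright.htm", whereas the other pages in this diff link the same "GNU Free Documentation License" text to GnuCopyright.htm. Confirm that Copyright.htm is actually shipped in the docs-html tarball; if it is not, the license reference on the Introduction page is a dead link and should be switched to GnuCopyright.htm in the source.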
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/KVM.html
new/shorewall-docs-html-5.2.3.3/KVM.html
--- old/shorewall-docs-html-5.2.3.1/KVM.html 2019-02-26 19:01:25.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/KVM.html 2019-04-12 04:08:46.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm29">Networking
Configuration</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Kernel-mode Virtual
Machines (<a class="ulink" href="http://kvm.qumranet.com/";
target="_top">http://kvm.qumranet.com/</a>) is a
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm29">Networking
Configuration</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Kernel-mode Virtual
Machines (<a class="ulink" href="http://kvm.qumranet.com/";
target="_top">http://kvm.qumranet.com/</a>) is a
virtualization platform that leverages the virtualization capabilities
available with current microprocessors from both
<span class="trademark">Intel</span>™ and <span
class="trademark">AMD</span>™. For an
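Review bot: the changed line carries the new pubdate but still expands KVM as "Kernel-mode Virtual Machines" and links to http://kvm.qumranet.com/ over plain http. KVM stands for Kernel-based Virtual Machine, so the name should be corrected in the source. The link target should also be checked: if that host no longer serves the project, replace it with the project's current URL over https rather than republishing it under a 2019/04/11 date.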
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/LXC.html
new/shorewall-docs-html-5.2.3.3/LXC.html
--- old/shorewall-docs-html-5.2.3.1/LXC.html 2019-02-26 19:01:26.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/LXC.html 2019-04-12 04:08:47.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Background</a></span></dt><dt><span
class="section"><a href="#idm21">Overview of a Working
Configuration</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Background</h2></div></div></div><p>LXC (<a class="ulink"
href="http://lxc.sourceforge.net/";
target="_top">http://lxc.sourceforge.net/</a>) is
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Background</a></span></dt><dt><span
class="section"><a href="#idm21">Overview of a Working
Configuration</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Background</h2></div></div></div><p>LXC (<a class="ulink"
href="http://lxc.sourceforge.net/";
target="_top">http://lxc.sourceforge.net/</a>) is
a set of user-space tools for managing the container capabilities that
have been in the Linux Kernel since 2.6.27.</p><p>This short article
describes how I've implemented LXC here at
shorewall.net, with emphasis on the networking and firewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Laptop.html
new/shorewall-docs-html-5.2.3.3/Laptop.html
--- old/shorewall-docs-html-5.2.3.1/Laptop.html 2019-02-26 19:01:26.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Laptop.html 2019-04-12 04:08:47.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Overview</a></span></dt><dt><span
class="section"><a href="#idm27">Configuration</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm16"></a>Overview</h2></div></div></div><p>Laptop
computers generally have several network interfaces, one of
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Overview</a></span></dt><dt><span
class="section"><a href="#idm27">Configuration</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm16"></a>Overview</h2></div></div></div><p>Laptop
computers generally have several network interfaces, one of
which will be used at a time.</p><div class="orderedlist"><ol
class="orderedlist" type="1"><li class="listitem"><p>Ethernet interface ‒ Used
when the computer is on the desktop at
home or at work.</p></li><li class="listitem"><p>Wireless interface ‒
Used when the laptop is being used in a
cafe, train or airline terminal.</p></li><li
class="listitem"><p>Point-to-point (PPP) interface ‒ Used when neither wired nor
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/LennyToSqueeze.html
new/shorewall-docs-html-5.2.3.3/LennyToSqueeze.html
--- old/shorewall-docs-html-5.2.3.1/LennyToSqueeze.html 2019-02-26
19:01:26.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/LennyToSqueeze.html 2019-04-12
04:08:47.000000000 +0200
@@ -6,7 +6,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Introduction</a></span></dt><dt><span
class="section"><a href="#Packages">Packaging
Differences</a></span></dt><dt><span class="section"><a href="#Issues">Issues
Most Likely to Cause Problems or Concerns</a></span></dt><dd><dl><dt><span
class="section"><a href="#conf">shorewall.conf</a></span></dt><dt><span
class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span
class="section"><a href="#ipsec">/etc/shorewall/ipsec</a></span></dt><dt><span
class="section"><a
href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span
class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span
class="section"><a
href="#policy">/etc/shorewall/policy</a></span></dt><dt><span
class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span
class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span
class="section"><a
href="#routestopped">/etc/shorewall/routestopped</a></span></dt><dt><span
class="section"><a href="#tos">/etc/shorewall/tos</a></span></dt><dt><span
class="section"><a href="#extension">Extension Scripts</a></span></dt><dt><span
class="section"><a href="#ipsets">Ipsets</a></span></dt><dt><span
class="section"><a href="#SimpleTC">Simple Traffic
Shaping</a></span></dt></dl></dd><dt><span class="section"><a
href="#Additional">Additional Sources of
Information</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm17"></a>Introduction</h2></div></div></div><p>Debian Lenny includes
Shorewall version 4.0.15 while Squeeze
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Introduction</a></span></dt><dt><span
class="section"><a href="#Packages">Packaging
Differences</a></span></dt><dt><span class="section"><a href="#Issues">Issues
Most Likely to Cause Problems or Concerns</a></span></dt><dd><dl><dt><span
class="section"><a href="#conf">shorewall.conf</a></span></dt><dt><span
class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span
class="section"><a href="#ipsec">/etc/shorewall/ipsec</a></span></dt><dt><span
class="section"><a
href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span
class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span
class="section"><a
href="#policy">/etc/shorewall/policy</a></span></dt><dt><span
class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span
class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span
class="section"><a
href="#routestopped">/etc/shorewall/routestopped</a></span></dt><dt><span
class="section"><a href="#tos">/etc/shorewall/tos</a></span></dt><dt><span
class="section"><a href="#extension">Extension Scripts</a></span></dt><dt><span
class="section"><a href="#ipsets">Ipsets</a></span></dt><dt><span
class="section"><a href="#SimpleTC">Simple Traffic
Shaping</a></span></dt></dl></dd><dt><span class="section"><a
href="#Additional">Additional Sources of
Information</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm17"></a>Introduction</h2></div></div></div><p>Debian Lenny includes
Shorewall version 4.0.15 while Squeeze
includes Shorewall 4.4. Because there are significant differences between
the two product versions, some users may experience upgrade issues. This
article outlines those issues and offers advice for dealing with
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/MAC_Validation.html
new/shorewall-docs-html-5.2.3.3/MAC_Validation.html
--- old/shorewall-docs-html-5.2.3.1/MAC_Validation.html 2019-02-26
19:01:27.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/MAC_Validation.html 2019-04-12
04:08:48.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Components">Components</a></span></dt><dt><span
class="section"><a
href="#maclist">/etc/shorewall/maclist</a></span></dt><dt><span
class="section"><a href="#Examples">Examples</a></span></dt></dl></div><p>All
traffic from an interface or from a subnet on an interface can be
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Components">Components</a></span></dt><dt><span
class="section"><a
href="#maclist">/etc/shorewall/maclist</a></span></dt><dt><span
class="section"><a href="#Examples">Examples</a></span></dt></dl></div><p>All
traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore, each
MAC address may be optionally associated with one or more IP
addresses.</p><div class="important" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Important</h3><p><span
class="bold"><strong>MAC addresses are only visible within an
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Macros.html
new/shorewall-docs-html-5.2.3.3/Macros.html
--- old/shorewall-docs-html-5.2.3.1/Macros.html 2019-02-26 19:01:27.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/Macros.html 2019-04-12 04:08:48.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Overview of Shorewall
Macros?</a></span></dt><dt><span class="section"><a href="#Defining">Defining
your own Macros</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm112">Shorewall 5.0.0 and Later</a></span></dt><dt><span
class="section"><a href="#idm116">Shorewall 4.4.16 and
Later</a></span></dt><dt><span class="section"><a href="#idm129">Shorewall
4.4.15 and Earlier</a></span></dt></dl></dd><dt><span class="section"><a
href="#Logging">Macros and Logging</a></span></dt><dt><span class="section"><a
href="#ActionOrMacro">How do I know if I should create an Action or a
Macro?</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Overview of Shorewall
Macros?</a></span></dt><dt><span class="section"><a href="#Defining">Defining
your own Macros</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm112">Shorewall 5.0.0 and Later</a></span></dt><dt><span
class="section"><a href="#idm116">Shorewall 4.4.16 and
Later</a></span></dt><dt><span class="section"><a href="#idm129">Shorewall
4.4.15 and Earlier</a></span></dt></dl></dd><dt><span class="section"><a
href="#Logging">Macros and Logging</a></span></dt><dt><span class="section"><a
href="#ActionOrMacro">How do I know if I should create an Action or a
Macro?</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Overview"></a>Overview of Shorewall
Macros?</h2></div></div></div><p>Shorewall macros allow a symbolic name to be
associated with a
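Review bot: the section title "Overview of Shorewall Macros?" carries what looks like a stray question mark, both in the TOC entry and in the h2, and it is unchanged between the removed and added line. The rest of this line differs only in the pubdate (2019/02/26 to 2019/04/11), so the fix belongs in the source the HTML is generated from; otherwise the next rebuild will carry it forward again.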
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Manpages.html
new/shorewall-docs-html-5.2.3.3/Manpages.html
--- old/shorewall-docs-html-5.2.3.1/Manpages.html 2019-02-26
19:01:28.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Manpages.html 2019-04-12
04:08:49.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Section5">Section 5 — Files and
Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8
— Administrative Commands</a></span></dt></dl></div><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Warning</h3><p>These manpages are for Shorewall 5.0 and later
only. They describe
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Section5">Section 5 — Files and
Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8
— Administrative Commands</a></span></dt></dl></div><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Warning</h3><p>These manpages are for Shorewall 5.0 and later
only. They describe
features and options not available on earlier releases. The manpages for
Shorewall 4.4-4.6 are available<a class="ulink"
href="/manpages4/Manpages.html" target="_top">
here</a>.</p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Section5"></a>Section 5 — Files and Concepts</h2></div></div></div><div
class="blockquote"><blockquote class="blockquote"><table border="0"
summary="Simple list" class="simplelist"><tr><td><a class="ulink"
href="manpages/shorewall-accounting.html" target="_top">accounting</a> - Define
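Review bot: in the trailing context of this hunk, "are available<a class="ulink" href="/manpages4/Manpages.html" target="_top"> here</a>" has no space before the anchor, and the separating whitespace appears to sit inside the link text. Manpages6.html words the same sentence as "are available <a ...>here</a>"; using that form here would keep the two pages consistent.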
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Manpages6.html
new/shorewall-docs-html-5.2.3.3/Manpages6.html
--- old/shorewall-docs-html-5.2.3.1/Manpages6.html 2019-02-26
19:01:28.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Manpages6.html 2019-04-12
04:08:49.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Section5">Section 5 — Files and
Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8
— Administrative Commands</a></span></dt></dl></div><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Warning</h3><p>These manpages are for Shorewall6 5.0 and later
only. They describe
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Section5">Section 5 — Files and
Concepts</a></span></dt><dt><span class="section"><a href="#Section8">Section 8
— Administrative Commands</a></span></dt></dl></div><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Warning</h3><p>These manpages are for Shorewall6 5.0 and later
only. They describe
features and options not available on earlier releases.The manpages for
Shorewall 4.4-4.6 are available <a class="ulink"
href="/manpages4/Manpages.html" target="_top">here</a>.</p></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Section5"></a>Section 5 — Files and
Concepts</h2></div></div></div><div class="blockquote"><blockquote
class="blockquote"><table border="0" summary="Simple list"
class="simplelist"><tr><td><a class="ulink"
href="manpages6/shorewall6-accounting.html" target="_top">accounting</a> -
Define
IP accounting rules.</td></tr><tr><td><a class="ulink"
href="manpages6/shorewall6-actions.html" target="_top">actions</a>
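Review bot: the warning text in the trailing context reads "earlier releases.The manpages for", with the space after the full stop missing; Manpages.html has it. The same sentence points Shorewall6 readers at /manpages4/Manpages.html, the same target the IPv4 page uses, so it is worth confirming in the source that this link is the intended one for the Shorewall6 index.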
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ManualChains.html
new/shorewall-docs-html-5.2.3.3/ManualChains.html
--- old/shorewall-docs-html-5.2.3.1/ManualChains.html 2019-02-26
19:01:28.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/ManualChains.html 2019-04-12
04:08:49.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Example">Example</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>For
Perl programmers, manual chains provide an alternative to
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Example">Example</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>For
Perl programmers, manual chains provide an alternative to
Actions with extension scripts. Manual chains are chains which you create
and populate yourself using the low-level functions in
Shorewall::Chains.</p><p>Manual chains work in conjunction with the
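Review bot: the build date stamped into <p class="pubdate"> is the only thing that differs between the removed and added line in this file; the TOC and the Introduction text are identical. With the same stamp in every generated page, each HTML file in the docs tarball shows up as changed in the 5.2.3.1 to 5.2.3.3 update, which buries any real documentation change. Comparing the docs with the pubdate paragraph filtered out, or diffing the documentation sources instead of the rendered HTML, would make this part of the package update reviewable.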
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/MultiISP.html
new/shorewall-docs-html-5.2.3.3/MultiISP.html
--- old/shorewall-docs-html-5.2.3.1/MultiISP.html 2019-02-26
19:01:29.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/MultiISP.html 2019-04-12
04:08:50.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Support">Multiple Internet Connection
Support</a></span></dt><dd><dl><dt><span class="section"><a
href="#Overview">Overview</a></span></dt><dt><span class="section"><a
href="#idm98">USE_DEFAULT_RT</a></span></dt><dt><span class="section"><a
href="#providers">/etc/shorewall/providers File</a></span></dt><dt><span
class="section"><a href="#Providers">What an entry in the Providers File
Does</a></span></dt><dt><span class="section"><a href="#idm346">What an entry
in the Providers File Does Not Do</a></span></dt><dt><span class="section"><a
href="#masq">./etc/shorewall/masq (/etc/shorewall/snat) and
Multi-ISP</a></span></dt><dt><span class="section"><a
href="#Martians">Martians</a></span></dt><dt><span class="section"><a
href="#Example1">Legacy Example</a></span></dt><dt><span class="section"><a
href="#Example2">Example using USE_DEFAULT_RT=Yes</a></span></dt><dt><span
class="section"><a href="#Applications">Routing a Particular Application
Through a Specific
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Support">Multiple Internet Connection
Support</a></span></dt><dd><dl><dt><span class="section"><a
href="#Overview">Overview</a></span></dt><dt><span class="section"><a
href="#idm98">USE_DEFAULT_RT</a></span></dt><dt><span class="section"><a
href="#providers">/etc/shorewall/providers File</a></span></dt><dt><span
class="section"><a href="#Providers">What an entry in the Providers File
Does</a></span></dt><dt><span class="section"><a href="#idm346">What an entry
in the Providers File Does Not Do</a></span></dt><dt><span class="section"><a
href="#masq">./etc/shorewall/masq (/etc/shorewall/snat) and
Multi-ISP</a></span></dt><dt><span class="section"><a
href="#Martians">Martians</a></span></dt><dt><span class="section"><a
href="#Example1">Legacy Example</a></span></dt><dt><span class="section"><a
href="#Example2">Example using USE_DEFAULT_RT=Yes</a></span></dt><dt><span
class="section"><a href="#Applications">Routing a Particular Application
Through a Specific
Interface</a></span></dt><dt><span class="section"><a
href="#PortForwarding">Port Forwarding</a></span></dt><dt><span
class="section"><a href="#morethan2">More than 2
Providers</a></span></dt><dt><span class="section"><a
href="#rtrules">/etc/shorewall/rtrules (formerly
/etc/shorewall/route_rules)</a></span></dt><dd><dl><dt><span
class="section"><a href="#Routing_rules">Routing Rules</a></span></dt><dt><span
class="section"><a href="#rtrules_columns">Columns in the rtrules
file</a></span></dt><dt><span class="section"><a href="#idm548">Multi-ISP and
VPN</a></span></dt><dt><span class="section"><a
href="#Examples">Examples</a></span></dt></dl></dd><dt><span class="section"><a
href="#Local">Applications running on the Firewall - making them use a
particular provider</a></span></dt><dt><span class="section"><a
href="#routes">/etc/shorewall/routes File</a></span></dt><dt><span
class="section"><a href="#null_routing">Null
Routing</a></span></dt><dd><dl><dt><span class="section"><a href="#idm662">Null
Routing Implementation in Shorewall</a></span></dt><dt><span class="section"><a
href="#idm709">Important Points To Remember When Using Null Routing in
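Review bot: the TOC entry "./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP" (href="#masq") starts with a stray "." before the path, present in both the removed and the added line. Several neighbouring entries also link to generated anchors (#idm98, #idm346, #idm548, #idm662, #idm709) rather than named ids like #providers or #rtrules; giving those sections explicit ids in the source would keep external links into this page stable across rebuilds.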
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/MultiISP_ru.html
new/shorewall-docs-html-5.2.3.3/MultiISP_ru.html
--- old/shorewall-docs-html-5.2.3.1/MultiISP_ru.html 2019-02-26
19:01:29.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/MultiISP_ru.html 2019-04-12
04:08:50.000000000 +0200
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";><html
xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" /><title>Shorewall и подключение к Internet
по нескольким каналам</title><link rel="stylesheet" type="text/css"
href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets
V1.79.1" /></head><body><div class="article"><div
class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Shorewall и
подключение к Internet по нескольким каналам</h2></div><div><div
class="authorgroup"><div class="author"><h3 class="author"><span
class="firstname">Tom</span> <span
class="surname">Eastep</span></h3></div></div></div><div><p
class="copyright">Copyright © 2005, 2006, 2007 Thomas M.
Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation:
Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm17"></a><p>Этот
документ разрешается копировать, распространять и/или изменять при выполнении
условий лицензии GNU Free Documentation License версии 1.2 или более поздней,
опубликованной Free Software Foundation; без неизменяемых разделов, без текста
на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по
ссылке <span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Support">Поддержка нескольких соединений с
Internet</a></span></dt><dd><dl><dt><span class="section"><a
href="#Overview">Обзор</a></span></dt><dt><span class="section"><a
href="#providers">Файл /etc/shorewall/providers</a></span></dt><dt><span
class="section"><a href="#Providers">Какие функции выполняет запись в файле
providers</a></span></dt><dt><span class="section"><a
href="#Provider_Doesnt">Какие функции НЕ выполняет запись в файле
providers</a></span></dt><dt><span class="section"><a
href="#Martians">Марсианские пакеты</a></span></dt><dt><span class="section"><a
href="#Example1">Пример</a></span></dt><dt><span class="section"><a
href="#morethan2">Если провайдеров больше, чем 2</a></span></dt><dt><span
class="section"><a href="#Local">Приложения, работающие в системе
файрвола</a></span></dt><dt><span class="section"><a
href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dd><dl><dt><span
class="section"><a href="#Routing_rules">Правила
маршрутизации</a></span></dt><dt><span class="section"><a
href="#rtrules_columns">Файл
rtrules</a></span></dt></dl></dd></dl></dd></dl></div><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Warning</h3><p>Вы должны <span class="bold"><strong> установить
современный дистрибутив, который обновляется поставщиком</strong></span>,
прежде чем пытаться настроить работу в этом режиме. Старые дистрибутивы не
удовлетворяют минимальным требованиям, и вам потребуется перекомпилировать
iptables, ядро и прочее программное обеспечение в системе. Если вы
проигнорируете этот совет, <span class="bold"><strong>то <span
class="bold"><strong>не </strong></span> рассчитывайте, что кто-либо сможет вам
помочь.</strong></span>.</p></div><div class="warning" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Чтение только
документации Shorewall не будет достаточным для понимания раскрываемых здесь
тем. Shorewall упрощает работу с iptables, но разработчики Shorewall не имеют
достаточных ресурсов, чтобы учить вас основам управляемой маршрутизации в Linux
(равно как и пособие по вождению комбайна не учит правильно выращивать
пшеницу). Скорее всего вам потребуется обратиться к следующим дополнительным
источникам:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>LARTC HOWTO: <a
class="ulink" href="http://www.lartc.org";
target="_top">http://www.lartc.org</a></p></li><li class="listitem"><p>Вывод
команды <span class="command"><strong>man ip</strong></span></p></li><li
class="listitem"><p>Вывод команд <span class="command"><strong>ip route
help</strong></span> и <span class="command"><strong>ip rule
help</strong></span></p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Support"></a>Поддержка нескольких соединений с
Internet</h2></div></div></div><p>Начиная с версии 2.3.2 в Shorewall
реализована ограниченная поддержка нескольких соединений с Internet. Ниже
описаны существующие ограничения:</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p>Используется статическая конфигурация маршрутов. Поэтому не
предусмотрены меры по защите от сбоя какого-либо из каналов связи с
провайдером.</p></li><li class="listitem"><p>Изменения маршрутизации и очистка
кэша маршрутов осуществляются при запуске <span class="bold"><strong>и при
перезапуске Shorewall </strong></span> (если не указана опция "-n" для <span
class="command"><strong>shorewall restart</strong></span>). Вообще говоря, в
идеальном случае перезапуск пакетного фильтра никак не должен влиять на
маршрутизацию.</p></li><li class="listitem"><p>В версиях Shorewall ниже 3.4.0
маршруты и правила маршрутизации, добавляемые при запуске, не удалялись
полностью в ходе выполнения команд <span class="command"><strong>shorewall
stop</strong></span>, <span class="command"><strong>shorewall
clear</strong></span> или <span class="command"><strong>shorewall
restart</strong></span>.</p></li></ul></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="Overview"></a>Обзор</h3></div></div></div><p>Предположим, что система, в
которой работает файрвол, подключена к двум провайдерам по двум интерфейсам
Ethernet, как показано на рисунке.</p><div align="center"><table border="0"
summary="manufactured viewport for HTML img" style="cellpadding: 0;
cellspacing: 0;"><tr><td align="center" valign="middle"><img
src="images/TwoISPs.png" align="middle" /></td></tr></table></div><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>eth0 подключен к ISP1. IP-адрес eth0 - это
206.124.146.176, и шлюз провайдера имеет IP-адрес 206.124.146.254.</p></li><li
class="listitem"><p>eth1 подключен к ISP2. IP-адрес eth1 - это 130.252.99.27, и
шлюз провайдера имеет IP-адрес 130.252.99.254.</p></li><li
class="listitem"><p>eth2 подключен к локальной сети. У него может быть любой
IP-адрес.</p></li></ul></div><p>Все эти <em class="firstterm">провайдеры </em>
должны быть перечислены в файле <code
class="filename">/etc/shorewall/providers</code>.</p><p>В записях в файле <code
class="filename">/etc/shorewall/providers</code> можно указать, что для
исходящих соединений должно быть включено распределение нагрузки по двум
каналам связи с провайдерами. В записях в файле <code
class="filename">/etc/shorewall/tcrules</code> можно указать, что некоторые
исходящие соединения должны использовать определённый канал провайдера. Правила
в файле <code class="filename">/etc/shorewall/tcrules</code> необязательны для
того, чтобы настройка <code class="filename">/etc/shorewall/providers</code>
работала, но необходимо указать уникальное значение MARK для каждого из
провайдеров, чтобы Shorewall настроил правила маркировки.</p><p>Если задать
опцию <span class="bold"><strong>track</strong></span> в файле <code
class="filename">/etc/shorewall/providers</code>, то соединения из Internet
будут автоматически маршрутизироваться обратно через правильный интерфейс на
соответствующий шлюз провайдера. Это будет работать как в том случае, когда
соединение обрабатывается самим файрволом, так и для соединений,
маршрутизируемых или пробрасываемых к системам позади файрвола.</p><p>Shorewall
настраивает маршрутизацию и обновляет файл <code
class="filename">/etc/iproute2/rt_tables</code>, включая в него имена таблиц и
их номера.</p><div class="caution" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Caution</h3><p>При этом используются функции <a
class="ulink" href="traffic_shaping.htm" target="_top">маркировки пакетов</a>
для управления маршрутизацией. Как следствие этого возникают ограничения на
записи в файле <code class="filename">/etc/shorewall/tcrules</code>:</p><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>Маркировка пакетов для целей управления трафиком не
может осуществляться в цепочке PREROUTING для соединений с участием
провайдеров, для которых задана опция 'track' (см. далее).</p></li><li
class="listitem"><p>Нельзя использовать опции SAVE или RESTORE.</p></li><li
class="listitem"><p>Нельзя использовать маркировку
соединений.</p></li></ul></div></div><p>Файл <code
class="filename">/etc/shorewall/providers</code> может также использоваться в
других сценариях маршрутизации. В <a class="ulink"
href="Shorewall_Squid_Usage.html" target="_top">документации по работе с Squid
</a> приведены примеры.</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a id="providers"></a>Файл
/etc/shorewall/providers</h3></div></div></div><p>Далее описаны поля этого
файла. Как и везде в файлах конфигурации Shorewall, укажите в поле для столбца
"-", если не требуется задавать никакое значение.</p><div
class="variablelist"><dl class="variablelist"><dt><span
class="term">NAME</span></dt><dd><p>Имя провайдера. Должно начинаться с буквы и
состоять из букв и цифр. Имя провайдера становится именем сгенерированной
таблицы маршрутизации для этого провайдера.</p></dd><dt><span
class="term">NUMBER</span></dt><dd><p>Число от 1 до 252. Оно будет номером
таблицы маршрутизации для сгенерированной таблицы для этого
провайдера.</p></dd><dt><span class="term">MARK</span></dt><dd><p>Метка,
применяемая в файле /etc/shorewall/tcrules для направления пакетов через этого
провайдера. Shorewall также помечает этой меткой соединения, которые входят
через этого провайдера, и восстанавливает метку пакета в цепочке PREROUTING.
Метка должна быть целым числом от 1 до 255.</p><p>Начиная с Shorewall версии
3.2.0 Beta 6, можно задать опцию HIGH_ROUTE_MARKS=Yes в файле <code
class="filename">/etc/shorewall/shorewall.conf</code>. Это позволяет решить
следующие задачи:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>Использовать метки
пакетов для управления трафиком, при условии что эти метки присваиваются в
цепочке FORWARD.</p></li><li class="listitem"><p>Использовать значения меток
&gt; 255 для меток провайдера. Эти метки должны быть кратными 256 в диапазоне
256-65280 (в 16-ричном представлении 0x100 - 0xFF00, с нулевыми младшими 8
битами).</p></li></ul></div></dd><dt><span
class="term">DUPLICATE</span></dt><dd><p>Имя или номер таблицы маршрутизации,
которая будет продублирована. Можно указать 'main' или имя или номер ранее
объявленного провайдера. Для большинства приложений здесь достаточно будет
указать 'main'.</p></dd><dt><span class="term">INTERFACE</span></dt><dd><p>Имя
интерфейса канала связи с провайдером.</p><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>В реализации поддержки нескольких подключений с
провайдерами Shorewall предполагается, что каждый провайдер подключен к
собственному интерфейсу.</p></div></dd><dt><span
class="term">GATEWAY</span></dt><dd><p>IP-адрес шлюза провайдера.</p><p>Здесь
можно указать <span class="bold"><strong>detect</strong></span> для
автоматического определения IP-адреса шлюза.</p><p><span
class="bold"><strong>Совет:</strong></span> <span
class="bold"><strong>"detect"</strong></span> следует указывать в том случае,
если интерфейс из поля INTERFACE настраивается динамически по
DHCP.</p></dd><dt><span class="term">OPTIONS</span></dt><dd><p>Список
параметров через запятую, описанных ниже:</p><div class="variablelist"><dl
class="variablelist"><dt><span class="term">track</span></dt><dd><p>Если эта
опция включена, то будут отслеживаться соединения, ВХОДЯЩИЕ через этот
интерфейс, чтобы ответы могли маршрутизироваться обратно через этот же
интерфейс.</p><p>Укажите 'track', если через этого провайдера к локальным
серверам будут обращаться хосты из Internet. Вместе с 'track' всегда следует
указывать опцию 'balance'.</p><p>Для работы с этой функцией ядро и iptables
должны поддерживать цель CONNMARK и сравнение connmark. Расширение цели ROUTE
не требуется.</p><div class="warning" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Warning</h3><p>В iptables 1.3.1 есть ошибка в
реализации CONNMARK и iptables-save/iptables-restore. Поэтому при настройке
нескольких провайдеров команда <span class="command"><strong>shorewall
restore</strong></span> может быть не выполнена. Если это имеет место,
примените исправление iptables, доступное по адресу <a class="ulink"
href="http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff";
target="_top">http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff</a>.</p></div><div
class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Если используется файл <code
class="filename">/etc/shorewall/providers</code> для настройки нескольких
соединений с Internet, укажите опцию 'track', даже если в ней нет
необходимости. Она помогает поддерживать длительные соединения, в которых могут
быть долгие периоды отсутствия трафика.</p></div></dd><dt><span
class="term">balance</span></dt><dd><p>Опция 'balance' позволяет распределять
нагрузку исходящих потоков между несколькими провайдерами. Распределение
нагрузки не будет идеальным, поскольку оно осуществляется посредством
маршрутов, а маршруты кэшируются. При этом маршрут к хостам, к которым часто
обращаются пользователи, будет проходить всегда через одного и того же
провайдера.</p><p>По умолчанию всем провайдерам присваивается одинаковый вес
(1). Вес конкретного провайдера можно изменить опцией <span
class="emphasis"><em>balance</em></span> с "=" и весом (например, balance=2).
Веса отражают относительную пропускную способность каналов связи с провайдером.
Они должны быть небольшими числами, потому что ядро создает дополнительные
маршруты для каждого приращения веса. </p><div class="important"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Если файл <code
class="filename">/etc/shorewall/providers</code> используется для настройки
нескольких соединений с Internet, укажите опцию 'balance', даже если в ней нет
необходимости. Для направления всего трафика через какого-либо определенного
провайдера можно использовать файл <code
class="filename">/etc/shorewall/tcrules</code>. </p><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p>Если вы проигнорируете этот совет, то прочитайте <a
class="ulink" href="FAQ.htm#faq57" target="_top">FAQ 57</a> и <a class="ulink"
href="FAQ.htm#faq58" target="_top">FAQ 58</a>.</p></div></div><div
class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Если указана опция 'balance', но весь трафик
по-прежнему идёт через одного провайдера, то причина этого может состоять в
том, что ядро не собрано с опцией CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. У
некоторых пользователей пересборка ядра с этой опцией помогла устранить
неполадку.</p><p>Эта неполадка присутствует в ядре SuSE 10.0, и согласно <a
class="ulink" href="https://bugzilla.novell.com/show_bug.cgi?id=190908";
target="_top">в этом случае может возникать критическая ошибка ядра.</a> В SUSE
10.1 и SLES 10 опция CONFIG_IP_ROUTE_MULTIPATH_CACHED=n включена по умолчанию.
Источник неполадки описан здесь: <a class="ulink"
href="http://news.gmane.org/find-root.php?message_id=%3c00da01c5b35a%24b12b9860%241b00a8c0%40cruncher%3e";
target="_top">несовместимость между исправлениями от LARTC и опцией
CONFIG_IP_ROUTE_MULTIPATH_CACHED.</a></p></div></dd><dt><span
class="term">loose</span></dt><dd><p>Не включать правила маршрутизации, которые
принудительно направляют через данный интерфейс трафик, исходный IP-адрес
которого совпадает с адресом интерфейса канала с провайдером. Эта опция полезна
для определения провайдеров, которые должны использоваться только при наличии
соответствующей метки пакета. Эту опцию нельзя указывать совместно с <span
class="bold"><strong>balance</strong></span>.</p></dd><dt><span
class="term">optional (начиная с Shorewall 3.2.2)</span></dt><dd><p>Shorewall
определит, работает ли этот интерфейс и настроен ли его IP-адрес. Если он не
настроен, то будет показано предупреждение, а сам провайдер не будет
включен.</p><div class="note" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Note</h3><p>Параметр 'optional' предназначен для
определения состояния интерфейсов, которые могли бы вызвать сбой команды <span
class="command"><strong>shorewall start</strong></span> или <span
class="command"><strong>shorewall restart</strong></span> - однако даже если
интерфейс находится в состоянии, в котором Shorewall может [пере]запуститься
без ошибок, это не означает, что трафик может с гарантией проходить через этот
интерфейс.</p></div></dd></dl></div><p>Для тех, кто окончательно запутался в
том, что такое <span class="bold"><strong> track</strong></span> и <span
class="bold"><strong>balance</strong></span>:</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><span class="bold"><strong>track</strong></span> управляет
входящими соединениями.</p></li><li class="listitem"><p><span
class="bold"><strong>balance</strong></span> управляет исходящими
соединениями.</p></li></ul></div></dd><dt><span
class="term">COPY</span></dt><dd><p>Если в поле DUPLICATE указана существующая
таблица, то Shorewall копирует все маршруты, проходящие через интерфейс,
указанный в столбце INTERFACE, а также через интерфейс, указанный в этом поле.
В этом поле следует указать все интерфейсы в системе файрвола, исключая
интерфейсы Internet, указанные в поле INTERFACE этого
файла.</p></dd></dl></div></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a id="Providers"></a>Какие
функции выполняет запись в файле providers</h3></div></div></div><p>Добавление
записи в файле providers приводит к созданию альтернативной таблицы
маршрутизации. Помимо этого:</p><div class="orderedlist"><ol
class="orderedlist" type="1"><li class="listitem"><p>Если не указана опция
<span class="bold"><strong>loose</strong></span>, то создается правило ip для
каждого IP-адреса из поля INTERFACE, которое обеспечивает маршрутизацию трафика
с этого адреса через соответствующую таблицу маршрутизации.</p></li><li
class="listitem"><p>Если указана опция <span
class="bold"><strong>track</strong></span>, то соединения, для которых хотя бы
один пакет прошел на интерфейс, указанный в поле INTERFACE, получат метку
соединения, заданную в поле MARK. В цепочке PREROUTING метка пакетов, имеющих
метку соединения, будет задана равной метке соединения, и такие помеченные
пакеты не будут подчиняться правилам для цепочки PREROUTING, заданным в файле
<code class="filename">/etc/shorewall/tcrules</code>. Это обеспечивает
маршрутизацию через правильный интерфейс для входящих соединений.</p></li><li
class="listitem"><p>Если указана опция <span
class="bold"><strong>balance</strong></span>, то Shorewall заменит маршрут по
умолчанию с весом 100 в таблице маршрутизации 'main' маршрутом с распределением
нагрузки между шлюзами, для которых опция <span
class="bold"><strong>balance</strong></span> включена. Поэтому, если вы
настраиваете маршруты по умолчанию, то укажите их вес меньше, чем 100, иначе
маршрут, добавленный Shorewall, не будет иметь
силы.</p></li></ol></div><p>Больше эти записи не делают <span
class="bold"><strong>ничего</strong></span>. Вспомните основной принцип,
описанный в <a class="ulink" href="Shorewall_and_Routing.html"
target="_top">документации по маршрутизации Shorewall</a>:</p><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>Маршрутизация отвечает за то, куда направляются
пакеты.</p></li><li class="listitem"><p>После того, как маршрут пакета
определён, файрвол (Shorewall) определяет, разрешить ли отправку пакета по его
маршруту.</p></li></ol></div><p>Итак, если вы хотите направить трафик через
определённого провайдера, то <span class="emphasis"><em>необходимо
</em></span>пометить этот трафик значением MARK провайдера в файле <code
class="filename">/etc/shorewall/tcrules</code> и пометить пакет в цепочке
PREROUTING; другим способом будет указание соответствующих правил в файле <code
class="filename">/etc/shorewall/rtrules</code>.</p><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a
id="Undo"></a>Warning</h3><p>В Shorewall версий ниже 3.4.0 записи из файла
<code class="filename">/etc/shorewall/providers</code> необратимо изменяют
маршрутизацию системы, то есть эти изменения не отменяются при вызове команды
<span class="command"><strong>shorewall stop</strong></span> или <span
class="command"><strong>shorewall clear</strong></span>. Для того чтобы
восстановить исходные маршруты, может потребоваться перезапустить сеть. Обычно
это делает команда <span class="command"><strong>/etc/init.d/network
restart</strong></span> или <span
class="command"><strong>/etc/init.d/networking restart</strong></span>.
Обратитесь к документации по сети вашего дистрибутива.</p><p>Дополнительные
замечания:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>Влияние изменений,
вносимых Shorewall в таблицу маршрутизации, можно уменьшить, указав параметр
<span class="emphasis"><em>metric</em></span> для каждого настраиваемого
маршрута по умолчанию. Shorewall создаст маршрут по умолчанию с распределением
нагрузки (если опция <span class="bold"><strong>balance</strong></span>
включена для какого-либо из провайдеров), который не будет включать метрику и
тем самым не будет заменять никакой существующий маршрут, для которого метрика
отлична от нуля.</p></li><li class="listitem"><p>Опция <span
class="command"><strong>-n</strong></span> команд <span
class="command"><strong>shorewall restart</strong></span> и <span
class="command"><strong>shorewall restore</strong></span> позволяет
предотвратить изменение маршрутизации.</p></li><li class="listitem"><p>Файл
<code class="filename">/etc/shorewall/stopped</code> можно также использовать
для восстановления маршрутизации при остановке Shorewall. Когда система
работает в обычной конфигурации маршрутизации (одна таблица), то ее содержимое
можно сохранить следующим образом:</p><pre class="programlisting">ip route ls
&gt; routes</pre><p>Ниже приведен пример файла <code
class="filename">routes</code> для моей системы:</p><pre
class="programlisting">192.168.1.1 dev eth3 scope link
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";><html
xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" /><title>Shorewall и подключение к Internet
по нескольким каналам</title><link rel="stylesheet" type="text/css"
href="html.css" /><meta name="generator" content="DocBook XSL Stylesheets
V1.79.1" /></head><body><div class="article"><div
class="titlepage"><div><div><h2 class="title"><a id="idm1"></a>Shorewall и
подключение к Internet по нескольким каналам</h2></div><div><div
class="authorgroup"><div class="author"><h3 class="author"><span
class="firstname">Tom</span> <span
class="surname">Eastep</span></h3></div></div></div><div><p
class="copyright">Copyright © 2005, 2006, 2007 Thomas M.
Eastep</p></div><div><p class="copyright">Copyright © 2007 Russian Translation:
Grigory Mokhin</p></div><div><div class="legalnotice"><a id="idm17"></a><p>Этот
документ разрешается копировать, распространять и/или изменять при выполнении
условий лицензии GNU Free Documentation License версии 1.2 или более поздней,
опубликованной Free Software Foundation; без неизменяемых разделов, без текста
на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по
ссылке <span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Support">Поддержка нескольких соединений с
Internet</a></span></dt><dd><dl><dt><span class="section"><a
href="#Overview">Обзор</a></span></dt><dt><span class="section"><a
href="#providers">Файл /etc/shorewall/providers</a></span></dt><dt><span
class="section"><a href="#Providers">Какие функции выполняет запись в файле
providers</a></span></dt><dt><span class="section"><a
href="#Provider_Doesnt">Какие функции НЕ выполняет запись в файле
providers</a></span></dt><dt><span class="section"><a
href="#Martians">Марсианские пакеты</a></span></dt><dt><span class="section"><a
href="#Example1">Пример</a></span></dt><dt><span class="section"><a
href="#morethan2">Если провайдеров больше, чем 2</a></span></dt><dt><span
class="section"><a href="#Local">Приложения, работающие в системе
файрвола</a></span></dt><dt><span class="section"><a
href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dd><dl><dt><span
class="section"><a href="#Routing_rules">Правила
маршрутизации</a></span></dt><dt><span class="section"><a
href="#rtrules_columns">Файл
rtrules</a></span></dt></dl></dd></dl></dd></dl></div><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Warning</h3><p>Вы должны <span class="bold"><strong> установить
современный дистрибутив, который обновляется поставщиком</strong></span>,
прежде чем пытаться настроить работу в этом режиме. Старые дистрибутивы не
удовлетворяют минимальным требованиям, и вам потребуется перекомпилировать
iptables, ядро и прочее программное обеспечение в системе. Если вы
проигнорируете этот совет, <span class="bold"><strong>то <span
class="bold"><strong>не </strong></span> рассчитывайте, что кто-либо сможет вам
помочь.</strong></span>.</p></div><div class="warning" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Чтение только
документации Shorewall не будет достаточным для понимания раскрываемых здесь
тем. Shorewall упрощает работу с iptables, но разработчики Shorewall не имеют
достаточных ресурсов, чтобы учить вас основам управляемой маршрутизации в Linux
(равно как и пособие по вождению комбайна не учит правильно выращивать
пшеницу). Скорее всего вам потребуется обратиться к следующим дополнительным
источникам:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>LARTC HOWTO: <a
class="ulink" href="http://www.lartc.org";
target="_top">http://www.lartc.org</a></p></li><li class="listitem"><p>Вывод
команды <span class="command"><strong>man ip</strong></span></p></li><li
class="listitem"><p>Вывод команд <span class="command"><strong>ip route
help</strong></span> и <span class="command"><strong>ip rule
help</strong></span></p></li></ul></div></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Support"></a>Поддержка нескольких соединений с
Internet</h2></div></div></div><p>Начиная с версии 2.3.2 в Shorewall
реализована ограниченная поддержка нескольких соединений с Internet. Ниже
описаны существующие ограничения:</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p>Используется статическая конфигурация маршрутов. Поэтому не
предусмотрены меры по защите от сбоя какого-либо из каналов связи с
провайдером.</p></li><li class="listitem"><p>Изменения маршрутизации и очистка
кэша маршрутов осуществляются при запуске <span class="bold"><strong>и при
перезапуске Shorewall </strong></span> (если не указана опция "-n" для <span
class="command"><strong>shorewall restart</strong></span>). Вообще говоря, в
идеальном случае перезапуск пакетного фильтра никак не должен влиять на
маршрутизацию.</p></li><li class="listitem"><p>В версиях Shorewall ниже 3.4.0
маршруты и правила маршрутизации, добавляемые при запуске, не удалялись
полностью в ходе выполнения команд <span class="command"><strong>shorewall
stop</strong></span>, <span class="command"><strong>shorewall
clear</strong></span> или <span class="command"><strong>shorewall
restart</strong></span>.</p></li></ul></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a
id="Overview"></a>Обзор</h3></div></div></div><p>Предположим, что система, в
которой работает файрвол, подключена к двум провайдерам по двум интерфейсам
Ethernet, как показано на рисунке.</p><div align="center"><table border="0"
summary="manufactured viewport for HTML img" style="cellpadding: 0;
cellspacing: 0;"><tr><td align="center" valign="middle"><img
src="images/TwoISPs.png" align="middle" /></td></tr></table></div><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>eth0 подключен к ISP1. IP-адрес eth0 - это
206.124.146.176, и шлюз провайдера имеет IP-адрес 206.124.146.254.</p></li><li
class="listitem"><p>eth1 подключен к ISP2. IP-адрес eth1 - это 130.252.99.27, и
шлюз провайдера имеет IP-адрес 130.252.99.254.</p></li><li
class="listitem"><p>eth2 подключен к локальной сети. У него может быть любой
IP-адрес.</p></li></ul></div><p>Все эти <em class="firstterm">провайдеры </em>
должны быть перечислены в файле <code
class="filename">/etc/shorewall/providers</code>.</p><p>В записях в файле <code
class="filename">/etc/shorewall/providers</code> можно указать, что для
исходящих соединений должно быть включено распределение нагрузки по двум
каналам связи с провайдерами. В записях в файле <code
class="filename">/etc/shorewall/tcrules</code> можно указать, что некоторые
исходящие соединения должны использовать определённый канал провайдера. Правила
в файле <code class="filename">/etc/shorewall/tcrules</code> необязательны для
того, чтобы настройка <code class="filename">/etc/shorewall/providers</code>
работала, но необходимо указать уникальное значение MARK для каждого из
провайдеров, чтобы Shorewall настроил правила маркировки.</p><p>Если задать
опцию <span class="bold"><strong>track</strong></span> в файле <code
class="filename">/etc/shorewall/providers</code>, то соединения из Internet
будут автоматически маршрутизироваться обратно через правильный интерфейс на
соответствующий шлюз провайдера. Это будет работать как в том случае, когда
соединение обрабатывается самим файрволом, так и для соединений,
маршрутизируемых или пробрасываемых к системам позади файрвола.</p><p>Shorewall
настраивает маршрутизацию и обновляет файл <code
class="filename">/etc/iproute2/rt_tables</code>, включая в него имена таблиц и
их номера.</p><div class="caution" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Caution</h3><p>При этом используются функции <a
class="ulink" href="traffic_shaping.htm" target="_top">маркировки пакетов</a>
для управления маршрутизацией. Как следствие этого возникают ограничения на
записи в файле <code class="filename">/etc/shorewall/tcrules</code>:</p><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>Маркировка пакетов для целей управления трафиком не
может осуществляться в цепочке PREROUTING для соединений с участием
провайдеров, для которых задана опция 'track' (см. далее).</p></li><li
class="listitem"><p>Нельзя использовать опции SAVE или RESTORE.</p></li><li
class="listitem"><p>Нельзя использовать маркировку
соединений.</p></li></ul></div></div><p>Файл <code
class="filename">/etc/shorewall/providers</code> может также использоваться в
других сценариях маршрутизации. В <a class="ulink"
href="Shorewall_Squid_Usage.html" target="_top">документации по работе с Squid
</a> приведены примеры.</p></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a id="providers"></a>Файл
/etc/shorewall/providers</h3></div></div></div><p>Далее описаны поля этого
файла. Как и везде в файлах конфигурации Shorewall, укажите в поле для столбца
"-", если не требуется задавать никакое значение.</p><div
class="variablelist"><dl class="variablelist"><dt><span
class="term">NAME</span></dt><dd><p>Имя провайдера. Должно начинаться с буквы и
состоять из букв и цифр. Имя провайдера становится именем сгенерированной
таблицы маршрутизации для этого провайдера.</p></dd><dt><span
class="term">NUMBER</span></dt><dd><p>Число от 1 до 252. Оно будет номером
таблицы маршрутизации для сгенерированной таблицы для этого
провайдера.</p></dd><dt><span class="term">MARK</span></dt><dd><p>Метка,
применяемая в файле /etc/shorewall/tcrules для направления пакетов через этого
провайдера. Shorewall также помечает этой меткой соединения, которые входят
через этого провайдера, и восстанавливает метку пакета в цепочке PREROUTING.
Метка должна быть целым числом от 1 до 255.</p><p>Начиная с Shorewall версии
3.2.0 Beta 6, можно задать опцию HIGH_ROUTE_MARKS=Yes в файле <code
class="filename">/etc/shorewall/shorewall.conf</code>. Это позволяет решить
следующие задачи:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>Использовать метки
пакетов для управления трафиком, при условии что эти метки присваиваются в
цепочке FORWARD.</p></li><li class="listitem"><p>Использовать значения меток
&gt; 255 для меток провайдера. Эти метки должны быть кратными 256 в диапазоне
256-65280 (в 16-ричном представлении 0x100 - 0xFF00, с нулевыми младшими 8
битами).</p></li></ul></div></dd><dt><span
class="term">DUPLICATE</span></dt><dd><p>Имя или номер таблицы маршрутизации,
которая будет продублирована. Можно указать 'main' или имя или номер ранее
объявленного провайдера. Для большинства приложений здесь достаточно будет
указать 'main'.</p></dd><dt><span class="term">INTERFACE</span></dt><dd><p>Имя
интерфейса канала связи с провайдером.</p><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>В реализации поддержки нескольких подключений с
провайдерами Shorewall предполагается, что каждый провайдер подключен к
собственному интерфейсу.</p></div></dd><dt><span
class="term">GATEWAY</span></dt><dd><p>IP-адрес шлюза провайдера.</p><p>Здесь
можно указать <span class="bold"><strong>detect</strong></span> для
автоматического определения IP-адреса шлюза.</p><p><span
class="bold"><strong>Совет:</strong></span> <span
class="bold"><strong>"detect"</strong></span> следует указывать в том случае,
если интерфейс из поля INTERFACE настраивается динамически по
DHCP.</p></dd><dt><span class="term">OPTIONS</span></dt><dd><p>Список
параметров через запятую, описанных ниже:</p><div class="variablelist"><dl
class="variablelist"><dt><span class="term">track</span></dt><dd><p>Если эта
опция включена, то будут отслеживаться соединения, ВХОДЯЩИЕ через этот
интерфейс, чтобы ответы могли маршрутизироваться обратно через этот же
интерфейс.</p><p>Укажите 'track', если через этого провайдера к локальным
серверам будут обращаться хосты из Internet. Вместе с 'track' всегда следует
указывать опцию 'balance'.</p><p>Для работы с этой функцией ядро и iptables
должны поддерживать цель CONNMARK и сравнение connmark. Расширение цели ROUTE
не требуется.</p><div class="warning" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Warning</h3><p>В iptables 1.3.1 есть ошибка в
реализации CONNMARK и iptables-save/iptables-restore. Поэтому при настройке
нескольких провайдеров команда <span class="command"><strong>shorewall
restore</strong></span> может быть не выполнена. Если это имеет место,
примените исправление iptables, доступное по адресу <a class="ulink"
href="http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff";
target="_top">http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff</a>.</p></div><div
class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Если используется файл <code
class="filename">/etc/shorewall/providers</code> для настройки нескольких
соединений с Internet, укажите опцию 'track', даже если в ней нет
необходимости. Она помогает поддерживать длительные соединения, в которых могут
быть долгие периоды отсутствия трафика.</p></div></dd><dt><span
class="term">balance</span></dt><dd><p>Опция 'balance' позволяет распределять
нагрузку исходящих потоков между несколькими провайдерами. Распределение
нагрузки не будет идеальным, поскольку оно осуществляется посредством
маршрутов, а маршруты кэшируются. При этом маршрут к хостам, к которым часто
обращаются пользователи, будет проходить всегда через одного и того же
провайдера.</p><p>По умолчанию всем провайдерам присваивается одинаковый вес
(1). Вес конкретного провайдера можно изменить опцией <span
class="emphasis"><em>balance</em></span> с "=" и весом (например, balance=2).
Веса отражают относительную пропускную способность каналов связи с провайдером.
Они должны быть небольшими числами, потому что ядро создает дополнительные
маршруты для каждого приращения веса. </p><div class="important"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Если файл <code
class="filename">/etc/shorewall/providers</code> используется для настройки
нескольких соединений с Internet, укажите опцию 'balance', даже если в ней нет
необходимости. Для направления всего трафика через какого-либо определенного
провайдера можно использовать файл <code
class="filename">/etc/shorewall/tcrules</code>. </p><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p>Если вы проигнорируете этот совет, то прочитайте <a
class="ulink" href="FAQ.htm#faq57" target="_top">FAQ 57</a> и <a class="ulink"
href="FAQ.htm#faq58" target="_top">FAQ 58</a>.</p></div></div><div
class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Если указана опция 'balance', но весь трафик
по-прежнему идёт через одного провайдера, то причина этого может состоять в
том, что ядро не собрано с опцией CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. У
некоторых пользователей пересборка ядра с этой опцией помогла устранить
неполадку.</p><p>Эта неполадка присутствует в ядре SuSE 10.0, и согласно <a
class="ulink" href="https://bugzilla.novell.com/show_bug.cgi?id=190908";
target="_top">в этом случае может возникать критическая ошибка ядра.</a> В SUSE
10.1 и SLES 10 опция CONFIG_IP_ROUTE_MULTIPATH_CACHED=n включена по умолчанию.
Источник неполадки описан здесь: <a class="ulink"
href="http://news.gmane.org/find-root.php?message_id=%3c00da01c5b35a%24b12b9860%241b00a8c0%40cruncher%3e";
target="_top">несовместимость между исправлениями от LARTC и опцией
CONFIG_IP_ROUTE_MULTIPATH_CACHED.</a></p></div></dd><dt><span
class="term">loose</span></dt><dd><p>Не включать правила маршрутизации, которые
принудительно направляют через данный интерфейс трафик, исходный IP-адрес
которого совпадает с адресом интерфейса канала с провайдером. Эта опция полезна
для определения провайдеров, которые должны использоваться только при наличии
соответствующей метки пакета. Эту опцию нельзя указывать совместно с <span
class="bold"><strong>balance</strong></span>.</p></dd><dt><span
class="term">optional (начиная с Shorewall 3.2.2)</span></dt><dd><p>Shorewall
определит, работает ли этот интерфейс и настроен ли его IP-адрес. Если он не
настроен, то будет показано предупреждение, а сам провайдер не будет
включен.</p><div class="note" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Note</h3><p>Параметр 'optional' предназначен для
определения состояния интерфейсов, которые могли бы вызвать сбой команды <span
class="command"><strong>shorewall start</strong></span> или <span
class="command"><strong>shorewall restart</strong></span> - однако даже если
интерфейс находится в состоянии, в котором Shorewall может [пере]запуститься
без ошибок, это не означает, что трафик может с гарантией проходить через этот
интерфейс.</p></div></dd></dl></div><p>Для тех, кто окончательно запутался в
том, что такое <span class="bold"><strong> track</strong></span> и <span
class="bold"><strong>balance</strong></span>:</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p><span class="bold"><strong>track</strong></span> управляет
входящими соединениями.</p></li><li class="listitem"><p><span
class="bold"><strong>balance</strong></span> управляет исходящими
соединениями.</p></li></ul></div></dd><dt><span
class="term">COPY</span></dt><dd><p>Если в поле DUPLICATE указана существующая
таблица, то Shorewall копирует все маршруты, проходящие через интерфейс,
указанный в столбце INTERFACE, а также через интерфейс, указанный в этом поле.
В этом поле следует указать все интерфейсы в системе файрвола, исключая
интерфейсы Internet, указанные в поле INTERFACE этого
файла.</p></dd></dl></div></div><div class="section"><div
class="titlepage"><div><div><h3 class="title"><a id="Providers"></a>Какие
функции выполняет запись в файле providers</h3></div></div></div><p>Добавление
записи в файле providers приводит к созданию альтернативной таблицы
маршрутизации. Помимо этого:</p><div class="orderedlist"><ol
class="orderedlist" type="1"><li class="listitem"><p>Если не указана опция
<span class="bold"><strong>loose</strong></span>, то создается правило ip для
каждого IP-адреса из поля INTERFACE, которое обеспечивает маршрутизацию трафика
с этого адреса через соответствующую таблицу маршрутизации.</p></li><li
class="listitem"><p>Если указана опция <span
class="bold"><strong>track</strong></span>, то соединения, для которых хотя бы
один пакет прошел на интерфейс, указанный в поле INTERFACE, получат метку
соединения, заданную в поле MARK. В цепочке PREROUTING метка пакетов, имеющих
метку соединения, будет задана равной метке соединения, и такие помеченные
пакеты не будут подчиняться правилам для цепочки PREROUTING, заданным в файле
<code class="filename">/etc/shorewall/tcrules</code>. Это обеспечивает
маршрутизацию через правильный интерфейс для входящих соединений.</p></li><li
class="listitem"><p>Если указана опция <span
class="bold"><strong>balance</strong></span>, то Shorewall заменит маршрут по
умолчанию с весом 100 в таблице маршрутизации 'main' маршрутом с распределением
нагрузки между шлюзами, для которых опция <span
class="bold"><strong>balance</strong></span> включена. Поэтому, если вы
настраиваете маршруты по умолчанию, то укажите их вес меньше, чем 100, иначе
маршрут, добавленный Shorewall, не будет иметь
силы.</p></li></ol></div><p>Больше эти записи не делают <span
class="bold"><strong>ничего</strong></span>. Вспомните основной принцип,
описанный в <a class="ulink" href="Shorewall_and_Routing.html"
target="_top">документации по маршрутизации Shorewall</a>:</p><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>Маршрутизация отвечает за то, куда направляются
пакеты.</p></li><li class="listitem"><p>После того, как маршрут пакета
определён, файрвол (Shorewall) определяет, разрешить ли отправку пакета по его
маршруту.</p></li></ol></div><p>Итак, если вы хотите направить трафик через
определённого провайдера, то <span class="emphasis"><em>необходимо
</em></span>пометить этот трафик значением MARK провайдера в файле <code
class="filename">/etc/shorewall/tcrules</code> и пометить пакет в цепочке
PREROUTING; другим способом будет указание соответствующих правил в файле <code
class="filename">/etc/shorewall/rtrules</code>.</p><div class="warning"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a
id="Undo"></a>Warning</h3><p>В Shorewall версий ниже 3.4.0 записи из файла
<code class="filename">/etc/shorewall/providers</code> необратимо изменяют
маршрутизацию системы, то есть эти изменения не отменяются при вызове команды
<span class="command"><strong>shorewall stop</strong></span> или <span
class="command"><strong>shorewall clear</strong></span>. Для того чтобы
восстановить исходные маршруты, может потребоваться перезапустить сеть. Обычно
это делает команда <span class="command"><strong>/etc/init.d/network
restart</strong></span> или <span
class="command"><strong>/etc/init.d/networking restart</strong></span>.
Обратитесь к документации по сети вашего дистрибутива.</p><p>Дополнительные
замечания:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>Влияние изменений,
вносимых Shorewall в таблицу маршрутизации, можно уменьшить, указав параметр
<span class="emphasis"><em>metric</em></span> для каждого настраиваемого
маршрута по умолчанию. Shorewall создаст маршрут по умолчанию с распределением
нагрузки (если опция <span class="bold"><strong>balance</strong></span>
включена для какого-либо из провайдеров), который не будет включать метрику и
тем самым не будет заменять никакой существующий маршрут, для которого метрика
отлична от нуля.</p></li><li class="listitem"><p>Опция <span
class="command"><strong>-n</strong></span> команд <span
class="command"><strong>shorewall restart</strong></span> и <span
class="command"><strong>shorewall restore</strong></span> позволяет
предотвратить изменение маршрутизации.</p></li><li class="listitem"><p>Файл
<code class="filename">/etc/shorewall/stopped</code> можно также использовать
для восстановления маршрутизации при остановке Shorewall. Когда система
работает в обычной конфигурации маршрутизации (одна таблица), то ее содержимое
можно сохранить следующим образом:</p><pre class="programlisting">ip route ls
&gt; routes</pre><p>Ниже приведен пример файла <code
class="filename">routes</code> для моей системы:</p><pre
class="programlisting">192.168.1.1 dev eth3 scope link
206.124.146.177 dev eth1 scope link
192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
192.168.2.0/24 via 192.168.2.2 dev tun0
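Review bot: In the added line, the warning about iptables 1.3.1 under the 'track' option sends readers to http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff, a cleartext HTTP link to a source patch for iptables itself, with no checksum or signature to verify what was fetched. Suggest linking it over HTTPS if the host serves it, or publishing a digest beside the link. Since the warning applies only to iptables 1.3.1, also consider whether it still belongs in the 5.2.3.3 docs. Separately, the part of the removed line visible here (from the COPY field description through the routes example) is identical to the matching part of the added line. Please confirm that the pubdate of 2019/04/11 is the only intended change in this file, because the whole page sits on one physical line and any other edit would be hard to spot in this hunk.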
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Multiple_Zones.html
new/shorewall-docs-html-5.2.3.3/Multiple_Zones.html
--- old/shorewall-docs-html-5.2.3.1/Multiple_Zones.html 2019-02-26
19:01:30.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Multiple_Zones.html 2019-04-12
04:08:51.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Router">Router in the Local
Zone</a></span></dt><dd><dl><dt><span class="section"><a href="#Standard">Can
You Use the Standard Configuration?</a></span></dt><dt><span class="section"><a
href="#Enough">Will One Zone be Enough?</a></span></dt><dt><span
class="section"><a href="#Separate">I Need Separate
Zones</a></span></dt><dd><dl><dt><span class="section"><a href="#Nested">Nested
Zones</a></span></dt><dt><span class="section"><a href="#Parallel">Parallel
Zones</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a
href="#Special">Some Hosts have Special Firewalling
Requirements</a></span></dt><dt><span class="section"><a
href="#OneArmed">One-armed Router</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Router">Router in the Local
Zone</a></span></dt><dd><dl><dt><span class="section"><a href="#Standard">Can
You Use the Standard Configuration?</a></span></dt><dt><span class="section"><a
href="#Enough">Will One Zone be Enough?</a></span></dt><dt><span
class="section"><a href="#Separate">I Need Separate
Zones</a></span></dt><dd><dl><dt><span class="section"><a href="#Nested">Nested
Zones</a></span></dt><dt><span class="section"><a href="#Parallel">Parallel
Zones</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a
href="#Special">Some Hosts have Special Firewalling
Requirements</a></span></dt><dt><span class="section"><a
href="#OneArmed">One-armed Router</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>While most configurations
can be handled with each of the firewall's
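Review bot: The only difference between the removed and added line in this hunk is the pubdate stamp, 2019/02/26 becoming 2019/04/11; the table of contents and the caution text that follow it are identical on both sides. Because the stamp shares one physical line with the whole table of contents, every docs rebuild rewrites that line and produces a hunk like this with no content change. Suggest generating the HTML with a fixed publication date (or one tied to the last change of the source document), or emitting the pubdate on its own line, so that real content changes in shorewall-docs-html stand out in review.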
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/MyNetwork.html
new/shorewall-docs-html-5.2.3.3/MyNetwork.html
--- old/shorewall-docs-html-5.2.3.1/MyNetwork.html 2019-02-26
19:01:30.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/MyNetwork.html 2019-04-12
04:08:51.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Introduction</a></span></dt><dt><span
class="section"><a href="#idm52">Network Topology</a></span></dt><dt><span
class="section"><a href="#idm65">Shorewall
Configuration</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm68">/etc/shorewall/mirrors</a></span></dt><dt><span
class="section"><a
href="#params">/etc/shorewall/params</a></span></dt><dt><span
class="section"><a
href="#conf">/etc/shorewall/shorewall.conf</a></span></dt><dt><span
class="section"><a
href="#idm80">/etc/shorewall/actions</a></span></dt><dt><span
class="section"><a
href="#idm84">/etc/shorewall/action.Mirrors</a></span></dt><dt><span
class="section"><a
href="#idm89">/etc/shorewall/action.tarpit</a></span></dt><dt><span
class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span
class="section"><a
href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span
class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span
class="section"><a
href="#policy">/etc/shorewall/policy</a></span></dt><dt><span
class="section"><a
href="#accounting">/etc/shorewall/accounting</a></span></dt><dt><span
class="section"><a
href="#blacklist">/etc/shorewall/blrules</a></span></dt><dt><span
class="section"><a
href="#findgw">/etc/shorewall/findgw</a></span></dt><dt><span
class="section"><a
href="#isusable">/etc/shorewall/isusable</a></span></dt><dt><span
class="section"><a
href="#libprivate">/etc/shorewall/lib.private</a></span></dt><dt><span
class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span
class="section"><a
href="#idm135">/etc/shorewall/conntrack</a></span></dt><dt><span
class="section"><a
href="#idm139">/etc/shorewall/providers</a></span></dt><dt><span
class="section"><a
href="#proxyarp">/etc/shorewall/proxyarp</a></span></dt><dt><span
class="section"><a
href="#restored">/etc/shorewall/restored</a></span></dt><dt><span
class="section"><a
href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dt><span
class="section"><a
href="#routestopped">/etc/shorewall/stoppedrules</a></span></dt><dt><span
class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span
class="section"><a
href="#started">/etc/shorewall/started</a></span></dt><dt><span
class="section"><a
href="#stopped">/etc/shorewall/stopped</a></span></dt><dt><span
class="section"><a
href="#tunnels">/etc/shorewall/tunnels</a></span></dt></dl></dd></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>The ruleset shown in this article uses Shorewall
features that are
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Introduction</a></span></dt><dt><span
class="section"><a href="#idm52">Network Topology</a></span></dt><dt><span
class="section"><a href="#idm65">Shorewall
Configuration</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm68">/etc/shorewall/mirrors</a></span></dt><dt><span
class="section"><a
href="#params">/etc/shorewall/params</a></span></dt><dt><span
class="section"><a
href="#conf">/etc/shorewall/shorewall.conf</a></span></dt><dt><span
class="section"><a
href="#idm80">/etc/shorewall/actions</a></span></dt><dt><span
class="section"><a
href="#idm84">/etc/shorewall/action.Mirrors</a></span></dt><dt><span
class="section"><a
href="#idm89">/etc/shorewall/action.tarpit</a></span></dt><dt><span
class="section"><a href="#zones">/etc/shorewall/zones</a></span></dt><dt><span
class="section"><a
href="#interfaces">/etc/shorewall/interfaces</a></span></dt><dt><span
class="section"><a href="#hosts">/etc/shorewall/hosts</a></span></dt><dt><span
class="section"><a
href="#policy">/etc/shorewall/policy</a></span></dt><dt><span
class="section"><a
href="#accounting">/etc/shorewall/accounting</a></span></dt><dt><span
class="section"><a
href="#blacklist">/etc/shorewall/blrules</a></span></dt><dt><span
class="section"><a
href="#findgw">/etc/shorewall/findgw</a></span></dt><dt><span
class="section"><a
href="#isusable">/etc/shorewall/isusable</a></span></dt><dt><span
class="section"><a
href="#libprivate">/etc/shorewall/lib.private</a></span></dt><dt><span
class="section"><a href="#masq">/etc/shorewall/masq</a></span></dt><dt><span
class="section"><a
href="#idm135">/etc/shorewall/conntrack</a></span></dt><dt><span
class="section"><a
href="#idm139">/etc/shorewall/providers</a></span></dt><dt><span
class="section"><a
href="#proxyarp">/etc/shorewall/proxyarp</a></span></dt><dt><span
class="section"><a
href="#restored">/etc/shorewall/restored</a></span></dt><dt><span
class="section"><a
href="#rtrules">/etc/shorewall/rtrules</a></span></dt><dt><span
class="section"><a
href="#routestopped">/etc/shorewall/stoppedrules</a></span></dt><dt><span
class="section"><a href="#rules">/etc/shorewall/rules</a></span></dt><dt><span
class="section"><a
href="#started">/etc/shorewall/started</a></span></dt><dt><span
class="section"><a
href="#stopped">/etc/shorewall/stopped</a></span></dt><dt><span
class="section"><a
href="#tunnels">/etc/shorewall/tunnels</a></span></dt></dl></dd></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>The ruleset shown in this article uses Shorewall
features that are
not available in Shorewall versions prior to 4.6.11</p></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm19"></a>Introduction</h2></div></div></div><p>The
configuration described in this article represents the network
at shorewall.org during the summer of 2015. It uses the following
Shorewall features:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p><a class="ulink"
href="MultiISP.html" target="_top">Two Internet
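Review bot: the table of contents on both the - and + side still lists /etc/shorewall/masq (href="#masq"), while the changelog for this update states that Shorewall 5.2 automatically converts an existing 'masq' file to an equivalent 'snat' file. The only text that differs between the two sides is the pubdate, so the article now carries a 2019/04/11 date while its introduction says it describes the shorewall.org network from the summer of 2015. Suggest reporting upstream that the section should either move to the snat file or that the Caution box should say the example predates the masq to snat conversion.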
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/NAT.htm
new/shorewall-docs-html-5.2.3.3/NAT.htm
--- old/shorewall-docs-html-5.2.3.1/NAT.htm 2019-02-26 19:01:30.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/NAT.htm 2019-04-12 04:08:52.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#One-to-one">One-to-one NAT</a></span></dt><dt><span
class="section"><a href="#ARP">ARP cache</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#One-to-one">One-to-one NAT</a></span></dt><dt><span
class="section"><a href="#ARP">ARP cache</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="One-to-one"></a>One-to-one NAT</h2></div></div></div><div class="important"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p><span class="bold"><strong>If all you want to do
is forward ports to
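Review bot: the - and + lines differ only in the pubdate (2019/02/26 versus 2019/04/11); the table of contents and the Caution text are identical on both sides and show up as changed only because they sit on the same generated line as the date. The same one-field change repeats in the other documentation hunks shown here, which makes a real content change easy to miss when reviewing the update. Suggest asking upstream to stamp the pubdate only when the source document changes, or comparing the docs tarballs with the pubdate line filtered out before accepting the request.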
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/NetfilterOverview.html
new/shorewall-docs-html-5.2.3.3/NetfilterOverview.html
--- old/shorewall-docs-html-5.2.3.1/NetfilterOverview.html 2019-02-26
19:01:31.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/NetfilterOverview.html 2019-04-12
04:08:52.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Netfilter
Overview</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Overview"></a>Netfilter Overview</h2></div></div></div><p>Netfilter
consists of three tables: <span class="bold"><strong>Filter</strong></span>,
<span class="bold"><strong>Nat</strong></span> and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Netfilter
Overview</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Overview"></a>Netfilter Overview</h2></div></div></div><p>Netfilter
consists of three tables: <span class="bold"><strong>Filter</strong></span>,
<span class="bold"><strong>Nat</strong></span> and
<span class="bold"><strong>Mangle</strong></span>. Each table has a number
of
build-in chains: <span class="bold"><strong>PREROUTING</strong></span>,
<span class="bold"><strong>INPUT</strong></span>, <span
class="bold"><strong>FORWARD</strong></span>,
<span class="bold"><strong>OUTPUT</strong></span> and <span
class="bold"><strong>POSTROUTING</strong></span>.</p><p>Rules in the various
tables are used as follows:</p><div class="variablelist"><dl
class="variablelist"><dt><span class="term">Filter</span></dt><dd><p>Packet
filtering (rejecting, dropping or accepting
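Review bot: the unchanged text following the + lines reads "Each table has a number of build-in chains"; this should be "built-in chains". The page is republished with a new pubdate but the typo is carried over, so it is worth reporting against the upstream document source rather than patching the generated HTML in the package.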
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/NewRelease.html
new/shorewall-docs-html-5.2.3.3/NewRelease.html
--- old/shorewall-docs-html-5.2.3.1/NewRelease.html 2019-02-26
19:01:32.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/NewRelease.html 2019-04-12
04:08:53.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Identification</a></span></dt><dt><span
class="section"><a href="#idm21">Release Schedule</a></span></dt><dt><span
class="section"><a href="#idm31">Beta Releases and Release
Candidates</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Identification</h2></div></div></div><p>Shorewall releases are
identified by three numbers separated by
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Identification</a></span></dt><dt><span
class="section"><a href="#idm21">Release Schedule</a></span></dt><dt><span
class="section"><a href="#idm31">Beta Releases and Release
Candidates</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Identification</h2></div></div></div><p>Shorewall releases are
identified by three numbers separated by
periods (e.g., 4.4.16). The first two digits (e.g., 4.4) specify the
<em class="firstterm">major release number</em>. The third number (e.g.,
16)
is the <em class="firstterm">minor release number</em>.</p></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm21"></a>Release
Schedule</h2></div></div></div><p>Traditionally, major releases have occurred
roughly every two years,
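Review bot: the Identification paragraph in the trailing context says releases are "identified by three numbers separated by periods (e.g., 4.4.16)", yet the files in this diff come from 5.2.3.1 and 5.2.3.3, which have four. The same paragraph calls "4.4" the "first two digits" where it means the first two numbers. Suggest an upstream wording fix that uses "numbers" throughout and describes the fourth component, which the changelog for this update calls a "bugfix minor".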
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/OPENVPN.html
new/shorewall-docs-html-5.2.3.3/OPENVPN.html
--- old/shorewall-docs-html-5.2.3.1/OPENVPN.html 2019-02-26
19:01:32.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/OPENVPN.html 2019-04-12
04:08:53.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span
class="section"><a href="#Routed">Bridging two Masqueraded
Networks</a></span></dt><dt><span class="section"><a
href="#RoadWarrior">Roadwarrior</a></span></dt><dt><span class="section"><a
href="#Dupnet">Roadwarrior with Duplicate Network
Issue</a></span></dt><dt><span class="section"><a href="#idm190">Roadwarrior
with IPv6</a></span></dt><dt><span class="section"><a href="#idm247">Bridged
Roadwarrior</a></span></dt><dt><span class="section"><a href="#idm262">Bridging
Two Networks</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span
class="section"><a href="#Routed">Bridging two Masqueraded
Networks</a></span></dt><dt><span class="section"><a
href="#RoadWarrior">Roadwarrior</a></span></dt><dt><span class="section"><a
href="#Dupnet">Roadwarrior with Duplicate Network
Issue</a></span></dt><dt><span class="section"><a href="#idm190">Roadwarrior
with IPv6</a></span></dt><dt><span class="section"><a href="#idm247">Bridged
Roadwarrior</a></span></dt><dt><span class="section"><a href="#idm262">Bridging
Two Networks</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 3.0 and
later and to OpenVPN 2.0 and later. If you are running a version of
Shorewall earlier than Shorewall 3.0.0 then please see the documentation
for that release.</strong></span></p></div><p>OpenVPN is a robust and
highly configurable VPN (Virtual Private
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/OpenVZ.html
new/shorewall-docs-html-5.2.3.3/OpenVZ.html
--- old/shorewall-docs-html-5.2.3.1/OpenVZ.html 2019-02-26 19:01:32.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/OpenVZ.html 2019-04-12 04:08:54.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm29">Shorewall on an OpenVZ
Host</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm34">Networking</a></span></dt><dt><span class="section"><a
href="#idm59">Shorewall Configuration</a></span></dt><dt><span
class="section"><a href="#idm69">Multi-ISP</a></span></dt><dt><span
class="section"><a href="#idm73">RFC 1918 Addresses in a
Container</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm78">Shorewall in an OpenVZ Virtual
Environment</a></span></dt><dt><span class="section"><a href="#idm123">Working
Example</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm129">OpenVZ Configuration</a></span></dt><dt><span class="section"><a
href="#idm150">Shorewall Configuration on the Host</a></span></dt><dt><span
class="section"><a href="#idm169">Shorewall Configuration on
Server</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm179">Working Example Using a Bridge</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm186">Bridge Configuration</a></span></dt><dt><span
class="section"><a href="#idm190">OpenVZ Configuration</a></span></dt><dt><span
class="section"><a href="#idm217">Shorewall Configuration on the
Host</a></span></dt><dt><span class="section"><a href="#idm239">Shorewall
Configuration on Server</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p><a
class="ulink" href="http://wiki.openvz.org/"; target="_top">Open Virtuoso
(OpenVZ)</a>
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm29">Shorewall on an OpenVZ
Host</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm34">Networking</a></span></dt><dt><span class="section"><a
href="#idm59">Shorewall Configuration</a></span></dt><dt><span
class="section"><a href="#idm69">Multi-ISP</a></span></dt><dt><span
class="section"><a href="#idm73">RFC 1918 Addresses in a
Container</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm78">Shorewall in an OpenVZ Virtual
Environment</a></span></dt><dt><span class="section"><a href="#idm123">Working
Example</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm129">OpenVZ Configuration</a></span></dt><dt><span class="section"><a
href="#idm150">Shorewall Configuration on the Host</a></span></dt><dt><span
class="section"><a href="#idm169">Shorewall Configuration on
Server</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm179">Working Example Using a Bridge</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm186">Bridge Configuration</a></span></dt><dt><span
class="section"><a href="#idm190">OpenVZ Configuration</a></span></dt><dt><span
class="section"><a href="#idm217">Shorewall Configuration on the
Host</a></span></dt><dt><span class="section"><a href="#idm239">Shorewall
Configuration on Server</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p><a
class="ulink" href="http://wiki.openvz.org/"; target="_top">Open Virtuoso
(OpenVZ)</a>
is an open source kernel-based virtualization solution from
<span class="trademark"><a class="ulink" href="http://www.parallels.com";
target="_top">Parallels</a></span>™ (formerly
<span class="trademark">SWSoft</span>™). Virtual servers take the form of
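Review bot: the link text at the end of both the - and + side expands OpenVZ as "Open Virtuoso (OpenVZ)"; the name derives from Virtuozzo, so the expansion should read "Open Virtuozzo". The pubdate is the only thing this hunk changes, so the misspelling is republished under the new date; suggest reporting it against the upstream document source.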
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/PPTP.htm
new/shorewall-docs-html-5.2.3.3/PPTP.htm
--- old/shorewall-docs-html-5.2.3.1/PPTP.htm 2019-02-26 19:01:35.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/PPTP.htm 2019-04-12 04:08:56.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div><div><div class="abstract"><p
class="title"><strong>Abstract</strong></p><p>Shorewall easily supports PPTP in
a number of
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div><div><div class="abstract"><p
class="title"><strong>Abstract</strong></p><p>Shorewall easily supports PPTP in
a number of
configurations.</p></div></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Prelim">Preliminary Reading</a></span></dt><dt><span
class="section"><a href="#ServerFW">PPTP Server Running on your
Firewall</a></span></dt><dd><dl><dt><span class="section"><a
href="#Samba">Configuring Samba</a></span></dt><dt><span class="section"><a
href="#ConfigPppd">Configuring pppd</a></span></dt><dt><span class="section"><a
href="#ConfigPptpd">Configuring pptpd</a></span></dt><dt><span
class="section"><a href="#ConfigFw">Configuring
Shorewall</a></span></dt><dd><dl><dt><span class="section"><a
href="#Basic">Basic Setup</a></span></dt><dt><span class="section"><a
href="#Zones">Remote Users in a Separate Zone</a></span></dt><dt><span
class="section"><a href="#Hub">Multiple Remote
Networks</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a
href="#ServerBehind">PPTP Server Running Behind your
Firewall</a></span></dt><dt><span class="section"><a href="#ClientsBehind">PPTP
Clients Running Behind your Firewall</a></span></dt><dt><span
class="section"><a href="#ClientFW">PPTP Client Running on your
Firewall</a></span></dt><dt><span class="section"><a href="#PPTP_ADSL">PPTP
Client running on your Firewall with PPTP Server in an ADSL
Modem</a></span></dt></dl></div><div class="warning" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>I have not used
PPTP in years and as a consequence, this document is
no longer maintained (any volunteers?).</p><p>As far as I know, the
information regarding Shorewall configuration
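Review bot: the Warning box in the trailing context says "this document is no longer maintained", but the + side gives the page a pubdate of 2019/04/11. A reader who checks only the date will take the PPTP guidance as current. Suggest asking upstream to keep the last real revision date on unmaintained articles, or to state in the Warning when the content was last reviewed.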
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/PacketHandling.html
new/shorewall-docs-html-5.2.3.3/PacketHandling.html
--- old/shorewall-docs-html-5.2.3.1/PacketHandling.html 2019-02-26
19:01:33.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/PacketHandling.html 2019-04-12
04:08:54.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Incoming">Packets Entering the Firewall from
Outside</a></span></dt><dt><span class="section"><a href="#All">All
Packets</a></span></dt><dt><span class="section"><a href="#Local">Packets
Originating on the Firewall</a></span></dt><dt><span class="section"><a
href="#Egress">Packets Leaving the Firewall</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>This article will try to
help you understand how packets pass
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Incoming">Packets Entering the Firewall from
Outside</a></span></dt><dt><span class="section"><a href="#All">All
Packets</a></span></dt><dt><span class="section"><a href="#Local">Packets
Originating on the Firewall</a></span></dt><dt><span class="section"><a
href="#Egress">Packets Leaving the Firewall</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>This article will try to
help you understand how packets pass
through a firewall configured by Shorewall. You may find it useful to have
a copy of the <a class="ulink" href="NetfilterOverview.html"
target="_top">Netfilter
Overview</a> handy to refer to.</p><p>The discussion that follows assumes
that you are running a current
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/PacketMarking.html
new/shorewall-docs-html-5.2.3.3/PacketMarking.html
--- old/shorewall-docs-html-5.2.3.1/PacketMarking.html 2019-02-26
19:01:33.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/PacketMarking.html 2019-04-12
04:08:54.000000000 +0200
@@ -6,7 +6,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Marks">Packet and Connection
Marks</a></span></dt><dt><span class="section"><a href="#Programs">Packet
Marking "Programs"</a></span></dt><dt><span class="section"><a
href="#Values">Mark and Mask Values</a></span></dt><dt><span class="section"><a
href="#Shorewall">Shorewall-defined Chains in the Mangle
Table</a></span></dt><dt><span class="section"><a href="#Examples">An
Example</a></span></dt><dt><span class="section"><a href="#Show">Examining the
Marking Programs on a Running System</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article includes information that applies to
Shorewall version
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Marks">Packet and Connection
Marks</a></span></dt><dt><span class="section"><a href="#Programs">Packet
Marking "Programs"</a></span></dt><dt><span class="section"><a
href="#Values">Mark and Mask Values</a></span></dt><dt><span class="section"><a
href="#Shorewall">Shorewall-defined Chains in the Mangle
Table</a></span></dt><dt><span class="section"><a href="#Examples">An
Example</a></span></dt><dt><span class="section"><a href="#Show">Examining the
Marking Programs on a Running System</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article includes information that applies to
Shorewall version
3.2.5 and later. Not all features described here will be available in
earlier releases.</p></div><div class="important" style="margin-left:
0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>/etc/shorewall/mangle superseded
/etc/shorewall/tcrules in Shorewall
4.6.0. /etc/shorwall/tcrules is still supported but its use is
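Review bot: the last context line of this hunk spells the path "/etc/shorwall/tcrules", while the sentence before it has "/etc/shorewall/tcrules". A reader who copies the path from the Important box gets a file that does not exist, so the typo should be fixed in the upstream document source; the pubdate bump in the + lines republishes it unchanged.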
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/PortKnocking.html
new/shorewall-docs-html-5.2.3.3/PortKnocking.html
--- old/shorewall-docs-html-5.2.3.1/PortKnocking.html 2019-02-26
19:01:34.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/PortKnocking.html 2019-04-12
04:08:55.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#What">What is Port Knocking?</a></span></dt><dt><span
class="section"><a href="#How">Implementing Port Knocking in
Shorewall</a></span></dt><dt><span class="section"><a href="#Limit">Limiting
Per-IP Connection Rate</a></span></dt></dl></div><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p>The techniques described in this article were
superseded in
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#What">What is Port Knocking?</a></span></dt><dt><span
class="section"><a href="#How">Implementing Port Knocking in
Shorewall</a></span></dt><dt><span class="section"><a href="#Limit">Limiting
Per-IP Connection Rate</a></span></dt></dl></div><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p>The techniques described in this article were
superseded in
Shorewall 4.5.19 with the introduction of <a class="ulink"
href="Events.html" target="_top">Shorewall Events</a>.</p></div><div
class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p>The feature described in this article require '<a
class="ulink" href="http://snowman.net/projects/ipt_recent/";
target="_top">Recent Match</a>' in
your iptables and kernel. See the output of <span
class="command"><strong>shorewall show
capabilities</strong></span> to see if you have that match.</p></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="What"></a>What is Port
Knocking?</h2></div></div></div><p>Port knocking is a technique whereby
attempting to connect to port A
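Review bot: the first Note after the + lines says the techniques in this article "were superseded in Shorewall 4.5.19" by Shorewall Events, yet the page is reissued with a pubdate of 2019/04/11 and no other change. Suggest that upstream keep the original revision date or make the superseded status more prominent than a Note, so that readers are steered to Events.html first. The second Note also needs a grammar fix: "The feature described in this article require" should be "requires".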
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ProxyARP.htm
new/shorewall-docs-html-5.2.3.3/ProxyARP.htm
--- old/shorewall-docs-html-5.2.3.1/ProxyARP.htm 2019-02-26
19:01:35.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/ProxyARP.htm 2019-04-12
04:08:56.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Overview</a></span></dt><dt><span
class="section"><a href="#Example">Example</a></span></dt><dt><span
class="section"><a href="#ARP">ARP cache</a></span></dt><dt><span
class="section"><a href="#idm113">IPv6 - Proxy
NDP</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Overview</h2></div></div></div><p>Proxy ARP (RFC 1027) is a way
to make a machine physically located
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Overview</a></span></dt><dt><span
class="section"><a href="#Example">Example</a></span></dt><dt><span
class="section"><a href="#ARP">ARP cache</a></span></dt><dt><span
class="section"><a href="#idm113">IPv6 - Proxy
NDP</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Overview</h2></div></div></div><p>Proxy ARP (RFC 1027) is a way
to make a machine physically located
on one network appear to be logically part of a different physical network
connected to the same router/firewall. Typically it allows us to hide a
machine with a public IP address on a private network behind a router, and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/QOSExample.html
new/shorewall-docs-html-5.2.3.3/QOSExample.html
--- old/shorewall-docs-html-5.2.3.1/QOSExample.html 2019-02-26
19:01:35.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/QOSExample.html 2019-04-12
04:08:57.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm30">/etc/shorewall/params</a></span></dt><dt><span
class="section"><a href="#idm34">/etc/shorewall/init</a></span></dt><dt><span
class="section"><a
href="#idm38">/etc/shorewall/tcdevices</a></span></dt><dt><span
class="section"><a
href="#idm42">/etc/shorewall/tcclasses</a></span></dt><dt><span
class="section"><a href="#idm46">/etc/shorewall/mangle</a></span></dt><dt><span
class="section"><a
href="#idm50">/etc/shorewall/tcfilters</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>This configuration was
inspired by the one in this thread on the
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm30">/etc/shorewall/params</a></span></dt><dt><span
class="section"><a href="#idm34">/etc/shorewall/init</a></span></dt><dt><span
class="section"><a
href="#idm38">/etc/shorewall/tcdevices</a></span></dt><dt><span
class="section"><a
href="#idm42">/etc/shorewall/tcclasses</a></span></dt><dt><span
class="section"><a href="#idm46">/etc/shorewall/mangle</a></span></dt><dt><span
class="section"><a
href="#idm50">/etc/shorewall/tcfilters</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>This configuration was
inspired by the one in this thread on the
OpenWRT Forum: <a class="ulink"
href="https://forum.openwrt.org/viewtopic.php?pid=154533#p154533";
target="_top">https://forum.openwrt.org/viewtopic.php?pid=154533#p154533</a>.
The configuration has been adapted to Shorewall 4.5.6 with the following
changes:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>The configuration uses an IFB, yet only uses firewall marks
in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ReleaseModel.html
new/shorewall-docs-html-5.2.3.3/ReleaseModel.html
--- old/shorewall-docs-html-5.2.3.1/ReleaseModel.html 2019-02-26
19:01:36.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/ReleaseModel.html 2019-04-12
04:08:57.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Releases">Shorewall
Releases</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Releases"></a>Shorewall Releases</h2></div></div></div><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>Releases have a three-level identification
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Releases">Shorewall
Releases</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Releases"></a>Shorewall Releases</h2></div></div></div><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>Releases have a three-level identification
<em class="firstterm">x.y.z</em> (e.g., 4.5.0).</p></li><li
class="listitem"><p>The first two levels (<span
class="emphasis"><em>x.y</em></span>) designate the
<em class="firstterm">major release number</em> (e.g.,
4.5).</p></li><li class="listitem"><p>The third level (<span
class="emphasis"><em>y</em></span>) designates the
<em class="firstterm">minor release Number</em>.</p></li><li
class="listitem"><p>Installing a new minor release involves no migration issues
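Review bot: in the unchanged context after the + line, the third list item reads "The third level (y) designates the minor release Number", but the first item defines the identification as x.y.z and the second already assigns x.y to the major release number, so the third level should be z. The only difference between the - and + lines here is the pubdate, so this error ships unchanged in 5.2.3.3 and is worth correcting upstream; "minor release Number" should also be lower-cased to match "major release number".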
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/SharedConfig.html
new/shorewall-docs-html-5.2.3.3/SharedConfig.html
--- old/shorewall-docs-html-5.2.3.1/SharedConfig.html 2019-02-26
19:01:37.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/SharedConfig.html 2019-04-12
04:08:58.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm21">Environment</a></span></dt><dt><span
class="section"><a href="#idm26">Configuration</a></span></dt><dd><dl><dt><span
class="section"><a
href="#idm32">/usr/share/shorewall/shorewallrc</a></span></dt><dt><span
class="section"><a href="#idm36">shorewall.conf and
shorewall6.conf</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm45">shorewall.conf</a></span></dt><dt><span class="section"><a
href="#idm49">shorewall6.conf</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm53">params</a></span></dt><dt><span
class="section"><a href="#idm61">zones</a></span></dt><dt><span
class="section"><a href="#idm65">interfaces</a></span></dt><dt><span
class="section"><a href="#idm69">hosts</a></span></dt><dt><span
class="section"><a href="#idm73">policy</a></span></dt><dt><span
class="section"><a href="#idm77">providers</a></span></dt><dt><span
class="section"><a href="#idm88">rtrules</a></span></dt><dt><span
class="section"><a href="#idm92">routes</a></span></dt><dt><span
class="section"><a href="#idm96">actions</a></span></dt><dt><span
class="section"><a href="#idm102">Macros</a></span></dt><dt><span
class="section"><a href="#idm107">conntrack</a></span></dt><dt><span
class="section"><a href="#idm111">rules</a></span></dt><dt><span
class="section"><a href="#idm115">mangle</a></span></dt><dt><span
class="section"><a href="#idm119">snat</a></span></dt><dt><span
class="section"><a href="#idm123">tunnels</a></span></dt><dt><span
class="section"><a href="#idm127">proxyarp</a></span></dt><dt><span
class="section"><a href="#idm131">isuable</a></span></dt><dt><span
class="section"><a
href="#idm135">started</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Netfilter separates
management of IPv4 and IPv6 configurations. Each
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm21">Environment</a></span></dt><dt><span
class="section"><a href="#idm26">Configuration</a></span></dt><dd><dl><dt><span
class="section"><a
href="#idm32">/usr/share/shorewall/shorewallrc</a></span></dt><dt><span
class="section"><a href="#idm36">shorewall.conf and
shorewall6.conf</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm45">shorewall.conf</a></span></dt><dt><span class="section"><a
href="#idm49">shorewall6.conf</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm53">params</a></span></dt><dt><span
class="section"><a href="#idm61">zones</a></span></dt><dt><span
class="section"><a href="#idm65">interfaces</a></span></dt><dt><span
class="section"><a href="#idm69">hosts</a></span></dt><dt><span
class="section"><a href="#idm73">policy</a></span></dt><dt><span
class="section"><a href="#idm77">providers</a></span></dt><dt><span
class="section"><a href="#idm88">rtrules</a></span></dt><dt><span
class="section"><a href="#idm92">routes</a></span></dt><dt><span
class="section"><a href="#idm96">actions</a></span></dt><dt><span
class="section"><a href="#idm102">Macros</a></span></dt><dt><span
class="section"><a href="#idm107">conntrack</a></span></dt><dt><span
class="section"><a href="#idm111">rules</a></span></dt><dt><span
class="section"><a href="#idm115">mangle</a></span></dt><dt><span
class="section"><a href="#idm119">snat</a></span></dt><dt><span
class="section"><a href="#idm123">tunnels</a></span></dt><dt><span
class="section"><a href="#idm127">proxyarp</a></span></dt><dt><span
class="section"><a href="#idm131">isuable</a></span></dt><dt><span
class="section"><a
href="#idm135">started</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Netfilter separates
management of IPv4 and IPv6 configurations. Each
address family has its own utility (iptables and ip6tables), and changes
made to the configuration of one address family do not affect the other.
While Shorewall also separates the address families in this way, it is
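Review bot: the Table of Contents entry "isuable" (href="#idm131") is carried unchanged from the - line into the + line and looks like a misspelling of Shorewall's isusable extension script. Since this hunk only changes the pubdate, the section title should be corrected where the heading is defined so that the TOC and the heading both read "isusable".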
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall-4.html
new/shorewall-docs-html-5.2.3.3/Shorewall-4.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall-4.html 2019-02-26
19:01:37.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall-4.html 2019-04-12
04:08:58.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Install">Shorewall 4.4</a></span></dt><dt><span
class="section"><a href="#idm70">Shorewall 4.5/4.6</a></span></dt><dt><span
class="section"><a href="#Prereqs">Prerequisites for using the Shorewall
Version 4.2/4.4/4.5/4.6
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#Install">Shorewall 4.4</a></span></dt><dt><span
class="section"><a href="#idm70">Shorewall 4.5/4.6</a></span></dt><dt><span
class="section"><a href="#Prereqs">Prerequisites for using the Shorewall
Version 4.2/4.4/4.5/4.6
Perl-based Compiler</a></span></dt><dt><span class="section"><a
href="#Incompatibilities">Incompatibilities Introduced in the Shorewall Version
4 Perl-based
Compiler</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall version 4.0
represented a substantial shift in direction
for Shorewall. Up until then</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p>Shorewall had been written entirely in Bourne
Shell.</p></li><li class="listitem"><p>Shorewall had run the <span
class="command"><strong>iptables</strong></span> utility to add
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall-5.html
new/shorewall-docs-html-5.2.3.3/Shorewall-5.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall-5.html 2019-02-26
19:01:38.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall-5.html 2019-04-12
04:08:59.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Introduction</a></span></dt><dt><span
class="section"><a href="#idm32">Cruft Removal</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm35">Scripts Compiled with Shorewall 4.4.7 or
Earlier</a></span></dt><dt><span class="section"><a
href="#idm38">Workarounds</a></span></dt><dt><span class="section"><a
href="#idm47">Removal of Configuration Options</a></span></dt><dt><span
class="section"><a href="#idm79">Obsolete Configuration
Files</a></span></dt><dt><span class="section"><a href="#idm87">Macro and
Action Formats</a></span></dt><dt><span class="section"><a
href="#idm145">COMMENT, FORMAT and SECTION
Lines</a></span></dt></dl></dd><dt><span class="section"><a href="#idm149">CLI
Command Changes</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm152">restart</a></span></dt><dt><span class="section"><a
href="#idm158">load</a></span></dt><dt><span class="section"><a
href="#idm163">reload</a></span></dt><dt><span class="section"><a
href="#idm176">refresh</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm190">CLI Unification</a></span></dt><dt><span class="section"><a
href="#idm214">Upgrading to Shorewall 5</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm235">CHAIN_SCRIPTS
Removal</a></span></dt></dl></dd></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm19"></a>Introduction</h2></div></div></div><p>There are currently three
principle groups of changes that
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Introduction</a></span></dt><dt><span
class="section"><a href="#idm32">Cruft Removal</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm35">Scripts Compiled with Shorewall 4.4.7 or
Earlier</a></span></dt><dt><span class="section"><a
href="#idm38">Workarounds</a></span></dt><dt><span class="section"><a
href="#idm47">Removal of Configuration Options</a></span></dt><dt><span
class="section"><a href="#idm79">Obsolete Configuration
Files</a></span></dt><dt><span class="section"><a href="#idm87">Macro and
Action Formats</a></span></dt><dt><span class="section"><a
href="#idm145">COMMENT, FORMAT and SECTION
Lines</a></span></dt></dl></dd><dt><span class="section"><a href="#idm149">CLI
Command Changes</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm152">restart</a></span></dt><dt><span class="section"><a
href="#idm158">load</a></span></dt><dt><span class="section"><a
href="#idm163">reload</a></span></dt><dt><span class="section"><a
href="#idm176">refresh</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm190">CLI Unification</a></span></dt><dt><span class="section"><a
href="#idm214">Upgrading to Shorewall 5</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm235">CHAIN_SCRIPTS
Removal</a></span></dt></dl></dd></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm19"></a>Introduction</h2></div></div></div><p>There are currently three
principle groups of changes that
distinguish Shorewall 5 from Shorewall 4:</p><div class="orderedlist"><ol
class="orderedlist" type="1"><li class="listitem"><p>Cruft Removal - over the
years, as new ways to accomplish
various tasks are added to Shorewall, support for the old way of doing
things has generally been retained but deprecated. Shorewall 5 drops
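Review bot: the context after the + line reads "There are currently three principle groups of changes"; the adjective intended is "principal". The hunk changes only the pubdate, so the wording is unchanged in the new version and should be fixed in the document's source.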
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall-Lite.html
new/shorewall-docs-html-5.2.3.3/Shorewall-Lite.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall-Lite.html 2019-02-26
19:01:41.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall-Lite.html 2019-04-12
04:09:02.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span
class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm174">Module Loading</a></span></dt><dt><span
class="section"><a href="#Converting">Converting a system from Shorewall to
Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a
href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span
class="section"><a href="#Compile">The "shorewall compile"
command</a></span></dt><dt><span class="section"><a href="#Shorecap">The
/etc/shorewall/capabilities file and the shorecap
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Overview">Overview</a></span></dt><dd><dl><dt><span
class="section"><a href="#Lite">Shorewall Lite</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm174">Module Loading</a></span></dt><dt><span
class="section"><a href="#Converting">Converting a system from Shorewall to
Shorewall Lite</a></span></dt></dl></dd><dt><span class="section"><a
href="#Restrictions">Restrictions</a></span></dt></dl></dd><dt><span
class="section"><a href="#Compile">The "shorewall compile"
command</a></span></dt><dt><span class="section"><a href="#Shorecap">The
/etc/shorewall/capabilities file and the shorecap
program</a></span></dt><dt><span class="section"><a
href="#Running">Running compiled programs
directly</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation appropriate for your
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall-init.html
new/shorewall-docs-html-5.2.3.3/Shorewall-init.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall-init.html 2019-02-26
19:01:40.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall-init.html 2019-04-12
04:09:01.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#Close">Closing the Firewall before the Network
Interfaces are brought
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#Close">Closing the Firewall before the Network
Interfaces are brought
up</a></span></dt><dt><span class="section"><a href="#NM">Integration with
NetworkManager and ifup/ifdown Scripts</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="idm16"></a>Introduction</h2></div></div></div><p>The
Shorewall init scripts released from shorewall.net and by most
distributions start Shorewall after networking. This allows Shorewall to
detect the network configuration and taylor itself accordingly. It is
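Review bot: the trailing context of this hunk says Shorewall can "detect the network configuration and taylor itself accordingly"; "taylor" should be "tailor". Only the pubdate differs between the - and + lines, so the typo is unchanged in 5.2.3.3 and should be fixed in the document's source.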
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall-perl.html
new/shorewall-docs-html-5.2.3.3/Shorewall-perl.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall-perl.html 2019-02-26
19:01:42.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall-perl.html 2019-04-12
04:09:03.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#What">Shorewall-perl - What is
it?</a></span></dt><dt><span class="section"><a href="#DownSide">Shorewall-perl
- The down side</a></span></dt><dd><dl><dt><span class="section"><a
href="#Incompatibilities">Incompatibilities</a></span></dt><dt><span
class="section"><a href="#PerlDep">Dependence on
Perl</a></span></dt></dl></dd><dt><span class="section"><a
href="#Install">Installing Shorewall Version 4.0 or
4.2</a></span></dt><dt><span class="section"><a
href="#CompilerSelection">Compiler Selection (Shorewall
4.0-4.2)</a></span></dt><dt><span class="section"><a href="#Modules">The
Shorewall Perl Modules</a></span></dt><dd><dl><dt><span class="section"><a
href="#compiler.pl">/usr/share/shorewall/compiler.pl</a></span></dt><dt><span
class="section"><a
href="#Compiler">Shorewall::Compiler</a></span></dt><dt><span
class="section"><a href="#Chains">Shorewall::Chains</a></span></dt><dt><span
class="section"><a
href="#Config">Shorewall::Config</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="What"></a>Shorewall-perl - What is
it?</h2></div></div></div><p>Shorewall-perl was released as a companion product
to Shorewall in
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#What">Shorewall-perl - What is
it?</a></span></dt><dt><span class="section"><a href="#DownSide">Shorewall-perl
- The down side</a></span></dt><dd><dl><dt><span class="section"><a
href="#Incompatibilities">Incompatibilities</a></span></dt><dt><span
class="section"><a href="#PerlDep">Dependence on
Perl</a></span></dt></dl></dd><dt><span class="section"><a
href="#Install">Installing Shorewall Version 4.0 or
4.2</a></span></dt><dt><span class="section"><a
href="#CompilerSelection">Compiler Selection (Shorewall
4.0-4.2)</a></span></dt><dt><span class="section"><a href="#Modules">The
Shorewall Perl Modules</a></span></dt><dd><dl><dt><span class="section"><a
href="#compiler.pl">/usr/share/shorewall/compiler.pl</a></span></dt><dt><span
class="section"><a
href="#Compiler">Shorewall::Compiler</a></span></dt><dt><span
class="section"><a href="#Chains">Shorewall::Chains</a></span></dt><dt><span
class="section"><a
href="#Config">Shorewall::Config</a></span></dt></dl></dd></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="What"></a>Shorewall-perl - What is
it?</h2></div></div></div><p>Shorewall-perl was released as a companion product
to Shorewall in
Shorewall 4.0.0.</p><p>Shorewall-perl contained a re-implementation of the
Shorewall
compiler written in Perl. The advantages of using Shorewall-perl over
Shorewall-shell (the shell-based compiler included in earlier Shorewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall_Doesnt.html
new/shorewall-docs-html-5.2.3.3/Shorewall_Doesnt.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall_Doesnt.html 2019-02-26
19:01:39.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall_Doesnt.html 2019-04-12
04:09:00.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Doesnt">Shorewall Does not:</a></span></dt><dt><span
class="section"><a href="#Patching">In Addition:</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Doesnt">Shorewall Does not:</a></span></dt><dt><span
class="section"><a href="#Patching">In Addition:</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Doesnt"></a>Shorewall Does not:</h2></div></div></div><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>Act as a <span class="quote">“<span
class="quote">Personal Firewall</span>”</span> that allows Internet
access control by application. If that's what you are looking for, try
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/Shorewall_Squid_Usage.html
new/shorewall-docs-html-5.2.3.3/Shorewall_Squid_Usage.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall_Squid_Usage.html 2019-02-26
19:01:44.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall_Squid_Usage.html 2019-04-12
04:09:05.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span
class="quote">“<span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free
Documentation License</a>
- </span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Transparent">Squid as a Transparent (Interception)
Proxy</a></span></dt><dd><dl><dt><span class="section"><a
href="#Configurations">Configurations</a></span></dt><dd><dl><dt><span
class="section"><a href="#Firewall">Squid (transparent) Running on the
Firewall</a></span></dt><dt><span class="section"><a href="#Local">Squid
(transparent) Running in the local network</a></span></dt><dt><span
class="section"><a href="#DMZ">Squid (transparent) Running in the
DMZ</a></span></dt><dt><span class="section"><a href="#idm131">Simple
Configuration</a></span></dt><dt><span class="section"><a href="#idm136">More
Complex configuration</a></span></dt></dl></dd></dl></dd><dt><span
class="section"><a href="#Manual">Squid as a Manual
Proxy</a></span></dt><dt><span class="section"><a href="#TPROXY">Squid3 as a
Transparent Proxy with TPROXY</a></span></dt></dl></div><p>This page covers
Shorewall configuration to use with <a class="ulink"
href="http://www.squid-cache.org"; target="_top">Squid</a> running as a
Transparent
+ </span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Transparent">Squid as a Transparent (Interception)
Proxy</a></span></dt><dd><dl><dt><span class="section"><a
href="#Configurations">Configurations</a></span></dt><dd><dl><dt><span
class="section"><a href="#Firewall">Squid (transparent) Running on the
Firewall</a></span></dt><dt><span class="section"><a href="#Local">Squid
(transparent) Running in the local network</a></span></dt><dt><span
class="section"><a href="#DMZ">Squid (transparent) Running in the
DMZ</a></span></dt><dt><span class="section"><a href="#idm131">Simple
Configuration</a></span></dt><dt><span class="section"><a href="#idm136">More
Complex configuration</a></span></dt></dl></dd></dl></dd><dt><span
class="section"><a href="#Manual">Squid as a Manual
Proxy</a></span></dt><dt><span class="section"><a href="#TPROXY">Squid3 as a
Transparent Proxy with TPROXY</a></span></dt></dl></div><p>This page covers
Shorewall configuration to use with <a class="ulink"
href="http://www.squid-cache.org"; target="_top">Squid</a> running as a
Transparent
Proxy or as a Manual Proxy.</p><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/Shorewall_and_Aliased_Interfaces.html
new/shorewall-docs-html-5.2.3.3/Shorewall_and_Aliased_Interfaces.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall_and_Aliased_Interfaces.html
2019-02-26 19:01:38.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall_and_Aliased_Interfaces.html
2019-04-12 04:08:59.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Background">Background</a></span></dt><dt><span
class="section"><a href="#Adding">Adding Addresses to
Interfaces</a></span></dt><dt><span class="section"><a href="#How">So how do I
handle more than one address on an interface?</a></span></dt><dd><dl><dt><span
class="section"><a href="#Rules">Separate Rules</a></span></dt><dt><span
class="section"><a href="#DNAT">DNAT</a></span></dt><dt><span
class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span
class="section"><a href="#NAT">One-to-one NAT</a></span></dt><dt><span
class="section"><a href="#Subnets">MULTIPLE SUBNETS</a></span></dt><dt><span
class="section"><a href="#idm172">Defining a
Zone-per-Address</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Background">Background</a></span></dt><dt><span
class="section"><a href="#Adding">Adding Addresses to
Interfaces</a></span></dt><dt><span class="section"><a href="#How">So how do I
handle more than one address on an interface?</a></span></dt><dd><dl><dt><span
class="section"><a href="#Rules">Separate Rules</a></span></dt><dt><span
class="section"><a href="#DNAT">DNAT</a></span></dt><dt><span
class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span
class="section"><a href="#NAT">One-to-one NAT</a></span></dt><dt><span
class="section"><a href="#Subnets">MULTIPLE SUBNETS</a></span></dt><dt><span
class="section"><a href="#idm172">Defining a
Zone-per-Address</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Background"></a>Background</h2></div></div></div><p>The traditional
net-tools contain a program called
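Review bot: The Caution text on the changed line says the article applies to "Shorewall 4.3 and later", while the context line right after it sends readers on anything earlier than "Shorewall 4.3.5" to other documentation, so the two version numbers do not agree. The removed and added lines differ only in the pubdate (2019/02/26 to 2019/04/11), so the date is bumped while that wording stays uncorrected; align the two version numbers in the source for this article.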
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Shorewall_and_Kazaa.html
new/shorewall-docs-html-5.2.3.3/Shorewall_and_Kazaa.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall_and_Kazaa.html 2019-02-26
19:01:38.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall_and_Kazaa.html 2019-04-12
04:08:59.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><p>Beginning with Shorewall version
1.4.8, Shorewall can interface to
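Review bot: The removed and added lines differ only in class="pubdate" (2019/02/26 becomes 2019/04/11); the license sentence and the Caution block on the same line are unchanged. A new publication date on an article whose text did not change suggests a revision that did not happen. If the date is stamped when the HTML is generated, consider taking it from the last change to the article source instead, which would also keep this file out of the diff.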
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/Shorewall_and_Routing.html
new/shorewall-docs-html-5.2.3.3/Shorewall_and_Routing.html
--- old/shorewall-docs-html-5.2.3.1/Shorewall_and_Routing.html 2019-02-26
19:01:39.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Shorewall_and_Routing.html 2019-04-12
04:09:00.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Routing">Routing vs.
Firewalling.</a></span></dt><dt><span class="section"><a
href="#Netfilter">Routing and Netfilter</a></span></dt><dd><dl><dt><span
class="section"><a href="#Ingress">Packets Entering the Firewall from
Outside</a></span></dt><dt><span class="section"><a href="#Local">Packets
Originating on the Firewall</a></span></dt></dl></dd><dt><span
class="section"><a href="#RoutingTables">Alternate Routing Table
Configuration</a></span></dt><dt><span class="section"><a
href="#ProxyArp">Routing and Proxy ARP</a></span></dt><dt><span
class="section"><a href="#MultiISP">Multiple Internet Connection Support in
Shorewall 2.4.2 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Routing">Routing vs.
Firewalling.</a></span></dt><dt><span class="section"><a
href="#Netfilter">Routing and Netfilter</a></span></dt><dd><dl><dt><span
class="section"><a href="#Ingress">Packets Entering the Firewall from
Outside</a></span></dt><dt><span class="section"><a href="#Local">Packets
Originating on the Firewall</a></span></dt></dl></dd><dt><span
class="section"><a href="#RoutingTables">Alternate Routing Table
Configuration</a></span></dt><dt><span class="section"><a
href="#ProxyArp">Routing and Proxy ARP</a></span></dt><dt><span
class="section"><a href="#MultiISP">Multiple Internet Connection Support in
Shorewall 2.4.2 and
Later</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Routing"></a>Routing vs. Firewalling.</h2></div></div></div><p>One of the
most misunderstood aspects of Shorewall is its
relationship with routing. This article attempts to clear some of the fog
that surrounds this issue.</p><p>As a general principle:</p><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>Routing determines where packets are to be
sent.</p></li><li class="listitem"><p>Once routing determines where the packet
is to go, the firewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/SimpleBridge.html
new/shorewall-docs-html-5.2.3.3/SimpleBridge.html
--- old/shorewall-docs-html-5.2.3.1/SimpleBridge.html 2019-02-26
19:01:44.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/SimpleBridge.html 2019-04-12
04:09:05.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Background">Background</a></span></dt><dt><span
class="section"><a
href="#Application">Application</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="Background"></a>Background</h2></div></div></div><p>Systems where Shorewall
runs normally function as
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Background">Background</a></span></dt><dt><span
class="section"><a
href="#Application">Application</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="Background"></a>Background</h2></div></div></div><p>Systems where Shorewall
runs normally function as
<em class="firstterm">routers</em>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/SplitDNS.html
new/shorewall-docs-html-5.2.3.3/SplitDNS.html
--- old/shorewall-docs-html-5.2.3.1/SplitDNS.html 2019-02-26
19:01:45.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/SplitDNS.html 2019-04-12
04:09:06.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">What is Split DNS</a></span></dt><dt><span
class="section"><a href="#idm20">Why would I want to use Split
DNS?</a></span></dt><dt><span class="section"><a href="#idm24">Setting up Split
DNS</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>What is Split DNS</h2></div></div></div><p><em
class="firstterm">Split DNS</em> is simply a configuration in which
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">What is Split DNS</a></span></dt><dt><span
class="section"><a href="#idm20">Why would I want to use Split
DNS?</a></span></dt><dt><span class="section"><a href="#idm24">Setting up Split
DNS</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>What is Split DNS</h2></div></div></div><p><em
class="firstterm">Split DNS</em> is simply a configuration in which
the IP address to which a DNS name resolves is dependent on the location
of the client. It is most often used in a NAT environment to insure that
local clients resolve the DNS names of local servers to their RFC 1918
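Review bot: The table of contents on the changed line links to generated anchors (#idm16, #idm20, #idm24) rather than named ones, unlike other articles in this patch that use ids such as #Background. Generated ids can change when the document is regenerated, which breaks deep links into this page; give the three sections explicit ids in the source. In the trailing context, "insure that local clients resolve" should read "ensure".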
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/UPnP.html
new/shorewall-docs-html-5.2.3.3/UPnP.html
--- old/shorewall-docs-html-5.2.3.1/UPnP.html 2019-02-26 19:01:53.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/UPnP.html 2019-04-12 04:09:14.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#UPnP">UPnP</a></span></dt><dt><span
class="section"><a href="#linux-igd">linux-igd
Configuration</a></span></dt><dt><span class="section"><a
href="#Shorewall">Shorewall Configuration</a></span></dt><dt><span
class="section"><a href="#idm62">Shorewall on a UPnP
Client</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="UPnP"></a>UPnP</h2></div></div></div><p>Shorewall includes support for UPnP
(Universal Plug and Play) using
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#UPnP">UPnP</a></span></dt><dt><span
class="section"><a href="#linux-igd">linux-igd
Configuration</a></span></dt><dt><span class="section"><a
href="#Shorewall">Shorewall Configuration</a></span></dt><dt><span
class="section"><a href="#idm62">Shorewall on a UPnP
Client</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="UPnP"></a>UPnP</h2></div></div></div><p>Shorewall includes support for UPnP
(Universal Plug and Play) using
linux-igd (<a class="ulink" href="http://linux-igd.sourceforge.net";
target="_top">http://linux-igd.sourceforge.net</a>).
UPnP is required by a number of popular applications including MSN
IM.</p><div class="warning" style="margin-left: 0.5in; margin-right:
0.5in;"><h3 class="title">Warning</h3><p>From a security architecture
viewpoint, UPnP is a disaster. It
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Universal.html
new/shorewall-docs-html-5.2.3.3/Universal.html
--- old/shorewall-docs-html-5.2.3.1/Universal.html 2019-02-26
19:01:53.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Universal.html 2019-04-12
04:09:14.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Configuring Shorewall</a></span></dt><dt><span
class="section"><a href="#idm20">What the Universal Configuration
does</a></span></dt><dt><span class="section"><a href="#idm36">How to Install
it</a></span></dt><dt><span class="section"><a href="#idm53">How to Start the
firewall</a></span></dt><dt><span class="section"><a href="#idm69">Now that it
is running, ...</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm71">How do I stop the firewall?</a></span></dt><dt><span
class="section"><a href="#idm78">How do I prevent it from responding to
ping?</a></span></dt><dt><span class="section"><a href="#idm88">How do I allow
other kinds of incoming connections?</a></span></dt><dt><span
class="section"><a href="#idm119">How do I make the firewall log a message when
it disallows an
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Configuring Shorewall</a></span></dt><dt><span
class="section"><a href="#idm20">What the Universal Configuration
does</a></span></dt><dt><span class="section"><a href="#idm36">How to Install
it</a></span></dt><dt><span class="section"><a href="#idm53">How to Start the
firewall</a></span></dt><dt><span class="section"><a href="#idm69">Now that it
is running, ...</a></span></dt><dd><dl><dt><span class="section"><a
href="#idm71">How do I stop the firewall?</a></span></dt><dt><span
class="section"><a href="#idm78">How do I prevent it from responding to
ping?</a></span></dt><dt><span class="section"><a href="#idm88">How do I allow
other kinds of incoming connections?</a></span></dt><dt><span
class="section"><a href="#idm119">How do I make the firewall log a message when
it disallows an
incoming connection?</a></span></dt><dt><span class="section"><a
href="#idm165">How do I prevent the firewall from forwarding connection
requests?</a></span></dt></dl></dd></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Configuring Shorewall</h2></div></div></div><p>Once you have
installed the Shorewall software, you must configure
it. The easiest way to do that is to use one of Shorewall's
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/VPN.htm
new/shorewall-docs-html-5.2.3.3/VPN.htm
--- old/shorewall-docs-html-5.2.3.1/VPN.htm 2019-02-26 19:01:55.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/VPN.htm 2019-04-12 04:09:16.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#vpn">Virtual Private Networking
(VPN)</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="vpn"></a>Virtual Private Networking (VPN)</h2></div></div></div><p>It is
often the case that a system behind the firewall needs to be
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#vpn">Virtual Private Networking
(VPN)</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="vpn"></a>Virtual Private Networking (VPN)</h2></div></div></div><p>It is
often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPsec and PPTP. The basic
setup is shown in the following diagram:</p><div><img src="images/VPN.png"
/></div><p>A system with an RFC 1918 address needs to access a remote network
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/VPNBasics.html
new/shorewall-docs-html-5.2.3.3/VPNBasics.html
--- old/shorewall-docs-html-5.2.3.1/VPNBasics.html 2019-02-26
19:01:54.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/VPNBasics.html 2019-04-12
04:09:15.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Taxonomy">Gateway-to-gateway traffic vs. Host-to-host
traffic.</a></span></dt><dt><span class="section"><a
href="#Netfilter">Relationship to Netfilter</a></span></dt><dt><span
class="section"><a href="#Shorewall">What does this mean with
Shorewall?</a></span></dt><dt><span class="section"><a href="#Zones">Defining
Remote Zones</a></span></dt><dt><span class="section"><a
href="#Traffic">Allowing Traffic</a></span></dt><dt><span class="section"><a
href="#Policies">Different Firewall Policies for Different Remote
Systems</a></span></dt><dt><span class="section"><a href="#tunnels">Eliminating
the /etc/shorewall/tunnels file</a></span></dt><dd><dl><dt><span
class="section"><a href="#IPSEC">IPSEC</a></span></dt><dt><span
class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span
class="section"><a href="#OpenVPN">OpenVPN</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm199">Links to Other VPN Articles at
shorewall.net</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Taxonomy"></a>Gateway-to-gateway traffic vs. Host-to-host
traffic.</h2></div></div></div><p>The purpose of a <em
class="firstterm">Virtual Private Network</em>
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Taxonomy">Gateway-to-gateway traffic vs. Host-to-host
traffic.</a></span></dt><dt><span class="section"><a
href="#Netfilter">Relationship to Netfilter</a></span></dt><dt><span
class="section"><a href="#Shorewall">What does this mean with
Shorewall?</a></span></dt><dt><span class="section"><a href="#Zones">Defining
Remote Zones</a></span></dt><dt><span class="section"><a
href="#Traffic">Allowing Traffic</a></span></dt><dt><span class="section"><a
href="#Policies">Different Firewall Policies for Different Remote
Systems</a></span></dt><dt><span class="section"><a href="#tunnels">Eliminating
the /etc/shorewall/tunnels file</a></span></dt><dd><dl><dt><span
class="section"><a href="#IPSEC">IPSEC</a></span></dt><dt><span
class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span
class="section"><a href="#OpenVPN">OpenVPN</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm199">Links to Other VPN Articles at
shorewall.net</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Taxonomy"></a>Gateway-to-gateway traffic vs. Host-to-host
traffic.</h2></div></div></div><p>The purpose of a <em
class="firstterm">Virtual Private Network</em>
(VPN) is to provide for secure communication between a set of hosts.
Communication between a pair of hosts connected by a VPN occurs in
stages:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p><span
class="bold"><strong>Local-host-to-local-gateway</strong></span>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/Vserver.html
new/shorewall-docs-html-5.2.3.3/Vserver.html
--- old/shorewall-docs-html-5.2.3.1/Vserver.html 2019-02-26
19:01:55.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/Vserver.html 2019-04-12
04:09:16.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm46">Vserver Zones</a></span></dt><dt><span
class="section"><a href="#NDP">Sharing an IPv6 /64 between Vservers and a
LAN</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Formal support for
Linux-vserver was added in Shorewall 4.4.11
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16">Introduction</a></span></dt><dt><span
class="section"><a href="#idm46">Vserver Zones</a></span></dt><dt><span
class="section"><a href="#NDP">Sharing an IPv6 /64 between Vservers and a
LAN</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm16"></a>Introduction</h2></div></div></div><p>Formal support for
Linux-vserver was added in Shorewall 4.4.11
Beta2. The centerpiece of that support is the
<em class="firstterm">vserver</em> zone type. Vserver zones have the
following
characteristics:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>They are defined on the
Linux-vserver host.</p></li><li class="listitem"><p>The $FW zone is their
implicit parent.</p></li><li class="listitem"><p>Their contents must be defined
using the <a class="ulink" href="manpages/shorewall-hosts.html"
target="_top">shorewall-hosts </a>(5) file.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/XenMyWay-Routed.html
new/shorewall-docs-html-5.2.3.3/XenMyWay-Routed.html
--- old/shorewall-docs-html-5.2.3.1/XenMyWay-Routed.html 2019-02-26
19:01:56.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/XenMyWay-Routed.html 2019-04-12
04:09:17.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Before">Before Xen</a></span></dt><dt><span
class="section"><a href="#After">After Xen</a></span></dt><dd><dl><dt><span
class="section"><a href="#Domains">Domain
Configuration</a></span></dt><dt><span class="section"><a href="#Firewall">Dom0
Shorewall Configuration</a></span></dt></dl></dd></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article applies to Shorewall 4.0 and later.
If you are running
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Before">Before Xen</a></span></dt><dt><span
class="section"><a href="#After">After Xen</a></span></dt><dd><dl><dt><span
class="section"><a href="#Domains">Domain
Configuration</a></span></dt><dt><span class="section"><a href="#Firewall">Dom0
Shorewall Configuration</a></span></dt></dl></dd></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article applies to Shorewall 4.0 and later.
If you are running
a version of Shorewall earlier than Shorewall 4.0.0 then please see the
documentation for that release.</p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Before"></a>Before Xen</h2></div></div></div><p>Prior to adopting Xen, I
had a home office crowded with 5 systems,
three monitors a scanner and a printer. The systems were:</p><div
class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>Firewall</p></li><li class="listitem"><p>Public Server in a
DMZ (mail)</p></li><li class="listitem"><p>Private Server (wookie)</p></li><li
class="listitem"><p>My personal Linux Desktop (ursa)</p></li><li
class="listitem"><p>My work system (docked laptop running Windows
XP).</p></li></ol></div><p>The result was a very crowded and noisy
room.</p></div><div class="section"><div class="titlepage"><div><div><h2
class="title" style="clear: both"><a id="After"></a>After
Xen</h2></div></div></div><p>Xen has allowed me to reduce the noise and clutter
considerably. I
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/XenMyWay.html
new/shorewall-docs-html-5.2.3.3/XenMyWay.html
--- old/shorewall-docs-html-5.2.3.1/XenMyWay.html 2019-02-26
19:01:56.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/XenMyWay.html 2019-04-12
04:09:17.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Xen Network
Environment</a></span></dt><dt><span class="section"><a href="#Before">Before
Xen</a></span></dt><dt><span class="section"><a href="#After">After
Xen</a></span></dt><dd><dl><dt><span class="section"><a href="#Domains">Domain
Configuration</a></span></dt><dt><span class="section"><a href="#Dom0">Dom0
Configuration</a></span></dt><dt><span class="section"><a
href="#Firewall">Firewall DomU
Configuration</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article applies to Shorewall 3.0 and later.
If you are running
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Xen Network
Environment</a></span></dt><dt><span class="section"><a href="#Before">Before
Xen</a></span></dt><dt><span class="section"><a href="#After">After
Xen</a></span></dt><dd><dl><dt><span class="section"><a href="#Domains">Domain
Configuration</a></span></dt><dt><span class="section"><a href="#Dom0">Dom0
Configuration</a></span></dt><dt><span class="section"><a
href="#Firewall">Firewall DomU
Configuration</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p>This article applies to Shorewall 3.0 and later.
If you are running
a version of Shorewall earlier than Shorewall 3.0.0 then please see the
documentation for that release.</p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm19"></a>Xen Network Environment</h2></div></div></div><p><a
class="ulink" href="http://www.cl.cam.ac.uk/Research/SRG/netos/xen/";
target="_top">Xen</a> is a
<em class="firstterm">paravirtualization</em> tool that allows you to run
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/blacklisting_support.htm
new/shorewall-docs-html-5.2.3.3/blacklisting_support.htm
--- old/shorewall-docs-html-5.2.3.1/blacklisting_support.htm 2019-02-26
19:01:11.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/blacklisting_support.htm 2019-04-12
04:08:32.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#idm33">Rule-based
Blacklisting</a></span></dt><dt><span class="section"><a
href="#idm43">Chain-based Dynamic Blacklisting</a></span></dt><dt><span
class="section"><a href="#idm79">Ipset-based Dynamic
Blacklisting</a></span></dt><dt><span class="section"><a
href="#idm133">BLACKLIST Policy and Action</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#idm33">Rule-based
Blacklisting</a></span></dt><dt><span class="section"><a
href="#idm43">Chain-based Dynamic Blacklisting</a></span></dt><dt><span
class="section"><a href="#idm79">Ipset-based Dynamic
Blacklisting</a></span></dt><dt><span class="section"><a
href="#idm133">BLACKLIST Policy and Action</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall supports two
different types of blacklisting; rule-based,
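Review bot: As far as the visible lines show, the only difference between the removed and added `License</a>` lines is the `pubdate` paragraph (2019/02/26 to 2019/04/11); the table of contents and the caution text are the same on both sides, so this hunk changes nothing in the blacklisting article itself. Because the generated HTML puts the date on the same physical line as the whole table of contents, a one-token change appears as a multi-line replacement. Consider not stamping the build date into `pubdate`, or diffing the docs tarball with that paragraph filtered out, so that real changes to firewall documentation stand out from date bumps.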
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/blacklisting_support_ru.html
new/shorewall-docs-html-5.2.3.3/blacklisting_support_ru.html
--- old/shorewall-docs-html-5.2.3.1/blacklisting_support_ru.html
2019-02-26 19:01:11.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/blacklisting_support_ru.html
2019-04-12 04:08:32.000000000 +0200
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";><html
xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" /><title>Чёрные списки в
Shorewall</title><link rel="stylesheet" type="text/css" href="html.css" /><meta
name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div
class="article"><div class="titlepage"><div><div><h2 class="title"><a
id="idm1"></a>Чёрные списки в Shorewall</h2></div><div><div
class="authorgroup"><div class="author"><h3 class="author"><span
class="firstname">Tom</span> <span
class="surname">Eastep</span></h3></div></div></div><div><p
class="copyright">Copyright © 2002-2006 Thomas M. Eastep</p></div><div><p
class="copyright">Copyright © 2007 Russian Translation: Grigory
Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот
документ разрешается копировать, распространять и/или изменять при выполнении
условий лицензии GNU Free Documentation License версии 1.2 или более поздней,
опубликованной Free Software Foundation; без неизменяемых разделов, без текста
на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по
ссылке <span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Введение</a></span></dt><dt><span
class="section"><a href="#Static">Статические чёрные
списки</a></span></dt><dt><span class="section"><a href="#Dynamic">Динамические
чёрные списки</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Введение</h2></div></div></div><p>В Shorewall предусмотрены два
вида чёрных списков, статические и динамические. Опция BLACKLISTNEWONLY в файле
/etc/shorewall/shorewall.conf задаёт параметры фильтрации согласно этим
спискам:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>BLACKLISTNEWONLY=No -- проверка осуществляется для всех
входящих пакетов. Новые записи в чёрном списке позволяют прервать уже
существующие соединения.</p></li><li class="listitem"><p>BLACKLISTNEWONLY=Yes
-- проверка осуществляется только для новых запросов на установление
соединения. Записи в чёрном списке не влияют на уже существующие соединения. На
соответствие чёрному списку проверяется только адрес
источника.</p></li></ol></div><div class="important" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Important</h3><p><span
class="bold"><strong>На соответствие чёрному списку проверяется только адрес
источника </strong></span>. Чёрные списки закрывают доступ только хостам,
перечисленным в списке, но не закрывают доступ к самим этим
хостам.</p></div><div class="important" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Important</h3><p><span
class="bold"><strong>Динамические чёрные списки в Shorewall непригодны для
случаев, когда список содержит тысячи адресов. Статические списки могут
работать с большим числом адресов, но только при использовании наборов IP
(ipset)</strong></span>. Без ipset большие чёрные списки будут загружаться
слишком долго и заметно снизят производительность файрвола.</p></div></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Static"></a>Статические чёрные
списки</h2></div></div></div><p>Далее описаны параметры конфигурации
статических чёрных списков в Shorewall:</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p>Пакеты с хостов из чёрного списка будут отбрасываться без
уведомления (drop) или с уведомлением (reject), согласно параметру
BLACKLIST_DISPOSITION из файла <a class="ulink"
href="manpages/shorewall.conf.html" target="_top"><code
class="filename">/etc/shorewall/shorewall.conf</code>.</a></p></li><li
class="listitem"><p>Пакеты с хостов из чёрного списка будут заноситься в
протокол с заданным уровнем syslog согласно параметру BLACKLIST_LOGLEVEL из
файла <a class="ulink" href="manpages/shorewall.conf.html" target="_top"><code
class="filename">/etc/shorewall/shorewall.conf</code></a>.</p></li><li
class="listitem"><p>IP-адреса или подсети, которые требуется занести в чёрный
список, указываются в файле <a class="ulink"
href="manpages/shorewall-blacklist.html" target="_top"><code
class="filename">/etc/shorewall/blacklist</code></a>. В этом файле можно также
указать имена протоколов, номера портов или имена служб.</p></li><li
class="listitem"><p>Интерфейсы, для которых входящие пакеты проверяются на
соответствие чёрному списку, задаются с помощью опции <span
class="quote">“<span class="quote">blacklist</span>”</span> в файле <a
class="ulink" href="manpages/shorewall-interfaces.html" target="_top"><code
class="filename">/etc/shorewall/interfaces</code></a>.</p></li><li
class="listitem"><p>Чёрный список из файла <code
class="filename">/etc/shorewall/blacklist</code> можно обновить командой <span
class="quote">“<span class="quote"><a class="ulink"
href="starting_and_stopping_shorewall.htm" target="_top"><span
class="command"><strong>shorewall
refresh</strong></span></a></span>”</span>.</p></li></ul></div><p>При наличии
большого статического чёрного списка можно включить опцию DELAYBLACKLISTLOAD в
файле shorewall.conf (начиная с Shorewall версии 2.2.0). Если
DELAYBLACKLISTLOAD=Yes, то Shorewall будет загружать правила чёрного списка
после установления соединений. Хотя при этом соединения с хостов из чёрного
списка могут осуществляться в течение времени создания списка, эта опция
позволяет существенно снизить время запрета соединений в ходе выполнения команд
"shorewall [re]start".</p><p>Для определения статического чёрного списка в
Shorewall начиная с версии 2.4.0 поддерживаются наборы IP, или <a class="ulink"
href="ipsets.html" target="_top">ipsets</a>. Пример:</p><pre
class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";><html
xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" /><title>Чёрные списки в
Shorewall</title><link rel="stylesheet" type="text/css" href="html.css" /><meta
name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div
class="article"><div class="titlepage"><div><div><h2 class="title"><a
id="idm1"></a>Чёрные списки в Shorewall</h2></div><div><div
class="authorgroup"><div class="author"><h3 class="author"><span
class="firstname">Tom</span> <span
class="surname">Eastep</span></h3></div></div></div><div><p
class="copyright">Copyright © 2002-2006 Thomas M. Eastep</p></div><div><p
class="copyright">Copyright © 2007 Russian Translation: Grigory
Mokhin</p></div><div><div class="legalnotice"><a id="idm15"></a><p>Этот
документ разрешается копировать, распространять и/или изменять при выполнении
условий лицензии GNU Free Documentation License версии 1.2 или более поздней,
опубликованной Free Software Foundation; без неизменяемых разделов, без текста
на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по
ссылке <span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Введение</a></span></dt><dt><span
class="section"><a href="#Static">Статические чёрные
списки</a></span></dt><dt><span class="section"><a href="#Dynamic">Динамические
чёрные списки</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Введение</h2></div></div></div><p>В Shorewall предусмотрены два
вида чёрных списков, статические и динамические. Опция BLACKLISTNEWONLY в файле
/etc/shorewall/shorewall.conf задаёт параметры фильтрации согласно этим
спискам:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li
class="listitem"><p>BLACKLISTNEWONLY=No -- проверка осуществляется для всех
входящих пакетов. Новые записи в чёрном списке позволяют прервать уже
существующие соединения.</p></li><li class="listitem"><p>BLACKLISTNEWONLY=Yes
-- проверка осуществляется только для новых запросов на установление
соединения. Записи в чёрном списке не влияют на уже существующие соединения. На
соответствие чёрному списку проверяется только адрес
источника.</p></li></ol></div><div class="important" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Important</h3><p><span
class="bold"><strong>На соответствие чёрному списку проверяется только адрес
источника </strong></span>. Чёрные списки закрывают доступ только хостам,
перечисленным в списке, но не закрывают доступ к самим этим
хостам.</p></div><div class="important" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Important</h3><p><span
class="bold"><strong>Динамические чёрные списки в Shorewall непригодны для
случаев, когда список содержит тысячи адресов. Статические списки могут
работать с большим числом адресов, но только при использовании наборов IP
(ipset)</strong></span>. Без ipset большие чёрные списки будут загружаться
слишком долго и заметно снизят производительность файрвола.</p></div></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Static"></a>Статические чёрные
списки</h2></div></div></div><p>Далее описаны параметры конфигурации
статических чёрных списков в Shorewall:</p><div class="itemizedlist"><ul
class="itemizedlist" style="list-style-type: disc; "><li
class="listitem"><p>Пакеты с хостов из чёрного списка будут отбрасываться без
уведомления (drop) или с уведомлением (reject), согласно параметру
BLACKLIST_DISPOSITION из файла <a class="ulink"
href="manpages/shorewall.conf.html" target="_top"><code
class="filename">/etc/shorewall/shorewall.conf</code>.</a></p></li><li
class="listitem"><p>Пакеты с хостов из чёрного списка будут заноситься в
протокол с заданным уровнем syslog согласно параметру BLACKLIST_LOGLEVEL из
файла <a class="ulink" href="manpages/shorewall.conf.html" target="_top"><code
class="filename">/etc/shorewall/shorewall.conf</code></a>.</p></li><li
class="listitem"><p>IP-адреса или подсети, которые требуется занести в чёрный
список, указываются в файле <a class="ulink"
href="manpages/shorewall-blacklist.html" target="_top"><code
class="filename">/etc/shorewall/blacklist</code></a>. В этом файле можно также
указать имена протоколов, номера портов или имена служб.</p></li><li
class="listitem"><p>Интерфейсы, для которых входящие пакеты проверяются на
соответствие чёрному списку, задаются с помощью опции <span
class="quote">“<span class="quote">blacklist</span>”</span> в файле <a
class="ulink" href="manpages/shorewall-interfaces.html" target="_top"><code
class="filename">/etc/shorewall/interfaces</code></a>.</p></li><li
class="listitem"><p>Чёрный список из файла <code
class="filename">/etc/shorewall/blacklist</code> можно обновить командой <span
class="quote">“<span class="quote"><a class="ulink"
href="starting_and_stopping_shorewall.htm" target="_top"><span
class="command"><strong>shorewall
refresh</strong></span></a></span>”</span>.</p></li></ul></div><p>При наличии
большого статического чёрного списка можно включить опцию DELAYBLACKLISTLOAD в
файле shorewall.conf (начиная с Shorewall версии 2.2.0). Если
DELAYBLACKLISTLOAD=Yes, то Shorewall будет загружать правила чёрного списка
после установления соединений. Хотя при этом соединения с хостов из чёрного
списка могут осуществляться в течение времени создания списка, эта опция
позволяет существенно снизить время запрета соединений в ходе выполнения команд
"shorewall [re]start".</p><p>Для определения статического чёрного списка в
Shorewall начиная с версии 2.4.0 поддерживаются наборы IP, или <a class="ulink"
href="ipsets.html" target="_top">ipsets</a>. Пример:</p><pre
class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
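Review bot: The added line gives the Russian page a `pubdate` of 2019/04/11 although nothing else in it changes. It still carries a 2007 translation copyright, describes BLACKLISTNEWONLY and DELAYBLACKLISTLOAD with references to Shorewall 2.2.0 and 2.4.0, and lists only static and dynamic blacklists in its table of contents. The English blacklisting page in the hunk before it lists rule-based, chain-based and ipset-based blacklisting and says it applies to Shorewall 4.4 and later. A fresh date on this page can lead an operator to configure blacklisting from a description that no longer matches the English one; either keep the date of the last content revision or add a notice that the translation is not maintained. Separately, the last three lines (`+Blacklistports[dst]` and the two after it) are unchanged context according to `@@ -1,5 +1,5 @@`: the leading `+` is the ipset prefix in the example, not a diff marker, which is easy to misread here.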
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/bridge-Shorewall-perl.html
new/shorewall-docs-html-5.2.3.3/bridge-Shorewall-perl.html
--- old/shorewall-docs-html-5.2.3.1/bridge-Shorewall-perl.html 2019-02-26
19:01:12.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/bridge-Shorewall-perl.html 2019-04-12
04:08:33.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Background">Background</a></span></dt><dt><span
class="section"><a href="#Requirements">Requirements</a></span></dt><dt><span
class="section"><a href="#Application">Application</a></span></dt><dt><span
class="section"><a href="#Bridge">Configuring the
Bridge</a></span></dt><dt><span class="section"><a
href="#Shorewall">Configuring Shorewall</a></span></dt><dt><span
class="section"><a href="#Multiple">Multiple Bridges with Wildcard
Ports</a></span></dt><dt><span class="section"><a
href="#bridge-router">Combination Router/Bridge</a></span></dt><dt><span
class="section"><a href="#veth">Using Back-to-back veth Devices to Interface
with a Bridge</a></span></dt><dt><span class="section"><a
href="#Limitations">Limitations</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Background">Background</a></span></dt><dt><span
class="section"><a href="#Requirements">Requirements</a></span></dt><dt><span
class="section"><a href="#Application">Application</a></span></dt><dt><span
class="section"><a href="#Bridge">Configuring the
Bridge</a></span></dt><dt><span class="section"><a
href="#Shorewall">Configuring Shorewall</a></span></dt><dt><span
class="section"><a href="#Multiple">Multiple Bridges with Wildcard
Ports</a></span></dt><dt><span class="section"><a
href="#bridge-router">Combination Router/Bridge</a></span></dt><dt><span
class="section"><a href="#veth">Using Back-to-back veth Devices to Interface
with a Bridge</a></span></dt><dt><span class="section"><a
href="#Limitations">Limitations</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
later.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Background"></a>Background</h2></div></div></div><p>Systems where Shorewall
runs normally function as
<em class="firstterm">routers</em>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/bridge_fr.html
new/shorewall-docs-html-5.2.3.3/bridge_fr.html
--- old/shorewall-docs-html-5.2.3.1/bridge_fr.html 2019-02-26
19:01:12.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/bridge_fr.html 2019-04-12
04:08:33.000000000 +0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm34">Contexte</a></span></dt><dt><span
class="section"><a href="#idm47">Pré-requis système</a></span></dt><dt><span
class="section"><a href="#idm72">Application</a></span></dt><dt><span
class="section"><a href="#idm92">Configuration du pont</a></span></dt><dt><span
class="section"><a href="#idm151">Configuration de
Shorewall</a></span></dt><dt><span class="section"><a
href="#bridge-router">Combinaison Pont/Routeur</a></span></dt><dt><span
class="section"><a href="#idm196">Limites</a></span></dt><dt><span
class="section"><a href="#idm200">Liens</a></span></dt></dl></div><div
class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p><span class="underline">Notes du traducteur :</span>
Si vous
+ License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm34">Contexte</a></span></dt><dt><span
class="section"><a href="#idm47">Pré-requis système</a></span></dt><dt><span
class="section"><a href="#idm72">Application</a></span></dt><dt><span
class="section"><a href="#idm92">Configuration du pont</a></span></dt><dt><span
class="section"><a href="#idm151">Configuration de
Shorewall</a></span></dt><dt><span class="section"><a
href="#bridge-router">Combinaison Pont/Routeur</a></span></dt><dt><span
class="section"><a href="#idm196">Limites</a></span></dt><dt><span
class="section"><a href="#idm200">Liens</a></span></dt></dl></div><div
class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p><span class="underline">Notes du traducteur :</span>
Si vous
trouvez des erreurs ou si vous avez des améliorations à apporter à cette
documentation vous pouvez <a class="ulink" href="mailto:guy@xxxxxxxxxxxx";
target="_top">me
contacter</a>.</p></div><div class="caution" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Attention</h3><p><span
class="bold"><strong>Cet article s'applique à Shorewall 3.0 et à
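Review bot: The trailing context of this hunk still reads "Cet article s'applique à Shorewall 3.0 et à", and the French table of contents has no entries for the wildcard-port and veth sections that the English bridge page lists in the hunk before it, yet the added line moves `pubdate` to 2019/04/11. The date suggests a current page while its stated scope is an older release line. If the translation is not being revised together with the English text, leave its date alone or mark it as not maintained, so that someone setting up a bridge firewall from it knows to check the English page.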
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/configuration_file_basics.htm
new/shorewall-docs-html-5.2.3.3/configuration_file_basics.htm
--- old/shorewall-docs-html-5.2.3.1/configuration_file_basics.htm
2019-02-26 19:01:14.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/configuration_file_basics.htm
2019-04-12 04:08:35.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm22">Introduction</a></span></dt><dt><span
class="section"><a href="#Files">Files</a></span></dt><dt><span
class="section"><a href="#Manpages">Man Pages</a></span></dt><dt><span
class="section"><a href="#Comments">Comments</a></span></dt><dt><span
class="section"><a href="#Names">Names</a></span></dt><dt><span
class="section"><a href="#idm205">Zone and Chain Names</a></span></dt><dt><span
class="section"><a href="#capabilities">Capabilities</a></span></dt><dt><span
class="section"><a href="#BlankColumn">"Blank" Columns</a></span></dt><dt><span
class="section"><a href="#Continuation">Line
Continuation</a></span></dt><dt><span class="section"><a
href="#Pairs">Alternate Specification of Column Values - Shorewall 4.4.24 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm22">Introduction</a></span></dt><dt><span
class="section"><a href="#Files">Files</a></span></dt><dt><span
class="section"><a href="#Manpages">Man Pages</a></span></dt><dt><span
class="section"><a href="#Comments">Comments</a></span></dt><dt><span
class="section"><a href="#Names">Names</a></span></dt><dt><span
class="section"><a href="#idm205">Zone and Chain Names</a></span></dt><dt><span
class="section"><a href="#capabilities">Capabilities</a></span></dt><dt><span
class="section"><a href="#BlankColumn">"Blank" Columns</a></span></dt><dt><span
class="section"><a href="#Continuation">Line
Continuation</a></span></dt><dt><span class="section"><a
href="#Pairs">Alternate Specification of Column Values - Shorewall 4.4.24 and
Later</a></span></dt><dt><span class="section"><a href="#idm401">Using
Netfilter Features not Directly Supported by
Shorewall</a></span></dt><dt><span class="section"><a
href="#idm429">Addresses</a></span></dt><dt><span class="section"><a
href="#SOURCE-DEST">Specifying SOURCE and DEST</a></span></dt><dt><span
class="section"><a href="#INCLUDE">INCLUDE Directive</a></span></dt><dt><span
class="section"><a href="#idm585">?FORMAT Directive</a></span></dt><dt><span
class="section"><a href="#idm617">?COMMENT Directive</a></span></dt><dt><span
class="section"><a href="#CONFIG_PATH">CONFIG_PATH</a></span></dt><dt><span
class="section"><a href="#Variables">Using Shell
Variables</a></span></dt><dt><span class="section"><a
href="#AddressVariables">Address Variables</a></span></dt><dt><span
class="section"><a href="#Port_Variables">Port
Variables</a></span></dt><dt><span class="section"><a
href="#ActionVariables">Action Variables</a></span></dt><dt><span
class="section"><a href="#ShorewallVariables">Shorewall
Variables</a></span></dt><dt><span class="section"><a
href="#Conditional">Conditional Entries</a></span></dt><dt><span
class="section"><a href="#Embedded">Embedded Shell and
Perl</a></span></dt><dt><span class="section"><a href="#dnsnames">Using DNS
Names</a></span></dt><dt><span class="section"><a href="#Lists">Comma-separated
Lists</a></span></dt><dt><span class="section"><a
href="#Compliment">Complementing an Address, Subnet, Protocol or Port
List</a></span></dt><dt><span class="section"><a href="#Exclusion">Exclusion
Lists</a></span></dt><dt><span class="section"><a href="#IPRanges">IP Address
Ranges</a></span></dt><dt><span class="section"><a href="#Ports">Protocol
Number/Names and Port Numbers/Service Names</a></span></dt><dt><span
class="section"><a href="#Ranges">Port Ranges</a></span></dt><dt><span
class="section"><a href="#Portlists">Port Lists</a></span></dt><dt><span
class="section"><a href="#ICMP">ICMP and ICMP6 Types and
Codes</a></span></dt><dt><span class="section"><a href="#MAC">Using MAC
Addresses</a></span></dt><dt><span class="section"><a href="#RateLimit">Rate
Limiting (Rate and Burst)</a></span></dt><dt><span class="section"><a
href="#TIME">TIME Columns</a></span></dt><dt><span class="section"><a
href="#Switches">Switches</a></span></dt><dt><span class="section"><a
href="#Logical">Logical Interface Names</a></span></dt><dt><span
class="section"><a href="#idm1549">Optional and Required
Interfaces</a></span></dt><dt><span class="section"><a href="#Levels">Shorewall
Configurations</a></span></dt><dt><span class="section"><a href="#Save">Saved
Configurations</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 5.0 and
later. If you are running a version of Shorewall earlier than Shorewall
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/dhcp.htm
new/shorewall-docs-html-5.2.3.3/dhcp.htm
--- old/shorewall-docs-html-5.2.3.1/dhcp.htm 2019-02-26 19:01:14.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/dhcp.htm 2019-04-12 04:08:35.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Firewall">If you want to Run a DHCP Server on your
firewall</a></span></dt><dt><span class="section"><a href="#Client">If a
Firewall Interface gets its IP Address via DHCP</a></span></dt><dt><span
class="section"><a href="#Bridge">If you wish to pass DHCP requests and
responses through a
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Firewall">If you want to Run a DHCP Server on your
firewall</a></span></dt><dt><span class="section"><a href="#Client">If a
Firewall Interface gets its IP Address via DHCP</a></span></dt><dt><span
class="section"><a href="#Bridge">If you wish to pass DHCP requests and
responses through a
bridge</a></span></dt><dt><span class="section"><a href="#Relay">Running
dhcrelay on the firewall</a></span></dt></dl></div><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p>For most operations, DHCP software interfaces to the
Linux IP stack
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <span class="quote">“<span
class="quote">dhcp</span>”</span>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/fallback.htm
new/shorewall-docs-html-5.2.3.3/fallback.htm
--- old/shorewall-docs-html-5.2.3.1/fallback.htm 2019-02-26
19:01:17.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/fallback.htm 2019-04-12
04:08:38.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Tarball">Falling Back to the Previous Version of
Shorewall using the
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Tarball">Falling Back to the Previous Version of
Shorewall using the
Fallback Script</a></span></dt><dt><span class="section"><a
href="#RPM">Falling Back to the Previous Version of Shorewall using
rpm</a></span></dt><dt><span class="section"><a href="#Uninstall">Uninstalling
Shorewall</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Tarball"></a>Falling Back to the Previous Version of Shorewall using the
Fallback Script</h2></div></div></div><p>If you install Shorewall and
discover that it doesn't work for you,
you can fall back to your previously installed version. To do
that:</p><div class="itemizedlist"><ul class="itemizedlist"
style="list-style-type: disc; "><li class="listitem"><p>cd to the distribution
directory for the version of Shoreline
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ipsets.html
new/shorewall-docs-html-5.2.3.3/ipsets.html
--- old/shorewall-docs-html-5.2.3.1/ipsets.html 2019-02-26 19:01:24.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/ipsets.html 2019-04-12 04:08:45.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Ipsets">What are Ipsets?</a></span></dt><dt><span
class="section"><a href="#Support">Shorewall Support for
Ipsets</a></span></dt><dt><span class="section"><a href="#idm85">Shorewall6 and
Shorewall-init Support for Ipsets</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Ipsets">What are Ipsets?</a></span></dt><dt><span
class="section"><a href="#Support">Shorewall Support for
Ipsets</a></span></dt><dt><span class="section"><a href="#idm85">Shorewall6 and
Shorewall-init Support for Ipsets</a></span></dt></dl></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation appropriate for your
version.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Ipsets"></a>What are Ipsets?</h2></div></div></div><p>Ipsets are an
extension to Netfilter/iptables that are available in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/kernel.htm
new/shorewall-docs-html-5.2.3.3/kernel.htm
--- old/shorewall-docs-html-5.2.3.1/kernel.htm 2019-02-26 19:01:25.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/kernel.htm 2019-04-12 04:08:46.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Network">Network Options
Configuration</a></span></dt><dt><span class="section"><a
href="#Netfilter">Netfilter Configuration</a></span></dt><dt><span
class="section"><a href="#Netfilter-2.6">Kernel 2.6 Netfilter
Options</a></span></dt><dt><span class="section"><a
href="#Kernel-2.6.16">Kernel 2.6.16 and Later Netfilter
Options</a></span></dt><dt><span class="section"><a href="#v2.6.20">Kernel
2.6.20 and Later Netfilter Options</a></span></dt><dt><span class="section"><a
href="#v2.6.21">Minimal Configuration using Kernel 2.6.20 and
later</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Warning</h3><p><span
class="bold"><strong>This article is
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Network">Network Options
Configuration</a></span></dt><dt><span class="section"><a
href="#Netfilter">Netfilter Configuration</a></span></dt><dt><span
class="section"><a href="#Netfilter-2.6">Kernel 2.6 Netfilter
Options</a></span></dt><dt><span class="section"><a
href="#Kernel-2.6.16">Kernel 2.6.16 and Later Netfilter
Options</a></span></dt><dt><span class="section"><a href="#v2.6.20">Kernel
2.6.20 and Later Netfilter Options</a></span></dt><dt><span class="section"><a
href="#v2.6.21">Minimal Configuration using Kernel 2.6.20 and
later</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Warning</h3><p><span
class="bold"><strong>This article is
unmaintained.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Network"></a>Network Options Configuration</h2></div></div></div><p>Here's
a screen shot of my Network Options Configuration:</p><div align="center"><img
src="images/netopts.jpg" align="middle" /></div><p>While not all of the options
that I've selected are required, they
should be sufficient for most applications. Here's an excerpt from the
corresponding .config file (Note: If you are running a kernel older than
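Review bot: the pubdate bump from 2019/02/26 to 2019/04/11 is the only change in this hunk, yet the Warning a few lines further down states "This article is unmaintained", so the new date makes a page nobody has revised look freshly reviewed. Every file in this diff receives the same date, which suggests it is stamped when the documentation is built; consider taking pubdate from the article source's last real edit, or leaving the date out of articles marked unmaintained.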
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/netmap.html
new/shorewall-docs-html-5.2.3.3/netmap.html
--- old/shorewall-docs-html-5.2.3.1/netmap.html 2019-02-26 19:01:31.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/netmap.html 2019-04-12 04:08:52.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Why">Why use Network Mapping</a></span></dt><dt><span
class="section"><a href="#Solution">Solution</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm109">If you are running Shorewall 4.4.22 or
Earlier</a></span></dt><dt><span class="section"><a href="#idm170">If you are
running Shorewall 4.4.23 or Later</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm181">IPv6</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Why"></a>Why use Network
Mapping</h2></div></div></div><p>Network Mapping is most often used to resolve
IP address conflicts.
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Why">Why use Network Mapping</a></span></dt><dt><span
class="section"><a href="#Solution">Solution</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm109">If you are running Shorewall 4.4.22 or
Earlier</a></span></dt><dt><span class="section"><a href="#idm170">If you are
running Shorewall 4.4.23 or Later</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm181">IPv6</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Why"></a>Why use Network
Mapping</h2></div></div></div><p>Network Mapping is most often used to resolve
IP address conflicts.
Suppose that two organizations, A and B, need to be linked and that both
organizations have allocated the 192.168.1.0/24 subnetwork. There is a
need to connect the two networks so that all systems in A can access the
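Review bot: the removed and added lines in this hunk differ only in the pubdate (2019/02/26 to 2019/04/11); the table of contents and the opening of "Why use Network Mapping" are re-emitted unchanged because they share one long generated line with the date. For a bugfix update from 5.2.3.1 to 5.2.3.3 this buries any real documentation change under date churn, so either have the generator put pubdate on a line of its own or leave the docs-html tree out of the package diff.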
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ping.html
new/shorewall-docs-html-5.2.3.3/ping.html
--- old/shorewall-docs-html-5.2.3.1/ping.html 2019-02-26 19:01:33.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/ping.html 2019-04-12 04:08:55.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Ping">'Ping'
Management</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Ping">'Ping'
Management</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Enabling <span
class="quote">“<span class="quote">ping</span>”</span> will also enable
ICMP-based
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/ports.htm
new/shorewall-docs-html-5.2.3.3/ports.htm
--- old/shorewall-docs-html-5.2.3.1/ports.htm 2019-02-26 19:01:34.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/ports.htm 2019-04-12 04:08:55.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div><div><div class="abstract"><p
class="title"><strong>Abstract</strong></p><p>In addition to those applications
described in the
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div><div><div class="abstract"><p
class="title"><strong>Abstract</strong></p><p>In addition to those applications
described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.</p></div></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Notes">Important Notes</a></span></dt><dt><span
class="section"><a href="#Auth">Auth (identd)</a></span></dt><dt><span
class="section"><a href="#BT">BitTorrent</a></span></dt><dt><span
class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a
href="#Emule">Emule</a></span></dt><dt><span class="section"><a
href="#FTP">FTP</a></span></dt><dt><span class="section"><a
href="#Gnutella">Gnutella</a></span></dt><dt><span class="section"><a
href="#ICQ">ICQ/AIM</a></span></dt><dt><span class="section"><a
href="#IMAP">IMAP</a></span></dt><dt><span class="section"><a
href="#IPSEC">IPsec</a></span></dt><dt><span class="section"><a
href="#LDAP">LDAP</a></span></dt><dt><span class="section"><a
href="#MySQL"><span class="trademark">My\SQL</span>™</a></span></dt><dt><span
class="section"><a href="#NFS">NFS</a></span></dt><dt><span class="section"><a
href="#NTP">NTP (Network Time Protocol)</a></span></dt><dt><span
class="section"><a href="#PCA"><span
class="trademark">PCAnywhere</span>™</a></span></dt><dt><span
class="section"><a href="#POP3">POP3</a></span></dt><dt><span
class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span
class="section"><a href="#Rdate">rdate</a></span></dt><dt><span
class="section"><a href="#rsync">rsync</a></span></dt><dt><span
class="section"><a href="#Siproxd">Siproxd</a></span></dt><dt><span
class="section"><a href="#SSH">SSH/SFTP</a></span></dt><dt><span
class="section"><a href="#SMB">SMB/NMB (Samba/<span
class="trademark">Windows</span>™ Browsing/File
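Review bot: the MySQL entry in the table of contents that follows the date line reads <span class="trademark">My\SQL</span>, which looks like a stray backslash carried through the regeneration unchanged. It needs to be corrected in the article source for ports.htm rather than in the generated HTML, otherwise the next rebuild restores it.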
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/quotes.htm
new/shorewall-docs-html-5.2.3.3/quotes.htm
--- old/shorewall-docs-html-5.2.3.1/quotes.htm 2019-02-26 19:01:36.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/quotes.htm 2019-04-12 04:08:57.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Quotes">What Users are
saying...</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Quotes"></a>What Users are saying...</h2></div></div></div><div
class="blockquote"><table border="0" class="blockquote" style="width: 100%;
cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%"
valign="top"> </td><td width="80%" valign="top"><p><span class="emphasis"><em>I
want to say that Shorewall documentation is the best
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Quotes">What Users are
saying...</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Quotes"></a>What Users are saying...</h2></div></div></div><div
class="blockquote"><table border="0" class="blockquote" style="width: 100%;
cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%"
valign="top"> </td><td width="80%" valign="top"><p><span class="emphasis"><em>I
want to say that Shorewall documentation is the best
I've ever found on the net. It's helped me a lot in understanding how
network is working. It is the best of breed. It contains not only
Shorewall specific topics with the assumption that all the rest is well
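Review bot: the blockquote table in this hunk carries style="width: 100%; cellspacing: 0; cellpadding: 0;", but cellspacing and cellpadding are HTML table attributes, not CSS properties, so browsers ignore both declarations. If the spacing matters, set border-spacing on the table and padding on the cells in the stylesheet that generates this markup.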
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/samba.htm
new/shorewall-docs-html-5.2.3.3/samba.htm
--- old/shorewall-docs-html-5.2.3.1/samba.htm 2019-02-26 19:01:36.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/samba.htm 2019-04-12 04:08:58.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><p>If you wish to run Samba on your
firewall and access shares between
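Review bot: the Caution in this hunk says the article "applies to Shorewall 4.3 and later" and then sends anyone running a version "earlier than Shorewall 4.3.5" to other documentation, which leaves 4.3.0 through 4.3.4 covered by both statements. The same wording appears in the extension scripts, logging and prerequisites hunks of this diff; pick one cut-off version and use it in both sentences of the source.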
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/shorewall_extension_scripts.htm
new/shorewall-docs-html-5.2.3.3/shorewall_extension_scripts.htm
--- old/shorewall-docs-html-5.2.3.1/shorewall_extension_scripts.htm
2019-02-26 19:01:40.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_extension_scripts.htm
2019-04-12 04:09:01.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Scripts">Extension
Scripts</a></span></dt><dd><dl><dt><span class="section"><a
href="#Perl">Compile-time vs Run-time
Scripts</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Scripts">Extension
Scripts</a></span></dt><dd><dl><dt><span class="section"><a
href="#Perl">Compile-time vs Run-time
Scripts</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Scripts"></a>Extension Scripts</h2></div></div></div><p>Extension scripts
are user-provided scripts that are invoked at
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/shorewall_features.htm
new/shorewall-docs-html-5.2.3.3/shorewall_features.htm
--- old/shorewall-docs-html-5.2.3.1/shorewall_features.htm 2019-02-26
19:01:40.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_features.htm 2019-04-12
04:09:01.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Features">Features</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Features"></a>Features</h2></div></div></div><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>Uses Netfilter's connection tracking facilities for
stateful
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Features">Features</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Features"></a>Features</h2></div></div></div><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>Uses Netfilter's connection tracking facilities for
stateful
packet filtering.</p></li><li class="listitem"><p>Can be used in<span
class="bold"><strong> a wide range of
router/firewall/gateway applications</strong></span> .</p><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle;
"><li class="listitem"><p>Completely customizable using configuration
files.</p></li><li class="listitem"><p>No limit on the number of network
interfaces.</p></li><li class="listitem"><p>Allows you to partition the network
into <a class="ulink" href="manpages/shorewall-zones.html"
target="_top">zones</a> and gives you
complete control over the connections permitted between each pair
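Review bot: in the second list item the bold span has its spaces on the wrong side of the tags: "Can be used in<span class="bold"><strong> a wide range of" opens with no space before the span, and "applications</strong></span> ." closes with a space before the full stop. Move the leading space outside the opening tag and drop the one before the period in the source, so the regenerated page stops reproducing it.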
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/shorewall_logging.html
new/shorewall-docs-html-5.2.3.3/shorewall_logging.html
--- old/shorewall-docs-html-5.2.3.1/shorewall_logging.html 2019-02-26
19:01:41.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_logging.html 2019-04-12
04:09:02.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Log">How to Log Traffic Through a Shorewall
Firewall</a></span></dt><dt><span class="section"><a href="#Where">Where the
Traffic is Logged and How to Change the
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Log">How to Log Traffic Through a Shorewall
Firewall</a></span></dt><dt><span class="section"><a href="#Where">Where the
Traffic is Logged and How to Change the
Destination</a></span></dt><dd><dl><dt><span class="section"><a
href="#Levels">Syslog Levels</a></span></dt><dt><span class="section"><a
href="#ULOG">Configuring a Separate Log for Shorewall Messages
(ulogd)</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm176">Log Backends</a></span></dt><dt><span class="section"><a
href="#Syslog-ng">Syslog-ng</a></span></dt><dt><span class="section"><a
href="#Contents">Understanding the Contents of Shorewall Log
Messages</a></span></dt><dt><span class="section"><a href="#idm214">Customizing
the Content of Shorewall Log Messages</a></span></dt><dd><dl><dt><span
class="section"><a href="#LogTags">Log Tags</a></span></dt><dt><span
class="section"><a href="#idm223">LOGTAGONLY</a></span></dt><dt><span
class="section"><a href="#idm237">Log Levels in
shorewall[6].conf</a></span></dt></dl></dd><dt><span class="section"><a
href="#idm243">Some Additional Thoughts on Logging (by Bill
Shirley)</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
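Review bot: several table-of-contents targets in this hunk look like generated ids (#idm176 for Log Backends, #idm214, #idm223 for LOGTAGONLY, #idm237, #idm243) while the neighbouring sections have named anchors (#Levels, #ULOG, #Syslog-ng, #LogTags). Generated ids can shift whenever a section is added or reordered, which breaks deep links into the logging documentation; give these sections explicit ids in the source so the anchors stay stable across rebuilds.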
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/shorewall_prerequisites.htm
new/shorewall-docs-html-5.2.3.3/shorewall_prerequisites.htm
--- old/shorewall-docs-html-5.2.3.1/shorewall_prerequisites.htm 2019-02-26
19:01:42.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_prerequisites.htm 2019-04-12
04:09:03.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Requirements">Shorewall
Requires:</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Requirements">Shorewall
Requires:</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Requirements"></a>Shorewall Requires:</h2></div></div></div><div
class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc;
"><li class="listitem"><p>A <span class="bold"><strong>Linux</strong></span>
kernel that supports
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/shorewall_quickstart_guide.htm
new/shorewall-docs-html-5.2.3.3/shorewall_quickstart_guide.htm
--- old/shorewall-docs-html-5.2.3.1/shorewall_quickstart_guide.htm
2019-02-26 19:01:42.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_quickstart_guide.htm
2019-04-12 04:09:03.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Before">Before You Start</a></span></dt><dt><span
class="section"><a href="#Guides">The Guides</a></span></dt><dd><dl><dt><span
class="section"><a href="#Single">If you want the firewall system to handle a
<span class="bold"><strong>single public IP
address</strong></span></a></span></dt><dt><span class="section"><a
href="#Multi">If you want the firewall system to handle more than one public IP
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Before">Before You Start</a></span></dt><dt><span
class="section"><a href="#Guides">The Guides</a></span></dt><dd><dl><dt><span
class="section"><a href="#Single">If you want the firewall system to handle a
<span class="bold"><strong>single public IP
address</strong></span></a></span></dt><dt><span class="section"><a
href="#Multi">If you want the firewall system to handle more than one public IP
address</a></span></dt></dl></dd></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>Do not attempt to
install Shorewall on a
remote system. You are virtually assured to lock yourself out of that
system.</strong></span></p></div><p>With thanks to Richard who reminded me
once again that we must all
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/shorewall_setup_guide.htm
new/shorewall-docs-html-5.2.3.3/shorewall_setup_guide.htm
--- old/shorewall-docs-html-5.2.3.1/shorewall_setup_guide.htm 2019-02-26
19:01:44.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_setup_guide.htm 2019-04-12
04:09:05.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#Interfaces">Network
Interfaces</a></span></dt><dt><span class="section"><a
href="#Addressing">Addressing, Subnets and
Routing</a></span></dt><dd><dl><dt><span class="section"><a
href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a
href="#Subnets">Subnets</a></span></dt><dt><span class="section"><a
href="#Routing">Routing</a></span></dt><dt><span class="section"><a
href="#ARP">Address Resolution Protocol (ARP)</a></span></dt><dt><span
class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span
class="section"><a href="#Options">Setting Up Your
Network</a></span></dt><dd><dl><dt><span class="section"><a
href="#Routed">Routed</a></span></dt><dt><span class="section"><a
href="#NonRouted">Non-routed</a></span></dt><dd><dl><dt><span
class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span
class="section"><a href="#dnat">DNAT</a></span></dt><dt><span
class="section"><a href="#ProxyARP">Proxy ARP</a></span></dt><dt><span
class="section"><a href="#NAT">One-to-one
NAT</a></span></dt></dl></dd><dt><span class="section"><a
href="#Rules">Rules</a></span></dt><dt><span class="section"><a
href="#OddsAndEnds">Odds and Ends</a></span></dt></dl></dd><dt><span
class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a
href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span
class="section"><a href="#StartingAndStopping">Starting and Stopping the
Firewall</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 3.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#Interfaces">Network
Interfaces</a></span></dt><dt><span class="section"><a
href="#Addressing">Addressing, Subnets and
Routing</a></span></dt><dd><dl><dt><span class="section"><a
href="#Addresses">IP Addresses</a></span></dt><dt><span class="section"><a
href="#Subnets">Subnets</a></span></dt><dt><span class="section"><a
href="#Routing">Routing</a></span></dt><dt><span class="section"><a
href="#ARP">Address Resolution Protocol (ARP)</a></span></dt><dt><span
class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span
class="section"><a href="#Options">Setting Up Your
Network</a></span></dt><dd><dl><dt><span class="section"><a
href="#Routed">Routed</a></span></dt><dt><span class="section"><a
href="#NonRouted">Non-routed</a></span></dt><dd><dl><dt><span
class="section"><a href="#SNAT">SNAT</a></span></dt><dt><span
class="section"><a href="#dnat">DNAT</a></span></dt><dt><span
class="section"><a href="#ProxyARP">Proxy ARP</a></span></dt><dt><span
class="section"><a href="#NAT">One-to-one
NAT</a></span></dt></dl></dd><dt><span class="section"><a
href="#Rules">Rules</a></span></dt><dt><span class="section"><a
href="#OddsAndEnds">Odds and Ends</a></span></dt></dl></dd><dt><span
class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a
href="#Other">Some Things to Keep in Mind</a></span></dt><dt><span
class="section"><a href="#StartingAndStopping">Starting and Stopping the
Firewall</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Introduction"></a>Introduction</h2></div></div></div><p>This guide is
intended for users who are setting up Shorewall in an
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/shorewall_setup_guide_fr.htm
new/shorewall-docs-html-5.2.3.3/shorewall_setup_guide_fr.htm
--- old/shorewall-docs-html-5.2.3.1/shorewall_setup_guide_fr.htm
2019-02-26 19:01:43.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/shorewall_setup_guide_fr.htm
2019-04-12 04:09:04.000000000 +0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span
class="section"><a href="#Concepts">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a
href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span
class="section"><a href="#Addressing">Adressage, Sous-réseaux et
Routage</a></span></dt><dd><dl><dt><span class="section"><a
href="#Addresses">Adressage IP</a></span></dt><dt><span class="section"><a
href="#Subnets">Sous-réseaux</a></span></dt><dt><span class="section"><a
href="#Routing">Routage</a></span></dt><dt><span class="section"><a
href="#idm622">Protocole de Résolution d'Adresse (ARP)</a></span></dt><dt><span
class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span
class="section"><a href="#Options">Configurer votre
Réseau</a></span></dt><dd><dl><dt><span class="section"><a
href="#Routed">Routé</a></span></dt><dt><span class="section"><a
href="#NonRouted">Non routé</a></span></dt><dd><dl><dt><span class="section"><a
href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a
href="#dnat">DNAT</a></span></dt><dt><span class="section"><a
href="#ProxyARP">Proxy ARP</a></span></dt><dt><span class="section"><a
href="#idm891">NAT un-à-un</a></span></dt></dl></dd><dt><span
class="section"><a href="#Rules">Règles</a></span></dt><dt><span
class="section"><a href="#OddsAndEnds">D'autres petites
choses</a></span></dt></dl></dd><dt><span class="section"><a
href="#DNS">DNS</a></span></dt><dt><span class="section"><a
href="#idm1058">Quelques Points à Garder en Mémoire</a></span></dt><dt><span
class="section"><a href="#idm1086">Démarrer et Arrêter Votre
Firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Le
+ License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#Introduction">Introduction</a></span></dt><dt><span
class="section"><a href="#Concepts">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a
href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span
class="section"><a href="#Addressing">Adressage, Sous-réseaux et
Routage</a></span></dt><dd><dl><dt><span class="section"><a
href="#Addresses">Adressage IP</a></span></dt><dt><span class="section"><a
href="#Subnets">Sous-réseaux</a></span></dt><dt><span class="section"><a
href="#Routing">Routage</a></span></dt><dt><span class="section"><a
href="#idm622">Protocole de Résolution d'Adresse (ARP)</a></span></dt><dt><span
class="section"><a href="#RFC1918">RFC 1918</a></span></dt></dl></dd><dt><span
class="section"><a href="#Options">Configurer votre
Réseau</a></span></dt><dd><dl><dt><span class="section"><a
href="#Routed">Routé</a></span></dt><dt><span class="section"><a
href="#NonRouted">Non routé</a></span></dt><dd><dl><dt><span class="section"><a
href="#SNAT">SNAT</a></span></dt><dt><span class="section"><a
href="#dnat">DNAT</a></span></dt><dt><span class="section"><a
href="#ProxyARP">Proxy ARP</a></span></dt><dt><span class="section"><a
href="#idm891">NAT un-à-un</a></span></dt></dl></dd><dt><span
class="section"><a href="#Rules">Règles</a></span></dt><dt><span
class="section"><a href="#OddsAndEnds">D'autres petites
choses</a></span></dt></dl></dd><dt><span class="section"><a
href="#DNS">DNS</a></span></dt><dt><span class="section"><a
href="#idm1058">Quelques Points à Garder en Mémoire</a></span></dt><dt><span
class="section"><a href="#idm1086">Démarrer et Arrêter Votre
Firewall</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Le
traduction initiale a été réalisée par <a class="ulink"
href="mailto:fd03x@xxxxxxxxxx"; target="_top">Fabien Demassieux</a>. J'ai assuré
la
révision pour l'adapter à la version 3 de Shorewall. Si vous trouvez des
erreurs ou des améliorations à y apporter vous pouvez <a class="ulink"
href="mailto:guy@xxxxxxxxxxxx"; target="_top">me contacter</a>.</p></div><div
class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Attention</h3><p><span class="bold"><strong>Cet article
s'applique à Shorewall 3.0 et à
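
Review bot: the pubdate on the changed line moves to 2019/04/11 while the caution in the trailing context still reads "Cet article s'applique à Shorewall 3.0", in documentation packaged with 5.2.3.3. A fresh date on a page whose text still targets 3.0 makes the firewall guidance look current when its own scope statement says otherwise; keep the translation's own revision date, or state on the page which release it was last checked against.
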
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/simple_traffic_shaping.html
new/shorewall-docs-html-5.2.3.3/simple_traffic_shaping.html
--- old/shorewall-docs-html-5.2.3.1/simple_traffic_shaping.html 2019-02-26
19:01:45.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/simple_traffic_shaping.html 2019-04-12
04:09:06.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Introduction</a></span></dt><dt><span
class="section"><a href="#idm37">Enabling Simple Traffic
Shaping</a></span></dt><dt><span class="section"><a href="#idm61">Customizing
Simple Traffic Shaping</a></span></dt><dt><span class="section"><a
href="#idm107">Combined IPv4/IPv6 Simple TC
Configuration</a></span></dt><dt><span class="section"><a
href="#idm129">Additional Reading</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm17"></a>Introduction</h2></div></div></div><p>Traffic shaping and
control was originally introduced into Shorewall
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm17">Introduction</a></span></dt><dt><span
class="section"><a href="#idm37">Enabling Simple Traffic
Shaping</a></span></dt><dt><span class="section"><a href="#idm61">Customizing
Simple Traffic Shaping</a></span></dt><dt><span class="section"><a
href="#idm107">Combined IPv4/IPv6 Simple TC
Configuration</a></span></dt><dt><span class="section"><a
href="#idm129">Additional Reading</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm17"></a>Introduction</h2></div></div></div><p>Traffic shaping and
control was originally introduced into Shorewall
in version 2.2.5. That facility was based on Arne Bernin's
<em class="firstterm">tc4shorewall</em> and is generally felt to be complex
and difficult to use.</p><p>In Shorewall 4.4.6, a second traffic shaping
facility that is simple
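
Review bot: the removed and added lines differ only in the pubdate value (2019/02/26 to 2019/04/11), but because the generated HTML keeps the license link, the pubdate and the whole table of contents on one physical line, the hunk repeats about a dozen wrapped lines of identical markup on each side. Emitting the date on its own line in the generated docs, or filtering date-only hunks out of the commit mail, would let a reviewer see whether any documentation text actually changed.
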
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/standalone.htm
new/shorewall-docs-html-5.2.3.3/standalone.htm
--- old/shorewall-docs-html-5.2.3.1/standalone.htm 2019-02-26
19:01:46.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/standalone.htm 2019-04-12
04:09:08.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a
href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">System Requirements</a></span></dt><dt><span
class="section"><a href="#Before">Before you start</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#External">External Interface</a></span></dt><dt><span
class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span
class="section"><a href="#Logging">Logging</a></span></dt><dt><span
class="section"><a href="#Modules">Kernel Module
Loading</a></span></dt><dt><span class="section"><a href="#Open">Enabling other
Connections</a></span></dt><dt><span class="section"><a
href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span
class="section"><a href="#Problems">If it Doesn't Work</a></span></dt><dt><span
class="section"><a href="#idm388">Disabling your existing
Firewall</a></span></dt><dt><span class="section"><a href="#Other">Additional
Recommended Reading</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a
href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">System Requirements</a></span></dt><dt><span
class="section"><a href="#Before">Before you start</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#External">External Interface</a></span></dt><dt><span
class="section"><a href="#Addresses">IP Addresses</a></span></dt><dt><span
class="section"><a href="#Logging">Logging</a></span></dt><dt><span
class="section"><a href="#Modules">Kernel Module
Loading</a></span></dt><dt><span class="section"><a href="#Open">Enabling other
Connections</a></span></dt><dt><span class="section"><a
href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span
class="section"><a href="#Problems">If it Doesn't Work</a></span></dt><dt><span
class="section"><a href="#idm388">Disabling your existing
Firewall</a></span></dt><dt><span class="section"><a href="#Other">Additional
Recommended Reading</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Introduction"></a>Introduction</h2></div></div></div><p>Setting up
Shorewall on a standalone Linux system is very easy if
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/standalone_fr.html
new/shorewall-docs-html-5.2.3.3/standalone_fr.html
--- old/shorewall-docs-html-5.2.3.1/standalone_fr.html 2019-02-26
19:01:45.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/standalone_fr.html 2019-04-12
04:09:07.000000000 +0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a
href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">Pré-requis système</a></span></dt><dt><span
class="section"><a href="#Before">Avant de commencer</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a
href="#External">Interface Externe</a></span></dt><dt><span class="section"><a
href="#Addresses">Adresses IP</a></span></dt><dt><span class="section"><a
href="#Logging">Journalisation (log)</a></span></dt><dt><span
class="section"><a href="#Open">Permettre d'autres
connexions</a></span></dt><dt><span class="section"><a
href="#Starting">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span
class="section"><a href="#Problems">Si cela ne marche
pas</a></span></dt><dt><span class="section"><a href="#Other">Autres Lectures
Recommandées</a></span></dt></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Le guide
+ License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a
href="#Introduction">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">Pré-requis système</a></span></dt><dt><span
class="section"><a href="#Before">Avant de commencer</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a
href="#External">Interface Externe</a></span></dt><dt><span class="section"><a
href="#Addresses">Adresses IP</a></span></dt><dt><span class="section"><a
href="#Logging">Journalisation (log)</a></span></dt><dt><span
class="section"><a href="#Open">Permettre d'autres
connexions</a></span></dt><dt><span class="section"><a
href="#Starting">Démarrer et Arrêter Votre Firewall</a></span></dt><dt><span
class="section"><a href="#Problems">Si cela ne marche
pas</a></span></dt><dt><span class="section"><a href="#Other">Autres Lectures
Recommandées</a></span></dt></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Le guide
initial a été traduit par <a class="ulink"
href="mailto:vetsel.patrice@xxxxxxxxxx"; target="_top">VETSEL Patrice</a> et la
révision pour la version 2 de Shorewall a été effectuée par <a
class="ulink" href="mailto:fd03x@xxxxxxxxxx"; target="_top">Fabien
Demassieux</a>. J'ai assuré la
révision pour l'adapter à la version 3, puis 4 de Shorewall. Si vous
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/standalone_ru.html
new/shorewall-docs-html-5.2.3.3/standalone_ru.html
--- old/shorewall-docs-html-5.2.3.1/standalone_ru.html 2019-02-26
19:01:46.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/standalone_ru.html 2019-04-12
04:09:07.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm26">Введение</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm42">Системные требования</a></span></dt><dt><span
class="section"><a href="#idm53">Перед тем как начать</a></span></dt><dt><span
class="section"><a href="#idm72">Соглашения</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm76">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm89">Концепции Shorewall</a></span></dt><dt><span
class="section"><a href="#idm161">Внешний интерфейс</a></span></dt><dt><span
class="section"><a href="#idm199">IP-адреса</a></span></dt><dt><span
class="section"><a href="#idm229">Разрешение других
соединений</a></span></dt><dt><span class="section"><a href="#idm262">Запуск и
останов Вашего файервола</a></span></dt><dt><span class="section"><a
href="#idm303">Дополнительно рекоммендуемая литература</a></span></dt><dt><span
class="appendix"><a href="#idm307">A. История
пересмотров</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>Эта статья применима для Shorewall версии 3.0
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm26">Введение</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm42">Системные требования</a></span></dt><dt><span
class="section"><a href="#idm53">Перед тем как начать</a></span></dt><dt><span
class="section"><a href="#idm72">Соглашения</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm76">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm89">Концепции Shorewall</a></span></dt><dt><span
class="section"><a href="#idm161">Внешний интерфейс</a></span></dt><dt><span
class="section"><a href="#idm199">IP-адреса</a></span></dt><dt><span
class="section"><a href="#idm229">Разрешение других
соединений</a></span></dt><dt><span class="section"><a href="#idm262">Запуск и
останов Вашего файервола</a></span></dt><dt><span class="section"><a
href="#idm303">Дополнительно рекоммендуемая литература</a></span></dt><dt><span
class="appendix"><a href="#idm307">A. История
пересмотров</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>Эта статья применима для Shorewall версии 3.0
и выше. Если Вы работаете с более ранней версией Shorewall чем Shorewall
3.0.0, тогда смотрите документацию для этого
выпуска.</strong></span></p></div><div class="warning" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Пример файлов
конфигурации в составе Shorewall 3.0.0 и 3.0.1 был
некорректен. Первой генерируемой ошибкой была:</p><p><span
class="bold"><strong>ERROR: No Firewall Zone Defined (ОШИБКА: Не
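
Review bot: on this Russian page the generated labels stay in English ("Table of Contents" and "Caution" on the changed line, "Warning" in the trailing context), while the French pages in the same diff get "Table des matières" and "Attention". The TOC entry "Дополнительно рекоммендуемая литература" on the changed line also misspells "рекомендуемая". Both are worth fixing in the document source rather than only re-dating the page.
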
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/starting_and_stopping_shorewall.htm
new/shorewall-docs-html-5.2.3.3/starting_and_stopping_shorewall.htm
--- old/shorewall-docs-html-5.2.3.1/starting_and_stopping_shorewall.htm
2019-02-26 19:01:47.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/starting_and_stopping_shorewall.htm
2019-04-12 04:09:08.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#CLI">/sbin/shorewall and
/sbin/shorewall-lite</a></span></dt><dt><span class="section"><a
href="#Starting">Starting, Stopping and Clearing</a></span></dt><dt><span
class="section"><a href="#Init">/etc/init.d/shorewall and
/etc/init.d/shorewall-lite</a></span></dt><dt><span class="section"><a
href="#Trace">Tracing Command Execution and other Debugging
Aids</a></span></dt><dt><span class="section"><a href="#Boot">Having Shorewall
Start Automatically at Boot Time</a></span></dt><dt><span class="section"><a
href="#Saved">Saving a Working Configuration for Error Recovery and Fast
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#CLI">/sbin/shorewall and
/sbin/shorewall-lite</a></span></dt><dt><span class="section"><a
href="#Starting">Starting, Stopping and Clearing</a></span></dt><dt><span
class="section"><a href="#Init">/etc/init.d/shorewall and
/etc/init.d/shorewall-lite</a></span></dt><dt><span class="section"><a
href="#Trace">Tracing Command Execution and other Debugging
Aids</a></span></dt><dt><span class="section"><a href="#Boot">Having Shorewall
Start Automatically at Boot Time</a></span></dt><dt><span class="section"><a
href="#Saved">Saving a Working Configuration for Error Recovery and Fast
Startup</a></span></dt><dt><span class="section"><a
href="#AddDirectories">Additional Configuration
Directories</a></span></dt><dt><span class="section"><a
href="#AltConfig">Alternate Configuration Directories</a></span></dt><dt><span
class="section"><a href="#Commands">Commands</a></span></dt><dt><span
class="section"><a href="#State">Shorewall State
Diagram</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
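
Review bot: the caution in the trailing context says the article "applies to Shorewall 4.3 and later" and then redirects readers running a version "earlier than Shorewall 4.3.5", so 4.3.0 through 4.3.4 are covered by both statements. The other pages in this diff pair 4.4 with 4.4.0 and 4.0 with 4.0.0; align the two version numbers here so an administrator can tell which documentation set applies.
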
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/support.htm
new/shorewall-docs-html-5.2.3.3/support.htm
--- old/shorewall-docs-html-5.2.3.1/support.htm 2019-02-26 19:01:47.000000000
+0100
+++ new/shorewall-docs-html-5.2.3.3/support.htm 2019-04-12 04:09:08.000000000
+0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#First">Before Reporting a Problem or Asking a
Question</a></span></dt><dt><span class="section"><a href="#Guidelines">Problem
Reporting Guidelines</a></span></dt><dt><span class="section"><a
href="#Where">Where to Send your Problem Report or to Ask for
Help</a></span></dt><dt><span class="section"><a href="#Users">Subscribing to
the Users Mailing List</a></span></dt><dt><span class="section"><a
href="#Announce">Subscribing to the Announce Mailing
List</a></span></dt><dt><span class="section"><a href="#Devel">Subscribing to
the Development Mailing List</a></span></dt><dt><span class="section"><a
href="#Unsubscribe">Unsubscribing from Shorewall Mailing
Lists</a></span></dt><dt><span class="section"><a href="#Other">Other Mailing
Lists</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.0 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#First">Before Reporting a Problem or Asking a
Question</a></span></dt><dt><span class="section"><a href="#Guidelines">Problem
Reporting Guidelines</a></span></dt><dt><span class="section"><a
href="#Where">Where to Send your Problem Report or to Ask for
Help</a></span></dt><dt><span class="section"><a href="#Users">Subscribing to
the Users Mailing List</a></span></dt><dt><span class="section"><a
href="#Announce">Subscribing to the Announce Mailing
List</a></span></dt><dt><span class="section"><a href="#Devel">Subscribing to
the Development Mailing List</a></span></dt><dt><span class="section"><a
href="#Unsubscribe">Unsubscribing from Shorewall Mailing
Lists</a></span></dt><dt><span class="section"><a href="#Other">Other Mailing
Lists</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in;
margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="First"></a>Before Reporting a Problem or Asking a
Question</h2></div></div></div><p>There are a number of sources of Shorewall
information. Please try
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/survey-200603.html
new/shorewall-docs-html-5.2.3.3/survey-200603.html
--- old/shorewall-docs-html-5.2.3.1/survey-200603.html 2019-02-26
19:01:48.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/survey-200603.html 2019-04-12
04:09:09.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a
href="#Background">Background</a></span></dt><dd><dl><dt><span
class="section"><a href="#Survey">Survey and results
links</a></span></dt><dt><span class="section"><a href="#Sample">Sample
size</a></span></dt><dt><span class="section"><a href="#Factors">Other possible
inaccuracies</a></span></dt></dl></dd><dt><span class="section"><a
href="#Results">Results analysis</a></span></dt><dd><dl><dt><span
class="section"><a href="#Org">Organisations</a></span></dt><dt><span
class="section"><a href="#Users">Users</a></span></dt><dt><span
class="section"><a href="#Hardware">Hardware</a></span></dt><dt><span
class="section"><a href="#Network">Network</a></span></dt><dt><span
class="section"><a href="#Software">Software</a></span></dt><dt><span
class="section"><a href="#Comments">Comments from
users</a></span></dt></dl></dd><dt><span class="section"><a
href="#Lessons">Lessons learned about survey
technique</a></span></dt><dd><dl><dt><span class="section"><a
href="#Approach1">Treat surveys like releasing free
software</a></span></dt><dt><span class="section"><a href="#Approach2">Start
small and work towards what you want to know with specific,
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a
href="#Background">Background</a></span></dt><dd><dl><dt><span
class="section"><a href="#Survey">Survey and results
links</a></span></dt><dt><span class="section"><a href="#Sample">Sample
size</a></span></dt><dt><span class="section"><a href="#Factors">Other possible
inaccuracies</a></span></dt></dl></dd><dt><span class="section"><a
href="#Results">Results analysis</a></span></dt><dd><dl><dt><span
class="section"><a href="#Org">Organisations</a></span></dt><dt><span
class="section"><a href="#Users">Users</a></span></dt><dt><span
class="section"><a href="#Hardware">Hardware</a></span></dt><dt><span
class="section"><a href="#Network">Network</a></span></dt><dt><span
class="section"><a href="#Software">Software</a></span></dt><dt><span
class="section"><a href="#Comments">Comments from
users</a></span></dt></dl></dd><dt><span class="section"><a
href="#Lessons">Lessons learned about survey
technique</a></span></dt><dd><dl><dt><span class="section"><a
href="#Approach1">Treat surveys like releasing free
software</a></span></dt><dt><span class="section"><a href="#Approach2">Start
small and work towards what you want to know with specific,
concrete questions</a></span></dt><dt><span class="section"><a
href="#Approach3">Be prepared beforehand</a></span></dt><dt><span
class="section"><a href="#Approach4">Incrementally improve your
surveys</a></span></dt></dl></dd><dt><span class="section"><a
href="#Implications1">Possible implications for the Shorewall
project</a></span></dt><dt><span class="section"><a
href="#Implications2">Possible implications for other free software
projects</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Background"></a>Background</h2></div></div></div><p>In early March 2006, i
embarked on the journey of surveying
Shorewall users. Initially this sprang from my own curiosity: i thought
that some of the systems at work on which i use Shorewall may be bigger
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/template.html
new/shorewall-docs-html-5.2.3.3/template.html
--- old/shorewall-docs-html-5.2.3.1/template.html 2019-02-26
19:01:48.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/template.html 2019-04-12
04:09:09.000000000 +0200
@@ -5,4 +5,4 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16"></a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a></h2></div></div></div><p></p></div></div></body></html>
\ No newline at end of file
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm16"></a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a
id="idm16"></a></h2></div></div></div><p></p></div></div></body></html>
\ No newline at end of file
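
Review bot: both sides of this hunk are a page whose only section has an empty title, an empty TOC link to #idm16 and an empty paragraph, and the file ends without a trailing newline. That looks like the authoring template rather than documentation; consider excluding template.html from the docs-html tarball instead of re-dating it.
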
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/three-interface.htm
new/shorewall-docs-html-5.2.3.3/three-interface.htm
--- old/shorewall-docs-html-5.2.3.1/three-interface.htm 2019-02-26
19:01:49.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/three-interface.htm 2019-04-12
04:09:11.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#Reqs">Requirements</a></span></dt><dt><span
class="section"><a href="#Before">Before you start</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#Interfaces">Network
Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP
Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP
Masquerading (SNAT)</a></span></dt><dt><span class="section"><a
href="#Logging">Logging</a></span></dt><dt><span class="section"><a
href="#Modules">Kernel Module Loading</a></span></dt><dt><span
class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span
class="section"><a href="#DNS">Domain Name Server
(DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other
Connections</a></span></dt><dt><span class="section"><a href="#Other">Some
Things to Keep in Mind</a></span></dt><dt><span class="section"><a
href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span
class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span
class="section"><a href="#idm621">Disabling your existing
Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional
Recommended Reading</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#Reqs">Requirements</a></span></dt><dt><span
class="section"><a href="#Before">Before you start</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#Interfaces">Network
Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP
Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP
Masquerading (SNAT)</a></span></dt><dt><span class="section"><a
href="#Logging">Logging</a></span></dt><dt><span class="section"><a
href="#Modules">Kernel Module Loading</a></span></dt><dt><span
class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span
class="section"><a href="#DNS">Domain Name Server
(DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other
Connections</a></span></dt><dt><span class="section"><a href="#Other">Some
Things to Keep in Mind</a></span></dt><dt><span class="section"><a
href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span
class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span
class="section"><a href="#idm621">Disabling your existing
Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional
Recommended Reading</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>This article applies to
Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>Setting up a Linux system
as a firewall for a small network with DMZ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/three-interface_fr.html
new/shorewall-docs-html-5.2.3.3/three-interface_fr.html
--- old/shorewall-docs-html-5.2.3.1/three-interface_fr.html 2019-02-26
19:01:48.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/three-interface_fr.html 2019-04-12
04:09:10.000000000 +0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">« <span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm46">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm73">Pré-requis Système</a></span></dt><dt><span
class="section"><a href="#idm89">Avant de commencer</a></span></dt><dt><span
class="section"><a
href="#idm104">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm110">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm123">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a href="#idm208">Les
Interfaces Réseau</a></span></dt><dt><span class="section"><a
href="#idm286">Adresses IP</a></span></dt><dt><span class="section"><a
href="#idm365">IP Masquerading (SNAT)</a></span></dt><dt><span
class="section"><a href="#DNAT">Transfert de ports
(DNAT)</a></span></dt><dt><span class="section"><a href="#idm497">Service de
Noms de Domaines (DNS)</a></span></dt><dt><span class="section"><a
href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a
href="#idm598">Quelques Points à Garder en Mémoire</a></span></dt><dt><span
class="section"><a href="#idm626">Démarrer et Arrêter Votre
Firewall</a></span></dt><dt><span class="section"><a href="#idm668">Si cela ne
marche pas</a></span></dt><dt><span class="section"><a href="#idm682">Autres
Lectures Recommandées</a></span></dt></dl></div><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p><span class="underline">Notes du traducteur :</span>
Le guide
+ License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm46">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm73">Pré-requis Système</a></span></dt><dt><span
class="section"><a href="#idm89">Avant de commencer</a></span></dt><dt><span
class="section"><a
href="#idm104">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm110">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm123">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a href="#idm208">Les
Interfaces Réseau</a></span></dt><dt><span class="section"><a
href="#idm286">Adresses IP</a></span></dt><dt><span class="section"><a
href="#idm365">IP Masquerading (SNAT)</a></span></dt><dt><span
class="section"><a href="#DNAT">Transfert de ports
(DNAT)</a></span></dt><dt><span class="section"><a href="#idm497">Service de
Noms de Domaines (DNS)</a></span></dt><dt><span class="section"><a
href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a
href="#idm598">Quelques Points à Garder en Mémoire</a></span></dt><dt><span
class="section"><a href="#idm626">Démarrer et Arrêter Votre
Firewall</a></span></dt><dt><span class="section"><a href="#idm668">Si cela ne
marche pas</a></span></dt><dt><span class="section"><a href="#idm682">Autres
Lectures Recommandées</a></span></dt></dl></div><div class="note"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Note</h3><p><span class="underline">Notes du traducteur :</span>
Le guide
initial a été traduit par <a class="ulink"
href="mailto:vetsel.patrice@xxxxxxxxxx"; target="_top">VETSEL Patrice</a> et la
révision pour la version 2 de Shorewall a été effectuée par <a
class="ulink" href="mailto:fd03x@xxxxxxxxxx"; target="_top">Fabien
Demassieux</a>. J'ai assuré la
révision pour l'adapter à la version 3 de Shorewall. Si vous trouvez des
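Review bot: most TOC entries on the + line of three-interface_fr.html point at generated anchors (href="#idm46", "#idm73", "#idm89", "#idm104", "#idm110" and so on), with only #DNAT and #Open named. Ids of this form are assigned by position and shift when the document is rebuilt with added or removed content, so external deep links into the French guide are fragile. The two-interface_fr.html TOC in this same patch already uses named anchors (#System, #Conventions, #PPTP, #Concepts) for the equivalent sections; giving the three-interface sections explicit ids in the source would bring the two guides in line.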
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/three-interface_ru.html
new/shorewall-docs-html-5.2.3.3/three-interface_ru.html
--- old/shorewall-docs-html-5.2.3.1/three-interface_ru.html 2019-02-26
19:01:49.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/three-interface_ru.html 2019-04-12
04:09:10.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm48">Системные требования</a></span></dt><dt><span
class="section"><a href="#idm59">Перед тем как начать</a></span></dt><dt><span
class="section"><a href="#idm78">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm84">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm97">Концепции Shorewall</a></span></dt><dt><span
class="section"><a href="#idm180">Сетевые интерфейсы</a></span></dt><dt><span
class="section"><a href="#idm257">IP-адреса</a></span></dt><dt><span
class="section"><a href="#idm360">IP-маскарадинг
(SNAT)</a></span></dt><dt><span class="section"><a
href="#idm420">Перенаправление портов (DNAT)</a></span></dt><dt><span
class="section"><a href="#idm504">Сервер Доменных Имен (Domain Name Server -
DNS)</a></span></dt><dt><span class="section"><a href="#idm549">Другие
соединения</a></span></dt><dt><span class="section"><a href="#idm597">Что нужно
помнить</a></span></dt><dt><span class="section"><a href="#idm630">Запуск и
останов Вашего файервола</a></span></dt><dt><span class="section"><a
href="#idm678">Дополнительно рекоммендуемая
литература</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>Эта статья применима для Shorewall версии 3.0
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm48">Системные требования</a></span></dt><dt><span
class="section"><a href="#idm59">Перед тем как начать</a></span></dt><dt><span
class="section"><a href="#idm78">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm84">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm97">Концепции Shorewall</a></span></dt><dt><span
class="section"><a href="#idm180">Сетевые интерфейсы</a></span></dt><dt><span
class="section"><a href="#idm257">IP-адреса</a></span></dt><dt><span
class="section"><a href="#idm360">IP-маскарадинг
(SNAT)</a></span></dt><dt><span class="section"><a
href="#idm420">Перенаправление портов (DNAT)</a></span></dt><dt><span
class="section"><a href="#idm504">Сервер Доменных Имен (Domain Name Server -
DNS)</a></span></dt><dt><span class="section"><a href="#idm549">Другие
соединения</a></span></dt><dt><span class="section"><a href="#idm597">Что нужно
помнить</a></span></dt><dt><span class="section"><a href="#idm630">Запуск и
останов Вашего файервола</a></span></dt><dt><span class="section"><a
href="#idm678">Дополнительно рекоммендуемая
литература</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>Эта статья применима для Shorewall версии 3.0
и выше. Если Вы работаете с более ранней версией Shorewall чем Shorewall
3.0.0, тогда смотрите документацию для этого
выпуска.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm19"></a>Введение</h2></div></div></div><p>Установка Linux системы как
файервола для небольшой сети довольно
простая задача, если Вы понимаете основы и следуете
документации.</p><p>Это руководство не пытается ознакомить Вас со всеми
особенностями
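Review bot: the + line of three-interface_ru.html stamps pubdate 2019/04/11 on a page whose caution text in the trailing context still says the article applies to Shorewall 3.0 and later, while the English three-interface.htm in this same patch says 4.4 and later. The date bump makes a stale translation look current; either update the Russian text or leave its pubdate alone until it is revised. Smaller points on the same lines: "Table of Contents", "Caution" and the "Conventions" entry are left untranslated, and "рекоммендуемая" in the last TOC entry is misspelled (рекомендуемая).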
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/traffic_shaping.htm
new/shorewall-docs-html-5.2.3.3/traffic_shaping.htm
--- old/shorewall-docs-html-5.2.3.1/traffic_shaping.htm 2019-02-26
19:01:50.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/traffic_shaping.htm 2019-04-12
04:09:11.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#LinuxTC">Linux traffic shaping and
control</a></span></dt><dt><span class="section"><a href="#Kernel">Linux Kernel
Configuration</a></span></dt><dt><span class="section"><a
href="#Shorewall">Enable TC support in Shorewall</a></span></dt><dt><span
class="section"><a href="#Builtin">Using builtin traffic
shaping/control</a></span></dt><dd><dl><dt><span class="section"><a
href="#tcdevices">/etc/shorewall/tcdevices</a></span></dt><dt><span
class="section"><a
href="#tcclasses">/etc/shorewall/tcclasses</a></span></dt><dt><span
class="section"><a href="#tcrules">/etc/shorewall/mangle and
/etc/shorewall/rules</a></span></dt><dt><span class="section"><a
href="#ppp">ppp devices</a></span></dt><dt><span class="section"><a
href="#idm419">Sharing a TC configuration between Shorewall and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dt><span
class="section"><a href="#LinuxTC">Linux traffic shaping and
control</a></span></dt><dt><span class="section"><a href="#Kernel">Linux Kernel
Configuration</a></span></dt><dt><span class="section"><a
href="#Shorewall">Enable TC support in Shorewall</a></span></dt><dt><span
class="section"><a href="#Builtin">Using builtin traffic
shaping/control</a></span></dt><dd><dl><dt><span class="section"><a
href="#tcdevices">/etc/shorewall/tcdevices</a></span></dt><dt><span
class="section"><a
href="#tcclasses">/etc/shorewall/tcclasses</a></span></dt><dt><span
class="section"><a href="#tcrules">/etc/shorewall/mangle and
/etc/shorewall/rules</a></span></dt><dt><span class="section"><a
href="#ppp">ppp devices</a></span></dt><dt><span class="section"><a
href="#idm419">Sharing a TC configuration between Shorewall and
Shorewall6</a></span></dt><dt><span class="section"><a
href="#perIP">Per-IP Traffic Shaping</a></span></dt><dt><span
class="section"><a href="#Real">Real life
examples</a></span></dt><dd><dl><dt><span class="section"><a href="#idm536">A
Shorewall User's Experience</a></span></dt><dt><span class="section"><a
href="#Wondershaper">Configuration to replace
Wondershaper</a></span></dt><dt><span class="section"><a href="#simiple">A
simple setup</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a
href="#Xen">A Warning to Xen Users</a></span></dt><dt><span class="section"><a
href="#HFSC">An HFSC Example</a></span></dt><dd><dl><dt><span
class="section"><a href="#MajicNumbers">Where Did all of those Magic Numbers
come from?</a></span></dt></dl></dd><dt><span class="section"><a
href="#IFB">Intermediate Functional Block (IFB)
Devices</a></span></dt><dd><dl><dt><span class="section"><a
href="#tcfilters">/etc/shorewall/tcfilters</a></span></dt></dl></dd><dt><span
class="section"><a href="#show">Understanding the output of 'shorewall show
tc'</a></span></dt><dt><span class="section"><a href="#External">Using your own
tc script</a></span></dt><dd><dl><dt><span class="section"><a
href="#owntcstart">Replacing builtin tcstart file</a></span></dt><dt><span
class="section"><a href="#Start">Traffic control outside
Shorewall</a></span></dt></dl></dd><dt><span class="section"><a
href="#Testing">Testing Tools</a></span></dt></dl></div><div class="important"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Traffic shaping is complex and the Shorewall
community is not well
equipped to answer traffic shaping questions. So if you are the type of
person who needs "insert tab A into slot B" instructions for everything
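Review bot: two anchor ids in the TOC context after the + line of traffic_shaping.htm are misspelled, href="#simiple" for "A simple setup" and href="#MajicNumbers" for "Where Did all of those Magic Numbers come from?", and "Sharing a TC configuration between Shorewall and Shorewall6" uses the generated id #idm419. If the spellings are corrected in the source, keep the old ids as additional anchors so existing links keep resolving, and give the #idm419 section an explicit id at the same time.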
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/traffic_shaping_ru.html
new/shorewall-docs-html-5.2.3.3/traffic_shaping_ru.html
--- old/shorewall-docs-html-5.2.3.1/traffic_shaping_ru.html 2019-02-26
19:01:50.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/traffic_shaping_ru.html 2019-04-12
04:09:11.000000000 +0200
@@ -4,7 +4,7 @@
версии 1.2 или более поздней, опубликованной Free Software Foundation;
без неизменяемых разделов, без текста на верхней обложке, без текста на
нижней обложке. Копия лицензии приведена по ссылке <span
class="quote">“<span class="quote"><a class="ulink" href="GnuCopyright.htm"
target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Введение</a></span></dt><dt><span
class="section"><a href="#LinuxTC">Управление трафиком и шейпинг трафика в
Linux</a></span></dt><dt><span class="section"><a href="#Kernel">Конфигурация
ядра Linux</a></span></dt><dt><span class="section"><a
href="#Shorewall">Включение поддержки TC в Shorewall</a></span></dt><dt><span
class="section"><a href="#Builtin">Работа с встроенными функциями управления
трафиком и
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Введение</a></span></dt><dt><span
class="section"><a href="#LinuxTC">Управление трафиком и шейпинг трафика в
Linux</a></span></dt><dt><span class="section"><a href="#Kernel">Конфигурация
ядра Linux</a></span></dt><dt><span class="section"><a
href="#Shorewall">Включение поддержки TC в Shorewall</a></span></dt><dt><span
class="section"><a href="#Builtin">Работа с встроенными функциями управления
трафиком и
шейпинга</a></span></dt><dd><dl><dt><span class="section"><a
href="#tcdevices">/etc/shorewall/tcdevices</a></span></dt><dt><span
class="section"><a
href="#tcclasses">/etc/shorewall/tcclasses</a></span></dt><dt><span
class="section"><a
href="#tcrules">/etc/shorewall/tcrules</a></span></dt><dt><span
class="section"><a href="#ppp">Устройства ppp</a></span></dt><dt><span
class="section"><a href="#Real">Рабочие
примеры</a></span></dt><dd><dl><dt><span class="section"><a
href="#Wondershaper">Конфигурация для замены
Wondershaper</a></span></dt><dt><span class="section"><a
href="#simiple">Простая
конфигурация</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a
href="#Xen">Замечания для пользователей Xen</a></span></dt><dt><span
class="section"><a href="#External">Применение собственных сценариев
tc</a></span></dt><dd><dl><dt><span class="section"><a
href="#owntcstart">Замена встроенного файла tcstart</a></span></dt><dt><span
class="section"><a href="#Start">Управление трафиком, внешнее по отношению к
Shorewall</a></span></dt></dl></dd><dt><span class="section"><a
href="#Testing">Инструменты тестирования</a></span></dt></dl></div><div
class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Important</h3><p>Управление трафиком - это сложная тема, и не
следует ожидать от
сообщества Shorewall готовых ответов на возникающие в связи с этим
вопросы. Поэтому, если вам нужны готовые рецепты, как нажать кнопку, чтобы
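Review bot: the TOC on the + line of traffic_shaping_ru.html is behind the English traffic_shaping.htm in this same patch, yet it receives the same new pubdate of 2019/04/11. The Russian entry under #tcrules is still /etc/shorewall/tcrules where the English page has /etc/shorewall/mangle and /etc/shorewall/rules, and the Russian TOC has no entries for the per-IP shaping, HFSC, IFB devices, /etc/shorewall/tcfilters or 'shorewall show tc' sections. A reader following the Russian page on 5.2.3.3 will configure a file the English page no longer documents under that heading; mark the translation as outdated in its header or hold its pubdate until the content is brought up to date.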
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/troubleshoot.htm
new/shorewall-docs-html-5.2.3.3/troubleshoot.htm
--- old/shorewall-docs-html-5.2.3.1/troubleshoot.htm 2019-02-26
19:01:51.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/troubleshoot.htm 2019-04-12
04:09:12.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Start"><span class="quote">“<span
class="quote">shorewall start</span>”</span> and <span class="quote">“<span
class="quote">shorewall restart</span>”</span>
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Start"><span class="quote">“<span
class="quote">shorewall start</span>”</span> and <span class="quote">“<span
class="quote">shorewall restart</span>”</span>
Errors</a></span></dt><dt><span class="section"><a href="#Network">Your
Network Environment</a></span></dt><dt><span class="section"><a
href="#NewDevice">New Device Doesn't Work?</a></span></dt><dt><span
class="section"><a href="#Connections">Connection
Problems</a></span></dt><dt><span class="section"><a href="#Ping">Ping
Problems</a></span></dt><dt><span class="section"><a href="#Other">Some Things
to Keep in Mind</a></span></dt><dt><span class="section"><a href="#More">Other
Gotchas</a></span></dt><dt><span class="section"><a href="#Support">Still
Having Problems?</a></span></dt></dl></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Start"></a><span class="quote">“<span class="quote">shorewall
start</span>”</span> and <span class="quote">“<span class="quote">shorewall
restart</span>”</span>
Errors</h2></div></div></div><p>If the error is detected by the Shorewall
compiler, it should be
fairly obvious where the problem was found. Each error message includes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/two-interface.htm
new/shorewall-docs-html-5.2.3.3/two-interface.htm
--- old/shorewall-docs-html-5.2.3.1/two-interface.htm 2019-02-26
19:01:52.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/two-interface.htm 2019-04-12
04:09:13.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">System Requirements</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#Interfaces">Network
Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP
Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP
Masquerading (SNAT)</a></span></dt><dt><span class="section"><a
href="#Logging">Logging</a></span></dt><dt><span class="section"><a
href="#Modules">Kernel Module Loading</a></span></dt><dt><span
class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span
class="section"><a href="#DNS">Domain Name Server
(DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other
Connections</a></span></dt><dt><span class="section"><a href="#Other">Some
Things to Keep in Mind</a></span></dt><dt><span class="section"><a
href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span
class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span
class="section"><a href="#idm682">Disabling your existing
Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional
Recommended Reading</a></span></dt><dt><span class="section"><a
href="#Wireless">Adding a Wireless Segment to your Two-Interface
Firewall</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.4 and
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">System Requirements</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span
class="section"><a href="#Interfaces">Network
Interfaces</a></span></dt><dt><span class="section"><a href="#Addresses">IP
Addresses</a></span></dt><dt><span class="section"><a href="#SNAT">IP
Masquerading (SNAT)</a></span></dt><dt><span class="section"><a
href="#Logging">Logging</a></span></dt><dt><span class="section"><a
href="#Modules">Kernel Module Loading</a></span></dt><dt><span
class="section"><a href="#DNAT">Port Forwarding (DNAT)</a></span></dt><dt><span
class="section"><a href="#DNS">Domain Name Server
(DNS)</a></span></dt><dt><span class="section"><a href="#Open">Other
Connections</a></span></dt><dt><span class="section"><a href="#Other">Some
Things to Keep in Mind</a></span></dt><dt><span class="section"><a
href="#Starting">Starting and Stopping Your Firewall</a></span></dt><dt><span
class="section"><a href="#Trouble">If it Doesn't Work</a></span></dt><dt><span
class="section"><a href="#idm682">Disabling your existing
Firewall</a></span></dt><dt><span class="section"><a href="#Reading">Additional
Recommended Reading</a></span></dt><dt><span class="section"><a
href="#Wireless">Adding a Wireless Segment to your Two-Interface
Firewall</a></span></dt></dl></div><div class="caution" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span
class="bold"><strong>This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.4.0 then please see the documentation for that
release.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="Intro"></a>Introduction</h2></div></div></div><p>Setting up a Linux system
as a firewall for a small network is a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/two-interface_fr.html
new/shorewall-docs-html-5.2.3.3/two-interface_fr.html
--- old/shorewall-docs-html-5.2.3.1/two-interface_fr.html 2019-02-26
19:01:51.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/two-interface_fr.html 2019-04-12
04:09:12.000000000 +0200
@@ -17,7 +17,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <span
class="quote">« <span class="quote">
<a class="ulink" href="GnuCopyright.htm" target="_top">GNU Free
Documentation
- License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm49">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">Pré-requis Système</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a
href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span
class="section"><a href="#Adresses">Adresses IP</a></span></dt><dt><span
class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span
class="section"><a href="#DNAT">Transfert de ports
(DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Service de Noms
de Domaines (DNS)</a></span></dt><dt><span class="section"><a
href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a
href="#Logging">Journalisation (log)</a></span></dt><dt><span
class="section"><a href="#idm625">Quelques Points à Garder en
Mémoire</a></span></dt><dt><span class="section"><a href="#idm653">Démarrer et
Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a
href="#Trouble">Si cela ne marche pas</a></span></dt><dt><span
class="section"><a href="#Reading">Autres Lectures
Recommandées</a></span></dt><dt><span class="section"><a
href="#Wireless">Ajouter un Segment Sans-fil à votre Firewall à deux
+ License</a></span> »</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table des matières</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm49">Introduction</a></span></dt><dd><dl><dt><span
class="section"><a href="#System">Pré-requis Système</a></span></dt><dt><span
class="section"><a
href="#Conventions">Conventions</a></span></dt></dl></dd><dt><span
class="section"><a href="#PPTP">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#Concepts">Les Concepts de
Shorewall</a></span></dt><dt><span class="section"><a
href="#Interfaces">Interfaces Réseau</a></span></dt><dt><span
class="section"><a href="#Adresses">Adresses IP</a></span></dt><dt><span
class="section"><a href="#SNAT">IP Masquerading (SNAT)</a></span></dt><dt><span
class="section"><a href="#DNAT">Transfert de ports
(DNAT)</a></span></dt><dt><span class="section"><a href="#DNS">Service de Noms
de Domaines (DNS)</a></span></dt><dt><span class="section"><a
href="#Open">Autres Connexions</a></span></dt><dt><span class="section"><a
href="#Logging">Journalisation (log)</a></span></dt><dt><span
class="section"><a href="#idm625">Quelques Points à Garder en
Mémoire</a></span></dt><dt><span class="section"><a href="#idm653">Démarrer et
Arrêter Votre Firewall</a></span></dt><dt><span class="section"><a
href="#Trouble">Si cela ne marche pas</a></span></dt><dt><span
class="section"><a href="#Reading">Autres Lectures
Recommandées</a></span></dt><dt><span class="section"><a
href="#Wireless">Ajouter un Segment Sans-fil à votre Firewall à deux
interfaces</a></span></dt></dl></div><div class="note" style="margin-left:
0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><span
class="underline">Notes du traducteur :</span> Le guide
initial a été traduit par <a class="ulink"
href="mailto:vetsel.patrice@xxxxxxxxxx"; target="_top">VETSEL Patrice</a> et la
pour
la version 2 de Shorewall a été effectuée par <a class="ulink"
href="mailto:fd03x@xxxxxxxxxx"; target="_top">Fabien Demassieux</a>. J'ai assuré
la
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/two-interface_ru.html
new/shorewall-docs-html-5.2.3.3/two-interface_ru.html
--- old/shorewall-docs-html-5.2.3.1/two-interface_ru.html 2019-02-26
19:01:52.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/two-interface_ru.html 2019-04-12
04:09:13.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm43">Системные требования</a></span></dt><dt><span
class="section"><a href="#idm54">Перед тем как начать</a></span></dt><dt><span
class="section"><a href="#idm73">Соглашения</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm79">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm92">Концепции Shorewall</a></span></dt><dt><span
class="section"><a href="#idm175">Сетевые интерфейсы</a></span></dt><dt><span
class="section"><a href="#idm245">IP-адреса</a></span></dt><dt><span
class="section"><a href="#idm334">IP-маскарадинг
(SNAT)</a></span></dt><dt><span class="section"><a
href="#idm385">Перенаправление портов (DNAT)</a></span></dt><dt><span
class="section"><a href="#idm451">Сервер Доменных Имен (Domain Name Server -
DNS)</a></span></dt><dt><span class="section"><a href="#idm490">Другие
соединения</a></span></dt><dt><span class="section"><a href="#idm542">Что нужно
помнить</a></span></dt><dt><span class="section"><a href="#idm575">Запуск и
останов Вашего файервола</a></span></dt><dt><span class="section"><a
href="#idm622">Дополнительно рекоммендуемая литература</a></span></dt><dt><span
class="section"><a href="#idm626">Добавление сегмента беспроводной связи к
Вашему файерволу с двумя
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#idm19">Введение</a></span></dt><dd><dl><dt><span
class="section"><a href="#idm43">Системные требования</a></span></dt><dt><span
class="section"><a href="#idm54">Перед тем как начать</a></span></dt><dt><span
class="section"><a href="#idm73">Соглашения</a></span></dt></dl></dd><dt><span
class="section"><a href="#idm79">PPTP/ADSL</a></span></dt><dt><span
class="section"><a href="#idm92">Концепции Shorewall</a></span></dt><dt><span
class="section"><a href="#idm175">Сетевые интерфейсы</a></span></dt><dt><span
class="section"><a href="#idm245">IP-адреса</a></span></dt><dt><span
class="section"><a href="#idm334">IP-маскарадинг
(SNAT)</a></span></dt><dt><span class="section"><a
href="#idm385">Перенаправление портов (DNAT)</a></span></dt><dt><span
class="section"><a href="#idm451">Сервер Доменных Имен (Domain Name Server -
DNS)</a></span></dt><dt><span class="section"><a href="#idm490">Другие
соединения</a></span></dt><dt><span class="section"><a href="#idm542">Что нужно
помнить</a></span></dt><dt><span class="section"><a href="#idm575">Запуск и
останов Вашего файервола</a></span></dt><dt><span class="section"><a
href="#idm622">Дополнительно рекоммендуемая литература</a></span></dt><dt><span
class="section"><a href="#idm626">Добавление сегмента беспроводной связи к
Вашему файерволу с двумя
интерфейсами</a></span></dt></dl></div><div class="caution"
style="margin-left: 0.5in; margin-right: 0.5in;"><h3
class="title">Caution</h3><p><span class="bold"><strong>Эта статья применима
для Shorewall версии 3.0
и выше. Если Вы работаете с более ранней версией Shorewall чем Shorewall
3.0.0, тогда смотрите документацию для этого
выпуска.</strong></span></p></div><div class="section"><div
class="titlepage"><div><div><h2 class="title" style="clear: both"><a
id="idm19"></a>Введение</h2></div></div></div><p>Установка Linux системы как
файервола для небольшой сети довольно
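Review bot: the removed and added lines in this hunk differ only in the pubdate (2019/02/26 became 2019/04/11); the table of contents that follows it on the same physical line is unchanged. The same one-line change repeats in upgrade_issues.htm, useful_links.html and whitelisting_under_shorewall.htm below, so the stamp appears to be a build date, not a content date. That marks every generated page as modified and buries real documentation changes. Consider deriving pubdate from the source file's last change, or dropping it from the generated header.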
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/upgrade_issues.htm
new/shorewall-docs-html-5.2.3.3/upgrade_issues.htm
--- old/shorewall-docs-html-5.2.3.1/upgrade_issues.htm 2019-02-26
19:01:53.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/upgrade_issues.htm 2019-04-12
04:09:14.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="copyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Important">Important</a></span></dt><dt><span
class="section"><a href="#idm42">Version &gt;= 5.0.0</a></span></dt><dt><span
class="section"><a href="#idm46">Version &gt;= 4.6.0</a></span></dt><dt><span
class="section"><a href="#idm121">Versions &gt;= 4.5.0</a></span></dt><dt><span
class="section"><a href="#idm259">Versions &gt;= 4.4.0</a></span></dt><dt><span
class="section"><a href="#idm393">Versions &gt;= 4.2.0</a></span></dt><dt><span
class="section"><a href="#V4.0.0">Versions &gt;=
4.0.0-Beta7</a></span></dt><dt><span class="section"><a href="#V3.4.0">Versions
&gt;= 3.4.0-Beta1</a></span></dt><dt><span class="section"><a
href="#V3.2.0">Version &gt;= 3.2.0</a></span></dt><dt><span class="section"><a
href="#V3.0.0">Version &gt;= 3.0.0</a></span></dt><dt><span class="section"><a
href="#V2.4.0">Version &gt;= 2.4.0</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Important"></a>Important</h2></div></div></div><p>It
is important that you read all of the sections on this page where
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span
class="section"><a href="#Important">Important</a></span></dt><dt><span
class="section"><a href="#idm42">Version &gt;= 5.0.0</a></span></dt><dt><span
class="section"><a href="#idm46">Version &gt;= 4.6.0</a></span></dt><dt><span
class="section"><a href="#idm121">Versions &gt;= 4.5.0</a></span></dt><dt><span
class="section"><a href="#idm259">Versions &gt;= 4.4.0</a></span></dt><dt><span
class="section"><a href="#idm393">Versions &gt;= 4.2.0</a></span></dt><dt><span
class="section"><a href="#V4.0.0">Versions &gt;=
4.0.0-Beta7</a></span></dt><dt><span class="section"><a href="#V3.4.0">Versions
&gt;= 3.4.0-Beta1</a></span></dt><dt><span class="section"><a
href="#V3.2.0">Version &gt;= 3.2.0</a></span></dt><dt><span class="section"><a
href="#V3.0.0">Version &gt;= 3.0.0</a></span></dt><dt><span class="section"><a
href="#V2.4.0">Version &gt;= 2.4.0</a></span></dt></dl></div><div
class="section"><div class="titlepage"><div><div><h2 class="title"
style="clear: both"><a id="Important"></a>Important</h2></div></div></div><p>It
is important that you read all of the sections on this page where
the version number mentioned in the section title is later than what you
are currently running.</p><p>In the descriptions that follows, the term
<span class="emphasis"><em>group</em></span> refers to a particular
network or subnetwork
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-docs-html-5.2.3.1/useful_links.html
new/shorewall-docs-html-5.2.3.3/useful_links.html
--- old/shorewall-docs-html-5.2.3.1/useful_links.html 2019-02-26
19:01:54.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/useful_links.html 2019-04-12
04:09:15.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="GnuCopyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><div
class="informaltable"><table class="informaltable" border="0"><colgroup><col
/></colgroup><tbody valign="middle"><tr><td align="left" valign="middle">NIST
<span class="emphasis"><em>Guide on Firewalls and Firewall
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><div
class="informaltable"><table class="informaltable" border="0"><colgroup><col
/></colgroup><tbody valign="middle"><tr><td align="left" valign="middle">NIST
<span class="emphasis"><em>Guide on Firewalls and Firewall
Policy</em></span> - <a class="ulink"
href="http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf";
target="_top">http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf</a></td></tr><tr><td
align="left" valign="middle">PPPPPPPS ( or, Paul's Principles for Practical
Provision of
Packet Processing with Shorewall ) <a class="ulink"
href="http://linuxman.wikispaces.com/PPPPPPS";
target="_top">http://linuxman.wikispaces.com/PPPPPPS</a></td></tr><tr
valign="middle"><td align="left" valign="middle">Netfilter Site: <a
class="ulink" href="http://www.netfilter.org/";
target="_top">http://www.netfilter.org/</a></td></tr><tr valign="middle"><td
align="left" valign="middle">Linux Advanced Routing and Traffic Control
Howto: <a class="ulink" href="http://lartc.org/";
target="_top">http://lartc.org/</a></td></tr><tr valign="middle"><td
align="left" valign="middle">Clustering Shorewall: <a class="ulink"
href="http://linuxman.wikispaces.com/Clustering+Shorewall";
target="_top">http://linuxman.wikispaces.com/Clustering+Shorewall</a></td></tr><tr
valign="middle"><td align="left" valign="middle">Iproute Downloads: <a
class="ulink" href="https://www.kernel.org/pub/linux/utils/net/iproute2/";
target="_top">https://www.kernel.org/pub/linux/utils/net/iproute2/</a></td></tr><tr
valign="middle"><td align="left" valign="middle">LEAF Site: <a class="ulink"
href="http://leaf.sourceforge.net";
target="_top">http://leaf.sourceforge.net</a></td></tr><tr valign="middle"><td
align="left" valign="middle">Bering uClibc LEAF Distribution: <a class="ulink"
href="http://leaf.sourceforge.net/bering-uclibc/";
target="_top">http://leaf.sourceforge.net/bering-uclibc/</a></td></tr><tr
valign="middle"><td align="left" valign="middle">Iptables Tutorial: <a
class="ulink" href="https://www.frozentux.net/documents/iptables-tutorial/";
target="_top">https://www.frozentux.net/documents/iptables-tutorial/</a></td></tr><tr
valign="middle"><td align="left" valign="middle">Debian apt-get sources for
Shorewall: <a class="ulink" href="http://people.connexer.com/~roberto/debian/";
target="_top">http://people.connexer.com/~roberto/debian/</a></td></tr><tr
valign="middle"><td align="left" valign="middle">About the Shorewall Author: <a
class="ulink" href="http://www.shorewall.net/shoreline.htm";
target="_top">http://www.shorewall.net/shoreline.htm</a></td></tr><tr
valign="middle"><td align="left" valign="middle">Tom's 2005 LinuxFest NW
Presentation - "Shorewall and Native
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/shorewall-docs-html-5.2.3.1/whitelisting_under_shorewall.htm
new/shorewall-docs-html-5.2.3.3/whitelisting_under_shorewall.htm
--- old/shorewall-docs-html-5.2.3.1/whitelisting_under_shorewall.htm
2019-02-26 19:01:55.000000000 +0100
+++ new/shorewall-docs-html-5.2.3.3/whitelisting_under_shorewall.htm
2019-04-12 04:09:16.000000000 +0200
@@ -5,7 +5,7 @@
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<span class="quote">“<span class="quote"><a class="ulink"
href="copyright.htm" target="_top">GNU Free Documentation
- License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/02/26</p></div></div><hr /></div><p>White lists are most
often used to give special privileges to a set of
+ License</a></span>”</span>.</p></div></div><div><p
class="pubdate">2019/04/11</p></div></div><hr /></div><p>White lists are most
often used to give special privileges to a set of
hosts within an organization. Let us suppose that we have the following
environment:</p><div class="itemizedlist"><ul class="itemizedlist compact"
style="list-style-type: bullet; "><li class="listitem" style="list-style-type:
disc"><p>A firewall with three interfaces -- one to the Internet, one to a
local network and one to a <acronym
class="acronym">DMZ</acronym>.</p></li><li class="listitem"
style="list-style-type: disc"><p>The local network uses <acronym
class="acronym">SNAT</acronym> to the Internet and

++++++ shorewall-init-5.2.3.1.tar.bz2 -> shorewall-init-5.2.3.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/changelog.txt
new/shorewall-init-5.2.3.3/changelog.txt
--- old/shorewall-init-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-init-5.2.3.3/changelog.txt 2019-04-12 04:05:49.000000000
+0200
@@ -1,3 +1,15 @@
+Changes in 5.2.3.3
+
+1) Update release documents.
+
+2) Document fix for an ipset in the SPORT column.
+
+Changes in 5.2.3.2
+
+1) Update release documents.
+
+2) Document fix for masq file auto-update.
+
Changes in 5.2.3.1

1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/configure
new/shorewall-init-5.2.3.3/configure
--- old/shorewall-init-5.2.3.1/configure 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-init-5.2.3.3/configure 2019-04-12 04:05:49.000000000
+0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3.1
+VERSION=5.2.3.3

case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/configure.pl
new/shorewall-init-5.2.3.3/configure.pl
--- old/shorewall-init-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-init-5.2.3.3/configure.pl 2019-04-12 04:05:49.000000000
+0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3.1'
+ VERSION => '5.2.3.3'
};

my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/install.sh
new/shorewall-init-5.2.3.3/install.sh
--- old/shorewall-init-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-init-5.2.3.3/install.sh 2019-04-12 04:05:49.000000000
+0200
@@ -27,7 +27,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
#

-VERSION=5.2.3.1
+VERSION=5.2.3.3
PRODUCT=shorewall-init
Product="Shorewall Init"

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/releasenotes.txt
new/shorewall-init-5.2.3.3/releasenotes.txt
--- old/shorewall-init-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-init-5.2.3.3/releasenotes.txt 2019-04-12 04:05:49.000000000
+0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3 . 1
+ S H O R E W A L L 5 . 2 . 3 . 3
-------------------------------
- F E B R U A R Y 2 6 , 2 0 1 9
+ A P R I L 1 2 , 2 0 1 9
----------------------------------------------------------------------------

I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,6 +14,29 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------

+5.2.3.3
+
+1) Previously, if an ipset was specified in an SPORT column, the
+ compiler would raise an error similar to:
+
+ ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+
+ That has been corrected.
+
+5.2.3.2
+
+1) Shorewall 5.2 automatically converts and existing 'masq' file to an
+ equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+ automatic update, such that the following error message was issued:
+
+ Use of uninitialized value $Shorewall::Nat::raw::currentline in
+ pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+ line 511, <$currentfile> line nnn.
+
+ and the generted 'masq' file contains only initial comments.
+
+ That has been corrected.
+
5.2.3.1

1) An issue in the implementation of policy file zone exclusion,
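Review bot: two typos in the added 5.2.3.2 entry: "converts and existing 'masq' file" should read "converts an existing 'masq' file", and "generted" should read "generated". The entry also says the generated 'masq' file contains only initial comments, although its first sentence describes the conversion as producing an 'snat' file; please confirm which file is meant, since an administrator checking the result of the update needs to know which file to inspect.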
@@ -79,7 +102,7 @@
----------------------------------------------------------------------------

If you are migrating from Shorewall 4.6.x or earlier, please see
-
http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
+
http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt

Immediately after installing Shorewall 5.2.x, we recommend that you run
'shorewall[6] update'. This command will handle many of the migration
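Review bot: the replacement link moves from www.shorewall.net to www.shorewall.org but stays on plain http://. This is the pointer users follow for migration instructions on a firewall, so if the new host serves HTTPS the link should use https://. The same applies to the other .net to .org replacements in this file and in the spec URL.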
@@ -205,7 +228,7 @@
With these changes, the Drop and Reject policy actions are now
deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
- the reader to http://www.shorewall.net/Actions.html#Default.
+ the reader to http://www.shorewall.org/Actions.html#Default.

This issue is partially handled by 'shorewall update' - see
the 5.2 issues below.
@@ -863,7 +886,7 @@

6) For installing into a Sandbox, the file shorewallrc.sandbox has
been added to Shorewall-core. See
- http://www.shorewall.net/install.htm#idm327.
+ http://www.shorewall.org/install.htm#idm327.

7) The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
and has been deleted. This removal has introduced a new
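Review bot: the updated link keeps the fragment #idm327, which has the form of the auto-numbered ids seen in the generated HTML elsewhere in this commit (idm19, idm43 and so on), not a named anchor such as #Important or #V4.0.0. An auto-numbered id can change when the document is regenerated, leaving the link pointing at the wrong section. Suggest giving the sandbox section of install.htm an explicit id and linking to that.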
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/shorewall-init.spec
new/shorewall-init-5.2.3.3/shorewall-init.spec
--- old/shorewall-init-5.2.3.1/shorewall-init.spec 2019-02-26
18:58:36.000000000 +0100
+++ new/shorewall-init-5.2.3.3/shorewall-init.spec 2019-04-12
04:05:49.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-init
%define version 5.2.3
-%define release 1
+%define release 3

Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@@ -10,7 +10,7 @@
Packager: Tom Eastep <teastep@xxxxxxxxxxxxx>
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
+URL: http://www.shorewall.org/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: shoreline_firewall >= 4.5.0
@@ -135,6 +135,10 @@
%doc COPYING changelog.txt releasenotes.txt

%changelog
+* Thu Apr 11 2019 Tom Eastep tom@xxxxxxxxxxxxx
+- Updated to 5.2.3-3
+* Sun Mar 17 2019 Tom Eastep tom@xxxxxxxxxxxxx
+- Updated to 5.2.3-2
* Tue Feb 26 2019 Tom Eastep tom@xxxxxxxxxxxxx
- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@xxxxxxxxxxxxx
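Review bot: the two added %changelog entries give the address as a bare token after the name, while the Packager line in this same spec wraps it in angle brackets ("Tom Eastep <teastep@...>"). The new lines follow the existing entries, but the conventional form is "* date Name <address>", which changelog parsers expect; suggest normalising the new entries to it.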
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-init-5.2.3.1/uninstall.sh
new/shorewall-init-5.2.3.3/uninstall.sh
--- old/shorewall-init-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-init-5.2.3.3/uninstall.sh 2019-04-12 04:05:49.000000000
+0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall

-VERSION=5.2.3.1
+VERSION=5.2.3.3
PRODUCT=shorewall-init
Product="Shorewall Init"


++++++ shorewall-lite-5.2.3.1.tar.bz2 -> shorewall-lite-5.2.3.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/changelog.txt
new/shorewall-lite-5.2.3.3/changelog.txt
--- old/shorewall-lite-5.2.3.1/changelog.txt 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-lite-5.2.3.3/changelog.txt 2019-04-12 04:05:49.000000000
+0200
@@ -1,3 +1,15 @@
+Changes in 5.2.3.3
+
+1) Update release documents.
+
+2) Document fix for an ipset in the SPORT column.
+
+Changes in 5.2.3.2
+
+1) Update release documents.
+
+2) Document fix for masq file auto-update.
+
Changes in 5.2.3.1

1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/configure
new/shorewall-lite-5.2.3.3/configure
--- old/shorewall-lite-5.2.3.1/configure 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-lite-5.2.3.3/configure 2019-04-12 04:05:49.000000000
+0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.2.3.1
+VERSION=5.2.3.3

case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/configure.pl
new/shorewall-lite-5.2.3.3/configure.pl
--- old/shorewall-lite-5.2.3.1/configure.pl 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-lite-5.2.3.3/configure.pl 2019-04-12 04:05:49.000000000
+0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.2.3.1'
+ VERSION => '5.2.3.3'
};

my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/install.sh
new/shorewall-lite-5.2.3.3/install.sh
--- old/shorewall-lite-5.2.3.1/install.sh 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-lite-5.2.3.3/install.sh 2019-04-12 04:05:49.000000000
+0200
@@ -22,7 +22,7 @@
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#

-VERSION=5.2.3.1
+VERSION=5.2.3.3

usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/manpages/shorewall-lite.8
new/shorewall-lite-5.2.3.3/manpages/shorewall-lite.8
--- old/shorewall-lite-5.2.3.1/manpages/shorewall-lite.8 2019-02-11
23:50:09.000000000 +0100
+++ new/shorewall-lite-5.2.3.3/manpages/shorewall-lite.8 2019-04-12
04:07:42.000000000 +0200
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 02/11/2019
+.\" Date: 04/11/2019
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "02/11/2019" "Administrative Commands"
"Administrative Commands"
+.TH "SHOREWALL\-LITE" "8" "04/11/2019" "Administrative Commands"
"Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
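Review bot: only the date changes in this hunk, but the unchanged header still carries the placeholder "Author: [FIXME: author]" emitted by the DocBook stylesheets. Since the page is being regenerated anyway, suggest adding an author element to the DocBook source so the shipped man page names a real author.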
@@ -50,5 +50,5 @@
.IP " 1." 4
shorewall
.RS 4
-\%http://www.shorewall.net/manpages/shorewall.html
+\%http://www.shorewall.org/manpages/shorewall.html
.RE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/releasenotes.txt
new/shorewall-lite-5.2.3.3/releasenotes.txt
--- old/shorewall-lite-5.2.3.1/releasenotes.txt 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-lite-5.2.3.3/releasenotes.txt 2019-04-12 04:05:49.000000000
+0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 2 . 3 . 1
+ S H O R E W A L L 5 . 2 . 3 . 3
-------------------------------
- F E B R U A R Y 2 6 , 2 0 1 9
+ A P R I L 1 2 , 2 0 1 9
----------------------------------------------------------------------------

I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,6 +14,29 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------

+5.2.3.3
+
+1) Previously, if an ipset was specified in an SPORT column, the
+ compiler would raise an error similar to:
+
+ ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
+
+ That has been corrected.
+
+5.2.3.2
+
+1) Shorewall 5.2 automatically converts and existing 'masq' file to an
+ equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
+ automatic update, such that the following error message was issued:
+
+ Use of uninitialized value $Shorewall::Nat::raw::currentline in
+ pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
+ line 511, <$currentfile> line nnn.
+
+ and the generted 'masq' file contains only initial comments.
+
+ That has been corrected.
+
5.2.3.1

1) An issue in the implementation of policy file zone exclusion,
@@ -79,7 +102,7 @@
----------------------------------------------------------------------------

If you are migrating from Shorewall 4.6.x or earlier, please see
-
http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
+
http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt

Immediately after installing Shorewall 5.2.x, we recommend that you run
'shorewall[6] update'. This command will handle many of the migration
@@ -205,7 +228,7 @@
With these changes, the Drop and Reject policy actions are now
deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
- the reader to http://www.shorewall.net/Actions.html#Default.
+ the reader to http://www.shorewall.org/Actions.html#Default.

This issue is partially handled by 'shorewall update' - see
the 5.2 issues below.
@@ -863,7 +886,7 @@

6) For installing into a Sandbox, the file shorewallrc.sandbox has
been added to Shorewall-core. See
- http://www.shorewall.net/install.htm#idm327.
+ http://www.shorewall.org/install.htm#idm327.

7) The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
and has been deleted. This removal has introduced a new
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/shorewall-lite.spec
new/shorewall-lite-5.2.3.3/shorewall-lite.spec
--- old/shorewall-lite-5.2.3.1/shorewall-lite.spec 2019-02-26
18:58:36.000000000 +0100
+++ new/shorewall-lite-5.2.3.3/shorewall-lite.spec 2019-04-12
04:05:49.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 5.2.3
-%define release 1
+%define release 3
%define initdir /etc/init.d

Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux
systems.
@@ -11,7 +11,7 @@
Packager: Tom Eastep <teastep@xxxxxxxxxxxxx>
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
+URL: http://www.shorewall.org/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables iproute shorewall-core
@@ -114,6 +114,10 @@
%doc COPYING changelog.txt releasenotes.txt

%changelog
+* Thu Apr 11 2019 Tom Eastep tom@xxxxxxxxxxxxx
+- Updated to 5.2.3-3
+* Sun Mar 17 2019 Tom Eastep tom@xxxxxxxxxxxxx
+- Updated to 5.2.3-2
* Tue Feb 26 2019 Tom Eastep tom@xxxxxxxxxxxxx
- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@xxxxxxxxxxxxx
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/shorewall-lite-5.2.3.1/uninstall.sh
new/shorewall-lite-5.2.3.3/uninstall.sh
--- old/shorewall-lite-5.2.3.1/uninstall.sh 2019-02-26 18:58:36.000000000
+0100
+++ new/shorewall-lite-5.2.3.3/uninstall.sh 2019-04-12 04:05:49.000000000
+0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall

-VERSION=5.2.3.1
+VERSION=5.2.3.3

usage() # $1 = exit status
{

++++++ shorewall-5.2.3.1.tar.bz2 -> shorewall6-5.2.3.3.tar.bz2 ++++++
++++ 121596 lines of diff (skipped)

++++++ shorewall-lite-5.2.3.1.tar.bz2 -> shorewall6-lite-5.2.3.3.tar.bz2 ++++++
++++ 3052 lines of diff (skipped)
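Review bot: these two headers pair shorewall-5.2.3.1.tar.bz2 with shorewall6-5.2.3.3.tar.bz2 and shorewall-lite-5.2.3.1.tar.bz2 with shorewall6-lite-5.2.3.3.tar.bz2, that is, different packages, and both diffs are skipped (121596 and 3052 lines). The size suggests a comparison across products instead of a version-to-version diff, so the shorewall6 and shorewall6-lite changes cannot be reviewed from this mail. Suggest comparing each against its own 5.2.3.1 tarball so the actual delta is visible.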

