Add DNAT testing/troubleshooting tips to QuickStart Guides

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/ErrorMessages.xml

@@ -143,6 +143,18 @@
           name an executable file.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>ERROR: /var/lib/shorewall/&lt;file&gt; exists and is not a saved
+        Shorewall configuration</term>
+
+        <listitem>
+          <para>The restore file (&lt;file&gt;) specified or implied in a
+          <command>shorewall save</command> command already exists but is not
+          executable (and hence cannot be a value restore file). Either
+          remove/rename the file or specify a different file name.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </section>
 

Shorewall-docs2/IPP2P.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-09-03</pubdate>
+    <pubdate>2005-10-02</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -36,6 +36,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    3.0.0 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
   <section>
     <title>Introduction</title>
 
@@ -79,8 +86,7 @@
   </section>
 
   <section>
-    <title>Example (assumes that you are running Shorewall 2.2.0 Beta 3 or
-    later):</title>
+    <title>Example:</title>
 
     <para>Example 2 in the ipp2p documentation recommends the following
     iptables rules:</para>

Shorewall-docs2/shorewall_setup_guide.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-09-30</pubdate>
+    <pubdate>2005-10-03</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -1430,6 +1430,15 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
         You can use another of your public IP addresses (place it in the
         ORIGINAL DEST column in the rule above) but Shorewall will not add
         that address to the firewall's external interface for you.</para>
+
+        <important>
+          <para>When testing DNAT rules like those shown above, you must test
+          from a client OUTSIDE YOUR FIREWALL (in the 'net' zone). You cannot
+          test these rules from inside the firewall!</para>
+
+          <para>For DNAT troubleshooting tips, <ulink url="FAQ.htm#faq1a">see
+          FAQs 1a and 1b</ulink>.</para>
+        </important>
       </section>
 
       <section id="ProxyARP">

Shorewall-docs2/starting_and_stopping_shorewall.xml

@@ -365,13 +365,12 @@
      <command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
 
     <para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
-    specified, each time that Shorewall is going to use a file in <filename
-    class="directory">/etc/shorewall</filename> it will first look in
-    the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the file is
-    present in the <emphasis>&lt;configuration-directory&gt;,</emphasis> that
-    file will be used; otherwise, the file in <filename
-    class="directory">/etc/shorewall</filename> will be used. When changing
-    the configuration of a production firewall, I recommend the
+    specified, each time that Shorewall is going to read a file, it will first
+    look in the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the
+    file is present in the
+    <emphasis>&lt;configuration-directory&gt;,</emphasis> that file will be
+    used; otherwise, the directories in the CONFIG_PATH will be searched. When
+    changing the configuration of a production firewall, I recommend the
     following:</para>
 
     <itemizedlist>

Shorewall-docs2/three-interface.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-09-30</pubdate>
+    <pubdate>2005-10-03</pubdate>
 
     <copyright>
       <year>2002-2005</year>
@@ -689,6 +689,15 @@ DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</pr
 
     <para>At this point, add the DNAT and ACCEPT rules for your
     servers.</para>
+
+    <important>
+      <para>When testing DNAT rules like those shown above, you must test from
+      a client OUTSIDE YOUR FIREWALL (in the 'net' zone). You cannot test
+      these rules from inside the firewall!</para>
+
+      <para>For DNAT troubleshooting tips, <ulink url="FAQ.htm#faq1a">see FAQs
+      1a and 1b</ulink>.</para>
+    </important>
   </section>
 
   <section>

Shorewall-docs2/two-interface.xml

@@ -12,7 +12,7 @@
       <surname>Eastep</surname>
     </author>
 
-    <pubdate>2005-09-30</pubdate>
+    <pubdate>2005-10-03</pubdate>
 
     <copyright>
       <year>2002-</year>
@@ -642,6 +642,15 @@ DNAT       net       loc:10.10.10.2:80  tcp       5000</programlisting>
     <para>At this point, modify <filename
     class="directory">/etc/shorewall/</filename><filename>rules</filename> to
     add any <acronym>DNAT</acronym> rules that you require.</para>
+
+    <important>
+      <para>When testing DNAT rules like those shown above, you must test from
+      a client OUTSIDE YOUR FIREWALL (in the 'net' zone). You cannot test
+      these rules from inside the firewall!</para>
+
+      <para>For DNAT troubleshooting tips, <ulink url="FAQ.htm#faq1a">see FAQs
+      1a and 1b</ulink>.</para>
+    </important>
   </section>
 
   <section>