From 12c0c5b40c2d3c99beda53a7348896504ef5a8d3 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Thu, 10 Nov 2005 18:45:06 +0000
Subject: [PATCH] Add note about connections vs. packet flow in the
 multi-interface QuickStart Guides

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2986 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs2/three-interface.xml | 10 +++++++++-
 Shorewall-docs2/two-interface.xml   | 12 ++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml
index b74f25d84..6f7021d05 100755
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-12-02</pubdate>
+    <pubdate>2005-11-10</pubdate>
 
     <copyright>
       <year>2002-2005</year>
@@ -312,6 +312,14 @@ $FW        net         ACCEPT</programlisting>
       </listitem>
     </orderedlist>
 
+    <para>It is important to note that Shorewall policies (and rules) refer to
+    <emphasis role="bold">connections</emphasis> and not packet flow. With the
+    policies defined in the <filename
+    class="directory">/etc/shorewall/policy</filename> file shown above,
+    connections are allowed from the <emphasis>loc</emphasis> zone to the
+    <emphasis>net</emphasis> zone even though connections are not allowed from
+    the <emphasis>loc</emphasis> zone to the firewall itself.</para>
+
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
 
     <para>At this point, edit your <filename>/etc/shorewall/policy</filename>
diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml
index f51ff3002..f0c6dd97b 100644
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@@ -12,7 +12,7 @@
       <surname>Eastep</surname>
     </author>
 
-    <pubdate>2005-11-02</pubdate>
+    <pubdate>2005-11-10</pubdate>
 
     <copyright>
       <year>2002-</year>
@@ -260,7 +260,7 @@ loc     ipv4</programlisting>Zones are defined in the <ulink
     <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
 loc        net         ACCEPT
 net        all         DROP        info
-all        all         REJECT      info</programlisting> In the two-interface
+all        all         REJECT      info</programlisting>In the two-interface
     sample, the line below is included but commented out. If you want your
     firewall system to have full access to servers on the internet, uncomment
     that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
@@ -287,6 +287,14 @@ $FW        net         ACCEPT</programlisting> The above policy will:
       </itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
     format="GIF" /></para>
 
+    <para>It is important to note that Shorewall policies (and rules) refer to
+    <emphasis role="bold">connections</emphasis> and not packet flow. With the
+    policies defined in the <filename
+    class="directory">/etc/shorewall/policy</filename> file shown above,
+    connections are allowed from the <emphasis>loc</emphasis> zone to the
+    <emphasis>net</emphasis> zone even though connections are not allowed from
+    the <emphasis>loc</emphasis> zone to the firewall itself.</para>
+
     <para>At this point, edit your <filename
     class="directory">/etc/shorewall/</filename><filename>policy</filename>
     and make any changes that you wish.</para>