diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index ef787ed6f..4cb603c0c 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -853,7 +853,7 @@ to debug/develop the newnat interface.
Answer: The default Shorewall
setup invokes the Drop action prior to
- enforcing a DROP policy and the default policy to all zone from the
+ enforcing a DROP policy and the default policy to all zones from the
internet is DROP. The Drop action is defined in
/usr/share/shorewall/action.Drop which in turn
invokes the Auth macro (defined in
@@ -1017,9 +1017,12 @@ to debug/develop the newnat interface.
This kernel change, while necessary, means that Shorewall zones
may no longer be defined in terms of bridge ports. See the new bridging documentation
- for information about configuring a bridge/firewall under kernel 2.6.20
- and later.
+ url="bridge-Shorewall-perl.html">the new Shorewall-shell bridging
+ documentation for information about configuring a
+ bridge/firewall under kernel 2.6.20 and later with Shoreawall shell or
+ the Shorewall-perl bridging
+ documentation if you use Shorewall-perl
+ (highly-recommended).
Following the instructions in the new bridging documentation
will not prevent the above message from being issued.
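Review bot: the first link's target and its text disagree: the added line `url="bridge-Shorewall-perl.html">the new Shorewall-shell bridging` labels a link to the Shorewall-perl bridging page as the Shorewall-shell documentation, and the sentence then offers "the Shorewall-perl bridging documentation" as a separate link; check the url attribute on the Shorewall-shell link before merging. Also fix the typo "Shoreawall shell" to "Shorewall shell" and drop the hyphen in "(highly-recommended)".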
@@ -1375,7 +1378,8 @@ DROP net fw udp 10619
- interface_mac
+ interface_mac or
+ interface_rec
The packet is being logged under the
role="bold">routeback option on that interface in
/etc/shorewall/interfaces
- or you need the you need the routeback option in the relevant entry in
/etc/shorewall/hosts.
+ url="manpages/shorewall-hosts.html">/etc/shorewall/hosts
+ or you've done something silly like define a default route out of
+ an internal interface.
In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in
shorewall.conf,
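Review bot: "or you've done something silly like define a default route out of an internal interface" reads as a jab at the reader; in a FAQ answer state it neutrally, e.g. "or the firewall has a default route that points out an internal interface". Separately, now that `interface_rec` is listed next to `interface_mac` as a log-prefix form, say what `rec` denotes and which option produces it, since the surrounding text only explains the routeback case.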
@@ -1496,7 +1502,9 @@ DROP net fw udp 10619
When a DNAT rule is logged, there will never be an OUT=
shown because the packet is being logged before it is routed.
Also, DNAT logging will show the original
- destination IP address and destination port number.
+ destination IP address and destination port number. When a
+ REDIRECT rule is logged, the message will also show the
+ original destination IP address and port number.
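Review bot: the new REDIRECT sentence repeats the DNAT sentence almost word for word; fold them into one ("When a DNAT or REDIRECT rule is logged, the message shows the original destination IP address and port number") and say whether the preceding point, that no OUT= is shown because the packet is logged before routing, also applies to REDIRECT, as that is the next question a reader of this entry will have.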
@@ -2401,8 +2409,8 @@ eth0 eth1 # eth1 = interface to local netwo
(FAQ 72) Can I switch to using Shorewall-perl without changing my
Shorewall configuration?
- Answer: Probably not. See the
- Shorewall Perl article for a list of the
+ Answer: Maybe yes, maybe no. See
+ the Shorewall Perl article for a list of the
incompatibilities between Shorewall-shell and Shorewall-perl.
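Review bot: "Maybe yes, maybe no." is flippant for a FAQ answer and tells the reader nothing; replace it with what determines the answer, e.g. "It depends on which features your configuration uses; see the Shorewall Perl article for the list of incompatibilities between Shorewall-shell and Shorewall-perl."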
diff --git a/docs/Introduction.xml b/docs/Introduction.xml
index 4d7b9d756..ce9d7421a 100644
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -68,6 +68,26 @@
a much more efficient way to install a ruleset than running the
iptables utility once for each rule in the ruleset.
+
+
+ ifconfig - An obsolete program included in the net-utils
+ package. ifconfig was used to configure network interfaces.
+
+
+
+ route - An obsolete program included in the net-utils package.
+ route was used to configure routing.
+
+
+
+ ip - A program included in the iproute2 package. ip replaces
+ ifconfig and route in modern Linux systems.
+
+
+
+ tc - A program included in the iproute2 package. tc is used to
+ configure QOS/Traffic Shaping on Linux systems.
+
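Review bot: the package name in the new ifconfig and route glossary entries is wrong: both programs ship in net-tools, not "net-utils" (two occurrences). Also write "QOS" as "QoS" in the tc entry, and since the point of adding ip and tc to this glossary is that Shorewall now invokes them, a short clause saying so in each entry would explain to the reader why two iproute2 utilities appear in a list of Netfilter tools.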
@@ -78,16 +98,17 @@
Shorewall
, is high-level tool for configuring Netfilter.
You describe your firewall/gateway requirements using entries in a set
of configuration files. Shorewall reads those configuration files and
- with the help of the iptables and iptables-restore utilities, Shorewall
- configures Netfilter to match your requirements. Shorewall can be used
- on a dedicated firewall system, a multi-function gateway/router/server
- or on a standalone GNU/Linux system. Shorewall does not use Netfilter's
- ipchains compatibility mode and can thus take advantage of Netfilter's
- connection state tracking capabilities.
+ with the help of the iptables, iptables-restore, ip and tc utilities,
+ Shorewall configures Netfilter and the Linux networking subsystem to
+ match your requirements. Shorewall can be used on a dedicated firewall
+ system, a multi-function gateway/router/server or on a standalone
+ GNU/Linux system. Shorewall does not use Netfilter's ipchains
+ compatibility mode and can thus take advantage of Netfilter's connection
+ state tracking capabilities.
- Shorewall is not a daemon. Once Shorewall has configured
- Netfilter, its job is complete and there is no Shorewall
- process
left running in your system. The Shorewall is not a daemon. Once Shorewall has configured the Linux
+ networking subsystem, its job is complete and there is no
+ Shorewall process
left running in your system. The /sbin/shorewall program can be
used at any time to monitor the Netfilter firewall.
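Review bot: the unchanged context line "is high-level tool for configuring Netfilter" is missing its article ("is a high-level tool"); since the whole paragraph is being rewritten, fix it in the same change. In the rewritten text, "configures Netfilter and the Linux networking subsystem" is a broader claim than the old "configures Netfilter"; naming what is meant (routing via ip, traffic shaping via tc) keeps it consistent with the utilities the sentence has just listed.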
@@ -166,12 +187,13 @@ net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect
- The above file defines the net zone as all IPv4 hosts interfacing to
- the firewall through eth0, the loc zone as all IPv4 hosts interfacing
- through eth1 and the dmz as all IPv4 hosts interfacing through eth2. It is
- important to note that the composition of a zone is defined in terms of a
- combination of addresses and interfaces.
- When using the The above file defines the net zone as all IPv4
+ hosts interfacing to the firewall through eth0, the
+ loc zone as all IPv4 hosts interfacing through eth1
+ and the dmz as all IPv4 hosts interfacing through
+ eth2. It is important to note that the composition of a zone is defined in
+ terms of a combination of addresses and
+ interfaces. When using the /etc/shorewall/interfaces
file to define a zone, all addresses are included; when you want to define
a zone that contains a limited subset of the IPv4 address space, you use
@@ -204,8 +226,8 @@ dmz eth2 detect
Connection request logging may be specified as part of a
- policy and it is conventional to log DROP and REJECT
- policies.
+ policy and it is conventional (and highly recommended) to log DROP
+ and REJECT policies.
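Review bot: "(and highly recommended)" turns a convention into an unconditional recommendation, but on an internet-facing DROP policy logging every refused connection request lets a remote peer decide how fast syslog fills; either qualify the recommendation or add a pointer to the log rate-limiting settings alongside it.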
@@ -217,11 +239,11 @@ dmz eth2 detect
You only need concern yourself with connection requests. You
- don't need to define rules for how traffic that is part of an
- established connection is handled and in most cases you don't have
- to worry about how related connections are handled (ICMP error
- packets and related TCP connection requests
- such as used by FTP).
+ don't need to define rules for handling traffic that is part of an
+ established connection is and in most cases you don't have to worry
+ about how related connections are handled (ICMP error packets and
+ related TCP connection requests such as used
+ by FTP).
For each connection request entering the firewall, the
request is first checked against the The above policy will:
Drop (ignore) all connection requests from the internet to
- your firewall or local network; these ignored connection requests
+ your firewall or local networks; these ignored connection requests
will be logged using the info syslog priority
(log level).
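Review bot: the rewritten sentence has a stray "is": "rules for handling traffic that is part of an established connection is and in most cases" should read "rules for handling traffic that is part of an established connection, and in most cases". The old wording ("rules for how traffic ... is handled") was grammatical; the rewrite moved "handling" to the front but left the old verb behind.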
@@ -337,9 +359,9 @@ ACCEPT net $FW tcp 22
- Shorewall. This package must be
- installed on at least one system in your network. That system must
- also have Shorewall-shell and/or Shorewall-perl installed.
+ Shorewall-common. This package
+ must be installed on at least one system in your network. That system
+ must also have Shorewall-shell and/or Shorewall-perl installed.