Tweak the FAQ

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/FAQ.xml

@@ -853,7 +853,7 @@ to debug/develop the newnat interface.</programlisting></para>
 
       <para><emphasis role="bold">Answer:</emphasis> The default Shorewall
       setup invokes the <emphasis role="bold">Drop</emphasis> action prior to
-      enforcing a DROP policy and the default policy to all zone from the
+      enforcing a DROP policy and the default policy to all zones from the
       internet is DROP. The Drop action is defined in
       <filename>/usr/share/shorewall/action.Drop</filename> which in turn
       invokes the <emphasis role="bold">Auth</emphasis> macro (defined in
@@ -1017,9 +1017,12 @@ to debug/develop the newnat interface.</programlisting></para>
 
       <para>This kernel change, while necessary, means that Shorewall zones
       may no longer be defined in terms of bridge ports. See <ulink
-      url="bridge-Shorewall-perl.html">the new bridging documentation</ulink>
+      url="bridge-Shorewall-perl.html">the new Shorewall-shell bridging
-      for information about configuring a bridge/firewall under kernel 2.6.20
+      documentation</ulink> for information about configuring a
-      and later.<note>
+      bridge/firewall under kernel 2.6.20 and later with Shoreawall shell or
+      the<ulink url="bridge-Shorewall-perl.html"> Shorewall-perl bridging
+      documentation</ulink> if you use Shorewall-perl
+      (highly-recommended).<note>
           <para>Following the instructions in the new bridging documentation
           will not prevent the above message from being issued.</para>
         </note></para>
@@ -1375,7 +1378,8 @@ DROP      net       fw      udp      10619</programlisting>
         </varlistentry>
 
         <varlistentry>
-          <term><emphasis>interface</emphasis>_mac</term>
+          <term><emphasis>interface</emphasis>_mac or
+          <emphasis>interface</emphasis>_rec</term>
 
           <listitem>
             <para>The packet is being logged under the <emphasis
@@ -1409,10 +1413,12 @@ DROP      net       fw      udp      10619</programlisting>
             role="bold">routeback</emphasis> option on that interface in
             <filename> <ulink
             url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>
-            </filename> or you need the <emphasis
+            , </filename>you need the <emphasis
             role="bold">routeback</emphasis> option in the relevant entry in
             <filename> <ulink
-            url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink>.</filename></para>
+            url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink>
+            or you've done something silly like define a default route out of
+            an internal interface.</filename></para>
 
             <para>In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in
             <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>,
@@ -1496,7 +1502,9 @@ DROP      net       fw      udp      10619</programlisting>
                 <para>When a DNAT rule is logged, there will never be an OUT=
                 shown because the packet is being logged before it is routed.
                 Also, DNAT logging will show the <emphasis>original</emphasis>
-                destination IP address and destination port number.</para>
+                destination IP address and destination port number. When a
+                REDIRECT rule is logged, the message will also show the
+                original destination IP address and port number.</para>
               </note>
             </listitem>
           </varlistentry>
@@ -2401,8 +2409,8 @@ eth0               eth1                        # eth1 = interface to local netwo
       <title>(FAQ 72) Can I switch to using Shorewall-perl without changing my
       Shorewall configuration?</title>
 
-      <para><emphasis role="bold">Answer</emphasis>: Probably not. See the
+      <para><emphasis role="bold">Answer</emphasis>: Maybe yes, maybe no. See
-      <ulink url="???">Shorewall Perl article</ulink> for a list of the
+      the <ulink url="???">Shorewall Perl article</ulink> for a list of the
       incompatibilities between Shorewall-shell and Shorewall-perl.</para>
     </section>
   </section>

docs/Introduction.xml

@@ -68,6 +68,26 @@
           a much more efficient way to install a ruleset than running the
           iptables utility once for each rule in the ruleset.</para>
         </listitem>
+
+        <listitem>
+          <para>ifconfig - An obsolete program included in the net-utils
+          package. ifconfig was used to configure network interfaces.</para>
+        </listitem>
+
+        <listitem>
+          <para>route - An obsolete program included in the net-utils package.
+          route was used to configure routing.</para>
+        </listitem>
+
+        <listitem>
+          <para>ip - A program included in the iproute2 package. ip replaces
+          ifconfig and route in modern Linux systems.</para>
+        </listitem>
+
+        <listitem>
+          <para>tc - A program included in the iproute2 package. tc is used to
+          configure QOS/Traffic Shaping on Linux systems.</para>
+        </listitem>
       </itemizedlist>
     </section>
 
@@ -78,16 +98,17 @@
       <quote>Shorewall</quote>, is high-level tool for configuring Netfilter.
       You describe your firewall/gateway requirements using entries in a set
       of configuration files. Shorewall reads those configuration files and
-      with the help of the iptables and iptables-restore utilities, Shorewall
+      with the help of the iptables, iptables-restore, ip and tc utilities,
-      configures Netfilter to match your requirements. Shorewall can be used
+      Shorewall configures Netfilter and the Linux networking subsystem to
-      on a dedicated firewall system, a multi-function gateway/router/server
+      match your requirements. Shorewall can be used on a dedicated firewall
-      or on a standalone GNU/Linux system. Shorewall does not use Netfilter's
+      system, a multi-function gateway/router/server or on a standalone
-      ipchains compatibility mode and can thus take advantage of Netfilter's
+      GNU/Linux system. Shorewall does not use Netfilter's ipchains
-      connection state tracking capabilities.</para>
+      compatibility mode and can thus take advantage of Netfilter's connection
+      state tracking capabilities.</para>
 
-      <para>Shorewall is not a daemon. Once Shorewall has configured
+      <para>Shorewall is not a daemon. Once Shorewall has configured the Linux
-      Netfilter, its job is complete and there is no <quote>Shorewall
+      networking subsystem, its job is complete and there is no
-      process</quote> left running in your system. The <ulink
+      <quote>Shorewall process</quote> left running in your system. The <ulink
       url="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
       used at any time to monitor the Netfilter firewall</ulink>.</para>
 
@@ -166,12 +187,13 @@ net        eth0          detect        dhcp,routefilter,norfc1918
 loc        eth1          detect
 dmz        eth2          detect</programlisting>
 
-    <para>The above file defines the net zone as all IPv4 hosts interfacing to
+    <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
-    the firewall through eth0, the loc zone as all IPv4 hosts interfacing
+    hosts interfacing to the firewall through eth0, the
-    through eth1 and the dmz as all IPv4 hosts interfacing through eth2. It is
+    <emphasis>loc</emphasis> zone as all IPv4 hosts interfacing through eth1
-    important to note that the composition of a zone is defined in terms of a
+    and the <emphasis>dmz</emphasis> as all IPv4 hosts interfacing through
-    combination of addresses <emphasis role="bold">and</emphasis> interfaces.
+    eth2. It is important to note that the composition of a zone is defined in
-    When using the <ulink
+    terms of a combination of addresses <emphasis role="bold">and</emphasis>
+    interfaces. When using the <ulink
     url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
     file to define a zone, all addresses are included; when you want to define
     a zone that contains a limited subset of the IPv4 address space, you use
@@ -204,8 +226,8 @@ dmz        eth2          detect</programlisting>
           </itemizedlist>
 
           <para>Connection request logging may be specified as part of a
-          policy and it is conventional to log DROP and REJECT
+          policy and it is conventional (and highly recommended) to log DROP
-          policies.</para>
+          and REJECT policies.</para>
         </listitem>
 
         <listitem>
@@ -217,11 +239,11 @@ dmz        eth2          detect</programlisting>
 
         <listitem>
           <para>You only need concern yourself with connection requests. You
-          don't need to define rules for how traffic that is part of an
+          don't need to define rules for handling traffic that is part of an
-          established connection is handled and in most cases you don't have
+          established connection is and in most cases you don't have to worry
-          to worry about how related connections are handled (ICMP error
+          about how related connections are handled (ICMP error packets and
-          packets and <ulink url="FTP.html">related TCP connection requests
+          <ulink url="FTP.html">related TCP connection requests such as used
-          such as used by FTP</ulink>).</para>
+          by FTP</ulink>).</para>
         </listitem>
       </itemizedlist>For each connection request entering the firewall, the
     request is first checked against the <filename
@@ -258,7 +280,7 @@ $FW        net         ACCEPT</programlisting> The above policy will:
 
         <listitem>
           <para>Drop (ignore) all connection requests from the internet to
-          your firewall or local network; these ignored connection requests
+          your firewall or local networks; these ignored connection requests
           will be logged using the <emphasis>info</emphasis> syslog priority
           (log level).</para>
         </listitem>
@@ -337,9 +359,9 @@ ACCEPT     net           $FW       tcp        22</programlisting>
 
     <orderedlist>
       <listitem>
-        <para><emphasis role="bold">Shorewall</emphasis>. This package must be
+        <para><emphasis role="bold">Shorewall-common</emphasis>. This package
-        installed on at least one system in your network. That system must
+        must be installed on at least one system in your network. That system
-        also have Shorewall-shell and/or Shorewall-perl installed.</para>
+        must also have Shorewall-shell and/or Shorewall-perl installed.</para>
       </listitem>
 
       <listitem>