diff --git a/docs/Actions.xml b/docs/Actions.xml
index 17b3f8f11..06f3ec281 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -74,8 +74,8 @@
class="directory">/usr/share/shorewall. Each
action.* file has a comment at the beginning of
the file that describes what the action does. As an example, here is
- the definition of the AllowSMB standard
- action.
+ the definition of the AllowSMB standard action
+ from Shorewall version 2.2.
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
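Review bot: Now that the example is pinned to "Shorewall version 2.2" (matching the "# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB" header in the quoted file), readers on a later release should be told that the action.AllowSMB in their own /usr/share/shorewall may differ; a short clause after "from Shorewall version 2.2" such as "the file shipped with later versions may differ" would cover that.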
@@ -96,6 +96,10 @@ ACCEPT - - tcp 135,139,445
the definition in /usr/share/shorewall. Rather, copy the file to
/etc/shorewall (or somewhere
else on your CONFIG_PATH) and modify the copy.
+
+ Standard Actions have been largely replaced by macros in Shorewall 3.0 and later major
+ versions.
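Review bot: "largely replaced by macros" leaves the reader unsure which standard actions still exist in 3.0 and later versions; either name the actions that remain (or say none do) and cross-reference the macro documentation, or drop "largely" so the statement is definite.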
diff --git a/docs/Documentation.xml b/docs/Documentation.xml
index bb0d04956..949206f22 100644
--- a/docs/Documentation.xml
+++ b/docs/Documentation.xml
@@ -3699,6 +3699,35 @@ LOGBURST=5
/etc/shorewall/tos Configuration
+
+ This Shorewall feature is somewhat broken -- while it shouldn't
+ hurt anything to use it, it may not do what you want either.
+
+ In versions of Shorewall prior to 3.2.4, it is only safe to
+ specify "all" in the SOURCE and DEST columns. In 3.2.4 and later
+ versions:
+
+
+
+ It continues to work fine if you specify "all" in both the
+ SOURCE and DEST columns.
+
+
+
+ It mostly works when you specify zone names in either column
+ (provided that you have Mangle table FORWARD chain support in your
+ kernel) but it doesn't work with dynamic zones and it doesn't work
+ with IPSEC zones.
+
+
+
+ If you specify a zone name together with an address in the
+ SOURCE or DEST column, the generated rule ignores the zone name and
+ simply matches on the source or destination address.
+
+
+
+
The /etc/shorewall/tos file allows you to set
the Type of Service field in packet headers based on packet source, packet
destination, protocol, source port and destination port. In order for this
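Review bot: The third list item describes a silent failure: when a zone name is combined with an address, the zone name is dropped and the rule matches on the address alone, so the resulting rule can be broader than the user intended (it applies regardless of zone) with no warning. Suggest saying so explicitly, e.g. "the zone restriction is silently lost; check the generated mangle rules if you rely on it". Two smaller points: "IPSEC zones" should use the same capitalisation as elsewhere in the document, and "Mangle table FORWARD chain support in your kernel" would be easier to act on if it named the kernel option the user must enable.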
@@ -3728,9 +3757,8 @@ LOGBURST=5
The destination zone. May be qualified by following the zone
name with a colon (:
) and either an IP address or an
- IP subnet. Because packets are marked prior to routing, you may not
- specify the name of an interface. This column may also contain
- all
to indicate any destination.
+ IP subnet. This column may also contain all
to
+ indicate any destination.
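Review bot: Dropping "Because packets are marked prior to routing, you may not specify the name of an interface" removes the only explanation of why interface names are not accepted in the DEST column. If the restriction still holds, keep the sentence (or move it to the SOURCE description); if interface names are now accepted, say so, since a reader comparing old and new versions of this page will otherwise not know which is the case.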
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index d8edee32f..ac4db1ec0 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -342,9 +342,11 @@ DNAT net fw:192.168.1.1:22 tcp 4104
to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
or use SNAT from your local network to the internet then you will need
to use DNAT rules to allow connections from the internet to your local
- network. In all other cases, you use ACCEPT unless you need to hijack
- connections as they go through your firewall and handle them on the
- firewall box itself; in that case, you use a REDIRECT rule.
+ network. You also want to use DNAT rules when you intentionally want to
+ rewrite the destination IP address or port number. In all other cases,
+ you use ACCEPT unless you need to hijack connections as they go through
+ your firewall and handle them on the firewall box itself; in that case,
+ you use a REDIRECT rule.
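Review bot: "You also want to use DNAT rules when you intentionally want to rewrite" repeats "want"; suggest "You also use DNAT rules when you intend to rewrite the destination IP address or port number." Since this sentence broadens the cases where DNAT is recommended, it would help to add that such rules should be written as narrowly as the example above ("DNAT net fw:192.168.1.1:22 tcp 4104"), i.e. for a specific protocol and port, rather than for all traffic.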