diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 6fb2e858e..966094098 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -162,6 +162,18 @@
Answer: See above.
+
+
+ (faq 77c) After restart and bootup of my Debian firewall, all
+ traffic is blocked for hosts behind the firewall trying to connect out
+ onto the net or through the vpn (although i can reach the internal
+ firewall interface and obtain dumps etc). Once I issue 'shorewall
+ clear' followed by 'shorewall restart' it then works, despite the
+ config not changing
+
+ Answer: Set IP_FORWARDING=On in /etc/shorewall/shorewall.conf.
+
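Review bot: The new entry's label "(faq 77c)" does not match the capitalized "(FAQ nn)" form used by the other entries in this file (for example "(FAQ 30)" in the next hunk); change it to "(FAQ 77c)" so any anchor or index built from the labels stays consistent. In the same question text, "i can reach" should be "I can reach" and the question should end with a full stop or question mark like the neighbouring entries. The answer "Set IP_FORWARDING=On in /etc/shorewall/shorewall.conf." would be more useful if it said in one clause why this fixes the symptom described (forwarding is disabled after boot until the setting is applied), since the questioner explicitly notes that the configuration did not change.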
@@ -492,8 +504,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993(FAQ 30) I'm confused about when to use DNAT rules and when to
use ACCEPT rules.
- Answer: It would be a good idea to
- review the QuickStart
+ Answer: It would be a good idea
+ to review the QuickStart
Guide appropriate for your setup; the guides cover this topic in
a tutorial fashion. DNAT rules should be used for connections that need
to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
@@ -627,8 +639,7 @@ DNAT loc loc:192.168.1.5 tcp www - find_first_interface_address in
/etc/shorewall/params must be preceded with
- a load of the
- Shorewall function library:. /usr/share/shorewall/functions
+ a load of the Shorewall function library:. /usr/share/shorewall/functionsETH0_IP=`find_first_interface_address eth0`
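Review bot: The added line runs the function-library path straight into the variable assignment, "/usr/share/shorewall/functionsETH0_IP=`find_first_interface_address eth0`", so as rendered the reader would see a single command where two separate lines are required (first ". /usr/share/shorewall/functions", then "ETH0_IP=..."). If these are meant to be separate programlisting elements, the hunk should show the element boundary between them; if the tags were merged by the reflow, restore the line break so the two commands are not concatenated. The "library:." sequence (colon immediately followed by the dot-source operator) is also easy to misread as a typo; a space or a line break after the colon would make the sourcing command unambiguous.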
@@ -731,8 +742,8 @@ dmz eth2 192.168.2.255 routeback
following:
In /etc/shorewall/params (or in your
- <export directory>/init file if you are using
- Shorewall Lite on the firewall system):
+ <export directory>/init file if you are
+ using Shorewall Lite on the firewall system):
ETH0_IP=`find_first_interface_address eth0`
@@ -754,9 +765,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - If you are running Shorewall 3.2.6 on a Debian-based system,
the call to find_first_interface_address in
- /etc/shorewall/params
- must be preceded with a load of the Shorewall function
- library:. /usr/share/shorewall/functions
+ /etc/shorewall/params must be preceded with a
+ load of the Shorewall function library:. /usr/share/shorewall/functionsETH0_IP=`find_first_interface_address eth0`
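Review bot: Same concatenation problem as the earlier find_first_interface_address hunk: "/usr/share/shorewall/functionsETH0_IP=`find_first_interface_address eth0`" presents the sourcing command and the assignment as one line, and the reader must type them as two. Since this paragraph about Shorewall 3.2.6 on Debian is repeated verbatim from the earlier FAQ entry, consider replacing one copy with a cross-reference to the other so that a future correction only has to be made once.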
@@ -783,10 +793,10 @@ DNAT loc dmz:192.168.2.4 tcp 80 - Blacklisting an IP address blocks incoming traffic from that IP
address. And if you set BLACKLISTNEWONLY=Yes in
- shorewall.conf, then only new connections
- from that address are disallowed;
- traffic from that address that is part of an established connection
- (such as ping replies) is allowed.
+ shorewall.conf, then only new connections from that address are disallowed; traffic from
+ that address that is part of an established connection (such as ping
+ replies) is allowed.
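Review bot: The reflowed line "shorewall.conf, then only new connections from that address are disallowed; traffic from" is noticeably longer than the wrap width the rest of this patch rewraps to, so the reflow is inconsistent within its own hunk; rewrap it to the same width as the surrounding lines.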
@@ -1070,8 +1080,9 @@ to debug/develop the newnat interface.
openlog) and you get to choose the log level (again, see
man syslog) in your policies and
- rules.
- The destination for messages logged by syslog is controlled by
+ rules. The
+ destination for messages logged by syslog is controlled by
/etc/syslog.conf (see man
syslog.conf). When you have changed
/etc/syslog.conf, be sure to restart syslogd (on a
@@ -1231,8 +1242,7 @@ teastep@ursa:~$ The first number determines the maximum log
If, on your system, the first number is 7 or greater, then the
default Shorewall configurations will cause messages to be written to
your console. The simplest solution is to add this to your
- /etc/sysctl.conf
- file:kernel.printk = 4 4 1 7
+ /etc/sysctl.conf file:kernel.printk = 4 4 1 7thensysctl -p /etc/sysctl.conf
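Review bot: The added line mixes a substantive change into what is otherwise a whitespace reflow: "kernel.printk = 4 4 1 7thensysctl -p /etc/sysctl.conf" appends a new instruction (run "sysctl -p /etc/sysctl.conf" afterwards) that the removed lines did not contain, and the commit should say so. As written, the sysctl value, the word "then", and the command are concatenated with no separators, so the rendered text would read "4 4 1 7thensysctl -p"; make sure "then" sits in its own text node or paragraph and the two commands are separate listing lines.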
@@ -1324,10 +1334,10 @@ teastep@ursa:~$ The first number determines the maximum log
You have a policy that
- specifies a log level and this packet is being logged under that
- policy. If you intend to ACCEPT this traffic then you need a rule to that
+ url="manpages/shorewall-policy.html">policy
+ that specifies a log level and this packet is being logged under
+ that policy. If you intend to ACCEPT this traffic then you need a
+ rule to that
effect.Beginning with Shorewall 3.3.3, packets logged out of these
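Review bot: The added line `url="manpages/shorewall-policy.html">policy` introduces a link whose opening tag lies outside the visible hunk, so the element's well-formedness cannot be checked from this context; confirm the opening tag is present on the preceding unchanged line and that the relative target manpages/shorewall-policy.html exists in the docs tree. The unchanged context "effect.Beginning with Shorewall 3.3.3" also shows a missing space or paragraph break after "effect." that this reflow could have fixed while touching the paragraph.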
@@ -1746,15 +1756,16 @@ Creating input Chains...
Why can't Shorewall detect my interfaces properly?Answer: The above output is
- perfectly normal. The Net zone is defined as all hosts that are connected
- through eth0 and the local zone
- is defined as all hosts connected through eth0 and the
+ local zone is defined as all hosts connected through eth1. You can set the routefilter option on an internal interface if
- you wish to guard against 'Martians' (a Martian is
- a packet with a source IP address that is not routed out of the interface
- on which the packet was received). If you do that, it is a good idea to
- also set the logmartians option.
+ you wish to guard against 'Martians' (a Martian
+ is a packet with a source IP address that is not routed out of the
+ interface on which the packet was received). If you do that, it is a
+ good idea to also set the logmartians
+ option.
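Review bot: The added line "local zone is defined as all hosts connected through eth1." changes the interface named for the local zone from eth0 (in the removed text) to eth1, which is a factual correction and should be called out rather than buried in a reflow commit; the removed lines "perfectly normal. The Net zone is defined as all hosts that are connected" also have no replacement visible in the hunk, so verify that the sentence about the Net zone survives. On the same added line, "eth1. You can set the routefilter option" runs the end of one paragraph into the start of the next with no break, which will render as one paragraph unless the element boundary is preserved.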
@@ -1766,12 +1777,12 @@ Creating input Chains...
url="shorewall_extension_scripts.htm">Shorewall Extension
Scripts. Be sure that you look at the contents of the chain(s)
that you will be modifying with your commands so that the commands will
- do what is intended. Many iptables commands published in HOWTOs and other
- instructional material use the -A command which adds the rules to the end
- of the chain. Most chains that Shorewall constructs end with an
+ do what is intended. Many iptables commands published in HOWTOs and
+ other instructional material use the -A command which adds the rules to
+ the end of the chain. Most chains that Shorewall constructs end with an
unconditional DROP, ACCEPT or REJECT rule and any rules that you add
- after that will be ignored. Check man iptables and look at
- the -I (--insert) command.
+ after that will be ignored. Check man iptables and look
+ at the -I (--insert) command.
@@ -2625,4 +2636,4 @@ loc $FW ACCEPT
policies.
-
+
\ No newline at end of file
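Review bot: The final hunk removes the trailing newline from docs/FAQ.xml ("\ No newline at end of file"); a missing final newline causes spurious diffs on the next edit and some text tools treat the last line specially, so restore the newline at the end of the file.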