Updates to Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Documentation.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-06-12</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -1657,14 +1657,23 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
           addresses are specified in the ORIGINAL DEST column as a
           comma-separated list.</para>
 
+          <para>If this list begins with <quote>!</quote> then the rule will
+          only apply if the original destination address matches none of the
+          addresses listed.</para>
+
           <para>The IP address(es) may be optionally followed by
           <quote>:</quote> and a second IP address. This latter address, if
           present, is used as the source address for packets forwarded to the
           server (This is called <quote>Source NAT</quote> or SNAT.</para>
 
-          <para>If this list begins with <quote>!</quote> then the rule will
-          only apply if the original destination address matches none of the
-          addresses listed.</para>
+          <warning>
+            <para>Specifying SNAT in a DNAT rule is deprecated and this
+            feature will be removed from Shorewall in version 2.1.0. An entry
+            in <link linkend="Masq">/etc/shorewall/masq</link> can serve the
+            same purpose and is the preferred method of performing SNAT with
+            Shorewall. See <ulink url="FAQ.htm#faq2">FAQ 2</ulink> for an
+            example.</para>
+          </warning>
 
           <note>
             <para>When using SNAT, it is a good idea to qualify the source
@@ -2410,7 +2419,7 @@ eth0                  eth1            206.124.146.176</programlisting>
         <listitem>
           <para>(Added at Version 2.0.6) - Normally Shorewall attempts to use
           the iptables packet type match extension to determine broadcast and
-          multicast packets. </para>
+          multicast packets.</para>
 
           <orderedlist>
             <listitem>
@@ -2429,7 +2438,7 @@ eth0                  eth1            206.124.146.176</programlisting>
           <para>If you are experiencing either of these problems, setting
           PKTTYPE=No will prevent Shorewall from trying to use the packet type
           match extension and to use IP address matching to determine which
-          packets are broadcasts or multicasts. </para>
+          packets are broadcasts or multicasts.</para>
         </listitem>
       </varlistentry>
 

Shorewall-docs2/FAQ.xml

@@ -17,7 +17,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-08-01</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -291,12 +291,18 @@ loc      eth1         detect       <emphasis role="bold">routeback</emphasis></p
         </listitem>
 
         <listitem>
-          <para>In <filename>/etc/shorewall/rules</filename> (Assuming that
-          your local network is 192.168.1.0/24):</para>
+          <para>In <filename>/etc/shorewall/masq</filename>:</para>
 
-          <programlisting>#ACTION    SOURCE                 DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
-#                                                                         PORT      DEST.
-DNAT       loc:192.168.1.0/24     loc:192.168.1.5    tcp      www         -         130.151.100.69:192.168.1.254</programlisting>
+          <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
+eth1                    eth1            192.168.1.254   tcp     www</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>In <filename>/etc/shorewall/rules</filename>:</para>
+
+          <programlisting>#ACTION    SOURCE       DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
+#                                                               PORT      DEST.
+DNAT       loc          loc:192.168.1.5    tcp      www         -         130.151.100.69</programlisting>
 
           <para>That rule only works of course if you have a static external
           IP address. If you have a dynamic IP address and are running
@@ -306,9 +312,9 @@ DNAT       loc:192.168.1.0/24     loc:192.168.1.5    tcp      www         -
 
           <para>and make your DNAT rule:</para>
 
-          <programlisting>#ACTION    SOURCE                 DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
-#                                                                         PORT      DEST.
-DNAT       loc:192.168.1.0/24     loc:192.168.1.5    tcp      www         -         $ETH0_IP:192.168.1.254</programlisting>
+          <programlisting>#ACTION    SOURCE        DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
+#                                                                PORT      DEST.
+DNAT       loc           loc:192.168.1.5    tcp      www         -         $ETH0_IP</programlisting>
 
           <para>Using this technique, you will want to configure your
           DHCP/PPPoE client to automatically restart Shorewall each time that

Shorewall-docs2/NAT.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -56,9 +56,13 @@
     <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
     addresses appear to be on the upper (130.252.100.*) subnet. If we assume
     that the interface to the upper subnet is eth0, then the following
-    /etc/shorewall/NAT file would make the lower left-hand system appear to
-    have IP address 130.252.100.18 and the right-hand one to have IP address
-    130.252.100.19.</para>
+    <filename>/etc/shorewall/nat</filename> file would make the lower
+    left-hand system appear to have IP address 130.252.100.18 and the
+    right-hand one to have IP address 130.252.100.19. It should be stressed
+    that these entries in the <filename>/etc/shorewall/nat</filename> file do
+    not automatically enable traffic between the external network and the
+    internal host(s) — such traffic is still subject to your policies and
+    rules.</para>
 
     <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
 130.252.100.18  eth0              10.1.1.2      no                 no
@@ -66,7 +70,7 @@
 
     <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
     above example) is (are) not included in any specification in
-    /etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
+    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/proxyarp</filename>.</para>
 
     <note>
       <para>The <quote>ALL INTERFACES</quote> column is used to specify
@@ -86,9 +90,9 @@
       <para>Shorewall will automatically add the external address to the
       specified interface unless you specify <ulink
       url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
-      (or <quote>No</quote>) in /etc/shorewall/shorewall.conf; If you do not
-      set ADD_IP_ALIASES or if you set it to <quote>Yes</quote> or
-      <quote>yes</quote> then you must NOT configure your own alias(es).</para>
+      (or <quote>No</quote>) in <filename>/etc/shorewall/shorewall.conf</filename>;
+      If you do not set ADD_IP_ALIASES or if you set it to <quote>Yes</quote>
+      or <quote>yes</quote> then you must NOT configure your own alias(es).</para>
 
       <para><important><para>Shorewall versions earlier than 1.4.6 can only
       add external addresses to an interface that is configured with a single

Shorewall-docs2/ProxyARP.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-22</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -68,7 +68,7 @@
   pass ARP requests and other network packets in both directions between the
   server machine and the PUBNET network, making the server machine appear to
   be connected to the PUBNET network even though it is on the PRIVNET network
-  hidden behind the router. </para>
+  hidden behind the router.</para>
 
   <para>Before you try to use this technique, I strongly recommend that you
   read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
@@ -92,7 +92,8 @@
 
     <para>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
     in the above example) are not included in any specification in
-    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/nat</filename>.</para>
+    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/nat</filename>.
+    </para>
 
     <note>
       <para>I&#39;ve used an RFC1918 IP address for eth1 - that IP address is
@@ -103,7 +104,7 @@
     their subnet mask and default gateway configured exactly the same way that
     the Firewall system&#39;s eth0 is configured. In other words, they should
     be configured just like they would be if they were parallel to the
-    firewall rather than behind it.</para>
+    firewall rather than behind it. </para>
 
     <warning>
       <para>Do not add the Proxy ARP&#39;ed address(es) (130.252.100.18 and
@@ -111,6 +112,13 @@
       this example) of the firewall.</para>
     </warning>
 
+    <note>
+      <para>It should be stressed that entries in the proxyarp file do not
+      automatically enable traffic between the external network and the
+      internal host(s) — such traffic is still subject to your policies and
+      rules.</para>
+    </note>
+
     <para>While the address given to the firewall interface is largely
     irrelevant, one approach you can take is to make that address the same as
     the address of your external interface!</para>

Shorewall-docs2/starting_and_stopping_shorewall.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-08-01</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -57,7 +57,7 @@
       </listitem>
 
       <listitem>
-        <para><filename>/etc/shorewall</filename> ̶ The default directory
+        <para><filename>/etc/shorewall</filename> — The default directory
         where Shorewall looks for configuration files. See the section
         entitled <link linkend="AltConfig">Alternate Configuration Directories</link>
         for information about how you can direct Shorewall to look in other
@@ -66,19 +66,19 @@
 
       <listitem>
         <para><filename>/etc/init.d/shorewall</filename> (<filename>/etc/rc.d/firewall.rc</filename>
-        on Slackware) ̶ The script run by <command>init</command> (the program
+        on Slackware) — The script run by <command>init</command> (the program
         responsible for startup and shutdown of your system) to start
         Shorewall at boot time and to stop Shorewall at shutdown.</para>
       </listitem>
 
       <listitem>
-        <para><filename>/usr/share/shorewall/firewall</filename> ̶ The program
+        <para><filename>/usr/share/shorewall/firewall</filename> — The program
         responsible for configuring Netfilter based on your configuration
         files.</para>
       </listitem>
 
       <listitem>
-        <para><filename>/usr/share/shorewall/functions</filename> ̶ A library
+        <para><filename>/usr/share/shorewall/functions</filename> — A library
         of Bourne Shell functions used by both<filename> /sbin/shorewall</filename>
         and <filename>/usr/share/shorewall/firewall</filename>.</para>
       </listitem>
@@ -188,8 +188,8 @@
     <filename>/var/lib/shorewall/restore</filename>. The default may be
     changed using the RESTOREFILE option in <ulink
     url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>. A
-    different file name may also be specified in the specified in the
-    <command>save</command> command:</para>
+    different file name may also be specified in the <command>save</command>
+    command:</para>
 
     <programlisting><command>shorewall save &#60;filename&#62;</command></programlisting>