Updates to Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Documentation.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-06-12</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -1657,14 +1657,23 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
           addresses are specified in the ORIGINAL DEST column as a
           comma-separated list.</para>
 
+          <para>If this list begins with <quote>!</quote> then the rule will
+          only apply if the original destination address matches none of the
+          addresses listed.</para>
+
           <para>The IP address(es) may be optionally followed by
           <quote>:</quote> and a second IP address. This latter address, if
           present, is used as the source address for packets forwarded to the
           server (This is called <quote>Source NAT</quote> or SNAT.</para>
 
-          <para>If this list begins with <quote>!</quote> then the rule will
-          only apply if the original destination address matches none of the
-          addresses listed.</para>
+          <warning>
+            <para>Specifying SNAT in a DNAT rule is deprecated and this
+            feature will be removed from Shorewall in version 2.1.0. An entry
+            in <link linkend="Masq">/etc/shorewall/masq</link> can serve the
+            same purpose and is the preferred method of performing SNAT with
+            Shorewall. See <ulink url="FAQ.htm#faq2">FAQ 2</ulink> for an
+            example.</para>
+          </warning>
 
           <note>
             <para>When using SNAT, it is a good idea to qualify the source

Shorewall-docs2/FAQ.xml

@@ -17,7 +17,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-08-01</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -291,12 +291,18 @@ loc      eth1         detect       <emphasis role="bold">routeback</emphasis></p
         </listitem>
 
         <listitem>
-          <para>In <filename>/etc/shorewall/rules</filename> (Assuming that
-          your local network is 192.168.1.0/24):</para>
+          <para>In <filename>/etc/shorewall/masq</filename>:</para>
+
+          <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
+eth1                    eth1            192.168.1.254   tcp     www</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>In <filename>/etc/shorewall/rules</filename>:</para>
 
           <programlisting>#ACTION    SOURCE       DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
 #                                                               PORT      DEST.
-DNAT       loc:192.168.1.0/24     loc:192.168.1.5    tcp      www         -         130.151.100.69:192.168.1.254</programlisting>
+DNAT       loc          loc:192.168.1.5    tcp      www         -         130.151.100.69</programlisting>
 
           <para>That rule only works of course if you have a static external
           IP address. If you have a dynamic IP address and are running
@@ -308,7 +314,7 @@ DNAT       loc:192.168.1.0/24     loc:192.168.1.5    tcp      www         -
 
           <programlisting>#ACTION    SOURCE        DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
 #                                                                PORT      DEST.
-DNAT       loc:192.168.1.0/24     loc:192.168.1.5    tcp      www         -         $ETH0_IP:192.168.1.254</programlisting>
+DNAT       loc           loc:192.168.1.5    tcp      www         -         $ETH0_IP</programlisting>
 
           <para>Using this technique, you will want to configure your
           DHCP/PPPoE client to automatically restart Shorewall each time that

Shorewall-docs2/NAT.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-04</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -56,9 +56,13 @@
     <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
     addresses appear to be on the upper (130.252.100.*) subnet. If we assume
     that the interface to the upper subnet is eth0, then the following
-    /etc/shorewall/NAT file would make the lower left-hand system appear to
-    have IP address 130.252.100.18 and the right-hand one to have IP address
-    130.252.100.19.</para>
+    <filename>/etc/shorewall/nat</filename> file would make the lower
+    left-hand system appear to have IP address 130.252.100.18 and the
+    right-hand one to have IP address 130.252.100.19. It should be stressed
+    that these entries in the <filename>/etc/shorewall/nat</filename> file do
+    not automatically enable traffic between the external network and the
+    internal host(s) — such traffic is still subject to your policies and
+    rules.</para>
 
     <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
 130.252.100.18  eth0              10.1.1.2      no                 no
@@ -66,7 +70,7 @@
 
     <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
     above example) is (are) not included in any specification in
-    /etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
+    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/proxyarp</filename>.</para>
 
     <note>
       <para>The <quote>ALL INTERFACES</quote> column is used to specify
@@ -86,9 +90,9 @@
       <para>Shorewall will automatically add the external address to the
       specified interface unless you specify <ulink
       url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
-      (or <quote>No</quote>) in /etc/shorewall/shorewall.conf; If you do not
-      set ADD_IP_ALIASES or if you set it to <quote>Yes</quote> or
-      <quote>yes</quote> then you must NOT configure your own alias(es).</para>
+      (or <quote>No</quote>) in <filename>/etc/shorewall/shorewall.conf</filename>;
+      If you do not set ADD_IP_ALIASES or if you set it to <quote>Yes</quote>
+      or <quote>yes</quote> then you must NOT configure your own alias(es).</para>
 
       <para><important><para>Shorewall versions earlier than 1.4.6 can only
       add external addresses to an interface that is configured with a single

Shorewall-docs2/ProxyARP.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-22</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -92,7 +92,8 @@
 
     <para>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
     in the above example) are not included in any specification in
-    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/nat</filename>.</para>
+    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/nat</filename>.
+    </para>
 
     <note>
       <para>I&#39;ve used an RFC1918 IP address for eth1 - that IP address is
@@ -111,6 +112,13 @@
       this example) of the firewall.</para>
     </warning>
 
+    <note>
+      <para>It should be stressed that entries in the proxyarp file do not
+      automatically enable traffic between the external network and the
+      internal host(s) — such traffic is still subject to your policies and
+      rules.</para>
+    </note>
+
     <para>While the address given to the firewall interface is largely
     irrelevant, one approach you can take is to make that address the same as
     the address of your external interface!</para>

Shorewall-docs2/starting_and_stopping_shorewall.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-08-01</pubdate>
+    <pubdate>2004-08-10</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -57,7 +57,7 @@
       </listitem>
 
       <listitem>
-        <para><filename>/etc/shorewall</filename> ̶ The default directory
+        <para><filename>/etc/shorewall</filename> — The default directory
         where Shorewall looks for configuration files. See the section
         entitled <link linkend="AltConfig">Alternate Configuration Directories</link>
         for information about how you can direct Shorewall to look in other
@@ -66,19 +66,19 @@
 
       <listitem>
         <para><filename>/etc/init.d/shorewall</filename> (<filename>/etc/rc.d/firewall.rc</filename>
-        on Slackware) ̶ The script run by <command>init</command> (the program
+        on Slackware) — The script run by <command>init</command> (the program
         responsible for startup and shutdown of your system) to start
         Shorewall at boot time and to stop Shorewall at shutdown.</para>
       </listitem>
 
       <listitem>
-        <para><filename>/usr/share/shorewall/firewall</filename> ̶ The program
+        <para><filename>/usr/share/shorewall/firewall</filename> — The program
         responsible for configuring Netfilter based on your configuration
         files.</para>
       </listitem>
 
       <listitem>
-        <para><filename>/usr/share/shorewall/functions</filename> ̶ A library
+        <para><filename>/usr/share/shorewall/functions</filename> — A library
         of Bourne Shell functions used by both<filename> /sbin/shorewall</filename>
         and <filename>/usr/share/shorewall/firewall</filename>.</para>
       </listitem>
@@ -188,8 +188,8 @@
     <filename>/var/lib/shorewall/restore</filename>. The default may be
     changed using the RESTOREFILE option in <ulink
     url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>. A
-    different file name may also be specified in the specified in the
-    <command>save</command> command:</para>
+    different file name may also be specified in the <command>save</command>
+    command:</para>
 
     <programlisting><command>shorewall save &#60;filename&#62;</command></programlisting>