diff --git a/docs/Introduction.xml b/docs/Introduction.xml index 30af119db..17b5b470f 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -130,12 +130,47 @@ dmz Demilitarized Zone Zones are declared and given a type in the /etc/shorewall/zones - file. + file.Here is the /etc/shorewall/zones + file from the three-interface sample: + + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall +net ipv4 +loc ipv4 +dmz ipv4 +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE Note that Shorewall recognizes the firewall system as its own zone. - The name of the zone designating the firewall itself is stored in the - shell variable $FW which may be used throughout the - Shorewall configuration to refer to the firewall zone. + The name of the zone designating the firewall itself (usually 'fw' as + shown in the above file) is stored in the shell variable + $FW which may be used throughout the Shorewall + configuration to refer to the firewall zone. + + The simplest way to define the hosts in a zone is to associate the + zone with a network interface using the /etc/shorewall/interfaces + file. In the three-interface sample, the three zones are defined using + that file as follows: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect dhcp,routefilter,norfc1918 +loc eth1 detect +dmz eth2 detect + + The above file defines the net zone as all IPv4 hosts interfacing to + the firewall through eth0, the loc zone as all IPv4 hosts interfacing + through eth1 and the dmz as all IPv4 hosts interfacing through eth2. It is + important to note that the composition of a zone is defined in terms of a + combination of addresses and interfaces. + When using the /etc/shorewall/interfaces + file to define a zone, all addresses are included; when you want to define + a zone that contains a limited subset of the IPv4 address space, you use + the /etc/shorewall/hosts + file. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. 
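Review bot: the `+ file.Here is the /etc/shorewall/zones` line loses the space and sentence break between `file.` and `Here`, so the rendered text reads `.../zones file.Here is the /etc/shorewall/zones file from the three-interface sample`; keep `file.` as the end of the previous sentence and start `Here is the ...` fresh. Two smaller points in the same hunk: the interfaces sample line `net eth0 detect dhcp,routefilter,norfc1918` carries three OPTIONS that nothing in this Introduction explains, while the paragraph below it only discusses the ZONE and INTERFACE columns, so either drop the options from this illustrative copy or add one sentence saying they are interface options documented elsewhere. And the closing sentence sends the reader to the /etc/shorewall/hosts file for zones that cover only a subset of an interface's address space but, unlike the zones and interfaces files, gives no example; a two-line hosts sample (or a link to its reference page) would complete the "combination of addresses and interfaces" point the paragraph sets up.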
@@ -232,21 +267,6 @@ $FW net ACCEPT The above policy will: - The simplest way to define the hosts in a zone is to associate the - zone with a network interface using the /etc/shorewall/interfaces - file. In the three-interface sample, the three zones are defined using - that file as follows: - - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,routefilter,norfc1918 -loc eth1 detect -dmz eth2 detect - - The above file defines the net zone as all hosts interfacing to the - firewall through eth0, the loc zone as all hosts interfacing through eth1 - and the dmz as all hosts interfacing through eth2. - To illustrate how rules provide exceptions to policies, suppose that you have the polcies listed above but you want to be able to connect to your firewall from the internet using Secure Shell (SSH). Recall that SSH
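Review bot: this hunk is the removal half of the move into the zones section, so it should be read against the copy inserted in the first hunk: the wording there changed from `all hosts interfacing to the firewall through eth0` to `all IPv4 hosts interfacing ...`, which is correct given the `ipv4` type in the zones file but means the two halves are not a verbatim move; worth stating in the commit message. The unchanged context line `suppose that you have the polcies listed above` carries the typo `polcies`; since this paragraph's neighbourhood is already in the hunk, a drive-by fix here is cheap. Also confirm that after the deletion the `The above policy will:` list runs straight into the `To illustrate how rules provide exceptions` paragraph with no empty paragraph element left behind; the extracted diff shows only the text, not the XML elements that wrapped the removed block.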