diff --git a/docs/Introduction.xml b/docs/Introduction.xml
index 1ecd0316d..2f0a6d5e2 100644
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -311,10 +311,22 @@ $FW net ACCEPT The above policies will:
+ A word about Shorewall logging is in order. Shorewall does not have
+ direct control over where its messages are logged; that is determined by
+ the configuration of the logging daemon (syslog, rsyslog, syslog-ng,
+ ulogd, etc.). The LOGFILE setting in /etc/shorewall/shorewall.conf
+ tells Shorewall where to find the log; it doesn't
+ determine where messages are logged. See the Shorewall logging article for more
+ information.
+
To illustrate how rules provide exceptions to policies, suppose that
you have the polices listed above but you want to be able to connect to
your firewall from the Internet using Secure Shell (SSH). Recall that SSH
- connects uses TCP port 22.
+ connects uses TCP port 22. You would add the following rule to /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
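Review bot: the rewritten sentence at the end of the SSH paragraph still reads "connects uses TCP port 22". Since the line is being changed anyway, make it "Recall that SSH uses TCP port 22." and fix "polices" to "policies" two lines above it. In the new logging paragraph, it would also help to say what the reader will see when LOGFILE does not match the file the logging daemon actually writes to, because the text only says that the setting "tells Shorewall where to find the log".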
@@ -338,7 +350,7 @@ ACCEPT net $FW tcp 22
- To keep your firewall
+ Again, to keep your firewall
log from filling up with useless noise, Shorewall provides
common actions that silently discard
or reject such noise before it can be logged. As with everything in
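Review bot: "Again," on the changed line presupposes that log noise was already discussed, but the paragraph added in the first hunk covers only where messages are logged, not how to keep noise out of the log. Either refer back to the earlier passage explicitly or drop "Again,".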
@@ -360,9 +372,15 @@ ACCEPT net $FW tcp 22
The 'compiled' scripts are placed in the directory /var/lib/shorewall and are named to
correspond to the command being executed. For example, the command
- "/sbin/shorewall start" will generate a script named
+ /sbin/shorewall start will generate a script named
/var/lib/shorewall/.start and, if the compilation is
- error free, that script will then be executed.
+ error free, that script will then be executed. If the script executes
+ successfully, it then copies itself to
+ /var/lib/shorewall/firewall. When an
+ /sbin/shorewall stop or /sbin/shorewall
+ clear command is subsequently executed,
+ /var/lib/shorewall/firewall is run to perform the
+ requested operation.
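Review bot: the added sentences about /var/lib/shorewall/firewall leave the failure case undocumented. The text says the script copies itself only "If the script executes successfully", so please state what a later /sbin/shorewall stop or /sbin/shorewall clear runs when the last start did not succeed, or when no start has ever succeeded and the file does not exist. It is also worth saying outright that stop and clear run the saved copy rather than recompiling, so configuration edits made after the last successful start are not reflected in what they do.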