diff --git a/docs/FAQ.xml b/docs/FAQ.xml index a031195c3..8dcec5717 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -399,7 +399,9 @@ DNAT net fw:192.168.1.1:22 tcp 4104 192.168.1.0/24, then: All traffic redirected through use of this hack will look to the server as if it came from the firewall (192.168.1.254) rather - than from the original client! + than from the original client! So the server's access logs will be + useless for determining which local hosts are accessing the + server. @@ -605,8 +607,8 @@ to debug/develop the newnat interface.
Open Ports -
- (FAQ 0) How do I Open Ports in Shorewall? +
+ (FAQ 51) How do I Open Ports in Shorewall? Answer: No one who has installed Shorewall using one of the /usr/share/shorewall/action.Drop which in turn invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth) specifying the - DROP action (i.e., Auth/DROP). This is necessary to prevent outgoing - connection problems to services that use the Auth - mechanism for identifying requesting users. That is the only service - which the default setup rejects. + REJECT action (i.e., Auth/REJECT). This is necessary to prevent + outgoing connection problems to services that use the + Auth mechanism for identifying requesting users. That is + the only service which the default setup rejects. If you are seeing closed TCP ports other than 113 (auth) then either you have added rules to REJECT those ports or a router outside of @@ -712,26 +714,6 @@ to debug/develop the newnat interface. PortSentry.
- -
- (FAQ 51) How do I "Open a Port" with Shorewall - - Answer: It depends… - - If the application serving the port is running on the same system - as Shorewall then add this rule: - - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT net $FW <protocol> <port number> - - Where <protocol> is either tcp or - udp and <port number> is the port that you - wish to "open". - - If the application serving the port is running on one of the - systems in your local network then please see FAQ - 1. -
@@ -1618,6 +1600,16 @@ iptables: Invalid argument
+ +
+ (FAQ 59) After I start Shorewall, there are lots of unused + Netfilter modules loaded. How do I avoid that? + + Answer: Copy /usr/share/shorewall/modules (or + /usr/share/shorewall/xmodules if appropriate) to + /etc/shorewall/modules and modify the copy to + include only the modules that you need. +
@@ -1664,7 +1656,7 @@ iptables: Invalid argument About Shorewall
- (FAQ 10) What Distributions does it work with? + (FAQ 10) What Distributions does Shorewall work with? Shorewall works with any GNU/Linux distribution that includes the proper @@ -1672,7 +1664,7 @@ iptables: Invalid argument
- (FAQ 11) What Features does it have? + (FAQ 11) What Features does Shorewall have? Answer: See the Shorewall Feature List. @@ -1681,8 +1673,9 @@ iptables: Invalid argument
(FAQ 12) Is there a GUI? - Answer: Yes. Shorewall support is - included in Webmin 1.060 and later versions. See Answer: Yes and No. Shorewall + support is included in Webmin 1.060 and later versions but the support + is woefully out of date. See http://www.webmin.com
@@ -1707,7 +1700,7 @@ iptables: Invalid argument
- (FAQ 25) How to I tell which version of Shorewall or Shorewall + <title>(FAQ 25) How do I tell which version of Shorewall or Shorewall Lite I am running? At the shell prompt, type: @@ -1859,10 +1852,10 @@ iptables: Invalid argument Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 - Answer: The fact that the message is being logged from the - OUTPUT chain means that the destination IP address is not in any - defined zone (see FAQ 17). You need - to: + Answer: The fact that the + message is being logged from the OUTPUT chain means that the + destination IP address is not in any defined zone (see FAQ 17). You need to: @@ -1907,7 +1900,7 @@ ACCEPT loc modem tcp 80 eth0 eth1 # eth1 = interface to local network For an example of this when the ADSL/Cable modem is bridged, see - my configuration. In that case, I + my configuration. In that case, I masquerade using the IP address of my local interface!
@@ -1962,7 +1955,7 @@ eth0 eth1 # eth1 = interface to local netwo shorewall.net, the two laptop systems have the full Shorewall product installed as does my personal Linux desktop system. All other Linux systems that run a firewall use Shorewall Lite and have their - configuration directories on my desktop. + configuration directories on my desktop system. @@ -2095,13 +2088,13 @@ REJECT fw net:216.239.39.99 allGiven that name-based multiple hosting is a common practice (another example: lists.shorewall.net and www1.shorewall.net are both hosted on the same system with a single IP address), it is not possible to filter - connections to a particular name by examiniation of protocol headers + connections to a particular name by examination of protocol headers alone. While some protocols such as FTP require the firewall to examine and possibly modify packet payload, parsing the payload of individual packets doesn't always work because the application-level data stream can be split across packets in arbitrary ways. This is one of the weaknesses of the 'string match' - Netfilter extension available in Patch-O-Matic. The only sure way to + Netfilter extension available in Patch-O-Matic-ng. The only sure way to filter on packet content is to proxy the connections in question -- in the case of HTTP, this means running something like Squid. Proxying allows the
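Review bot: in the @@ -399 hunk, the added sentence about the server's access logs being useless stops one step short: since the hack makes every redirected connection appear to come from the firewall (192.168.1.254), the firewall is the only place that still sees the original client address, so the FAQ should say that any per-host accounting or auditing for these connections has to be done on the firewall rather than on the server. Also consider "cannot be used to determine" instead of "will be useless for determining"; the point is factual, not rhetorical.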
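Review bot: the @@ -605 hunk renumbers "(FAQ 0)" to "(FAQ 51)" while the separate @@ -712 hunk deletes the existing "(FAQ 51)" section, so every cross-reference and link target that pointed at either section needs to be checked (the deleted section itself says "please see FAQ 1", so this FAQ is cross-linked). If the section's id attribute changed along with the title, external bookmarks and links into the old FAQ 51 anchor will break or, worse, land on the wrong question. The DROP to REJECT correction in the same hunk is right: it now agrees with the following text "That is the only service which the default setup rejects" and with "If you are seeing closed TCP ports other than 113 (auth) then either you have added rules to REJECT those ports".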
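Review bot: the @@ -712 hunk deletes the old "(FAQ 51) How do I 'Open a Port' with Shorewall" section outright, and with it the only place in the visible diff that gives the concrete rule for a service hosted on the firewall itself (ACCEPT net $FW <protocol> <port number>) and the pointer to FAQ 1 for a service on a local host. The surviving FAQ 51 (formerly FAQ 0) begins "No one who has installed Shorewall using one of the ...", which is the "no ports are closed by default" explanation, not a how-to. Either fold the rule and the FAQ 1 reference into the renumbered section, or state in the commit message that the how-to content is intentionally dropped.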
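Review bot: the new FAQ 59 in the @@ -1618 hunk tells the reader to copy /usr/share/shorewall/modules (or /usr/share/shorewall/xmodules) to /etc/shorewall/modules and trim it, but gives no caveat. Two points a reader will run into: a module removed from the list that a rule actually needs will make the firewall fail to start or load incomplete rules, so the answer should say to verify the firewall still starts cleanly after trimming; and the copy under /etc/shorewall/modules will not be updated when a later Shorewall release adds or renames required modules, so the reader should be told to re-compare it against the packaged file after upgrades. It is also worth stating the benefit explicitly, that loading fewer Netfilter modules reduces the kernel code exposed on the firewall, since that is the usual reason to do this.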
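Review bot: in the @@ -1681 hunk, changing FAQ 12 to "Yes and No ... but the support is woefully out of date" is more honest, but it leaves the reader unable to judge what that means in practice. Say what the consequence is, for example that configuration options added in later Shorewall releases are not exposed by the Webmin module, so it cannot be relied on to manage a current installation; otherwise the answer still sends the reader to http://www.webmin.com without telling them what will not work.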