More documentation changes for Lite

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4082 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-22 07:33:43 +01:00 · 2006-06-13 00:07:00 +00:00 · 2006-06-13 00:07:00 +00:00 · 467e62de62
commit 467e62de62
parent 90ad8341ba
8 changed files with 181 additions and 116 deletions
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2005-11-02</pubdate>
+    <pubdate>2006-06-12</pubdate>
    <copyright>
-      <year>2003-2005</year>
+      <year>2003-2002</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -44,9 +44,9 @@
  <para>Shorewall accounting rules are described in the file
  /etc/shorewall/accounting. By default, the accounting rules are placed in a
  chain called <quote>accounting</quote> and can thus be displayed using
-  <quote>shorewall show accounting</quote>. All traffic passing into, out of
+  <quote>shorewall[-lite] show accounting</quote>. All traffic passing into,
-  or through the firewall traverses the accounting chain including traffic
+  out of or through the firewall traverses the accounting chain including
-  that will later be rejected by interface options such as
+  traffic that will later be rejected by interface options such as
  <quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
  support the connection tracking match extension (Kernel 2.4.21) then some
  traffic rejected under <quote>norfc1918</quote> will not traverse the
@ -184,8 +184,9 @@
        web:COUNT       -       eth1    eth0            tcp             -               443
        DONE            web</programlisting>
-  <para>Now <quote>shorewall show web</quote> will give you a breakdown of
+  <para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
-  your web traffic:</para>
+  for Shorewall Lite users) will give you a breakdown of your web
  traffic:</para>
  <programlisting>     [root@gateway shorewall]# shorewall show web
     Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
@ -212,8 +213,9 @@
        COUNT           web     eth0    eth1
        COUNT           web     eth1    eth0</programlisting>
-  <para>Now <quote>shorewall show web</quote> simply gives you a breakdown by
+  <para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
-  input and output:</para>
+  for Shorewall Lite users) simply gives you a breakdown by input and
  output:</para>
  <programlisting>     [root@gateway shorewall]# shorewall show accounting web
     Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2006-06-10</pubdate>
+    <pubdate>2006-06-12</pubdate>
    <copyright>
      <year>2006</year>
@ -39,15 +39,9 @@
    <para>Beginning with Shorewall version 3.1, Shorewall has the capability
    to compile a Shorewall configuration and produce a runnable firewall
-    program script. The script is a complete program which can be placed in
+    program script. The script is a complete program which can be placed on a
-    the /etc/init.d/ directory on a system without Shorewall installed and can
+    system with <emphasis>Shorewall Lite</emphasis> installed and can serve as
-    serve as the firewall creation script for that system.</para>
+    the firewall creation script for that system.</para>
    <para>Compiled programs can also be created to instantiate special
    configurations during parts of the day; for example, to disallow web
    browsing between the hours of 9pm and 7AM. The program can be run as a
    cron job at 9PM and another program run at 6AM to restore normal
    operation.</para>
    <section>
      <title>Restrictions</title>
@ -197,7 +191,7 @@
          <para>The firewall systems do <emphasis role="bold">NOT</emphasis>
          need to have the full Shorewall product installed but rather only
          the Shorewall Lite product. Shorewall and Shorewall LIte may be
-          installed on the same system.</para>
+          installed on the same system but that isn't encouraged.</para>
        </note>
      </listitem>
@ -225,6 +219,15 @@
            directory appropriately. It's a good idea to include the IP
            address of the administrative system in the
            <filename>routestopped</filename> file.</para>
            <para>It is important to understand that with Shorewall Lite, the
            firewall's configuration directory on the administrative system
            acts as <filename class="directory">/etc/shorewall</filename> for
            that firewall. So when the Shorewall documentation gives
            instructions for placing entries in files in the firewall's
            <filename class="directory">/etc/shorewall</filename>, when using
            Shorewall Lite you make those changes in the firewall's
            configuration directory on the administrative system.</para>
          </listitem>
          <listitem>
@ -348,15 +351,12 @@
          <programlisting><command>shorewall stop</command></programlisting>
-          <para><emphasis role="bold">We strongly recommend that you uninstall
+          <para><emphasis role="bold">We recommend that you uninstall
          Shorewall at this point.</emphasis></para>
        </listitem>
        <listitem>
-          <para>Install Shorewall Lite on the firewall system; <emphasis
+          <para>Install Shorewall Lite on the firewall system.</para>
          role="bold">If you did not uninstall Shorewall in the previous step,
          then you must switch <filename>/sbin/shorewall</filename> to
          Shorewall Lite as described above.</emphasis></para>
        </listitem>
        <listitem>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@ -193,8 +193,8 @@ DNAT    net    loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>
          </listitem>
          <listitem>
-            <para>As root type <quote> <command>shorewall show nat</command>
+            <para>As root type <quote> <command>shorewall[-lite] show
-            </quote></para>
+            nat</command> </quote></para>
          </listitem>
          <listitem>
@ -244,11 +244,11 @@ DNAT    net    loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>
            the connection is being dropped or rejected. If it is, then you
            may have a zone definition problem such that the server is in a
            different zone than what is specified in the DEST column. At a
-            root promt, type "<command>shorewall show zones</command>" then be
+            root promt, type "<command>shorewall[-lite] show zones</command>"
-            sure that in the DEST column you have specified the <emphasis
+            then be sure that in the DEST column you have specified the
-            role="bold">first</emphasis> zone in the list that matches
+            <emphasis role="bold">first</emphasis> zone in the list that
-            OUT=&lt;dev&gt; and DEST= &lt;ip&gt;from the REJECT/DROP log
+            matches OUT=&lt;dev&gt; and DEST= &lt;ip&gt;from the REJECT/DROP
-            message.</para>
+            log message.</para>
          </listitem>
        </itemizedlist>
      </section>
@ -550,8 +550,9 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         $ETH0
        <warning>
          <para>With dynamic IP addresses, you probably don't want to use
-          <ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
+          <ulink
-          save</command> and <command>shorewall
+          url="starting_and_stopping_shorewall.htm"><command>shorewall[-lite]
          save</command> and <command>shorewall[-lite]
          restore</command></ulink>.</para>
        </warning>
      </section>
@ -1063,8 +1064,8 @@ LOGBURST=""</programlisting>
          <listitem>
            <para>The packet has a source IP address that isn't in any of your
-            defined zones (<quote>shorewall check</quote> and look at the
+            defined zones (<quote>shorewall[-lite] show zones</quote> and look
-            printed zone definitions) or the chain is FORWARD and the
+            at the printed zone definitions) or the chain is FORWARD and the
            destination IP isn't in any of your defined zones. If the chain is
            FORWARD and the IN and OUT interfaces are the same, then you
            probably need the <emphasis role="bold">routeback</emphasis>
@ -1083,8 +1084,8 @@ LOGBURST=""</programlisting>
          <listitem>
            <para>The packet has a destination IP address that isn't in any of
-            your defined zones("shorewall check" and look at the printed zone
+            your defined zones("shorewall show zones" and look at the printed
-            definitions).</para>
+            zone definitions).</para>
          </listitem>
        </varlistentry>
@ -1247,9 +1248,9 @@ LOGBURST=""</programlisting>
    </section>
    <section id="faq52">
-      <title>(FAQ 52) When I blacklist an IP address with "shorewall drop
+      <title>(FAQ 52) When I blacklist an IP address with "shorewall[-lite]
-      www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT entries
+      drop www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT
-      from that address?</title>
+      entries from that address?</title>
      <para>I blacklisted the address 130.252.100.59 using <command>shorewall
      drop 130.252.100.59</command> but I am still seeing these log
@ -1312,7 +1313,7 @@ LOGBURST=""</programlisting>
    <title>Starting and Stopping</title>
    <section id="faq7">
-      <title>(FAQ 7) When I stop Shorewall using <quote>shorewall
+      <title>(FAQ 7) When I stop Shorewall using <quote>shorewall[-lite]
      stop</quote>, I can't connect to anything. Why doesn't that command
      work?</title>
@ -1320,7 +1321,7 @@ LOGBURST=""</programlisting>
      to place your firewall into a safe state whereby only those hosts listed
      in <filename>/etc/shorewall/routestopped</filename>' are activated. If
      you want to totally open up your firewall, you must use the <quote>
-      <command>shorewall clear</command> </quote> command.</para>
+      <command>shorewall[-lite] clear</command> </quote> command.</para>
    </section>
    <section id="faq8">
@ -1512,8 +1513,8 @@ Creating input Chains...
    </section>
    <section id="faq45">
-      <title>(FAQ 45) Why does "shorewall start fail" when trying to set up
+      <title>(FAQ 45) Why does "shorewall[-lite] start" fail when trying to
-      SNAT/Masquerading?</title>
+      set up SNAT/Masquerading?</title>
      <para><command>shorewall start</command> produces the following
      output:</para>
@ -1595,12 +1596,12 @@ iptables: Invalid argument
    </section>
    <section id="faq25">
-      <title>(FAQ 25) How to I tell which version of Shorewall I am
+      <title>(FAQ 25) How to I tell which version of Shorewall or Shorewall
-      running?</title>
+      Lite I am running?</title>
      <para>At the shell prompt, type:</para>
-      <programlisting><command>/sbin/shorewall version</command>      </programlisting>
+      <programlisting><command>/sbin/shorewall[-lite] version</command>      </programlisting>
    </section>
    <section id="faq31">
@ -1988,7 +1989,7 @@ REJECT    fw            net:216.239.39.99    all</programlisting>Given that
      support?</title>
      <para><emphasis role="bold">Answer</emphasis>: Use the
-      <command>shorewall show capabilities</command> command at a root
+      <command>shorewall[-lite] show capabilities</command> command at a root
      prompt.</para>
      <programlisting>gateway:~# shorewall show capabilities
--- a/docs/Install.xml
+++ b/docs/Install.xml
@ -15,12 +15,12 @@
      </author>
    </authorgroup>
-    <pubdate>2005-11-23</pubdate>
+    <pubdate>2006-06-12</pubdate>
    <copyright>
      <year>2001-</year>
-      <year>2005</year>
+      <year>2006</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2006-03-23</pubdate>
+    <pubdate>2006-06-12</pubdate>
    <copyright>
      <year>2002-2006</year>
@ -157,7 +157,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
    <title>Dynamic Blacklisting</title>
    <para>Dynamic blacklisting doesn't use any configuration parameters but is
-    rather controlled using /sbin/shorewall commands:</para>
+    rather controlled using /sbin/shorewall[-lite] commands:</para>
    <itemizedlist>
      <listitem>
@ -219,7 +219,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
    <example>
      <title>Ignore packets from a pair of systems</title>
-      <programlisting>    <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
+      <programlisting>    <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
      <para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
    </example>
@ -227,7 +227,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
    <example>
      <title>Re-enable packets from a system</title>
-      <programlisting>    <command>shorewall allow 192.0.2.125</command></programlisting>
+      <programlisting>    <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
      <para>Re-enables traffic from 192.0.2.125.</para>
    </example>
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2006-06-04</pubdate>
+    <pubdate>2006-06-12</pubdate>
    <copyright>
      <year>2004</year>
@ -589,6 +589,13 @@
      respectively. The default level of verbosity is determined by the
      setting of the VERBOSITY option in
      <filename>/etc/shorewall/shorewall.conf</filename>.</para>
      <para>For Shorewall Lite, the general command form is:</para>
      <para><command>shorewall-lite [ &lt;options&gt; ] &lt;command&gt; [
      &lt;command options&gt; ] [ &lt;argument&gt; ... ]</command></para>
      <para>where the options are the same as with Shorewall.</para>
    </blockquote>
    <para>Following in alphabetical order are the supported commands. Except
@ -773,7 +780,8 @@
        <term>drop</term>
        <listitem>
-          <para><command>shorewall drop &lt;address&gt; ...</command></para>
+          <para><command>shorewall[-lite] drop &lt;address&gt;
          ...</command></para>
          <para>Causes packets from the specified
          &lt;<emphasis>address</emphasis>&gt; to be ignored</para>
@ -784,7 +792,7 @@
        <term>dump</term>
        <listitem>
-          <para><command>shorewall [ -x ] dump</command></para>
+          <para><command>shorewall[-lite] [ -x ] dump</command></para>
          <para>Produce a verbose report about the firewall.</para>
@ -797,7 +805,7 @@
        <term>forget</term>
        <listitem>
-          <para><command>shorewall forget [ &lt;filename&gt;
+          <para><command>shorewall[-lite] forget [ &lt;filename&gt;
          ]</command></para>
          <para>Deletes<filename>
@ -813,8 +821,8 @@
        <term>help</term>
        <listitem>
-          <para><command>shorewall help [&lt;command&gt; | host | address
+          <para><command>shorewall[-lite] help [&lt;command&gt; | host |
-          ]</command></para>
+          address ]</command></para>
          <para>Display helpful information about the shorewall
          commands.</para>
@ -825,7 +833,7 @@
        <term>hits</term>
        <listitem>
-          <para><command>hits</command></para>
+          <para><command>shorewall[-lite] hits</command></para>
          <para>Produces several reports about the Shorewall packet log
          messages in the current log file specified by the LOGFILE option in
@ -838,8 +846,8 @@
        <term>ipcalc</term>
        <listitem>
-          <para><command>shorewall ipcalc { &lt;address&gt; &lt;mask&gt; |
+          <para><command>shorewall[-lite] ipcalc { &lt;address&gt;
-          &lt;address&gt;/&lt;vlsm&gt; }</command></para>
+          &lt;mask&gt; | &lt;address&gt;/&lt;vlsm&gt; }</command></para>
          <para>Ipcalc displays the network address, broadcast address,
          network in CIDR notation and netmask corresponding to the
@ -847,7 +855,8 @@
          <para>Example:</para>
-          <para><command>ipcalc 192.168.1.0/24</command></para>
+          <para><command>shorewall[-lite] ipcalc
          192.168.1.0/24</command></para>
        </listitem>
      </varlistentry>
@ -855,7 +864,7 @@
        <term>iprange</term>
        <listitem>
-          <para><command>shorewall iprange
+          <para><command>shorewall[-lite] iprange
          &lt;address1&gt;-&lt;address2&gt;</command></para>
          <para>Iprange decomposes the specified range of IP addresses into
@ -867,7 +876,7 @@
        <term>logdrop</term>
        <listitem>
-          <para><command>shorewall logdrop &lt;address&gt;
+          <para><command>shorewall[-lite] logdrop &lt;address&gt;
          ...</command></para>
          <para>Causes packets from the specified
@ -879,7 +888,7 @@
        <term>logwatch</term>
        <listitem>
-          <para><command>shorewall logwatch [ -m ] [&lt;refresh
+          <para><command>shorewall[-lite] logwatch [ -m ] [&lt;refresh
          interval&gt;]</command></para>
          <para>Monitors the log file specified by theLOGFILE option in <ulink
@ -897,7 +906,7 @@
        <term>logreject</term>
        <listitem>
-          <para><command>shorewall logreject &lt;address&gt;
+          <para><command>shorewall[-lite] logreject &lt;address&gt;
          ...</command></para>
          <para>Causes packets from the specified
@ -926,7 +935,8 @@
        <term>reject</term>
        <listitem>
-          <para><command>shorewall reject &lt;address&gt; ...</command></para>
+          <para><command>shorewall[-lite] reject &lt;address&gt;
          ...</command></para>
          <para>Causes packets from the specified
          &lt;<emphasis>address</emphasis>&gt;s to be rejected</para>
@ -937,7 +947,7 @@
        <term>reset</term>
        <listitem>
-          <para><command>shorewall reset</command></para>
+          <para><command>shorewall[-lite] reset</command></para>
          <para>All the packet and byte counters in the firewall are
          reset.</para>
@ -948,7 +958,7 @@
        <term>restart</term>
        <listitem>
-          <para><command>shorewall [ -q ] restart
+          <para><command>shorewall[-lite] [ -q ] restart
          &lt;configuration-directory&gt;</command></para>
          <para>Restart is similar to <command>shorewall stop</command>
@ -962,7 +972,7 @@
        <term>restore</term>
        <listitem>
-          <para><command>shorewall [ -q ] restore [ &lt;filename&gt;
+          <para><command>shorewall[-lite] [ -q ] restore [ &lt;filename&gt;
          ]</command></para>
          <para>Restore Shorewall to a state saved using the
@ -1016,15 +1026,16 @@
        <term>save</term>
        <listitem>
-          <para><command>shorewall save [ &lt;filename&gt; ]</command></para>
+          <para><command>shorewall[-lite] save [ &lt;filename&gt;
          ]</command></para>
          <para>The dynamic data is stored in /var/lib/shorewall/save. The
          state of the firewall is stored in
          <filename>/var/lib/shorewall/&lt;filename&gt;</filename> for use by
-          the <command>shorewall restore</command> and <command>shorewall -f
+          the <command>shorewall[-lite] restore</command> and
-          start</command> commands. If &lt;<emphasis>filename</emphasis>&gt;
+          <command>shorewall[-lite] -f start</command> commands. If
-          is not given then the state is saved in the file specified by the
+          &lt;<emphasis>filename</emphasis>&gt; is not given then the state is
-          RESTOREFILE option in <ulink
+          saved in the file specified by the RESTOREFILE option in <ulink
          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
        </listitem>
      </varlistentry>
@ -1033,40 +1044,52 @@
        <term>show</term>
        <listitem>
-          <para><command>shorewall [ -x ] show [ &lt;chain&gt; [ &lt;chain&gt;
+          <para><command>shorewall [ -x ] show actions (Not supported by
-          ...] |classifiers|connections|log|nat|tc|tos]</command></para>
+          Shorewall Lite)</command> — produces a list of actions available on
          the system.</para>
-          <para><command>shorewall [ -x ] show &lt;chain&gt; [ &lt;chain&gt;
+          <para><command>shorewall[-lite] [ -x ] show [ &lt;chain&gt; [
-          ... ] </command> - produce a verbose report about the Netfilter
+          &lt;chain&gt; ...]
-          chain(s). (<command>iptables -L chain -n -v</command>)</para>
+          |classifiers|connections|log|nat|tc|tos]</command></para>
-          <para><command>shorewall [ -x ] show mangle</command> - produce a
+          <para><command>shorewall[-lite] [ -x ] show &lt;chain&gt; [
-          verbose report about the mangle table. (<command>iptables -t mangle
+          &lt;chain&gt; ... ] </command> - produce a verbose report about the
-          -L -n -v</command>)</para>
+          Netfilter chain(s). (<command>iptables -L chain -n
          <para><command>shorewall [ -x ] show nat</command> - produce a
          verbose report about the nat table. (<command>iptables -t nat -L -n
          -v</command>)</para>
-          <para><command>shorewall show [- m ] log</command> - display the
+          <para><command>shorewall[-lite] [ -x ] show mangle</command> -
-          last 20 packet log entries. The '-m' option is available in
+          produce a verbose report about the mangle table. (<command>iptables
          -t mangle -L -n -v</command>)</para>
          <para><command>shorewall[-lite] [ -x ] show nat</command> - produce
          a verbose report about the nat table. (<command>iptables -t nat -L
          -n -v</command>)</para>
          <para><command>shorewall[-lite] show [- m ] log</command> - display
          the last 20 packet log entries. The '-m' option is available in
          Shorewall version 3.2.0 Beta5 and later and causes the MAC address
          of each packet source to be displayed if that information is
          available.</para>
-          <para><command>shorewall show capabilities</command> - Displays your
+          <para><command>shorewall[-lite] show capabilities</command> -
-          kernel/iptables capabilities</para>
+          Displays your kernel/iptables capabilities</para>
-          <para><command>shorewall show connections</command> - displays the
+          <para><command>shorewall[-lite] show connections</command> -
-          IP connections currently being tracked by the firewall.</para>
+          displays the IP connections currently being tracked by the
          firewall.</para>
-          <para><command>shorewall show classifiers</command> - displays
+          <para><command>shorewall[-lite] show classifiers</command> -
-          information about the traffic control/shaping classifiers.</para>
+          displays information about the traffic control/shaping
          classifiers.</para>
-          <para><command>shorewall show tc</command> - displays information
+          <para><command>shorewall [ -x ] show macros (Not supported by
-          about the traffic control/shaping configuration.</para>
+          Shorewall Lite)</command> — produces a list of macros available on
          the system.</para>
-          <para><command>shorewall show zones</command> — Displays the
+          <para><command>shorewall[-lite] show tc</command> - displays
          information about the traffic control/shaping configuration.</para>
          <para><command>shorewall[-lite] show zones</command> — Displays the
          composition of each zone.</para>
          <para>When -x is given, that option is also passed to iptables to
@ -1078,7 +1101,7 @@
        <term>start</term>
        <listitem>
-          <para><command>shorewall [ -q ] [ -f ] start [
+          <para><command>shorewall[-lite] [ -q ] [ -f ] start [
          &lt;configuration-directory&gt; ]</command></para>
          <para>Start shorewall. Existing connections through shorewall
@ -1096,7 +1119,7 @@
        <term>stop</term>
        <listitem>
-          <para><command>shorewall stop</command></para>
+          <para><command>shorewall[-lite] stop</command></para>
          <para>Stops the firewall. All existing connections, except those
          listed in <filename><ulink
@ -1114,7 +1137,7 @@
        <term>status</term>
        <listitem>
-          <para><command>shorewall status</command></para>
+          <para><command>shorewall[-lite] status</command></para>
          <para>Produce a short report about the firewall's status and state
          relative to <link linkend="State">the diagram below</link>.</para>
@ -1146,7 +1169,7 @@
        <term>version</term>
        <listitem>
-          <para><command>shorewall version</command></para>
+          <para><command>shorewall[-lite] version</command></para>
          <para>Show the current shorewall version</para>
        </listitem>
@ -1161,13 +1184,6 @@
    <para><graphic align="center" fileref="images/State_Diagram.png" /></para>
    <para>You will note that mose of the commands that result in state
    transitions use the word <quote>firewall</quote> rather than
    <quote>shorewall</quote>. That is because the actual transitions are done
    by <command>/usr/share/shorewall/firewall</command>;
    <command>/sbin/shorewall</command> runs <quote>firewall</quote> according
    to the following table:</para>
    <informaltable>
      <tgroup cols="3">
        <thead>
@ -1268,11 +1284,11 @@
    </informaltable>
    <para>The only time that a program other than
-    <command>/usr/share/shorewall/firewall</command> performs a state
+    <command>/usr/share/shorewall[-lite[/firewall</command> performs a state
-    transition itself is when it executes the <command>shorewall
+    transition itself is when it executes the <command>shorewall[-lite]
    restore</command> command is executed. In that case, the
-    <command>/var/lib/shorewall/restore</command> program sets the state to
+    <command>/var/lib/shorewall[-lite]/restore</command> program sets the
-    "Started".</para>
+    state to "Started".</para>
    <section>
      <title>Notes for Shorewall 3.2.0 and Later</title>
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@ -191,6 +191,52 @@
          </listitem>
        </orderedlist>
      </listitem>
      <listitem>
        <para> Beginning with this release, the way in which packet marking in
        the PREROUTING chain interracts with the 'track' option in
        /etc/shorewall/providers has changed in two ways:</para>
        <orderedlist numeration="loweralpha">
          <listitem>
            <para>Packets arriving on a tracked interface are now passed to
            the PREROUTING marking chain so that they may be marked with a
            mark other than the 'track' mark (the connection still retains the
            'track' mark).</para>
          </listitem>
          <listitem>
            <para>When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on
            packets in the PREROUTING chain (i.e., you can specify a mark
            value of zero).</para>
          </listitem>
        </orderedlist>
      </listitem>
      <listitem>
        <para> Kernel version 2.6.16 introduces 'xtables', a new common packet
        filtering and connection tracking facility that supports both IPv4 and
        IPv6. Because a different set of kernel modules must be loaded for
        xtables, Shorewall now includes two 'modules' files:</para>
        <orderedlist numeration="loweralpha">
          <listitem>
            <para><filename>/usr/share/shorewall/modules</filename> -- the
            former <filename>/etc/shorewall/modules</filename></para>
          </listitem>
          <listitem>
            <para>/usr/share/shorewall/xmodules -- a new file that support
            xtables.</para>
          </listitem>
        </orderedlist>
        <para>If you wish to use the new file, then simply execute this
        command:</para>
        <para><command>cp -f /usr/share/shorewall/xmodules
        /etc/shorewall/modules</command></para>
      </listitem>
    </orderedlist>
  </section>
--- a/tools/build/makeshorewall
+++ b/tools/build/makeshorewall
@ -59,7 +59,7 @@ DIR=$PWD
 #
 # location and options for GnuPG
 #
-GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
+GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
 ################################################################################
 #                               V A R I A B L E S
 ################################################################################