diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index eeda8672e..154e934fe 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1771,6 +1771,43 @@ iptables: Invalid argument
that command can run without error, no stateful iptables firewall will
be able to run in your VM.
+
+
+ (FAQ 73) When I stop Shorewall, the firewall is wide open. Isn't
+ that a security risk?
+
+ It is important to understand that the scripts in /etc/init.d are generally provided by your
+ distribution and not by the Shorewall developers. These scripts must
+ meet the requirements of the distribution's packaging system which may
+ conflict with the requirements of a tight firewall. So when you say
+ "…when I stop Shorewall…" it is necessary to distinguish between the
+ commands /sbin/shorewall stop and
+ /etc/init.d/shorewall stop.
+
+ /sbin/shorewall stop places the firewall in a
+ safe state, the details of which depend on your
+ /etc/shorewall/routestopped file (shorewall-routestopped(8))
+ and on the setting of ADMINISABSENTMINDED in
+ /etc/shorewall/shorewall.conf (shorewall.conf(8)).
+
+ /etc/init.d/shorewall stop may or may not do
+ the same thing. In the case of Debian systems for
+ example, that command actually executes /sbin/shorewall
+ clear which opens the firewall completely. In other words, in
+ the init scripts stop undoes the effect of
+ start.
+
+ One way to avoid these differences is to install Shorewall from
+ the tarballs available from shorewall.net. This places Shorewall outside
+ of the control of the packaging system and provides consistent behavior
+ between the init scripts and /sbin/shorewall (and
+ /sbin/shorewall-lite). For more information on the
+ tradeoffs involved when deciding whether to use the Debian package, see
+ this article.
+
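Review bot: The sentence "In other words, in the init scripts stop undoes the effect of start" in the third answer paragraph generalizes the Debian example to every distribution, which contradicts "may or may not do the same thing" just above it. Scope it, for example "In other words, in such init scripts stop undoes the effect of start." The only remedy offered is switching to the tarball install, so a reader who keeps the distribution package is left without guidance. A sentence telling them to run /sbin/shorewall stop directly when they want the safe state would cover that case using only commands this entry already names. The entry also says the safe state depends on routestopped and ADMINISABSENTMINDED without saying what either one changes; one clause on each would spare the reader a trip to the man pages. Lastly, "see this article" tells the reader nothing about the target outside rendered output, so put the article's title in the link text.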