From 5427a928a3bfa9fc03aad65f5882946e72905653 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 7 Oct 2007 15:09:57 +0000 Subject: [PATCH] Add FAQ about init scripts git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7432 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/FAQ.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index eeda8672e..154e934fe 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1771,6 +1771,43 @@ iptables: Invalid argument that command can run without error, no stateful iptables firewall will be able to run in your VM. + +
+ (FAQ 73) When I stop Shorewall, the firewall is wide open. Isn't + that a security risk? + + It is important to understand that the scripts in /etc/init.d are generally provided by your + distribution and not by the Shorewall developers. These scripts must + meet the requirements of the distribution's packaging system which may + conflict with the requirements of a tight firewall. So when you say + "…when I stop Shorewall…" it is necessary to distinguish between the + commands /sbin/shorewall stop and + /etc/init.d/shorewall stop. + + /sbin/shorewall stop places the firewall in a + safe state, the details of which depend on your + /etc/shorewall/routestopped file (shorewall-routestopped(8)) + and on the setting of ADMINISABSENTMINDED in + /etc/shorewall/shorewall.conf (shorewall.conf(8)). + + /etc/init.d/shorewall stop may or may not do + the same thing. In the case of Debian systems for + example, that command actually executes /sbin/shorewall + clear which opens the firewall completely. In other words, in + the init scripts stop undoes the effect of + start. + + One way to avoid these differences is to install Shorewall from + the tarballs available from shorewall.net. This places Shorewall outside + of the control of the packaging system and provides consistent behavior + between the init scripts and /sbin/shorewall (and + /sbin/shorewall-lite). For more information on the + tradeoffs involved when deciding whether to use the Debian package, see + this article. +
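Review bot: the answer explains that on Debian `/etc/init.d/shorewall stop` runs `/sbin/shorewall clear`, but it never states the direct remedy before jumping to "install from the tarballs": add a sentence after the Debian paragraph telling the reader that, when the safe state is wanted, they should run `/sbin/shorewall stop` itself (and that a distribution init script can be edited to call it), since replacing the package is a much heavier change than the question warrants. Two smaller points in the same section: "in the init scripts stop undoes the effect of start" reads as a general rule, but the preceding sentence only establishes it for Debian ("may or may not do the same thing"), so qualify it as "in the Debian init script"; and "see this article" should name the article in the link text so the reference still makes sense in plain-text renderings of FAQ.xml.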