Documentation Updages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1492 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Documentation_Index.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-16</pubdate>
+    <pubdate>2004-07-20</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -243,8 +243,7 @@
     </listitem>
 
     <listitem>
-      <para><ulink url="NAT.htm">One-to-one NAT</ulink> (Formerly referred to
+      <para><ulink url="NAT.htm">One-to-one NAT</ulink> (Static NAT)</para>
-      as Static NAT)</para>
     </listitem>
 
     <listitem>
@@ -344,6 +343,10 @@
       <para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
     </listitem>
 
+    <listitem>
+      <para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
+    </listitem>
+
     <listitem>
       <para><ulink url="Accounting.html">Traffic Accounting</ulink></para>
     </listitem>

Shorewall-docs2/ProxyARP.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-02-14</pubdate>
+    <pubdate>2004-07-22</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -33,10 +33,45 @@
     </legalnotice>
   </articleinfo>
 
-  <para>Proxy ARP allows you to insert a firewall in front of a set of servers
+  <para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
-  without changing their IP addresses and without having to re-subnet. Before
+  one network appear to be logically part of a different physical network
-  you try to use this technique, I strongly recommend that you read the <ulink
+  connected to the same router/firewall. Typically it allows us to hide a
-  url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
+  machine with a public IP address on a private network behind a router, and
+  still have the machine appear to be on the public network &#34;in front
+  of&#34; the router. The router &#34;proxys&#34; ARP requests and all network
+  traffic to and from the hidden machine to make this fiction possible.</para>
+
+  <para>Consider a router with two interface cards, one connected to a public
+  network PUBNET and one connected to a private network PRIVNET. We want to
+  hide a server machine on the PRIVNET network but have it accessible from the
+  PUBNET network. The IP address of the server machine lies in the PUBNET
+  network, even though we are placing the machine on the PRIVNET network
+  behind the router.</para>
+
+  <para>By enabling proxy ARP on the router, any machine on the PUBNET network
+  that issues an ARP &#34;who has&#34; request for the server&#39;s MAC
+  address will get a proxy ARP reply from the router containing the
+  router&#39;s MAC address. This tells machines on the PUBNET network that
+  they should be sending packets destined for the server via the router. The
+  router forwards the packets from the machines on the PUBNET network to the
+  server on the PRIVNET network.</para>
+
+  <para>Similarly, when the server on the PRIVNET network issues a &#34;who
+  has&#34; request for any machines on the PUBNET network, the router provides
+  its own MAC address via proxy ARP. This tells the server to send packets for
+  machines on the PUBNET network via the router. The router forwards the
+  packets from the server on the PRIVNET network to the machines on the PUBNET
+  network.</para>
+
+  <para>The proxy ARP provided by the router allows the server on the
+  PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
+  pass ARP requests and other network packets in both directions between the
+  server machine and the PUBNET network, making the server machine appear to
+  be connected to the PUBNET network even though it is on the PRIVNET network
+  hidden behind the router. </para>
+
+  <para>Before you try to use this technique, I strongly recommend that you
+  read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
 
   <section>
     <title>Example</title>

Shorewall-docs2/ReleaseModel.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-03</pubdate>
+    <pubdate>2004-07-21</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -54,12 +54,14 @@
 
       <listitem>
         <para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
-        <firstterm>Stable Releases</firstterm>. No new features are added to
+        <firstterm>Stable Releases</firstterm>. No major new features are
-        stable releases and new minor releases of a stable release will only
+        added to stable releases and new minor releases of a stable release
-        contain bug fixes. Installing a new minor release for the major
+        will only contain bug fixes and simple low-risk enhancements.
-        release that you are currently running involves no migration issues
+        Installing a new minor release for the major release that you are
-        (for example, if you are running 1.4.10 and I release 1.4.11, your
+        currently running involves no migration issues unless you want to take
-        current configuration is 100% compatible with the new release).</para>
+        advantage of an enhancement (for example, if you are running 1.4.10
+        and I release 1.4.11, your current configuration is 100% compatible
+        with the new release).</para>
       </listitem>
 
       <listitem>
@@ -123,9 +125,9 @@
   <section>
     <title>Old Release Model</title>
 
-    <para>This release model described above was adopted on 2003-07-03. Prior
+    <para>This release model described above was adopted on 2004-07-03 and
-    to that time, a different release model was followed. Highlights of that
+    modified 2004-07-21. Prior to 2004-07-03, a different release model was
-    model were:</para>
+    followed. Highlights of that model were:</para>
 
     <orderedlist>
       <listitem>
@@ -134,9 +136,9 @@
       </listitem>
 
       <listitem>
-        <para>New functionality was added in minor releases of the current
+        <para>Major new functionality was added in minor releases of the
-        major release. There was no concept of Stable vs Development major
+        current major release. There was no concept of Stable vs Development
-        releases.</para>
+        major releases.</para>
       </listitem>
 
       <listitem>
@@ -144,8 +146,8 @@
         of a major release and had identifications of the form
         <emphasis>x.y.zX</emphasis> (e.g., 2.0.3c) where <emphasis>X</emphasis>=1,b,c,...
         . Consequently, if a user required a bug fix but was not running the
-        last minor release of the associated major release then it was
+        last minor release of the associated major release then it might be
-        necessary to accept new functionailty along with the bug fix.</para>
+        necessary to accept major new functionailty along with the bug fix.</para>
       </listitem>
     </orderedlist>
   </section>

Shorewall-docs2/Shorewall_Squid_Usage.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-16</pubdate>
+    <pubdate>2004-07-20</pubdate>
 
     <copyright>
       <year>2003-2004</year>
@@ -80,6 +80,13 @@ MANGLE_ENABLED=Yes</programlisting>
         </listitem>
       </itemizedlist>
     </caution>
+
+    <caution>
+      <para>In the instructions below, only TCP Port 80 is opened from the
+      system running Squid to the internet. If your users require browsing
+      sites that use a port other than 80 (e.g., http://www.domain.tld:<emphasis
+      role="bold">8080</emphasis>) then you must open those ports as well.</para>
+    </caution>
   </section>
 
   <section>
@@ -301,7 +308,7 @@ chkconfig --level 35 iptables on</command></programlisting>
 
     <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
 ACCEPT    Z        SZ     tcp     SP
-ACCEPT    SZ       net    tcp     80</programlisting>
+ACCEPT    SZ       net    tcp     80,443</programlisting>
 
     <example>
       <title>Squid on the firewall listening on port 8080 with access from the
@@ -309,7 +316,7 @@ ACCEPT    SZ       net    tcp     80</programlisting>
 
       <para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
 ACCEPT    loc      fw     tcp      8080
-ACCEPT    fw       net    tcp      80</programlisting></para>
+ACCEPT    fw       net    tcp      80,443</programlisting></para>
     </example>
   </section>
 </article>

Shorewall-docs2/shorewall_setup_guide.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-15</pubdate>
+    <pubdate>2004-07-22</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -1365,18 +1365,23 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
 
           <listitem>
             <para>The firewall responds to ARP <quote>who has</quote> requests
-            for <emphasis role="bold">A</emphasis>.</para>
+            for <emphasis role="bold">A</emphasis> from machines outside of
+            the firewall.</para>
           </listitem>
 
           <listitem>
-            <para>When <emphasis role="bold">H</emphasis> <emphasis
+            <para>When <emphasis role="bold">H</emphasis> issues an ARP
-            role="bold">A </emphasis>andissues an ARP <quote>who has</quote>
+            <quote>who has</quote> request for a machine with an address in
-            request for an address in the subnetwork defined by <emphasis
+            the network defined by <emphasis role="bold">M</emphasis> where
-            role="bold">M</emphasis>, the firewall will respond (with the MAC
+            the target machine is outside of the firewall, the firewall will
-            if the firewall interface) to <emphasis role="bold">H</emphasis>.</para>
+            respond to <emphasis role="bold">H</emphasis> (with the MAC of the
+            firewall interface).</para>
           </listitem>
         </itemizedlist>
 
+        <para>For a more complete description of how Proxy ARP works, please
+        see the <ulink url="ProxyARP.htm">Shorewall Proxy Documentation</ulink>.</para>
+
         <para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
         example network.</para>
 

Shorewall-docs2/troubleshoot.xml

@@ -410,9 +410,9 @@ DROP      net              fw                  icmp    echo-request</programlist
   <appendix>
     <title>Revision History</title>
 
-    <para><revhistory><revision><revnumber>1.8</revnumber><date>2005-04-03</date><authorinitials>TE</authorinitials><revremark>Point
+    <para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-03</date><authorinitials>TE</authorinitials><revremark>Point
-    out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2005-02-02</date><authorinitials>TE</authorinitials><revremark>Add
+    out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-02</date><authorinitials>TE</authorinitials><revremark>Add
-    hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
+    hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-01-06</date><authorinitials>TE</authorinitials><revremark>Add
     pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
     information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
     Docbook Conversion</revremark></revision></revhistory></para>