diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 7e956a4fd..58076f405 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -157,7 +157,7 @@ DNAT net:<address> loc:<local IP addr <low-port>:<high-port>.
- (FAQ 1a) Ok -- I followed those instructions but it doesn't + <title>(FAQ 1a) Okay -- I followed those instructions but it doesn't work Answer: That is usually the @@ -177,7 +177,8 @@ DNAT net:<address> loc:<local IP addr - Your ISP is blocking that particular port inbound. + Your ISP is blocking that particular port inbound or, for + TCP, your ISP is dropping the outbound SYN,ACK response. @@ -201,9 +202,10 @@ DNAT net:<address> loc:<local IP addr - As root, type iptables -t nat -Z - . This clears the NetFilter counters in the nat - table. + As root, type shorewall reset + ("shorewall-lite reset", if you are + running Shorewall Lite). This clears all NetFilter + counters. @@ -212,8 +214,9 @@ DNAT net:<address> loc:<local IP addr - As root type shorewall[-lite] show - nat + As root type shorewall show nat + ("shorewall-lite show nat", if you are + running Shorewall Lite). 
@@ -263,20 +266,21 @@ DNAT net:<address> loc:<local IP addr the connection is being dropped or rejected. If it is, then you may have a zone definition problem such that the server is in a different zone than what is specified in the DEST column. At a - root promt, type "shorewall[-lite] show zones" - then be sure that in the DEST column you have specified the - first zone in the list that - matches OUT=<dev> and DEST= <ip>from the REJECT/DROP - log message. + root promt, type "shorewall show zones" + ("shorewall-lite show zones") then be sure that + in the DEST column you have specified the first zone in the list that matches + OUT=<dev> and DEST= <ip>from the REJECT/DROP log + message. If everything seems to be correct according to these tests but the connection doesn't work, it may be that your ISP is blocking SYN,ACK responses. This technique allows your ISP to - detect when you are running a server (in violation of your service - agreement) and to stop connections to that server from being - established. + detect when you are running a server (usually in violation of your + service agreement) and to stop connections to that server from + being established.
@@ -325,7 +329,7 @@ DNAT loc dmz:192.168.2.4 tcp 80 - 206 In /etc/shorewall/params: - ETH0_IP=`find_interface_address eth0` + ETH0_IP=`find_interface_address eth0` For users of Shorewall 2.1.0 and later: @@ -425,15 +429,17 @@ DNAT net fw:192.168.1.1:22 tcp 4104 + But if you are the type of person who prefers quick and dirty + hacks to "doing it right", then proceed as described below. + All traffic redirected through use of this hack will look to + the server as if it originated on the firewall rather than on the + original client! So the server's access logs will be useless for + determining which local hosts are accessing the server. + + Assuming that your external interface is eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254 with subnet - 192.168.1.0/24, then: - All traffic redirected through use of this hack will look to - the server as if it came from the firewall (192.168.1.254) rather - than from the original client! So the server's access logs will be - useless for determining which local hosts are accessing the - server. - + 192.168.1.0/24, then: @@ -447,7 +453,7 @@ loc eth1 detect routeback In /etc/shorewall/masq: #INTERFACE SUBNET ADDRESS PROTO PORT(S) -eth1:192.168.1.5 eth1 192.168.1.254 tcp www +eth1:192.168.1.5 eth1 192.168.1.254 tcp www @@ -455,7 +461,7 @@ eth1:192.168.1.5 eth1 192.168.1.254 tcp www#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # PORT DEST. -DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69 +DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69 That rule only works of course if you have a static external IP address. If you have a dynamic IP address then include this in @@ -469,7 +475,8 @@ DNAT loc loc:192.168.1.5 tcp www - 130.15 #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # PORT DEST. -DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP +DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP Using this technique, you will want to configure your DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each 
@@ -536,7 +543,7 @@ dmz eth2 192.168.2.255 routeback In /etc/shorewall/masq: #INTERFACE SUBNETS ADDRESS -eth2 eth2 192.168.2.254 +eth2 eth2 192.168.2.254 Like the silly hack in FAQ 2 above, this will make all dmz->dmz traffic appear to originate on the firewall. @@ -568,7 +575,7 @@ eth2 eth2 192.168.2.254 #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT DEST -DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 +DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 If your external IP address is dynamic, then you must do the following: @@ -583,7 +590,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - 206 #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # PORT DEST. -DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP +DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP With dynamic IP addresses, you probably don't want to use diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index 13e2e5b6e..6d96ad936 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -532,7 +532,7 @@ loc net ACCEPT - Perl Getopts::Long Module + Perl Getopt::Long Module
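Review bot: the "show zones" hunk in docs/FAQ.xml rewrites the whole sentence but carries two defects over into the + lines: "At a root promt" should read "At a root prompt", and "DEST= <ip>from the REJECT/DROP log" needs a space before "from" (and ideally none after "DEST="), otherwise the rendered text runs the address into the next word. Since the lines are being replaced anyway, fix both here, e.g. "OUT=<dev> and DEST=<ip> from the REJECT/DROP log message".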
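Review bot: in the FAQ 2 hunk (the "quick and dirty hacks" paragraph) the warning is moved ahead of the "Assuming that your external interface is eth0 ..." paragraph and, in the move, loses the concrete address: the old text said traffic appears to come "from the firewall (192.168.1.254)", the new text just says "on the firewall". The 192.168.1.254 is what the reader later sees in the ADDRESS column of the masq entry ("eth1:192.168.1.5 eth1 192.168.1.254 tcp www"), so keeping the address, or saying "the firewall's internal (eth1) address", would let the reader connect the warning to the rule that causes it. It is also worth stating that the warning is not only a logging nuisance: any host-based access control on the server that keys on client address (tcp wrappers, allow lists) will see only the firewall's address.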
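Review bot: several hunks replace a line with a visually identical one (ETH0_IP=`find_interface_address eth0`, "eth1:192.168.1.5 eth1 192.168.1.254 tcp www", the two "DNAT loc loc:192.168.1.5 ..." rules, "eth2 eth2 192.168.2.254", and the two "DNAT loc dmz:192.168.2.4 ..." rules). If these are whitespace or entity-only changes inside programlisting blocks, say so in the commit message so reviewers do not hunt for a content change; if they were unintended editor reformatting, consider dropping them so the patch stays a pure documentation fix. Either way, please confirm the column alignment of the masq and rules examples still matches the header comments after the change, since readers copy these lines verbatim.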