From 84dd22a4ebee19bfa07ec8eb9228fe2a4746cfa4 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Mon, 11 Dec 2006 15:57:41 +0000
Subject: [PATCH] Add note about ISPs blocking SYN,ACK

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5094 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/FAQ.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 50a6dc9e0..92e7aa5ef 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -253,6 +253,15 @@ DNAT    net:<emphasis>&lt;address&gt;</emphasis> loc:&lt;l<emphasis>ocal IP addr
             matches OUT=&lt;dev&gt; and DEST= &lt;ip&gt;from the REJECT/DROP
             log message.</para>
           </listitem>
+
+          <listitem>
+            <para>If everything seems to be correct according to these tests
+            but the connection doesn't work, it may be that your ISP is
+            blocking SYN,ACK responses. This technique allows your ISP to
+            detect when you are running a server (in violation of your service
+            agreement) and to stop connections to that server from being
+            established. </para>
+          </listitem>
         </itemizedlist>
       </section>