diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 9b0fdb3ae..cf907db67 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -115,18 +115,6 @@ -
- (FAQ 75) I can't find the Shorewall 4.0 (or 4.2) shorewall-common - RPM. Where is it? - - Answer: If you use Simon Matter's - Redhat/Fedora/CentOS rpms, be aware that Simon calls the - shorewall-common RPM - shorewall. So you should download and install the - appropriate shorewall-4.x.y RPM from his - site. -
-
(FAQ 14) I can't find the Shorewall 4.4 shorewall-common, shorewall-shell and shorewall-perl packages? Where are they? @@ -143,27 +131,11 @@ Upgrading Shorewall
- (FAQ 66) I'm trying to upgrade to Shorewall 4.0 (or 4.2); where - is the 'shorewall' package? + (FAQ 66) I'm trying to upgrade to Shorewall 4.x; which of these + packages do I need to install? Answer: Please see the upgrade issues. - -
- (FAQ 66a) I'm trying to upgrade to Shorewall 4.0 (or 4.2); do I - have to uninstall the 'shorewall' package? - - Answer: Please see the upgrade issues. -
- -
- (FAQ 66b) I'm trying to upgrade to Shorewall 4.x: which of - these packages do I need to install? - - Answer: Please see the upgrade issues. -
@@ -186,7 +158,7 @@ these issues? Answer: Please see the upgrade issues. + url="upgrade_issues.htm">upgrade issues.
@@ -211,6 +183,11 @@ url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf contains the Debian default setting IP_FORWARDING=Keep; it should be IP_FORWARDING=On. + + Update: Beginning with Shorewall + 4.4.21, there is a shorewall update + command that does a smart merge of your existing shorewall.conf and the + new one.
@@ -617,7 +594,7 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
- (FAQ 48) How do I Set up Transparent HTTP Proxy with + <title>(FAQ 48) How do I Set up a Transparent HTTP Proxy with Shorewall? Answer: See your firewall is responding to connection requests on those ports. - If you would prefer to 'stealth' port 113, then copy - /usr/share/shorewall/action.Drop to - /etc/shorewall/ and modify the invocation of Auth - to Auth(DROP). + If you would prefer to 'stealth' port 113, then: + + + + If you are running Shorewall 4.4.20 or earlier, copy + /usr/share/shorewall/action.Drop to + /etc/shorewall/ and modify the invocation of + Auth to Auth(DROP). + + + + If you are running Shorewall 4.4.21 or later, in + shorewall.conf, set DROP_DEFAULT=Drop(-,DROP). See the Action HOWTO to learn why that magic + works. + +
(FAQ 4a) I just ran an nmap UDP scan of my firewall and it @@ -1866,20 +1856,6 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times</programlisting> solution is to <emphasis role="bold">not specify the primary IP address of an interface in the EXTERNAL column</emphasis>.</para> </section> - - <section id="faq82"> - <title>(FAQ 82) When I enable USE_DEFAULT_RT, Shorewall won't - start - - I get the following errors: - - RTNETLINK answers: Numerical result out of range -ERROR: Command "ip -4 rule add from all table 254 pref 999" Failed - - Answer: This is a known kernel - issue -- see http://lkml.org/lkml/2007/3/30/253. -
@@ -2022,36 +1998,6 @@ iptables: Invalid argument LOAD_HELPERS_ONLY=Yes in shorewall.conf.
-
- (FAQ 61) I just installed the latest Debian kernel and now - "shorewall start" fails with the message "ipt_policy: matchsize 116 != - 308". What's wrong? - - Answer: Your iptables is - incompatible with your kernel. Either - - - - rebuild iptables using the kernel headers that match your new - kernel; or - - - - if you don't need policy match support (you are not using the - IPSEC implementation builtinto the 2.6 kernel) then you can rename - /lib/iptables/libipt_policy.so. - - - - - Shorewall does not attempt to use policy match if you have no - IPSEC zones and you have not specified the - option on any entry in /etc/shorewall/hosts. The - subject message will still appear in your kernel log each time that - Shorewall determines the capabilities of your kernel/iptables. - -
-
(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of the following message: @@ -2097,28 +2043,6 @@ iptables: Invalid argument installed by the .deb.
-
- (FAQ 74) When I "<command>shorewall start</command>" or - "<command>shorewall check</command>" on my SuSE 10.0 system, I get FATAL - ERROR messages and/or the system crashes" - - Answer: These failures result - from trying to load a particular combination of kernel modules. To work - around the problem: - - - - Copy /usr/share/shorewall/modules to - /etc/shorewall/modules - - - - Edit /etc/shorewall/modules and remove all entries except for - those for the helper modules that you need. - - -
-
(FAQ 78) After restart and bootup of my Debian firewall, all traffic is blocked for hosts behind the firewall trying to connect out @@ -2173,22 +2097,6 @@ shorewall status > /dev/null 2>&1 || shorewall start # Start Shorewall </variablelist> </section> - <section id="faq87"> - <title>(FAQ 87) My firewall starts and restarts fine but if I try - 'shorewall restore', the script fails because none of my shell variables - from /etc/shorewall/params are set. Why? - - Answer: You probably need to set - EXPORTPARAMS=Yes. During start and - restart, - /etc/shorewall/params is processed by the shell - after set -a; as a result, all param - settings become part of the shell's environment and are inherited by the - running script. The shell does not process - /etc/shorewall/params when processing the restore command. -
-
(FAQ 90) Shorewall starts fine but after several minutes, it stops. Why is it doing that? diff --git a/docs/support.xml b/docs/support.xml index 02a70e518..ba6640070 100644 --- a/docs/support.xml +++ b/docs/support.xml @@ -60,7 +60,7 @@ The FAQ has solutions to more than - 70 common problems. + 90 common problems.
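Review bot: The "Update:" paragraph added in the @@ -211,6 +183,11 @@ hunk of docs/FAQ.xml does not say whether shorewall update resolves the IP_FORWARDING=Keep problem described in the sentence just before it. "Smart merge" also leaves open which settings are kept from the existing shorewall.conf and which come from the new one. Suggest stating what the command preserves and whether the reader still has to set IP_FORWARDING=On by hand.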
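Review bot: The new FAQ 48 title in the @@ -617,7 +594,7 @@ hunk of docs/FAQ.xml, "How do I Set up a Transparent HTTP Proxy with Shorewall?", gains the missing article but still capitalizes "Set" mid-sentence. Since the line is being touched anyway, suggest lowercasing it to "set up" to match the sentence-style titles of the neighbouring FAQ entries.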
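Review bot: In the port 113 'stealth' change in docs/FAQ.xml, the item for Shorewall 4.4.21 or later gives DROP_DEFAULT=Drop(-,DROP) and defers to the Action HOWTO "to learn why that magic works", so the reader cannot tell from the FAQ what either parameter does. Suggest adding one sentence that says which parameter takes the place of the earlier Auth(DROP) edit and what the "-" stands for, keeping the HOWTO link for the detail.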
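Review bot: The @@ -1866,20 +1856,6 @@ and @@ -2173,22 +2097,6 @@ hunks of docs/FAQ.xml delete <section id="faq82"> and <section id="faq87">, which removes those anchors, so any link elsewhere in the docs that targets them will break. Suggest searching the docs tree for faq82 and faq87, and likewise for the other entries removed in this patch (FAQ 75, 66a, 66b, 61, 74), before merging. Where a reference exists, either update it or leave a short stub section that points to the current guidance.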
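Review bot: In docs/support.xml the figure changes from "70 common problems" to "90 common problems", while this same patch deletes FAQ 75, 66a, 66b, 82, 61, 74 and 87 from docs/FAQ.xml. The highest FAQ number visible here (FAQ 90) is a label, not a count of remaining entries. Suggest counting the sections actually left in FAQ.xml, or rewording the sentence without a hard-coded number so it does not drift again as entries are added and retired.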