diff --git a/Shorewall-docs2/PortKnocking.xml b/Shorewall-docs2/PortKnocking.xml
index 4c5a30146..c7266b40f 100644
--- a/Shorewall-docs2/PortKnocking.xml
+++ b/Shorewall-docs2/PortKnocking.xml
@@ -132,7 +132,7 @@ SSHKnock net loc:192.168.1.5 tcp 22 -
Limiting Per-IP Connection Rate
Suppose that you wish to limit the number of connections to port 22
- to 3/minute from internet host.
+ to 3/minute from individual internet hosts to the firewall.
@@ -156,13 +156,32 @@ run_iptables -A $CHAIN -m recent --name SSHA --seconds 60 --hitcount 3 -j reject
Add this rule to /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-SSHLimit net all tcp 22
+SSHLimit net $FW tcp 22
If you wish to log the rejects at the 'info' level then use this
rule instead:
#ACTION SOURCE DEST PROTO DEST PORT(S)
-SSHLimit:info net all tcp 22
+SSHLimit:info net $FW tcp 22
+
+
+
+ If you wish to use SSHLimit with a forwarded connection, you
+ must be using Shorewall 2.3.1 or later for fullest protection. Assume
+ that you forward port 22 from external IP address 206.124.146.178 to
+ internal system 192.168.1.5. In /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+# PORT(S) DEST
+DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
+SSHLimit net loc:192.168.1.5 tcp 22 - 206.124.146.178
+
+
+ You can use SSHLimit with DNAT on earlier releases provided
+ that you omit the ORIGINAL DEST entry on the second SSHLimit rule.
+ This rule will be quite secure provided that you specify 'norfc1918'
+ on your external interface.
+