Note that mss= in zones file should be accompanied by FASTACCEPT=No

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7165 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/Documentation_Index.xml

@@ -55,7 +55,7 @@
       <tgroup align="left" cols="3">
         <tbody>
           <row>
-            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
+            <entry></entry>
 
             <entry><ulink url="PortKnocking.html#Limit">Limiting per-IPaddress
             Connection Rate</ulink></entry>
@@ -65,7 +65,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Actions.html">Actions</ulink></entry>
+            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
 
             <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
 
@@ -74,8 +74,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
+            <entry><ulink url="Actions.html">Actions</ulink></entry>
-            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
 
             <entry><ulink url="Macros.html">Macros</ulink></entry>
 
@@ -84,8 +83,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
+            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
-            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
+            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
 
             <entry><ulink url="MAC_Validation.html">MAC
             Verification</ulink></entry>
@@ -95,8 +94,8 @@
           </row>
 
           <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
+            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
-            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
 
             <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
@@ -104,6 +103,16 @@
             Guide</ulink></entry>
           </row>
 
+          <row>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
+            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+
+            <entry><ulink
+            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
+
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
+          </row>
+
           <row>
             <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
             (<ulink
@@ -113,7 +122,9 @@
             from a Single Firewall</ulink> (<ulink
             url="MultiISP_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
           </row>
 
           <row>
@@ -182,8 +193,9 @@
           </row>
 
           <row>
-            <entry><ulink url="two-interface.htm#DNAT">DNAT</ulink> (Port
+            <entry><ulink url="two-interface.htm#DNAT">DNAT</ulink>
-            Forwarding)</entry>
+            (<firstterm>Destination Network Address
+            Translation</firstterm>)</entry>
 
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
@@ -197,6 +209,9 @@
 
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
+
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -206,8 +221,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="upgrade_issues.htm">Upgrade
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
-            Issues</ulink></entry>
           </row>
 
           <row>
@@ -216,7 +230,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -225,8 +240,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            Creation</ulink></entry>
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -235,8 +250,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            DomU</ulink></entry>
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>
@@ -246,8 +261,7 @@
             <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
             of the 'Recent Match'</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            <entry></entry>
-            Xen Dom0</ulink></entry>
           </row>
 
           <row>

docs/IPSEC-2.6.xml

@@ -460,6 +460,10 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
 #                                       OPTIONS                 OPTIONS
 sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
+        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
+        that both the SYN and SYN,ACK packets have their MSS field
+        adjusted.</para>
+
         <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
         isn't effective with the 2.6 native IPSEC implementation because there
         is no separate ipsec device with a lower mtu as there was under the

docs/Introduction.xml

@@ -16,7 +16,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2006</year>
+      <year>2003-2007</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -108,6 +108,11 @@
           <para><ulink
           url="http://www.fs-security.com/">http://www.fs-security.com/</ulink></para>
         </listitem>
+
+        <listitem>
+          <para><ulink
+          url="http://www.fs-security.com/">http://www.fs-security.com/</ulink></para>
+        </listitem>
       </itemizedlist>
 
       <para>If you are looking for a Linux firewall solution that can handle

docs/two-interface.xml

@@ -578,20 +578,22 @@ root@lists:~# </programlisting>
     <title>IP Masquerading (SNAT)</title>
 
     <para>The addresses reserved by RFC 1918 are sometimes referred to as
-    non-routable because the Internet backbone routers don't forward packets
+    <firstterm>non-routable</firstterm> because the Internet backbone routers
-    which have an RFC-1918 destination address. When one of your local systems
+    don't forward packets which have an RFC-1918 destination address. When one
-    (let's assume computer 1) sends a connection request to an internet host,
+    of your local systems (let's assume computer 1 in the <link
-    the firewall must perform <emphasis>Network Address Translation</emphasis>
+    linkend="Diagram">above diagram</link>) sends a connection request to an
-    (<acronym>NAT</acronym>). The firewall rewrites the source address in the
+    internet host, the firewall must perform <emphasis>Network Address
-    packet to be the address of the firewall's external interface; in other
+    Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
-    words, the firewall makes it look as if the firewall itself is initiating
+    source address in the packet to be the address of the firewall's external
-    the connection. This is necessary so that the destination host will be
+    interface; in other words, the firewall makes it appear to the destination
-    able to route return packets back to the firewall (remember that packets
+    internet host as if the firewall itself is initiating the connection. This
-    whose destination address is reserved by RFC 1918 can't be routed across
+    is necessary so that the destination host will be able to route return
-    the internet so the remote host can't address its response to computer 1).
+    packets back to the firewall (remember that packets whose destination
-    When the firewall receives a return packet, it rewrites the destination
+    address is reserved by RFC 1918 can't be routed across the internet so the
-    address back to <systemitem class="ipaddress">10.10.10.1</systemitem> and
+    remote host can't address its response to computer 1). When the firewall
-    forwards the packet on to computer 1.</para>
+    receives a return packet, it rewrites the destination address back to
+    <systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
+    packet on to computer 1.</para>
 
     <para>On Linux systems, the above process is often referred to as
     <emphasis>IP Masquerading</emphasis> but you will also see the term
@@ -611,8 +613,8 @@ root@lists:~# </programlisting>
         </listitem>
       </itemizedlist> In Shorewall, both <emphasis>Masquerading</emphasis> and
     <emphasis><acronym>SNAT</acronym></emphasis> are configured with entries
-    in the <filename
+    in the <ulink url="manpages/shorewall-masq.html"><filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename>
+    class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink>
     file. You will normally use Masquerading if your external
     <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
     <acronym>IP</acronym> is static.</para>
@@ -621,7 +623,8 @@ root@lists:~# </programlisting>
 
     <para>If your external firewall interface is <filename
     class="devicefile">eth0</filename>, you do not need to modify the file
-    provided with the sample. Otherwise, edit <filename
+    provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
+    <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename> and
     change the first column to the name of your external interface and the
     second column to the name of your internal interface.</para>
@@ -632,8 +635,9 @@ root@lists:~# </programlisting>
     in the third column in the <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
-    column empty. Entering your static <acronym>IP</acronym> in column 3 makes
+    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
-    processing outgoing packets a little more efficient.</para>
+    column 3 (SNAT) makes the processing of outgoing packets a little more
+    efficient.</para>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
 

manpages/shorewall-zones.xml

@@ -167,7 +167,11 @@ c:a,b     ipv4</programlisting>
               role="bold">mss=</emphasis><emphasis>number</emphasis></term>
 
               <listitem>
-                <para>sets the MSS field in TCP packets</para>
+                <para>sets the MSS field in TCP packets. If you supply this
+                option, you should also set FASTACCEPT=No in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(8) to insure
+                that both the SYN and SYN,ACK packets have their MSS field
+                adjusted.</para>
               </listitem>
             </varlistentry>