Update FAQ and MultiISP

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4718 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-22 12:41:19 +01:00 · 2006-10-20 15:41:54 +00:00 · 2006-10-20 15:41:54 +00:00 · 9e4691cb7d
commit 9e4691cb7d
parent 63d7b7adb0
2 changed files with 51 additions and 11 deletions
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@ -1035,6 +1035,12 @@ DROP      net       fw      udp      10619</programlisting>
            level and this packet is being logged under that policy. If you
            intend to ACCEPT this traffic then you need a <ulink
            url="Documentation.htm#Rules">rule</ulink> to that effect.</para>
+
+            <para>Beginning with Shorewall 3.3.3, packets logged out of these
+            chains may have a source and/or destination that is not in any
+            defined zone (see the output of <command>shorewall[-lite] show
+            zones</command>). Remember that zone membership involves both a
+            firewall interface and an ip address.</para>
          </listitem>
        </varlistentry>

@ -1119,18 +1125,22 @@ DROP      net       fw      udp      10619</programlisting>

          <listitem>
            <para>The packet has a source IP address that isn't in any of your
-            defined zones (<quote>shorewall[-lite] show zones</quote> and look
-            at the printed zone definitions) or the chain is FORWARD and the
-            destination IP isn't in any of your defined zones. If the chain is
-            FORWARD and the IN and OUT interfaces are the same, then you
-            probably need the <emphasis role="bold">routeback</emphasis>
-            option on that interface in <filename> <ulink
+            defined zones (<quote><command>shorewall[-lite] show
+            zones</command></quote> and look at the printed zone definitions)
+            or the chain is FORWARD and the destination IP isn't in any of
+            your defined zones. If the chain is FORWARD and the IN and OUT
+            interfaces are the same, then you probably need the <emphasis
+            role="bold">routeback</emphasis> option on that interface in
+            <filename> <ulink
            url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>
            </filename> or you need the <emphasis
            role="bold">routeback</emphasis> option in the relevant entry in
            <filename> <ulink
-            url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>
-            </filename>.</para>
+            url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>.</filename></para>
+
+            <para>In Shorewall 3.3.3 and later versions, such packets may also
+            be logged out of a &lt;zone&gt;2all chain or the all2all chain.
+            </para>
          </listitem>
        </varlistentry>

@ -1139,8 +1149,11 @@ DROP      net       fw      udp      10619</programlisting>

          <listitem>
            <para>The packet has a destination IP address that isn't in any of
-            your defined zones("shorewall show zones" and look at the printed
-            zone definitions).</para>
+            your defined zones(<command>shorewall[-lite] show zones</command>
+            and look at the printed zone definitions).</para>
+
+            <para>In Shorewall 3.3.3 and later versions, such packets may also
+            be logged out of the fw2all chain or the all2all chain.</para>
          </listitem>
        </varlistentry>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -653,7 +653,8 @@ eth1             eth2              130.252.99.27</programlisting>
        <para>Entries in <filename>/etc/shorewall/masq</filename> have no
        effect on which ISP a particular connection will be sent through. That
        is rather the purpose of entries in
-        <filename>/etc/shorewall/tcrules</filename>.</para>
+        <filename>/etc/shorewall/tcrules</filename> or
+        <filename>/etc/shorewall/route_rules</filename>.</para>
      </warning>

      <para>Now suppose that you want to route all outgoing SMTP traffic from
@ -668,6 +669,32 @@ eth1             eth2              130.252.99.27</programlisting>
 2:P             &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>
    </section>

+    <section>
+      <title>Applications running on the Firewall</title>
+
+      <para>Experience has shown that in some cases, problems occur with
+      applications running on the firewall itself. When this happens, it is
+      suggested that you have the application use specific local IP addresses
+      rather than 0.</para>
+
+      <para>Examples:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Squid: In <filename>squid.conf</filename>, set <emphasis
+          role="bold">tcp_outgoing_address</emphasis> to the IP address of the
+          interface that you want Squid to use.</para>
+        </listitem>
+
+        <listitem>
+          <para>In OpenVPN, set <emphasis role="bold">local
+          </emphasis>(<emphasis role="bold">--local</emphasis> on the command
+          line) to the IP address that you want the server to receive
+          connections on.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+
    <section>
      <title>/etc/shorewall/route_rules</title>