diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index a66eb2671..8c6a088a0 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1600,20 +1600,6 @@ teastep@ursa:~$ The first number determines the maximum log
and FORWARD chains which aren't traversed until later.
-
- (FAQ 56) When I start or restart Shorewall, I see these messages
- in my log. Are they harmful?
-
-
- modprobe: Can't locate module ipt_physdev
-modprobe: Can't locate module iptable_raw
-
-
- Answer: No. These occur when
- Shorewall probes your system to determine the features that it support.
- They are completely harmless.
-
-
(FAQ 81) logdrop and logreject don't log.
@@ -1636,7 +1622,7 @@ modprobe: Can't locate module iptable_raw
different ISPs. How do I set this up in Shorewall?
Answer: See this article on Shorewall and Multiple
+ url="MultiISP.html">this article about Shorewall and Multiple
ISPs.
@@ -1699,38 +1685,6 @@ ERROR: Command "ip -4 rule add from all table 254 pref 999" Failedshorewall[-lite] clear command.
-
- (FAQ 8) When I try to start Shorewall on RedHat, I get messages
- about insmod failing -- what's wrong?
-
- Answer: The output you will see
- looks something like this:
-
- /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
-Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
-/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
-/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
-/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
-iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
-Perhaps iptables or your kernel needs to be upgraded.
-
- This problem is usually corrected through the following sequence
- of commands
-
- service ipchains stop
-chkconfig --delete ipchains
-rmmod ipchains
-
-
- (FAQ 8a) When I try to start Shorewall on RedHat I get a
- message referring me to FAQ #8
-
- Answer: This is usually cured
- by the sequence of commands shown above in .
-
-
-
(FAQ 9) Why can't Shorewall detect my interfaces properly at
startup?
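Review bot: The removed FAQ 8a entry exists because Shorewall itself prints "a message referring me to FAQ #8", so deleting FAQ 8 and 8a together leaves that message pointing at nothing if any supported release still emits it. Confirm the message is removed from the code in the same series, or keep a one-paragraph stub for FAQ 8 that marks the ipchains conflict as obsolete.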
@@ -1873,16 +1827,6 @@ iptables: Invalid argument
-
- (FAQ 62) I have unexplained 30-second pauses during "shorewall
- [re]start". What causes that?
-
- Answer: This usually happens when
- the firewall uses LDAP Authentication. The solution is to list your LDAP
- server(s) as critical in /etc/shorewall/routestopped.
-
-
(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of
the following message:
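Review bot: FAQ 62 is deleted outright, and nothing in this hunk says why the 30-second pause with LDAP authentication no longer applies. If the cause still exists and only the /etc/shorewall/routestopped mechanism has changed, rewrite the answer to name the current file rather than dropping it. Otherwise state in the commit message that the entry is obsolete.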
@@ -1892,7 +1836,7 @@ iptables: Invalid argument
Answer: At a root shell prompt,
type the iptables command shown in the error message. If the command
- fails, you OpenVZ Netfilter/iptables configuration is incorrect. Until
+ fails, your OpenVZ Netfilter/iptables configuration is incorrect. Until
that command can run without error, no stateful iptables firewall will
be able to run in your VM.
@@ -1962,7 +1906,7 @@ iptables: Invalid argument
traffic is blocked for hosts behind the firewall trying to connect out
onto the net or through the vpn (although i can reach the internal
firewall interface and obtain dumps etc). Once I issue 'shorewall clear'
- followed by 'shorewall restart' it then works, despite the config not
+ followed by 'shorewall start' it then works, despite the config not
changing
Answer: Set IP_FORWARDING=On in
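Review bot: The changed line ('shorewall restart' to 'shorewall start') sits in the user's question, not in the answer, so this edit rewrites the sequence the user reported instead of correcting advice. If the point is that 'start' is the right command after 'shorewall clear', put that in the answer next to "Set IP_FORWARDING=On" and leave the quoted question as it was asked.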
@@ -2040,6 +1984,8 @@ We have an error talking to the kernel
you may be able to resolve the problem by loading the act_police kernel module. Other kernel modules
that you will need include:
+ cls_fw
+
cls_u32
sch_htb
@@ -2138,11 +2084,9 @@ We have an error talking to the kernel
broadcast address as the source address?
- Answer: Shorewall can be
- configured to do that using the blacklisting facility.
- Shorewall versions 2.0.0 and later filter these packets under the
- nosmurfs interface option in Answer: Shorwall filters
+ these packets under the nosmurfs interface
+ option in /etc/shorewall/interfaces.
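Review bot: Typo in the added answer: "Shorwall filters" should read "Shorewall filters". The rewrite also drops the sentence saying Shorewall can be configured to do this using the blacklisting facility. If that is still a valid way to drop these packets, keep a one-line mention beside the nosmurfs option, since a reader who cannot set nosmurfs on an interface loses the alternative.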
@@ -2162,11 +2106,7 @@ We have an error talking to the kernel
DOS: - SYN Dos - ICMP Dos - Per-host Dos protection
- Answer: Shorewall has
- facilities for limiting SYN and ICMP packets. Netfilter as
- included in standard Linux kernels doesn't support per-remote-host
- limiting except by explicit rule that specifies the host IP
- address; that form of limiting is supported by Shorewall.
+ Answer: Yes.
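Review bot: The replacement answer "Yes." does not tell the reader how to get any of the three protections the question lists (SYN, ICMP, per-host), and it discards the removed text's distinction between SYN/ICMP limiting and per-remote-host limiting. Suggest keeping the one-word answer but following it with the name of the option or a link to the relevant documentation for each case, so the FAQ entry is actionable.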