More 3.0 Doc updates -- Error Messages are not yet complete

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2771 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Actions.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-09-12</pubdate>
+    <pubdate>2005-10-02</pubdate>
 
     <copyright>
       <year>2005</year>
@@ -159,6 +159,11 @@ Reject:REJECT   #Common Action for REJECT policy</programlisting>
   <section>
     <title>Defining your own Actions</title>
 
+    <para>Before defining a new action, you should evaluate whether your goal
+    can be best accomplished using an action or a
+    <firstterm>macro</firstterm>. See <ulink url="Macros.html">this
+    article</ulink> for details.</para>
+
     <para>To define a new action:</para>
 
     <orderedlist>

Shorewall-docs2/ErrorMessages.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-04-10</pubdate>
+    <pubdate>2005-10-02</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -50,71 +50,100 @@
     <para>Some error messages are produced by the /sbin/shorewall utility.
     These messages are detailed in this section.</para>
 
-    <glosslist>
+    <variablelist>
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: &lt;label&gt; must specify a simple file name:
+        <term>ERROR: &lt;label&gt; must specify a simple file name:
-        &lt;name&gt;</glossterm>
+        &lt;name&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>This means that you have specified a restore file name with a
           "/". Restore files must be simple file names with no slashes.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Shorewall is not properly installed</glossterm>
+        <term>ERROR: Shorewall is not properly installed</term>
 
-        <glossdef>
+        <listitem>
           <para>The files <filename>/usr/share/shorewall/firewall</filename>
           and/or <filename>/usr/share/shorewall/version</filename> do not
           exist.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: &lt;file name&gt; exists and is not a saved
+        <term>ERROR: &lt;file name&gt; exists and is not a saved Shorewall
-        Shorewall configuration</glossterm>
+        configuration</term>
 
-        <glossdef>
+        <listitem>
           <para>The named file in <filename>/var/lib/shorewall</filename>
           exists but is not executable.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Reserved file name: &lt;file name&gt;</glossterm>
+        <term>ERROR: Reserved file name: &lt;file name&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>You have specified either <filename>save</filename> or
           <filename>restore-base</filename> as the name of a restore file --
           those names are reserved for use by Shorewall.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Currently-running Configuration Not
+        <term>ERROR: Currently-running Configuration Not Saved</term>
-        Saved</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>During processing of a <command>shorewall save</command>
           command, the <command>iptables-save</command> command failed.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: /var/lib/shorewall/restore-base does not
+        <term>ERROR: /var/lib/shorewall/restore-base does not exist</term>
-        exist</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>The <command>shorewall start</command> and <command>shorewall
           restart</command> commands create a file called
           <filename>/var/lib/shorewall/restore-base</filename> which forms the
           basis for creating a restore file using <command>shorewall
           save</command>. This error message is issued when <command>shorewall
           save</command> is not able to find that file.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
-    </glosslist>
+
+      <varlistentry>
+        <term>ERROR: The program specified in IPTABLES does not exist or is
+        not executable</term>
+
+        <listitem>
+          <para>The IPTABLES option in
+          <filename>/etc/shorewall/shorewall.conf</filename> specifies a file
+          that is not executable.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ERROR: Can't find iptables executable</term>
+
+        <listitem>
+          <para>There is no executable file named "iptables" in any directory
+          in $PATH.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ERROR: The program specified in SHOREWALL_SHELL does not exist
+        or is not executable</term>
+
+        <listitem>
+          <para>The SHOREWALL_SHELL option in
+          <filename>/etc/shorewall/shorewall.conf</filename> names does not
+          name an executable file.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </section>
 
   <section>
@@ -125,141 +154,138 @@
     and changing the Netfilter configuration. Some of the error messages
     generated by this program are listed below.</para>
 
-    <glosslist>
+    <variablelist>
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Invalid zone definition for zone
+        <term>ERROR: Invalid zone definition for zone &lt;zone&gt;</term>
-        &lt;zone&gt;</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>The zone named in the message is defined to be associated with
           an interface in <filename>/etc/shorewall/interfaces</filename> yet
           it also has an entry for that same interface in
           <filename>/etc/shorewall/hosts</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Invalid zone (&lt;zone&gt;) in record
+        <term>ERROR: Invalid zone (&lt;zone&gt;) in record
-        "&lt;record&gt;"</glossterm>
+        "&lt;record&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The zone named in the ZONE column of the listed record from
           <filename>/etc/shorewall/interfaces</filename> or
           <filename>/etc/shorewall/hosts</filename> is not defined in
           <filename>/etc/shorewall/zones</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Duplicate Interface &lt;interface&gt;</glossterm>
+        <term>ERROR: Duplicate Interface &lt;interface&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>The named interface has two entries in
           <filename>/etc/shorewall/interfaces</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Invalid Interface Name:
+        <term>ERROR: Invalid Interface Name: &lt;interface&gt;</term>
-        &lt;interface&gt;</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>The interface name contains a colon (":") or is "+". If the
           name includes a ":", you probably need to read <ulink
           url="Shorewall_and_Aliased_Interfaces.xml">this
           article</ulink>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Unknown interface (&lt;interface&gt;) in record
+        <term>ERROR: Unknown interface (&lt;interface&gt;) in record
-        "&lt;record&gt;"</glossterm>
+        "&lt;record&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The <emphasis>&lt;interface&gt;</emphasis> name listed in the
           <emphasis>&lt;record&gt;</emphasis> from
           <filename>/etc/shorewall/hosts</filename> was not defined in
           <filename>/etc/shorewall/interfaces</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Bridged interfaces may not be defined in
+        <term>ERROR: Bridged interfaces may not be defined in
-        /etc/shorewall/interfaces:
+        /etc/shorewall/interfaces: &lt;interface&gt;[:&lt;address&gt;]</term>
-        &lt;interface&gt;[:&lt;address&gt;]</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>The named interface appears in /etc/shorewall/hosts and
           appears as a bridge port (after a colon) but is also defined in
           <filename>/etc/shorewall/interfaces</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Your kernel and/or iptables does not support policy
+        <term>ERROR: Your kernel and/or iptables does not support policy
-        match: ipsec</glossterm>
+        match: ipsec</term>
 
-        <glossdef>
+        <listitem>
           <para>You have specified the <emphasis role="bold">ipsec</emphasis>
           option in an <filename>/etc/shorewall/hosts</filename> record but
           your kernel and/or iptables is missing policy match support. That
           support in turn requires a set of ipsec-netfilter patches in order
           to work correctly.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Undefined zone &lt;zone&gt;</glossterm>
+        <term>ERROR: Undefined zone &lt;zone&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>The named zone appears in the /etc/shorewall/policy file but
           not in the /etc/shorewall/zones file.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Can't determine the IP address of
+        <term>ERROR: Can't determine the IP address of
-        &lt;interface&gt;</glossterm>
+        &lt;interface&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>You have specified DETECT_DNAT_ADDRS=Yes in
           /etc/shorewall/shorewall.conf and Shorewall is unablee to determine
           the IP address of the named <emphasis>&lt;interface&gt;</emphasis>.
           Be sure that the interface is started before starting Shorewall or
           set DETECT_DNAT_ADDRS=No.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Invalid gateway zone (&lt;zone&gt;) -- Tunnel
+        <term>ERROR: Invalid gateway zone (&lt;zone&gt;) -- Tunnel
-        "&lt;record&gt;</glossterm>
+        "&lt;record&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>The listed <emphasis>&lt;zone&gt;</emphasis> name appears in
           the GATEWAY ZONE column of the listed
           <emphasis>&lt;record&gt;</emphasis> from
           <filename>/etc/shorewall/tunnels</filename> but is not defined in
           <filename>/etc/shorewall/zones</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Your kernel and/or iptables does not support policy
+        <term>ERROR: Your kernel and/or iptables does not support policy
-        match</glossterm>
+        match</term>
 
-        <glossdef>
+        <listitem>
           <para>Your /etc/shorewall/ipsec file is non-empty but your kernel
           and/or iptables do not include policy match support. That support in
           turn requires a set of ipsec-netfilter patches in order to work
           correctly.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: No hosts on &lt;interface&gt; have the maclist
+        <term>ERROR: No hosts on &lt;interface&gt; have the maclist option
-        option specified</glossterm>
+        specified</term>
 
-        <glossdef>
+        <listitem>
           <para>The named <emphasis>&lt;interface&gt;</emphasis> appears in a
           record in <filename>/etc/shorewall/maclist</filename> yet that
           interface's record in <filename>/etc/shorewall/interfaces</filename>
@@ -267,131 +293,130 @@
           and no record in <filename>/etc/shorewall/hosts</filename> that
           names that interface includes the <emphasis
           role="bold">maclist</emphasis> option.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Interface &lt;interface&gt; must be up before
+        <term>ERROR: Interface &lt;interface&gt; must be up before Shorewall
-        Shorewall can start</glossterm>
+        can start</term>
 
-        <glossdef>
+        <listitem>
           <para>You have specified the <emphasis
           role="bold">maclist</emphasis> option for this interface but the
           command <command>ip list show &lt;interface&gt;</command>
           fails.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Unknown interface &lt;interface&gt;</glossterm>
+        <term>ERROR: Unknown interface &lt;interface&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>The interface appears in a configuration file but is not
           defined in <filename>/etc/shorewall/interfaces</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: BRIDGING=Yes requires Physdev Match support in your
+        <term>ERROR: BRIDGING=Yes requires Physdev Match support in your
-        Kernel and iptables</glossterm>
+        Kernel and iptables</term>
 
-        <glossdef>
+        <listitem>
           <para>You have set BRIDGING=Yes in
           <filename>/etc/shorewall/shorewall.conf</filename> but it appears
           that your kernel and/or iptables do not have physdev match
           support.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Unknown interface &lt;interface&gt; in rule:
+        <term>ERROR: Unknown interface &lt;interface&gt; in rule:
-        "&lt;rule&gt;"</glossterm>
+        "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>You have BRIDGING=No in
           <filename>/etc/shorewall/shorewall.conf</filename> and the
           <emphasis>&lt;interface&gt;</emphasis> given in a rule does not
           match an entry in
           <filename>/etc/shorewall/interfaces</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: SNAT may no longer be specified in a DNAT rule; use
+        <term>ERROR: SNAT may no longer be specified in a DNAT rule; use
-        /etc/shorewall/masq instead</glossterm>
+        /etc/shorewall/masq instead</term>
 
-        <glossdef>
+        <listitem>
           <para>In earlier Shorewall versions, the ORIGINAL DEST column
           allowed following the original destination IP address with ":" and
           an address to use as the source of the forwarded connection request.
           Now that /etc/shorewall/masq supports qualification of SNAT rules by
           protocol and port, this feature is no longer required and has been
           deimplemented.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: "Invalid Source in rule "&lt;rule&gt;"</glossterm>
+        <term>ERROR: "Invalid Source in rule "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The SOURCE column has the firewall zone name immediately
           followed by "!". This syntax is use to exclude a subzone and
           Shorewall currently doesn't support subzones of the firewall
           zone.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Rule "&lt;rule&gt;" - Destination may not be
+        <term>ERROR: Rule "&lt;rule&gt;" - Destination may not be specified by
-        specified by MAC Address</glossterm>
+        MAC Address</term>
 
-        <glossdef>
+        <listitem>
           <para>Netfilter (and hence Shorewall) does not allow qualification
           of a rule by destination source IP address.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Destination interface not allowed with
+        <term>ERROR: Destination interface not allowed with
-        &lt;action&gt;</glossterm>
+        &lt;action&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>The named <emphasis>&lt;action&gt;</emphasis> will be ACCEPT+
           or NONAT. These actions are inforced in part in the PREROUTING nat
           chain where the destination interface is not yet known (because the
           packet has not yet been routed). As a result, the DESTINATION column
           may not contain an interface name.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Only DNAT and REDIRECT rules may specify destination
+        <term>ERROR: Only DNAT and REDIRECT rules may specify destination
-        mapping; rule "&lt;rule&gt;"</glossterm>
+        mapping; rule "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The <emphasis>&lt;rule&gt;</emphasis> specifies a server
           address that is different from the ORIGINAL DEST address and/or it
           specifies a server port that is different from the destination port
           but the ACTION is neither DNAT[-] nor REJECT[-].</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Empty source zone or qualifier: rule
+        <term>ERROR: Empty source zone or qualifier: rule
-        "&lt;rule&gt;"</glossterm>
+        "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The SOURCE column is of one of the forms
           <emphasis>&lt;zone&gt;</emphasis>:,
           :<emphasis>&lt;qualifier&gt;</emphasis> or :.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Exclude list only allowed with DNAT or
+        <term>ERROR: Exclude list only allowed with DNAT or REDIRECT</term>
-        REDIRECT</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the
           form
           <emphasis>&lt;zone&gt;</emphasis>:<emphasis>&lt;net1&gt;</emphasis>!<emphasis>&lt;net2&gt;</emphasis>.
@@ -399,78 +424,76 @@
           <emphasis>&lt;zone&gt;</emphasis> zone <emphasis role="bold">except
           for</emphasis> <emphasis>&lt;net2&gt;</emphasis>. This syntax is not
           available with other ACTIONs.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Invalid use of a user-qualification: rule
+        <term>ERROR: Invalid use of a user-qualification: rule
-        "&lt;rule&gt;"</glossterm>
+        "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The USER/GROUP column may only have and entry if the SOURCE is
           the firewall zone.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Empty destination zone or qualifier: rule
+        <term>ERROR: Empty destination zone or qualifier: rule
-        "&lt;rule&gt;"</glossterm>
+        "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The DEST column is of one of the forms
           <emphasis>&lt;zone&gt;</emphasis>:,
           :<emphasis>&lt;qualifier&gt;</emphasis> or :.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Undefined Client Zone in rule
+        <term>ERROR: Undefined Client Zone in rule "&lt;rule&gt;"</term>
-        "&lt;rule&gt;"</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>The zone given in the SOURCE column was not defined in
           <filename>/etc/shorewall/zones</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Undefined Server Zone in rule
+        <term>ERROR: Undefined Server Zone in rule "&lt;rule&gt;"</term>
-        "&lt;rule&gt;"</glossterm>
 
-        <glossdef>
+        <listitem>
           <para>The zone given in the DEST column was not defined in
           <filename>/etc/shorewall/zones</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Rules may not override a NONE policy: rule
+        <term>ERROR: Rules may not override a NONE policy: rule
-        "&lt;rule&gt;"</glossterm>
+        "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>If the policy from zone z1 to zone z2 is NONE that means that
           Shorewall sets up no infrastructure to handle traffic from z1 to z2.
           Consequently, you cannot have any rules that control traffic from z1
           to z2.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Invalid Action in rule "&lt;rule&gt;"</glossterm>
+        <term>ERROR: Invalid Action in rule "&lt;rule&gt;"</term>
 
-        <glossdef>
+        <listitem>
           <para>The ACTION column contains an action that is not one of the
           built-in actions and it is not defined in
           <filename>/etc/shorewall/actions</filename> or in
           <filename>/usr/share/shorewall/actions.std</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: Unable to determine the routes through interface
+        <term>ERROR: Unable to determine the routes through interface
-        &lt;interface&gt;</glossterm>
+        &lt;interface&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>You have specified <emphasis>&lt;interface&gt;</emphasis> in
           the SUBNET column of <filename>/etc/shorewall/masq</filename> which
           means that Shorewall is supposed to determine the network(s) routed
@@ -479,21 +502,21 @@
           failed. This usually means that you are trying to start Shorewall
           before the <emphasis>&lt;interface&gt;</emphasis> is brought
           up.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>ERROR: No appropriate chain for zone &lt;z1&gt; to zone
+        <term>ERROR: No appropriate chain for zone &lt;z1&gt; to zone
-        &lt;z2&gt;</glossterm>
+        &lt;z2&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>There is no policy defined in
           <filename>/etc/shorewall/policy</filename> for connections from zone
           <emphasis>&lt;z1&gt;</emphasis> to zone
           <emphasis>&lt;z2&gt;</emphasis>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
-    </glosslist>
+    </variablelist>
   </section>
 
   <section>
@@ -502,31 +525,41 @@
     <para>This sections describes some of the more common warnings generated
     by Shorewall.</para>
 
-    <glosslist>
+    <variablelist>
-      <glossentry>
+      <varlistentry>
-        <glossterm>Warning: default route ignored on interface
+        <term>Warning: default route ignored on interface
-        &lt;interface&gt;</glossterm>
+        &lt;interface&gt;</term>
 
-        <glossdef>
+        <listitem>
           <para>This means that the interface named in the SUBNET column of
           <filename>/etc/shorewall/masq</filename> has the default route. This
           almost always means that you have the contents of the INTERFACE and
           SUBNET columns reversed.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
 
-      <glossentry>
+      <varlistentry>
-        <glossterm>Warning: Zone &lt;zone&gt; is empty</glossterm>
+        <term>Warning: Zone &lt;zone&gt; is empty</term>
 
-        <glossdef>
+        <listitem>
           <para>This warning alerts you to the fact tha &lt;zone&gt; is
           defined in <filename>/etc/shorewall/zones</filename> but has no
           corresponding entries in
           <filename>/etc/shorewall/interfaces</filename> or in
           <filename>/etc/shorewall/hosts</filename>.</para>
-        </glossdef>
+        </listitem>
-      </glossentry>
+      </varlistentry>
-    </glosslist>
+
+      <varlistentry>
+        <term>WARNING: Shorewall startup is disabled. To enable startup, set
+        STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf</term>
+
+        <listitem>
+          <para>If you need help understanding that warning message then you
+          probably need to take up another hobby or line of work. </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </section>
 
   <section>

Shorewall-docs2/bridge.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-09-30</pubdate>
+    <pubdate>2005-10-02</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -69,8 +69,13 @@
       </listitem>
 
       <listitem>
-        <para>A router cannot forward broadcast packets while a bridge
+        <para>In most configurations, routers don't forward broadcast packets
-        can.</para>
+        while a bridges do.</para>
+
+        <note>
+          <para>Section 4 of RFC 1812 describes the conditions under which a
+          router may or must forward broadcasts.</para>
+        </note>
       </listitem>
     </orderedlist>
   </section>
@@ -172,7 +177,7 @@
     configuration information may be found at <ulink
     url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
 
-    <para>Unfortunately, Linux distributions don't have good bridge
+    <para>Unfortunately, many Linux distributions don't have good bridge
     configuration tools and the network configuration GUIs don't detect the
     presence of bridge devices. Here is an excerpt from a Debian
     <filename>/etc/network/interfaces</filename> file for a two-port bridge

Shorewall-docs2/starting_and_stopping_shorewall.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-09-11</pubdate>
+    <pubdate>2005-10-04</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -222,7 +222,7 @@
             <para>Shorewall startup is disabled by default. Once you have
             configured your firewall, you can enable startup by editing
             <filename>/etc/shorewall/shorewall.conf</filename> and setting
-            STARTUP_ENABLED=Yes.. Note: Users of the .deb package must also
+            STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather
             edit <filename>/etc/default/shorewall</filename> and set
             <quote>startup=1</quote>.</para>
           </listitem>
@@ -343,8 +343,8 @@
 
     <programlisting>CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall</programlisting>
 
-    <para>The above is the setting that I use and it allows me to place all of
+    <para>The above is the setting that I once used to allow me to place all
-    my user-defined 'action.' files in <filename
+    of my user-defined 'action.' files in <filename
     class="directory">/etc/shorewall/actiondir</filename>.</para>
   </section>