diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 444889d7f..f5d0e9e87 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -406,6 +406,14 @@ DNAT net loc:192.168.1.3:22 tcp 1022
the net. Is it possible to only redirect 4104 to the localhost port 22
and have connection attempts to port 22 from the net dropped?
+
+ On systems with the "Extended Conntrack Match"
+ (NEW_CONNTRACK_MATCH) capability (see the output of
+ shorewall show capabilities), port 22 is opened
+ only to connections whose original destination port is 4104 and this
+ FAQ does not apply.
+
+
Answer courtesy of Ryan: Assume
that the IP address of your local firewall interface is 192.168.1.1.
If you configure SSHD to only listen on that address and add the
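Review bot: the paragraph added at lines 9-13 says the FAQ "does not apply" on systems with NEW_CONNTRACK_MATCH but does not say why port 22 ends up restricted on its own there, nor which rule produces that restriction, so a reader checking `shorewall show capabilities` and finding the capability is left without a pointer to where that behaviour is documented; consider stating that the REDIRECT/DNAT rule itself does the restricting when the capability is present and linking to the relevant man page or capability description. Also, the paragraph sits between the question and "Answer courtesy of Ryan:" without any marker that it is a note rather than the start of the answer, and the two added empty lines (14-15) plus the existing separator leave a doubled blank line before the answer; a single blank line and a "Note:" or similar lead-in would make the structure clearer.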