More 2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1864 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/myfiles.xml

@@ -166,7 +166,7 @@
       <title>Shorewall.conf</title>
 
       <blockquote>
-        <programlisting>LOGFILE=/var/log/messages
+        <programlisting>LOGFILE=/var/log/ulog/syslogemu.log
 LOGFORMAT="Shorewall:%s:%s "
 LOGRATE=
 LOGBURST=
@@ -216,7 +216,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
         <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
 NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
 TEXAS=&lt;ip address of gateway in Plano&gt;
-LOG=info
+LOG=ULOGD
 EXT_IF=eth1
 INT_IF=eth2
 DMZ_IF=eth0</programlisting></para>
@@ -665,6 +665,20 @@ iface eth2 inet static
 </programlisting>
       </blockquote>
     </section>
+
+    <section>
+      <title>/etc/ulogd.conf</title>
+
+      <para>This is the default /etc/ulogd.conf from the Debian package. Only
+      the relevant entries are shown.</para>
+
+      <blockquote>
+        <programlisting># where to write to
+syslogfile /var/log/ulog/syslogemu.log
+# do we want to fflush() the file after each write?
+syslogsync 1</programlisting>
+      </blockquote>
+    </section>
   </section>
 
   <section>
@@ -839,7 +853,7 @@ remote 192.168.3.8
         verify_identifier on ;
         lifetime time 24 hour ;
         proposal {
-                encryption_algorithm 3des;
+                encryption_algorithm blowfish ;
                 hash_algorithm sha1;
                 authentication_method rsasig ;
                 dh_group 2 ;
@@ -850,7 +864,7 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
 {
         pfs_group 2;
         lifetime time 12 hour ;
-        encryption_algorithm 3des, blowfish, des, rijndael ;
+        encryption_algorithm blowfish ;
         authentication_algorithm hmac_sha1, hmac_md5 ;
         compression_algorithm deflate ;
 }</programlisting>
@@ -986,7 +1000,7 @@ remote 192.168.3.254
         verify_identifier on ;
         lifetime time 24 hour ;
         proposal {
-                encryption_algorithm 3des;
+                encryption_algorithm blowfish ;
                 hash_algorithm sha1;
                 authentication_method rsasig ;
                 dh_group 2 ;
@@ -997,7 +1011,7 @@ sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
 {
         pfs_group 2;
         lifetime time 12 hour ;
-        encryption_algorithm 3des, blowfish, des, rijndael ;
+        encryption_algorithm blowfish ;
         authentication_algorithm hmac_sha1, hmac_md5 ;
         compression_algorithm deflate ;
 }</programlisting>

Shorewall-docs2/shorewall_logging.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-15</pubdate>
+    <pubdate>2004-12-27</pubdate>
 
     <copyright>
       <year>2001 - 2004</year>
@@ -29,7 +29,8 @@
       1.2 or any later version published by the Free Software Foundation; with
       no Invariant Sections, with no Front-Cover, and with no Back-Cover
       Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
     </legalnotice>
   </articleinfo>
 
@@ -56,9 +57,11 @@
       <listitem>
         <para>The packet is rejected because of an option in <ulink
         url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink> or
-        <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
+        <ulink
+        url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
         These packets can be logged by setting the appropriate logging-related
-        option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
+        option in <ulink
+        url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -66,25 +69,29 @@
         url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>. By
         including a syslog level (see below) in the ACTION column of a rule
         (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net fw tcp
-        22</quote>), the connection attempt will be logged at that level.</para>
+        22</quote>), the connection attempt will be logged at that
+        level.</para>
       </listitem>
 
       <listitem>
-        <para>The packet doesn&#39;t match a rule so it is handled by a policy
+        <para>The packet doesn't match a rule so it is handled by a policy
-        defined in <ulink url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>.
+        defined in <ulink
-        These may be logged by specifying a syslog level in the LOG LEVEL
+        url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>. These
-        column of the policy&#39;s entry (e.g., <quote>loc net ACCEPT
+        may be logged by specifying a syslog level in the LOG LEVEL column of
-        <emphasis role="bold">info</emphasis></quote>).</para>
+        the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
+        role="bold">info</emphasis></quote>).</para>
       </listitem>
     </orderedlist>
   </section>
 
   <section>
-    <title>Where the Traffic is Logged and How to Change the Destination</title>
+    <title>Where the Traffic is Logged and How to Change the
+    Destination</title>
 
     <para>By default, Shorewall directs NetFilter to log using syslog (8).
     Syslog classifies log messages by a <emphasis>facility</emphasis> and a
-    <emphasis>priority</emphasis> (using the notation <emphasis>facility.priority</emphasis>).</para>
+    <emphasis>priority</emphasis> (using the notation
+    <emphasis>facility.priority</emphasis>).</para>
 
     <para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
     daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
@@ -108,7 +115,8 @@
         <member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
         messages)</member>
 
-        <member>6 - <emphasis role="bold">info</emphasis> (Informational)</member>
+        <member>6 - <emphasis role="bold">info</emphasis>
+        (Informational)</member>
 
         <member>5 - <emphasis role="bold">notice</emphasis> (Normal but
         significant Condition)</member>
@@ -116,7 +124,8 @@
         <member>4 - <emphasis role="bold">warning</emphasis> (Warning
         Condition)</member>
 
-        <member>3 - <emphasis role="bold">err</emphasis> (Error Condition)</member>
+        <member>3 - <emphasis role="bold">err</emphasis> (Error
+        Condition)</member>
 
         <member>2 - <emphasis role="bold">crit</emphasis> (Critical
         Conditions)</member>
@@ -139,6 +148,10 @@
       pairs to log files is done in /etc/syslog.conf (5). If you make changes
       to this file, you must restart syslogd before the changes can take
       effect.</para>
+
+      <para>Syslog may also write to your system console. See <ulink
+      url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
+      Shorewall messages written to the console.</para>
     </section>
 
     <section>
@@ -148,9 +161,9 @@
 
       <orderedlist>
         <listitem>
-          <para>If you give, for example, kern.info it&#39;s own log
+          <para>If you give, for example, kern.info it's own log destination
-          destination then that destination will also receive all kernel
+          then that destination will also receive all kernel messages of
-          messages of levels 5 (notice) through 0 (emerg).</para>
+          levels 5 (notice) through 0 (emerg).</para>
         </listitem>
 
         <listitem>
@@ -164,67 +177,28 @@
       specify a log level of ULOG (must be all caps). When ULOG is used,
       Shorewall will direct netfilter to log the related messages via the ULOG
       target which will send them to a process called <quote>ulogd</quote>.
-      The ulogd program is available from <ulink
+      The ulogd program is included in most distributions and is also
-      url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>
+      available from <ulink
-      and can be configured to log all Shorewall message to their own log
+      url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>.
+      Ulogd can be configured to log all Shorewall messages to their own log
       file.</para>
 
       <note>
-        <para>The ULOG logging mechanism is <emphasis role="underline">completely
+        <para>The ULOG logging mechanism is <emphasis
-        separate</emphasis> from syslog. Once you switch to ULOG, the settings
+        role="underline">completely separate</emphasis> from syslog. Once you
-        in /etc/syslog.conf have absolutely no effect on your Shorewall
+        switch to ULOG, the settings in /etc/syslog.conf have absolutely no
-        logging (except for Shorewall status messages which still go to
+        effect on your Shorewall logging (except for Shorewall status messages
-        syslog).</para>
+        which still go to syslog).</para>
       </note>
 
-      <para>You will need to have the kernel source available to compile
+      <para>Once you have installed ulogd, edit /etc/ulogd.conf
-      ulogd.</para>
+      (<filename>/usr/local/etc/ulogd.conf</filename> if you built ulogd
-
+      yourself) and set:</para>
-      <para>Download the ulog tar file and:</para>
 
       <orderedlist>
         <listitem>
-          <para>Be sure that /usr/src/linux is linked to your kernel source
+          <para>syslogfile &lt;<emphasis>the file that you wish to log
-          tree</para>
+          to</emphasis>&gt;</para>
-        </listitem>
-
-        <listitem>
-          <para>cd /usr/local/src (or whereever you do your builds)</para>
-        </listitem>
-
-        <listitem>
-          <para>tar -zxf <emphasis>source-tarball-that-you-downloaded</emphasis></para>
-        </listitem>
-
-        <listitem>
-          <para>cd ulod-<emphasis>version</emphasis></para>
-        </listitem>
-
-        <listitem>
-          <para>./configure</para>
-        </listitem>
-
-        <listitem>
-          <para>make</para>
-        </listitem>
-
-        <listitem>
-          <para>make install</para>
-        </listitem>
-      </orderedlist>
-
-      <para>If you are like me and don&#39;t have a development environment on
-      your firewall, you can do the first six steps on another system then
-      either NFS mount your /usr/local/src directory or tar up the
-      /usr/local/src/ulogd-<emphasis>version</emphasis> directory and move it
-      to your firewall system.</para>
-
-      <para>Now on the firewall system, edit /usr/local/etc/ulogd.conf and
-      set:</para>
-
-      <orderedlist>
-        <listitem>
-          <para>syslogfile &#60;<emphasis>the file that you wish to log to</emphasis>&#62;</para>
         </listitem>
 
         <listitem>
@@ -235,34 +209,34 @@
       <para>Also on the firewall system:</para>
 
       <simplelist>
-        <member>touch &#60;<emphasis>the file that you wish to log to</emphasis>&#62;</member>
+        <member>touch &lt;<emphasis>the file that you wish to log
+        to</emphasis>&gt;</member>
       </simplelist>
 
-      <para>I also copied the file /usr/local/src/ulogd-<emphasis>version</emphasis>/ulogd.init
+      <para>Your distribution's ulogd package may include a logrotate file in
-      to /etc/init.d/ulogd. I had to edit the line that read <quote>daemon
+      /etc/logrotate.d. If you change the log file location, be sure to change
-      /usr/local/sbin/ulogd</quote> to read <quote>daemon
+      that logrotate file accordingly.</para>
-      /usr/local/sbin/ulogd -d</quote>. On a RedHat system, a simple
-      <quote>chkconfig --level 3 ulogd on</quote> starts ulogd during boot up.
-      Your init system may need something else done to activate the script.</para>
 
       <para>You will need to change all instances of log levels (usually
-      <quote>info</quote>) in your configuration files to <quote>ULOG</quote>
+      <quote>info</quote>) in your Shorewall configuration files to
-      - this includes entries in the policy, rules and shorewall.conf files.
+      <quote>ULOG</quote> - this includes entries in the policy, rules and
-      Here&#39;s what I have:</para>
+      shorewall.conf files. Here's what I have:</para>
 
-      <programlisting>     [root@gateway shorewall]# grep ULOG *
+      <programlisting>     [root@gateway shorewall]# grep LOG * | grep -v ^\#
-     policy:loc fw  REJECT ULOG
+     params:LOG=ULOG
-     policy:net all DROP   ULOG    10/sec:40
+     policy:loc fw  REJECT $LOG
-     policy:all all REJECT ULOG
+     policy:net all DROP   $LOG    10/sec:40
-     rules:REJECT:ULOG loc net tcp 6667
+     policy:all all REJECT $LOG
-     shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG
+     rules:REJECT:$LOG loc net tcp 6667
-     shorewall.conf:RFC1918_LOG_LEVEL=ULOG
+     shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
+     shorewall.conf:RFC1918_LOG_LEVEL=$LOG
      [root@gateway shorewall]#</programlisting>
 
-      <para>Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=&#60;<emphasis>file
+      <para>Finally edit /etc/shorewall/shorewall.conf and set
-      that you wish to log to</emphasis>&#62;. This tells the /sbin/shorewall
+      LOGFILE=&lt;<emphasis>file that you wish to log to</emphasis>&gt;. This
-      program where to look for the log when processing its <quote>show log</quote>,
+      tells the /sbin/shorewall program where to look for the log when
-      <quote>logwatch</quote> and <quote>monitor</quote> commands.</para>
+      processing its <quote>show log</quote>, <quote>logwatch</quote> and
+      <quote>monitor</quote> commands.</para>
     </section>
   </section>
 
@@ -270,7 +244,7 @@
     <title>Syslog-ng</title>
 
     <para><ulink
-    url="http://marc.theaimsgroup.com/?l=gentoo-security&#38;amp;m=106040714910563&#38;amp;w=2">Here</ulink>
+    url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink>
     is a post describing configuring syslog-ng to work with Shorewall.</para>
   </section>
 
@@ -278,9 +252,10 @@
     <title>Understanding the Contents of Shorewall Log Messages</title>
 
     <para>For general information on the contents of Netfilter log messages,
-    see <ulink url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3</ulink>.</para>
+    see <ulink
+    url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3</ulink>.</para>
 
-    <para>For Shorewall-specific information, see <ulink url="FAQ.htm#faq17">FAQ
+    <para>For Shorewall-specific information, see <ulink
-    #17</ulink>.</para>
+    url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
   </section>
 </article>

Shorewall-docs2/shorewall_setup_guide.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-11-19</pubdate>
+    <pubdate>2004-12-27</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -219,11 +219,11 @@ dmz     DMZ             Demilitarized zone</programlisting>
 
     <orderedlist>
       <listitem>
-        <para>Identify the source zone.</para>
+        <para>Identify the source (client) zone.</para>
       </listitem>
 
       <listitem>
-        <para>Identify destination zone.</para>
+        <para>Identify destination (server) zone.</para>
       </listitem>
 
       <listitem>
@@ -251,12 +251,12 @@ dmz     DMZ             Demilitarized zone</programlisting>
     first checked against the <filename>/etc/shorewall/rules</filename> file.
     If no rule in that file matches the connection request then the first
     policy in <filename>/etc/shorewall/policy</filename> that matches the
-    request is applied. If that policy is REJECT or DROP the request is first
+    request is applied after the request is passed to the appropriate <ulink
-    checked against the rules in
+    url="User_defined_Actions.html">common action</ulink> (if any). </para>
-    <filename>/etc/shorewall/common.def</filename>.</para>
 
-    <para>The default <filename>/etc/shorewall/policy</filename> file has the
+    <para>Prior to Shorewall 2.2.0, the default
-    following policies:</para>
+    <filename>/etc/shorewall/policy</filename> file had the following
+    policies:</para>
 
     <programlisting>#SOURCE ZONE     DESTINATION ZONE    POLICY     LOG     LIMIT:BURST
 #                                               LEVEL
@@ -264,7 +264,13 @@ loc              net                 ACCEPT
 net              all                 DROP       info
 all              all                 REJECT     info</programlisting>
 
-    <para>The above policy will:</para>
+    <important>
+      <para>Beginning with Shorewall 2.2.0, the released policy file is empty.
+      You can copy and paste the above entries to create a starting point from
+      which to customize your policies.</para>
+    </important>
+
+    <para>The above policies will:</para>
 
     <orderedlist>
       <listitem>
@@ -291,12 +297,6 @@ all              all                 REJECT     info</programlisting>
 
     <para>At this point, edit your <filename>/etc/shorewall/policy
     </filename>and make any changes that you wish.</para>
-
-    <important>
-      <para>Beginning with Shorewall 2.2.0, the released policy file is empty.
-      You can copy and paste the above entries to create a starting point from
-      which to customize your policies.</para>
-    </important>
   </section>
 
   <section id="Interfaces">
@@ -329,9 +329,9 @@ all              all                 REJECT     info</programlisting>
 
     <graphic align="center" fileref="images/dmz3.png" />
 
-    <para>The simplest way to define zones is to simply associate the zone
+    <para>The simplest way to define zones is to associate the zone name
-    name (previously defined in /etc/shorewall/zones) with a network
+    (previously defined in /etc/shorewall/zones) with a network interface.
-    interface. This is done in the <ulink
+    This is done in the <ulink
     url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink> file.
     The firewall illustrated above has three network interfaces. Where
     Internet connectivity is through a cable or DSL <quote>Modem</quote>, the
@@ -431,7 +431,10 @@ loc      eth2           detect</programlisting>
 
     <para>You may define more complicated zones using the<filename> <ulink
     url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink></filename> file
-    but in most cases, that isn't necessary.</para>
+    but in most cases, that isn't necessary. See <ulink
+    url="Shorewall_and_Aliased_Interfaces.html">Shorewall_and_Aliased_Interfaces.html</ulink>
+    and <ulink url="Multiple_Zones.html">Multiple_Zones.html</ulink> for
+    examples.</para>
   </section>
 
   <section id="Addressing">
@@ -534,8 +537,8 @@ loc      eth2           detect</programlisting>
       ones.</para>
 
       <para>Since n is a power of two, we can easily calculate the
-      <emphasis>Natural Logarithm</emphasis> (log2) of n. For the more common
+      <emphasis>Base-2 Logarithm</emphasis> (log2) of n. For the more common
-      subnet sizes, the size and its natural logarithm are given in the
+      subnet sizes, the size and its base-2 logarithm are given in the
       following table:</para>
 
       <table>
@@ -1112,8 +1115,7 @@ tcpdump: listening on eth2
 ? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
 ? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
 ? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
-? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
+? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</programlisting>
-</programlisting>
 
       <para>The leading question marks are a result of my having specified the
       <quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
@@ -1145,10 +1147,15 @@ tcpdump: listening on eth2
 192.168.0.0 - 192.168.255.255</programlisting>
 
       <para>The addresses reserved by RFC 1918 are sometimes referred to as
-      non-routable because the Internet backbone routers don't forward packets
+      <firstterm>non-routable</firstterm> because the Internet backbone
-      which have an RFC-1918 destination address. This is understandable given
+      routers don't forward packets which have an RFC-1918 destination
-      that anyone can select any of these addresses for their private
+      address. This is understandable given that anyone can select any of
-      use.</para>
+      these addresses for their private use but the term non-routable is
+      somewhat unfortunate because it leads people to the erroneous conclusion
+      that traffic destined for one of these addresses can't be sent through a
+      router. This is definitely not true; private routers (including your
+      Shorewall-based firewall) can forward RFC 1918 addresed traffic just
+      fine.</para>
 
       <para>When selecting addresses from these ranges, there's a couple of
       things to keep in mind:</para>
@@ -1171,14 +1178,15 @@ tcpdump: listening on eth2
       using (or are planning to use) private addresses before you decide the
       addresses that you are going to use.</para>
 
-      <note>
+      <warning>
         <para><emphasis role="bold">In this document, external
         <quote>real</quote> IP addresses are of the form 192.0.2.x.
         192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
-        printed examples. These addresses are not to be confused with
+        printed examples and test networks. These "real" addresses are not to
-        addresses in 192.168.0.0/16; as described above, these addresses are
+        be confused with addresses in 192.168.0.0/16; as described above,
-        reserved by RFC 1918 for private use.</emphasis></para>
+        those addresses are reserved by RFC 1918 for private
-      </note>
+        use.</emphasis></para>
+      </warning>
     </section>
   </section>
 
@@ -1406,8 +1414,9 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
         role="bold">A</emphasis>.</para>
 
         <para>This example used the firewall's external IP address for DNAT.
-        You can use another of your public IP addresses but Shorewall will not
+        You can use another of your public IP addresses (place it in the
-        add that address to the firewall's external interface for you.</para>
+        ORIGINAL DEST column in the rule above) but Shorewall will not add
+        that address to the firewall's external interface for you.</para>
       </section>
 
       <section id="ProxyARP">
@@ -1436,7 +1445,8 @@ DNAT     net     loc:192.168.201.4  tcp    www</programlisting>
             the network defined by <emphasis role="bold">M</emphasis> where
             the target machine is outside of the firewall, the firewall will
             respond to <emphasis role="bold">H</emphasis> (with the MAC of the
-            firewall interface).</para>
+            firewall interface that <emphasis role="bold">H</emphasis> is
+            connected to).</para>
           </listitem>
         </itemizedlist>
 
@@ -1676,12 +1686,13 @@ ACCEPT   net     loc:192.168.201.4  tcp    www</programlisting>
 
       <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
 
-      <para>With the default policies, your local systems (Local 1-3) can
+      <para>With the default policies described earlier in this document, your
-      access any servers on the internet and the DMZ can't access any other
+      local systems (Local 1-3) can access any server on the internet and the
-      host (including the firewall). With the exception of DNAT rules which
+      DMZ can't access any other host (including the firewall). With the
-      cause address translation and allow the translated connection request to
+      exception of DNAT rules which cause address translation and allow the
-      pass through the firewall, the way to allow connection requests through
+      translated connection request to pass through the firewall, the way to
-      your firewall is to use ACCEPT rules.</para>
+      allow connection requests through your firewall is to use ACCEPT
+      rules.</para>
 
       <note>
         <para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in

Shorewall-docs2/upgrade_issues.xml

@@ -62,7 +62,7 @@
   </section>
 
   <section>
-    <title>Version &gt;= 2.2.0 Beta 1</title>
+    <title>Version &gt;= 2.2.0</title>
 
     <para></para>
 
@@ -164,6 +164,22 @@ DNAT     loc      loc:192.168.1.12 tcp     80          -       130.252.100.69</p
         <para>The 'logunclean' and 'dropunclean' options that were deprecated
         in Shorewall 2.0 have now been removed completely.</para>
       </listitem>
+
+      <listitem>
+        <para>The default port for 'openvpn' tunnels (/etc/shorewall/tunnels)
+        has been changed to 1194 to match a similar change in the OpenVPN
+        product. The IANA has registered port 1194 for use by OpenVPN.</para>
+      </listitem>
+
+      <listitem>
+        <para> A new IPTABLES variable has been added to shorewall.conf. This
+        variable names the iptables executable that Shorewall will use. The
+        variable is set to "/sbin/iptables". If you use the new
+        shorewall.conf, you may need to change this setting to maintain
+        compabibility with your current setup (if you use your existing
+        shorewall.conf that does not set IPTABLES then you should experience
+        no change in behavior).</para>
+      </listitem>
     </orderedlist>
   </section>