Updates to the XML docs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1345 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-05-19 17:55:45 +00:00 · 2004-05-19 17:55:45 +00:00 · 0213183738
commit 0213183738
parent 3fde9a627f
12 changed files with 569 additions and 801 deletions
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-28</pubdate>
+    <pubdate>2004-05-15</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -128,7 +128,6 @@
      url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
      url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
      url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
      url="Documentation.htm#Common">common</ulink></para></listitem><listitem><para><ulink
      url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
      url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
      url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
--- a/Shorewall-docs2/FTP.xml
+++ b/Shorewall-docs2/FTP.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-26</pubdate>
+    <pubdate>2004-05-19</pubdate>
    <copyright>
      <year>2003</year>
@ -74,9 +74,9 @@
    <programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
    <para>The version of <command>insmod</command> shipped with 10.0 also does
-    not comprehend these module files so you will also need to change
+    not comprehend these module files so you will also need Shorewall 2.0.2 or
-    <filename>/usr/share/shorewall/firewall</filename> -- replace the line
+    later OR you need to change <filename>/usr/share/shorewall/firewall</filename>
-    that reads:</para>
+    -- replace the line that reads:</para>
    <programlisting>     insmod $modulefile $*</programlisting>
@ -278,22 +278,22 @@ jbd                    47860   2  [ext3]
    <para>If your FTP helper modules are compressed and have the names
    <emphasis>ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz</emphasis> then you
    will need Shorewall 1.4.7 or later if you want Shorewall to load them for
-    you.</para>
+    you. If your helper modules have names <emphasis>ip_nat_ftp.ko.gz and
    ip_conntrack_ftp.ko.gz</emphasis> then you will need Shorewall 2.0.2 or
    later if you want Shorewall to load them for you.</para>
  </section>
-    <para>Server configuration is covered in the <ulink type=""
+  <section>
-    url="Documentation.htm#Rules">/etc/shorewall/rules documentation</ulink>,</para>
+    <title>FTP on Non-standard Ports</title>
    <para>For a client, you must open outbound TCP port 21.</para>
    <para>The above discussion about commands and responses makes it clear
    that the FTP connection-tracking and NAT helpers must scan the traffic on
    the control connection looking for PASV and PORT commands as well as PASV
    responses. If you run an FTP server on a nonstandard port or you need to
    access such a server, you must therefore let the helpers know by
-    specifying the port in /etc/shorewall/modules entries for the helpers. For
+    specifying the port in /etc/shorewall/modules entries for the helpers.
-    example, if you run an FTP server that listens on port 49 or you need to
+    <caution><para>You must have modularized FTP connection tracking support
-    access a server on the internet that listens on that port then you would
+    in order to use FTP on a non-standard port.</para></caution></para>
    have:</para>
    <example>
      <title>if you run an FTP server that listens on port 49 or you need to
@ -317,54 +317,52 @@ options ip_nat_ftp ports=21,49</programlisting>
      /etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
      the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
    </example>
  </section>
-    <para>One problem that I see occasionally involves active mode and the FTP
+  <section id="Rules">
-    server in my DMZ. I see the active data connection to <emphasis
+    <title>Rules</title>
    role="bold">certain client IP addresses</emphasis> being continuously
    rejected by my firewall. It is my conjecture that there is some broken
    client out there that is sending a PORT command that is being either
    missed or mis-interpreted by the FTP connection tracking helper yet it is
    being accepted by my FTP server. My solution is to add the following rule:</para>
-    <informaltable>
+    <para>If the policy from the source zone to the destination zone is ACCEPT
-      <tgroup cols="7">
+    and you don&#39;t need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
-        <thead>
+    then <emphasis role="bold">you need no rule</emphasis>.</para>
          <row>
            <entry align="center">ACTION</entry>
-            <entry align="center">SOURCE</entry>
+    <para>Otherwise, for FTP you need exactly <emphasis role="bold">one</emphasis>
    rule:</para>
-            <entry align="center">DESTINATION</entry>
+    <programlisting>#ACTION      SOURCE     DESTINATION    PROTO     PORT(S)    SOURCE      ORIGINAL
 #                                                           PORT(S)     DESTINATION
 ACCEPT or    &#60;<emphasis>source</emphasis>&#62;   &#60;<emphasis>destination</emphasis>&#62;  tcp       21                     &#60;external IP addr&#62; if
 DNAT                                                                    ACTION = DNAT</programlisting>
-            <entry align="center">PROTOCOL</entry>
+    <para>You need an entry in the ORIGINAL DESTINATION column only if the
    ACTION is DNAT, you have multiple external IP addresses and you want a
    specific IP address to be forwarded to your server.</para>
-            <entry align="center">PORT(S)</entry>
+    <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
    with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
    mailing list and they show 20 in the PORT(S) column, I will know that you
    haven&#39;t read this article and I will either ignore your post or tell
    you to RTFM.<example><title>Server running behind a Masquerading Gateway</title><para>Suppose
    that you run an FTP server on 192.168.1.5 in your local zone using the
    standard port (21). You need this rule: </para><programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
 #                                                            PORT(S)     DESTINATION
 DNAT         net        loc:192.168.1.5 tcp       21</programlisting></example><example><title>Allow
    your DMZ FTP access to the Internet</title><programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
 #                                                            PORT(S)     DESTINATION
 ACCEPT       dmz        net             tcp       21</programlisting></example></para>
-            <entry align="center">SOURCE PORT(S)</entry>
+    <para>Note that the FTP connection tracking in the kernel cannot handle
    cases where a PORT command (or PASV reply) is broken across two packets.
    When such cases occur, you will see a console message similar to this one:</para>
-            <entry align="center">ORIGINAL DESTINATION</entry>
+    <programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
          </row>
        </thead>
-        <tbody>
+    <para> I see this problem occasionally with the FTP server in my DMZ. My
-          <row>
+    solution is to add the following rule:</para>
            <entry>ACCEPT:info</entry>
-            <entry>dmz</entry>
+    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO     PORT(S)    SOURCE      ORIGINAL
-
+#                                                            PORT(S)     DESTINATION
-            <entry>net</entry>
+ACCEPT:info  dmz        net             tcp       -          20</programlisting>
            <entry>tcp</entry>
            <entry>-</entry>
            <entry>20</entry>
            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>
    <para>The above rule accepts and logs all active mode connections from my
    DMZ to the net.</para>
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-05-09</pubdate>
+    <pubdate>2004-05-18</pubdate>
    <copyright>
      <year>2001</year>
@ -39,6 +39,21 @@
    </legalnotice>
  </articleinfo>
  <warning>
    <para><emphasis role="bold">Note to Debian Users</emphasis></para>
    <para>If you install using the .deb, you will find that your <filename
    class="directory">/etc/shorewall</filename> directory is empty. This is
    intentional. The released configuration file skeletons may be found on
    your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
    Simply copy the files you need from that directory to <filename
    class="directory">/etc/shorewall</filename> and modify the copies.</para>
    <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
    to <filename class="directory">/etc/shorewall</filename> even if you do
    not modify it.</para>
  </warning>
  <section id="Install_RPM">
    <title>Install using RPM</title>
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-05-10</pubdate>
+    <pubdate>2004-05-17</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -87,6 +87,42 @@
  <section>
    <title>Problems in Version 2.0</title>
    <section>
      <title>Shorewall 2.0.2</title>
      <itemizedlist>
        <listitem>
          <para>Temporary restore files with names of the form
          <filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
          /var/lib/shorewall.</para>
        </listitem>
        <listitem>
          <para>&#34;shorewall restore&#34; and &#34;shorewall -f start&#34;
          do not load kernel modules.</para>
        </listitem>
        <listitem>
          <para>Specifying a null common action in /etc/shorewall/actions
          (e.g., :REJECT) results in a startup error.</para>
        </listitem>
        <listitem>
          <para>If <filename>/var/lib/shorewall</filename> does not exist,
          <command>shorewall start</command> fails.</para>
        </listitem>
      </itemizedlist>
      <para>These problems are corrected by the <filename>firewall</filename>
      and <filename>functions</filename> files in <ulink
      url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
      Both files must be installed in <filename>/usr/share/shorewall/firewall</filename>
      as described above.</para>
      <para>The first two problems are also corrected in Shorewall version
      2.0.2a while all four problems are corrected in 2.0.2b.</para>
    </section>
    <section>
      <title>Shorewall 2.0.1</title>
@ -201,7 +237,9 @@
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
+    <para><revhistory><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added
    null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added
    2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
    link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add
    Alex Wilms&#39;s &#34;install.sh&#34; fix.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Add
    Stefan Engel&#39;s &#34;shorewall delete&#34; fix.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-04-28</date><authorinitials>TE</authorinitials><revremark>Add
--- a/Shorewall-docs2/kernel.xml
+++ b/Shorewall-docs2/kernel.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-07-20</pubdate>
+    <pubdate>2004-05-19</pubdate>
    <copyright>
-      <year>2001-2003</year>
+      <year>2001-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -89,8 +89,8 @@
    <para>Note that I have built everything I need as modules. You can also
    build everything into your kernel but if you want to be able to deal with
-    FTP running on a non-standard port then I recommend that you modularize
+    FTP running on a non-standard port then you <emphasis role="bold">must</emphasis>
-    FTP Protocol support.</para>
+    modularize FTP Protocol support.</para>
    <para>Here&#39;s the corresponding part of my .config file:</para>
--- a/Shorewall-docs2/shorewall_setup_guide.xml
+++ b/Shorewall-docs2/shorewall_setup_guide.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-03</pubdate>
+    <pubdate>2004-05-18</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -97,7 +97,16 @@
    <filename class="directory">/etc/shorewall</filename> -- for most setups,
    you will only need to deal with a few of these as described in this guide.
    Skeleton files are created during the Shorewall <ulink url="Install.htm">Installation
-    Process</ulink>.</para>
+    Process</ulink>.<warning><para><emphasis role="bold">Note to Debian Users</emphasis></para><para>If
    you install using the .deb, you will find that your <filename
    class="directory">/etc/shorewall</filename> directory is empty. This is
    intentional. The released configuration file skeletons may be found on
    your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
    Simply copy the files you need from that directory to <filename
    class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
    that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
    to <filename class="directory">/etc/shorewall</filename> even if you do
    not modify it.</para></warning></para>
    <para>As each file is introduced, I suggest that you look through the
    actual file on your system -- each file contains detailed configuration
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-22</pubdate>
+    <pubdate>2004-05-18</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -133,6 +133,21 @@
    files to /etc/shorewall (they will replace files with the same names that
    were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>
    <warning>
      <para><emphasis role="bold">Note to Debian Users</emphasis></para>
      <para>If you install using the .deb, you will find that your <filename
      class="directory">/etc/shorewall</filename> directory is empty. This is
      intentional. The released configuration file skeletons may be found on
      your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
      Simply copy the files you need from that directory to <filename
      class="directory">/etc/shorewall</filename> and modify the copies.</para>
      <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
      to <filename class="directory">/etc/shorewall</filename> even if you do
      not modify it.</para>
    </warning>
    <para>As each file is introduced, I suggest that you look through the
    actual file on your system -- each file contains detailed configuration
    instructions and default entries.</para>
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-05-03</pubdate>
+    <pubdate>2004-05-14</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -29,8 +29,7 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -42,7 +41,7 @@
    url="Install.htm">installation procedure</ulink> attempts to set up the
    init scripts to start the firewall in run levels 2-5 and stop it in run
    levels 1 and 6. If you want to configure your firewall differently from
-    this default, you can use your distribution's run-level editor.</para>
+    this default, you can use your distribution&#39;s run-level editor.</para>
    <caution>
      <itemizedlist>
@ -50,9 +49,8 @@
          <para>Shorewall startup is disabled by default. Once you have
          configured your firewall, you can enable startup by removing the
          file <filename>/etc/shorewall/startup_disabled</filename>. Note:
-          Users of the .deb package must edit
+          Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
-          <filename>/etc/default/shorewall</filename> and set
+          and set <quote>startup=1</quote>.</para>
          <quote>startup=1</quote>.</para>
        </listitem>
        <listitem>
@ -72,15 +70,15 @@
      <listitem>
        <para><command>shorewall [ -q ] [ -f ] start </command>- starts the
        firewall. It important to understand that when the firewall is in the
-        <emphasis role="bold">Started</emphasis> state there is <emphasis>no
+        <emphasis role="bold">Started</emphasis> state there is
-        Shorewall Program</emphasis> <emphasis>running</emphasis>. It rather
+        <emphasis>no Shorewall Program</emphasis> <emphasis>running</emphasis>.
-        means that Netfilter has been configured to handle traffic as
+        It rather means that Netfilter has been configured to handle traffic
-        described in your Shorewall configuration files. Please refer to the
+        as described in your Shorewall configuration files. Please refer to
-        <link linkend="State">Shorewall State Diagram</link> as shown at the
+        the <link linkend="State">Shorewall State Diagram</link> as shown at
-        bottom of this page for more information. The -q option was added in
+        the bottom of this page for more information. The -q option was added
-        Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also
+        in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced.
-        beginning with Shorewall version 2.0.2 Beta 1, the -f option may be
+        Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may
-        specified; if this option is given and the file
+        be specified; if this option is given and the file
        <filename>/var/lib/shorewall/restore</filename> is present (see
        <command>shorewall save</command> below), then that script is run to
        restore the state of the firewall to the state when
@ -93,10 +91,9 @@
        <para><command>shorewall stop</command> - stops the firewall; the only
        traffic permitted through the firewall is from systems listed in
        <filename>/etc/shorewall/routestopped</filename> (Beginning with
-        version 1.4.7, if ADMINISABSENTMINDED=Yes in
+        version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename>
-        <filename>/etc/shorewall/shorewall.conf</filename> then in addition,
+        then in addition, all existing connections are permitted and any new
-        all existing connections are permitted and any new connections
+        connections originating from the firewall itself are allowed).</para>
        originating from the firewall itself are allowed).</para>
      </listitem>
      <listitem>
@ -113,8 +110,7 @@
      <listitem>
        <para><command>shorewall clear</command> - remove all rules and chains
-        installed by Shoreline Firewall. The firewall is <quote>wide
+        installed by Shoreline Firewall. The firewall is <quote>wide open</quote></para>
        open</quote></para>
      </listitem>
      <listitem>
@ -125,9 +121,9 @@
      <listitem>
        <para><command>shorewall save</command> - Beginning with Shorewall
-        2.0.2 Beta1, this command creates a script
+        2.0.2 Beta1, this command creates a script <filename>/var/lib/shorewall/restore</filename>
-        <filename>/var/lib/shorewall/restore</filename> which when run will
+        which when run will restore the state of the firewall to its current
-        restore the state of the firewall to its current state.</para>
+        state.</para>
      </listitem>
      <listitem>
@ -146,14 +142,13 @@
    <para>If you include the keyword debug as the first argument, then a shell
    trace of the command is produced as in:</para>
-    <para><programlisting>     <command>shorewall debug start 2&gt; /tmp/trace</command></programlisting>The
+    <para><programlisting>     <command>shorewall debug start 2&#62; /tmp/trace</command></programlisting>The
    above command would trace the <quote>start</quote> command and place the
    trace information in the file /tmp/trace</para>
    <para>Beginning with version 1.4.7, shorewall can give detailed help about
    each of its commands: <programlisting>     <command>shorewall help [ command | host | address ]</command></programlisting>The
-    <quote>shorewall</quote> program may also be used to monitor the
+    <quote>shorewall</quote> program may also be used to monitor the firewall.</para>
    firewall.</para>
    <itemizedlist>
      <listitem>
@ -162,24 +157,21 @@
      </listitem>
      <listitem>
-        <para><command>shorewall show &lt;chain1&gt; [ &lt;chain2&gt; ...
+        <para><command>shorewall show &#60;chain1&#62; [ &#60;chain2&#62; ...
-        ]</command> - produce a verbose report about the listed chains
+        ]</command> - produce a verbose report about the listed chains (<command>iptables
-        (<command>iptables -L chain -n -v</command>) Note: You may only list
+        -L chain -n -v</command>) Note: You may only list one chain in the
-        one chain in the show command when running Shorewall version 1.4.6 and
+        show command when running Shorewall version 1.4.6 and earlier. Version
-        earlier. Version 1.4.7 and later allow you to list multiple chains in
+        1.4.7 and later allow you to list multiple chains in one command.</para>
        one command.</para>
      </listitem>
      <listitem>
        <para><command>shorewall show nat</command> - produce a verbose report
-        about the nat table (<command>iptables -t nat -L -n
+        about the nat table (<command>iptables -t nat -L -n -v</command>)</para>
        -v</command>)</para>
      </listitem>
      <listitem>
        <para><command>shorewall show tos</command> - produce a verbose report
-        about the mangle table (<command>iptables -t mangle -L -n
+        about the mangle table (<command>iptables -t mangle -L -n -v</command>)</para>
        -v</command>)</para>
      </listitem>
      <listitem>
@ -198,18 +190,17 @@
      </listitem>
      <listitem>
-        <para><command>shorewall monitor [ &lt;delay&gt; ]</command> -
+        <para><command>shorewall monitor [ &#60;delay&#62; ]</command> -
        Continuously display the firewall status, last 20 log entries and nat.
        When the log entry display changes, an audible alarm is sounded. The
-        <emphasis>&lt;delay&gt;</emphasis> indicates the number of seconds
+        <emphasis>&#60;delay&#62;</emphasis> indicates the number of seconds
        between updates with the default being 10 seconds.</para>
      </listitem>
      <listitem>
        <para><command>shorewall hits</command> - Produces several reports
        about the Shorewall packet log messages in the current log file named
-        in the LOGFILE variable in
+        in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
        <filename>/etc/shorewall/shorewall.conf</filename>.</para>
      </listitem>
      <listitem>
@ -219,27 +210,21 @@
      <listitem>
        <para><command>shorewall check</command> - Performs a cursory
-        validation of the zones, interfaces, hosts, rules and policy
+        validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
-        files.<caution>
+        <quote><command>check</command></quote> command is totally unsuppored
-            <para>The <quote><command>check</command></quote> command is
+        and does not parse and validate the generated iptables commands. Even
-            totally unsuppored and does not parse and validate the generated
+        though the <quote>check</quote> command completes successfully, the
-            iptables commands. Even though the <quote>check</quote> command
+        configuration may fail to start. Problem reports that complain about
-            completes successfully, the configuration may fail to start.
+        errors that the <quote>check</quote> command does not detect will not
-            Problem reports that complain about errors that the
+        be accepted.</para><para>See the recommended way to make configuration
-            <quote>check</quote> command does not detect will not be
+        changes described below.</para></caution></para>
            accepted.</para>
            <para>See the recommended way to make configuration changes
            described below.</para>
          </caution></para>
      </listitem>
      <listitem>
-        <para><command>shorewall try
+        <para><command>shorewall try &#60;<errortype>configuration-directory</errortype>&#62;
-        &lt;<errortype>configuration-directory</errortype>&gt; [
+        [ &#60;timeout&#62; ]</command> - Restart shorewall using the
-        &lt;timeout&gt; ]</command> - Restart shorewall using the specified
+        specified configuration and if an error occurs or if the
-        configuration and if an error occurs or if the
+        <emphasis>&#60;timeout&#62;</emphasis> option is given and the new
        <emphasis>&lt;timeout&gt;</emphasis> option is given and the new
        configuration has been up for that many seconds then shorewall is
        restarted using the standard configuration.</para>
      </listitem>
@ -256,17 +241,16 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall ipcalc [ &lt;address&gt; &lt;mask&gt; |
+        <para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
-        &lt;address&gt;/&lt;vlsm&gt; ] </command>- displays the network
+        &#60;address&#62;/&#60;vlsm&#62; ] </command>- displays the network
        address, broadcast address, network in CIDR notation and netmask
        corresponding to the input[s].</para>
      </listitem>
      <listitem>
-        <para><command>shorewall iprange
+        <para><command>shorewall iprange &#60;address1&#62;-&#60;address2&#62;</command>
-        &lt;address1&gt;-&lt;address2&gt;</command> - Decomposes the specified
+        - Decomposes the specified range of IP addresses into the equivalent
-        range of IP addresses into the equivalent list of network/host
+        list of network/host addresses</para>
        addresses</para>
      </listitem>
    </itemizedlist>
@ -275,19 +259,19 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall drop &lt;ip address list&gt;</command> -
+        <para><command>shorewall drop &#60;ip address list&#62;</command> -
        causes packets from the listed IP addresses to be silently dropped by
        the firewall.</para>
      </listitem>
      <listitem>
-        <para><command>shorewall reject &lt;ip address list&gt;</command> -
+        <para><command>shorewall reject &#60;ip address list&#62;</command> -
        causes packets from the listed IP addresses to be rejected by the
        firewall.</para>
      </listitem>
      <listitem>
-        <para><command>shorewall allow &lt;ip address list&gt;</command> -
+        <para><command>shorewall allow &#60;ip address list&#62;</command> -
        re-enables receipt of packets from hosts previously blacklisted by a
        drop or reject command.</para>
      </listitem>
@ -296,7 +280,7 @@
        <para><command>shorewall save</command> - save the dynamic
        blacklisting configuration so that it will be automatically restored
        the next time that the firewall is restarted. Beginning with Shorewall
-        version 2.0.2 Beta1, this command also creats the
+        version 2.0.2 Beta1, this command also creates the
        <filename>/var/lib/shorewall/restore</filename> script as described
        above.</para>
      </listitem>
@ -312,15 +296,15 @@
    <itemizedlist>
      <listitem>
-        <para><command>shorewall add &lt;interface&gt;[:&lt;host&gt;]
+        <para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
-        &lt;zone&gt;</command> - Adds the specified interface (and host if
+        &#60;zone&#62;</command> - Adds the specified interface (and host if
        included) to the specified zone.</para>
      </listitem>
      <listitem>
-        <para><command>shorewall delete &lt;interface&gt;[:&lt;host&gt;]
+        <para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
-        &lt;zone&gt;</command> - Deletes the specified interface (and host if
+        &#60;zone&#62;</command> - Deletes the specified interface (and host
-        included) from the specified zone.</para>
+        if included) from the specified zone.</para>
        <para>Examples:<programlisting>     <command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
     <command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
@ -331,11 +315,11 @@
  <section>
    <title>Error Handling</title>
-    <para>When <command>shorewall start</command>, <command>shorewall
+    <para>When <command>shorewall start</command>, <command>shorewall restart</command>
-    restart</command> or <command>shorewall refresh</command> encounter an
+    or <command>shorewall refresh</command> encounter an error, the behavior
-    error, the behavior depends on which version of Shorewall you are running
+    depends on which version of Shorewall you are running and whether there is
-    and whether there is a <filename>/var/lib/shorewall/restore</filename>
+    a <filename>/var/lib/shorewall/restore</filename> script available (see
-    script available (see <command>shorewall save</command> above).</para>
+    <command>shorewall save</command> above).</para>
    <itemizedlist>
      <listitem>
@ -347,8 +331,8 @@
      <listitem>
        <para>If you have executed a <command>shorewall save</command> command
        without a subsequent <command>shorewall forget</command>, then the
-        firewall is restored to the state when <command>shorewall
+        firewall is restored to the state when <command>shorewall save</command>
-        save</command> was executed.</para>
+        was executed.</para>
      </listitem>
    </itemizedlist>
  </section>
@ -356,23 +340,21 @@
  <section>
    <title>Alternate Configurations</title>
-    <para>The <command>shorewall start</command>, <command>shorewall
+    <para>The <command>shorewall start</command>, <command>shorewall restart</command>,
-    restart</command>, <command>shorewall check</command>, and
+    <command>shorewall check</command>, and <command>shorewall try </command>commands
-    <command>shorewall try </command>commands allow you to specify which
+    allow you to specify which Shorewall configuration to use:</para>
    Shorewall configuration to use:</para>
-    <programlisting>     <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
+    <programlisting>     <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
-     <command>shorewall try &lt;configuration-directory&gt;</command></programlisting>
+     <command>shorewall try &#60;configuration-directory&#62; [ &#60;timeout&#62; ]</command></programlisting>
-    <para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
+    <para>If a <emphasis>&#60;configuration-directory</emphasis>&#62; is
    specified, each time that Shorewall is going to use a file in <filename
-    class="directory">/etc/shorewall</filename> it will first look in
+    class="directory">/etc/shorewall</filename> it will first look in the<emphasis>
-    the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the file is
+    &#60;configuration-directory&#62;</emphasis> . If the file is present in
-    present in the <emphasis>&lt;configuration-directory&gt;,</emphasis> that
+    the <emphasis>&#60;configuration-directory&#62;,</emphasis> that file will
-    file will be used; otherwise, the file in <filename
+    be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
-    class="directory">/etc/shorewall</filename> will be used. When changing
+    will be used. When changing the configuration of a production firewall, I
-    the configuration of a production firewall, I recommend the
+    recommend the following:</para>
    following:</para>
    <itemizedlist>
      <listitem>
@ -384,8 +366,8 @@
      </listitem>
      <listitem>
-        <para>&lt;copy any files that you need to change from /etc/shorewall
+        <para>&#60;copy any files that you need to change from /etc/shorewall
-        to . and change them here&gt;</para>
+        to . and change them here&#62;</para>
      </listitem>
      <listitem>
@ -393,7 +375,7 @@
      </listitem>
      <listitem>
-        <para>&lt;correct any errors found by check and check again&gt;</para>
+        <para>&#60;correct any errors found by check and check again&#62;</para>
      </listitem>
      <listitem>
@ -401,10 +383,10 @@
      </listitem>
    </itemizedlist>
-    <para>If the configuration starts but doesn't work, just <quote>shorewall
+    <para>If the configuration starts but doesn&#39;t work, just
-    restart</quote> to restore the old configuration. If the new configuration
+    <quote>shorewall restart</quote> to restore the old configuration. If the
-    fails to start, the <quote>try</quote> command will automatically start
+    new configuration fails to start, the <quote>try</quote> command will
-    the old one for you.</para>
+    automatically start the old one for you.</para>
    <para>When the new configuration works then just:</para>
@ -432,8 +414,7 @@
    <para>You will note that the commands that result in state transitions use
    the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
-    That is because the actual transitions are done by
+    That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
    <command>/usr/share/shorewall/firewall</command>;
    <command>/sbin/shorewall</command> runs <quote>firewall</quote> according
    to the following table:</para>
@ -478,8 +459,7 @@
            <entry>firewall restart</entry>
-            <entry>Logically equivalent to <quote>firewall stop;firewall
+            <entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
            start</quote></entry>
          </row>
          <row>
@ -527,7 +507,7 @@
          <row>
            <entry>shorewall try</entry>
-            <entry>firewall -c &lt;new configuration&gt; restart If
+            <entry>firewall -c &#60;new configuration&#62; restart If
            unsuccessful then firewall start (standard configuration) If
            timeout then firewall restart (standard configuration)</entry>
@ -541,36 +521,12 @@
  <appendix>
    <title>Revision History</title>
-    <para><revhistory>
+    <para><revhistory><revision><revnumber>1.10</revnumber><date>2004-05-14</date><authorinitials>TE</authorinitials><revremark>Update
-        <revision>
+    &#34;try&#34; syntax in the alternate configuration section to include [
-          <revnumber>1.3-1.8</revnumber>
+    &#60;timeout&#62; ]</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Shorewall
-
+    2.0.2</revremark></revision><revision><revnumber>1.3-1.8</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Docbook
-          <date>2004-01-04</date>
+    standards</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
-
+    clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
-          <authorinitials>TE</authorinitials>
+    Docbook conversion</revremark></revision></revhistory></para>
          <revremark>Docbook standards</revremark>
        </revision>
        <revision>
          <revnumber>1.2</revnumber>
          <date>2003-12-31</date>
          <authorinitials>TE</authorinitials>
          <revremark>Added clarification about "Started State"</revremark>
        </revision>
        <revision>
          <revnumber>1.1</revnumber>
          <date>2003-12-29</date>
          <authorinitials>TE</authorinitials>
          <revremark>Initial Docbook conversion</revremark>
        </revision>
      </revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-03-15</pubdate>
+    <pubdate>2004-05-16</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -214,8 +214,9 @@
      <listitem>
        <para>If an error occurs when you try to <quote><command>shorewall
-        start</command></quote>, include a trace (See the Troubleshooting
+        start</command></quote>, include a trace (See the <ulink
-        section for instructions).</para>
+        url="troubleshoot.htm">Troubleshooting section</ulink> for
        instructions).</para>
      </listitem>
      <listitem>
@ -290,7 +291,8 @@
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
+    <para><revhistory><revision><revnumber>1.5</revnumber><date>2003-05-16</date><authorinitials>TE</authorinitials><revremark>Add
    link to the troubleshooting section</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
    Newbies Mailing List.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-02-19</date><authorinitials>TE</authorinitials><revremark>Admonish
    against including &#34;iptables -L&#34; output.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
    .GIF and moved note about unsupported releases. Move Revision History to
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-04-22</pubdate>
+    <pubdate>2004-05-18</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -157,12 +157,23 @@
    <para>The configuration files for Shorewall are contained in the directory
    <filename>/etc/shorewall</filename> -- for simple setups, you will only
-    need to deal with a few of these as described in this guide. After you
+    need to deal with a few of these as described in this guide.<warning><para><emphasis
-    have installed Shorewall, download the three-interface sample, un-tar it (<command>tar
+    role="bold">Note to Debian Users</emphasis></para><para>If you install
-    <option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
+    using the .deb, you will find that your <filename class="directory">/etc/shorewall</filename>
-    and and copy the files to <filename>/etc/shorewall</filename> (the files
+    directory is empty. This is intentional. The released configuration file
-    will replace files with the same names that were placed in
+    skeletons may be found on your system in the directory <filename
-    <filename>/etc/shorewall</filename> when Shorewall was installed).</para>
+    class="directory">/usr/share/doc/shorewall/default-config</filename>.
    Simply copy the files you need from that directory to <filename
    class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
    that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
    to /etc/shorewall even if you do not modify it.</para></warning></para>
    <para>After you have installed Shorewall, download the three-interface
    sample, un-tar it (<command>tar <option>-zxvf</option>
    <filename>three-interfaces.tgz</filename></command>) and and copy the
    files to <filename>/etc/shorewall</filename> (the files will replace files
    with the same names that were placed in <filename>/etc/shorewall</filename>
    when Shorewall was installed).</para>
    <para>As each file is introduced, I suggest that you look through the
    actual file on your system -- each file contains detailed configuration
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@ -12,7 +12,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2003-04-22</pubdate>
+    <pubdate>2003-05-18</pubdate>
    <copyright>
      <year>2002</year>
@ -146,7 +146,18 @@
    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
    setups, you will only need to deal with a few of these as described in
-    this guide. <tip><para>After you have <ulink url="Install.htm">installed
+    this guide.<warning><para><emphasis role="bold">Note to Debian Users</emphasis></para><para>If
    you install using the .deb, you will find that your <filename
    class="directory">/etc/shorewall</filename> directory is empty. This is
    intentional. The released configuration file skeletons may be found on
    your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
    Simply copy the files you need from that directory to <filename
    class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
    that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
    to <filename class="directory">/etc/shorewall</filename> even if you do
    not modify it.</para></warning></para>
    <para><tip><para>After you have <ulink url="Install.htm">installed
    Shorewall</ulink>, download the <ulink
    url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
    sample</ulink>, un-tar it (<command>tar <option>-zxvf</option>