diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index d61c2c521..e69964d18 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -730,6 +730,14 @@
and restart commands will succeed even if no DNS
server is reachable (assuming that the configuration hasn't changed
since the compiled script was last generated).
+
+
+ When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS
+ change makes it necessary to recompile an existing firewall
+ script, the option must be used with the
+ reload or restart command to
+ force recompilation.
+
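Review bot: the added paragraph tells the reader that "the option must be used with the reload or restart command" but, as rendered here, no option is named, so the sentence is not actionable; check that the element holding the option name survives the build, or spell the option out in plain text next to it. It would also help to state that this is the one situation the preceding paragraph's "will succeed even if no DNS server is reachable" guarantee does not cover (a DNS change with no configuration change), so the two paragraphs read as a rule and its exception rather than as a contradiction.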
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index b9809e06e..52965b11a 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -2498,27 +2498,63 @@ gmail-pop.l.google.com. 300 IN A 209.85.2
#ACTION SOURCE DEST PROTO DPORT
POP(ACCEPT) loc net:pop.gmail.com
- If your firewall rules include DNS names then:
+ There are two options in shorewall[6].conf(5) that
+ affect the use of DNS names in Shorewall[6] config files:
+
+
+
+ DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
+ compile time; when set to Yes, DNS Names are resolved at
+ runtime.
+
+
+
+ AUTOMAKE - When set to Yes, start,
+ restart and reload only result
+ in compilation if one of the files on the CONFIG_PATH has changed
+ since the the last compilation.
+
+
+
+ So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
+ will only take place at boot time if a change had been make to the config
+ but no restart or reload had taken
+ place. This is clearly spelled out in the shorewall.conf manpage. So with
+ these settings, so long as a 'reload' or 'restart' takes place after the
+ Shorewall configuration is changes, there should be no DNS-related
+ problems at boot time.
+
+
+ When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
+ makes it necessary to recompile an existing firewall script, the
+ option must be used with the
+ reload or restart command to force
+ recompilation.
+
+
+ If your firewall rules include DNS names then, even if
+ DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:If your /etc/resolv.conf is wrong then your
- firewall won't start.
+ firewall may not start.
If your /etc/nsswitch.conf is wrong then
- your firewall won't start.
+ your firewall may not start.
- If your Name Server(s) is(are) down then your firewall won't
+ If your Name Server(s) is(are) down then your firewall may not
start.If your startup scripts try to start your firewall before
- starting your DNS server then your firewall won't start.
+ starting your DNS server then your firewall may not start.
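Review bot: several typos in the new text should be fixed before merge: "since the the last compilation" (doubled "the"), "a change had been make to the config" (should be "made"), and "after the Shorewall configuration is changes" (should be "is changed"). The sentence starting "So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation will only take place at boot time if ..." is also hard to parse; suggest "With AUTOMAKE=Yes and DEFER_DNS_RESOLUTION=No, compilation happens at boot time only when the configuration was changed but no reload or restart followed." As in the manpage hunk, "the option must be used with the reload or restart command" does not name the option, so verify the option markup renders. Finally, the closing paragraph runs directly into the first list item ("AUTOMAKE=Yes:If your /etc/resolv.conf ..."), so check that the list markup is intact there.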
@@ -2528,7 +2564,7 @@ POP(ACCEPT) loc net:pop.gmail.com
You must bring up your network interfaces prior to starting your
- firewall.
+ firewall, or the firewall may not start.
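Review bot: "You must bring up your network interfaces prior to starting your firewall, or the firewall may not start" mixes an absolute requirement with a hedged consequence; since the other changes in this patch deliberately soften "won't start" to "may not start", consider either keeping this sentence as the plain requirement it was, or rewording the consequence to match the list above (for example, "otherwise the firewall may not start").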