More doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1978 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-03-04 00:16:13 +00:00 · 2005-03-04 00:16:13 +00:00 · 1984e51b64
commit 1984e51b64
parent e5f040d070
3 changed files with 25 additions and 23 deletions
--- a/Shorewall-docs2/FTP.xml
+++ b/Shorewall-docs2/FTP.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-01-03</pubdate>
+    <pubdate>2005-03-03</pubdate>

    <copyright>
      <year>2003</year>
@ -257,7 +257,7 @@ jbd                    47860   2  [ext3]
      have:</title>

      <programlisting>loadmodule ip_conntrack_ftp ports=21,49
-loadmodule ip_nat_ftp ports=21,49</programlisting>
+loadmodule ip_nat_ftp ports=21,49           # NOTE: This is not necessary with kernel 2.6.11 and later!</programlisting>

      <para><note>
          <para>you MUST include port 21 in the ports list or you may have
@ -269,7 +269,7 @@ loadmodule ip_nat_ftp ports=21,49</programlisting>
      /etc/modules.conf:</para>

      <programlisting>options ip_conntrack_ftp ports=21,49
-options ip_nat_ftp ports=21,49</programlisting>
+options ip_nat_ftp ports=21,49           # NOTE: This is not necessary with kernel 2.6.11 and later!</programlisting>

      <para><important>
          <para>Once you have made these changes to /etc/shorewall/modules
--- a/Shorewall-docs2/Shorewall_and_Routing.xml
+++ b/Shorewall-docs2/Shorewall_and_Routing.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-02-19</pubdate>
+    <pubdate>2005-03-03</pubdate>

    <copyright>
      <year>2005</year>
@ -66,11 +66,15 @@

    <graphic fileref="images/Netfilter.png" />

-    <para>The light blue boxes indicate where routing decisions are made. The
-    green boxes show where Netfilter processing takes place (as directed by
-    Shorewall). You will notice that there are two different paths through
-    this maze, depending on where the packet originates. We will look at each
-    of these separately.</para>
+    <para>The light blue boxes indicate where routing decisions are made. Upon
+    exit from one of these boxes, if the packet is being sent to another
+    system then the interface and the next hop have been uniquely
+    determined.</para>
+
+    <para>The green boxes show where Netfilter processing takes place (as
+    directed by Shorewall). You will notice that there are two different paths
+    through this maze, depending on where the packet originates. We will look
+    at each of these separately.</para>

    <section>
      <title>Packets Entering the Firewall from Outside</title>
@ -89,6 +93,14 @@
          <firstterm>alternate routing table</firstterm>; see the <ulink
          url="Shorewall_Squid_Usage.html">Shorewall Squid
          documentation</ulink> for examples.</para>
+
+          <caution>
+            <para>Marking packets then using the <emphasis>fwmark</emphasis>
+            selector in your "<emphasis role="bold">ip rule add</emphasis>"
+            commands should NOT be your first choice. In most cases, you can
+            use the <emphasis>from</emphasis> or <emphasis>dev</emphasis>
+            selector instead.</para>
+          </caution>
        </listitem>

        <listitem>
--- a/Shorewall-docs2/troubleshoot.xml
+++ b/Shorewall-docs2/troubleshoot.xml
@ -13,10 +13,10 @@
      <surname>Eastep</surname>
    </author>

-    <pubdate>2004-08-25</pubdate>
+    <pubdate>20045-03-03</pubdate>

    <copyright>
-      <year>2001-2004</year>
+      <year>2001-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -326,7 +326,7 @@ ACCEPT    dmz              loc                   udp     53</programlisting>

        <programlisting>#ACTION  SOURCE          DEST                  PROTO   DEST
 #                                                      PORT(S)
-ACCEPT&nbsp;&nbsp; <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasis>&lt;destination zone&gt;</emphasis>&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; echo-request</programlisting>
+AllowPing <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasis>&lt;destination zone&gt;</emphasis></programlisting>

        <para>The ramifications of this can be subtle. For example, if you
        have the following in <filename><ulink
@ -339,16 +339,6 @@ ACCEPT&nbsp;&nbsp; <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasi
        between the zone containing the system you are pinging from and the
        zone containing 10.1.1.2, the ping requests will be dropped.</para>
      </listitem>
-
-      <listitem>
-        <para>Similarly, since Shorewall gives no special treatment to
-        <quote>ping</quote>packets, these packets are subject to logging
-        specifications in policies. This allows people pinging your firewall
-        to create large number of messages in your log. These messages can be
-        eliminated by the following rule:<programlisting>#ACTION   SOURCE           DEST                PROTO   DEST
-#                                                      PORT(S)
-DROP      net              fw                  icmp    echo-request</programlisting></para>
-      </listitem>
    </itemizedlist>
  </section>