diff --git a/docs/FTP.xml b/docs/FTP.xml
index 15c4d0a65..b7491fdcb 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -294,6 +294,131 @@ xt_tcpudp 3328 0
/etc/shorewall/shorewall.conf to point to that directory.
+
+ FTP with Kernel 3.5 and Later
+
+ Because of the potential for attackers to subvert Netfilter helpers
+ like the one for FTP, the Netfilter team are in the process of eliminating
+ the automatic association of helpers to connections. In the 3.5 kernel, it
+ is possible to disable this automatic association, and the team have
+ announced that automatic association will eventually be eliminated. While
+ it is certainly more secure to add explicit rules that create these
+ associations, for Shorewall to require users to add those rules would
+ present a gross inconvenience during a Shorewall upgrade. To make
+ Shorewall and kernel upgrades as smooth as possible, several new features
+ were added to the Shorewall 4.5.7:
+
+
+
+ Shorewall automatically disables the kernel's automatic
+ association of helpers to connections on kernel 3.5 and later.
+
+
+
+ An automatic association of helpers with connections that
+ performs the same function as in the pre-3.5 kernels has been added.
+ This automatic association is controlled by the AUTOHELPERS
+ shorewall.conf option which is set to 'Yes' by default.
+
+
+
+ A HELPERS column has been added to the /etc/shorewall/rules In
+ the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the
+ specified helper is automatically associated with the
+ connection.
+
+
+
+ HELPERS may be specified in action files, macros and in the
+ rules file itself. In the RELATED section: The rule will only match
+ related connections that have the named helper attached. - The
+ standard Macros for applications requiring a helper (FTP, IRC, etc)
+ have been modified to automatically specify the correct helper in the
+ HELPER column.
+
+
+
+ HELPER is now a valid action in /etc/shorewall/rules. This
+ action requires that a helper be present in the HELPER column and
+ causes the specified helper to be associated with connections matching
+ the rule. No destination zone should be specified in HELPER rules.
+ HELPER rules allow specification of a helper for connections that are
+ ACCEPTed by the applicable policy.
+
+ Example (loc->net policy is ACCEPT) - In
+ /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST
+FTP(HELPER) loc -
+
+ or equivalently
+
+ #ACTION SOURCE DEST PROTO DEST
+# PORT(S)
+HELPER loc - tcp 21 { helper=ftp }
+
+
+
+ The set of enabled helpers (either by AUTOHELPERS=Yes or by the
+ HELPERS column) can be taylored using the new HELPERS option in
+ shorewall.conf.
+
+
+
+ By making AUTOHELPERS=Yes the default, users can upgrade their
+ systems to a 3.5+ kernel without disrupting the operation of their
+ firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and
+ follow one of two strategies:
+
+
+
+ Use the HELPERS column in the rules file to enable helpers as
+ needed (preferred); or
+
+
+
+ Taylor the conntrack file to enable helpers on only those
+ connections that are required.
+
+
+
+ With either of these approaches, the list if available helpers can
+ be trimmed using the HELPERS option and rules can be added to the RELATED
+ section of the rules file to further restrict the effect of helpers. The
+ implementation of these new function places conditional rules in the
+ /etc/shorewall[6]/conntrack file. These rules are included conditionally
+ based in the setting of AUTOHELPERS.
+
+ Example:
+
+ #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
+# PORT(S) PORT(S) GROUP
+?if $AUTOHELPERS && __CT_TARGET
+?if __FTP_HELPER
+CT:helper:ftp all - tcp 21
+?endif
+...
+?endif
+
+ __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
+ and 'ftp' is not listed in that setting. For example, if you only need FTP
+ access from your 'loc' zone, then add this rule outside of the outer-most
+ ?if....?endif shown above.
+
+ #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
+# PORT(S) PORT(S) GROUP
+...
+CT:helper:ftp loc - tcp 21
+
+ For an overview of Netfilter Helpers and Shorewall's support for
+ dealing with them, see http://www.shorewall.net/Helpers.html.
+
+ See https://home.regit.org/netfilter-en/secure-use-of-helpers/
+ for additional information.
+
+
FTP on Non-standard Ports
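Review bot: The new section names the rules-file column inconsistently: it is introduced as "A HELPERS column has been added" and referred to again as "the HELPERS column", but the macro and HELPER-action items say "in the HELPER column". Please settle on one name, and make clear where the text means the shorewall.conf HELPERS option rather than the column, since the two are easy to confuse. The first two list items also look run together: "/etc/shorewall/rules In the NEW section:" is missing a sentence break, and "- The standard Macros ..." reads like a separate item that was merged into the RELATED-section sentence. In the final conntrack example, the text does not say which setting makes the loc-only `CT:helper:ftp loc - tcp 21` rule the effective one. While the `all` rule inside `?if $AUTOHELPERS && __CT_TARGET` is still active, adding the loc rule outside that block does not narrow anything, so state the precondition (for instance AUTOHELPERS=No, which the section recommends) next to the example. Typos to fix: "taylored" and "Taylor" should be "tailored" and "Tailor", "the list if available helpers" should be "of", "these new function" should be "functions", "based in the setting" should be "on", "added to the Shorewall 4.5.7" should drop "the", and "setting AUTOHELPERS=No and follow" should be "following".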