Documentation updates for my configs, the FAQ and error messages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1987 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/ErrorMessages.xml

@@ -15,11 +15,13 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-10-06</pubdate>
+    <pubdate>2005-03-08</pubdate>
 
     <copyright>
       <year>2004</year>
 
+      <year>2005</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -485,8 +487,8 @@
   <section>
     <title>Warnings</title>
 
-    <para>This sections describes some of the more warnings generated by
-    Shorewall.</para>
+    <para>This sections describes some of the more common warnings generated
+    by Shorewall.</para>
 
     <glosslist>
       <glossentry>
@@ -500,6 +502,18 @@
           SUBNET columns reversed.</para>
         </glossdef>
       </glossentry>
+
+      <glossentry>
+        <glossterm>Warning: Zone &lt;zone&gt; is empty</glossterm>
+
+        <glossdef>
+          <para>This warning alerts you to the fact tha &lt;zone&gt; is
+          defined in <filename>/etc/shorewall/zones</filename> but has no
+          corresponding entries in
+          <filename>/etc/shorewall/interfaces</filename> or in
+          <filename>/etc/shorewall/hosts</filename>. </para>
+        </glossdef>
+      </glossentry>
     </glosslist>
   </section>
 </article>

Shorewall-docs2/VPN.xml

@@ -15,13 +15,15 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-10-27</pubdate>
+    <pubdate>2005-03-08</pubdate>
 
     <copyright>
       <year>2002</year>
 
       <year>2004</year>
 
+      <year>2005</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -58,9 +60,21 @@
     available at <ulink
     url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
 
-    <para>If IPSEC is being used then only one system may connect to the
-    remote gateway and there are firewall configuration requirements as
-    follows:</para>
+    <para>If IPSEC is being used, you should configure IPSEC to use
+    <firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
+    packets (protocol 50 or 51) are encapsulated in UDP packets with
+    destination port 4500. Additionally, <firstterm>keep-alive
+    messages</firstterm> are sent frequently so that NATing gateways between
+    the end-points will retain their connection-tracking entries. This is the
+    way that I connect to the HP Intranet and it works flawlessly without
+    anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
+    traversal is available as a patch for Windows 2K and is a standard feature
+    of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
+    pulldown.</para>
+
+    <para>Alternatively, if IPSEC is being used then you can try the
+    following: only one system may connect to the remote gateway and there are
+    firewall configuration requirements as follows:</para>
 
     <table>
       <title>/etc/shorewall/rules</title>
@@ -120,21 +134,13 @@
       </tgroup>
     </table>
 
+    <para>The above may or may not work — your milage may vary. NAT Traversal
+    is definitely a better solution.</para>
+
     <para>If you want to be able to give access to all of your local systems
     to the remote network, you should consider running a VPN client on your
     firewall. As starting points, see <ulink
     url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
     or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
-
-    <para>Alternatively, you should configure IPSEC to use <firstterm>NAT
-    Traversal</firstterm> -- Under NAT traversal the IPSEC packets (protocol
-    50 or 51) are encapsulated in UDP packets with destination port 4500.
-    Additionally, <firstterm>keep-alive messages</firstterm> are sent
-    frequently so that NATing gateways between the end-points will retain
-    their connection-tracking entries. This is the way that I connect to the
-    HP Intranet and it works flawlessly without anything in Shorewall other
-    than my ACCEPT loc-&gt;net policy. NAT traversal is available as a patch
-    for Windows 2K and is a standard feature of Windows XP -- simply select
-    "L2TP IPSec VPN" from the "Type of VPN" pulldown.</para>
   </section>
 </article>

Shorewall-docs2/myfiles.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-02-25</pubdate>
+    <pubdate>2005-03-08</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -248,7 +248,7 @@ vpn     OpenVPN         Open VPN Clients
 
         <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 net     $EXT_IF         206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
-loc     $INT_IF         detect          dhcp
+loc     $INT_IF         192.168.1.255   dhcp
 dmz     $DMZ_IF         -
 vpn     tun+            -
 Wifi    $WIFI_IF        -               maclist,dhcp
@@ -361,14 +361,22 @@ all             all             REJECT          $LOG
 
       <blockquote>
         <para>Although most of our internal systems use one-to-one NAT, my
-        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
-        does our laptop (192.168.1.8) and visitors with laptops.</para>
+        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
+        our wireless network systems and visitors with laptops.</para>
 
         <para>The first entry allows access to the DSL modem and uses features
         introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
         rule to be placed before rules generated by the /etc/shorewall/nat
-        file below. The double colons ("::") causes the entry to be exempt
-        from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
+        file below. The double colons ("::") cause the entry to be exempt from
+        ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
+
+        <note>
+          <para>My use of ADD_SNAT_ALIASES=Yes is an anachronism. I previously
+          used 206.124.146.179 as the SNAT address before I configured a
+          system outside the firewall with that IP address.
+          ADD_SNAT_ALIASES=Yes was used to add 206.124.146.179 as an IP
+          address on the external interface.</para>
+        </note>
 
         <programlisting>#INTERFACE              SUBNET          ADDRESS
 +$EXT_IF::192.168.1.1      0.0.0.0/0       192.168.1.254
@@ -732,11 +740,11 @@ syslogsync 1</programlisting>
       <title>/etc/racoon/racoon.conf</title>
 
       <blockquote>
-        <programlisting> 
-listen
+        <programlisting>listen
 {
         isakmp 206.124.146.176 ;
         isakmp 192.168.3.254 ;
+        isakmp_natt 206.124.146.176 [4500] ;
         adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;
 }
 #