Revise instructions for disabling iptables

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-07-17 16:48:15 -07:00 · 2012-07-17 16:48:15 -07:00 · 55519bd9ac
commit 55519bd9ac
parent c0e4d4093c
3 changed files with 178 additions and 118 deletions
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@ -119,19 +119,18 @@
      <title>Conventions</title>
      <para>Points at which configuration changes are recommended are flagged
-      with <inlinegraphic fileref="images/BD21298_.gif"
+      with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
      format="GIF" />.</para>
      <para>Configuration notes that are unique to Debian and it's derivatives
      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
-      format="GIF" />.</para>
+      format="GIF"/>.</para>
    </section>
  </section>
  <section id="PPTP">
    <title>PPTP/ADSL</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If you have an <acronym>ADSL</acronym> Modem and you use
    <acronym>PPTP</acronym> to communicate with a server in that modem, you
@ -144,7 +143,7 @@
  <section id="Concepts">
    <title>Shorewall Concepts</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
@ -177,7 +176,7 @@
      </listitem>
      <listitem>
-        <para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
+        <para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
        you installed using a Shorewall 4.x .deb, the samples are in <emphasis
        role="bold"><filename
        class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis>
@ -352,7 +351,7 @@ root@lists:~# </programlisting>
      the external interface.</para>
    </caution>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The Shorewall one-interface sample configuration assumes that the
    external interface is <filename class="devicefile">eth0</filename>. If
@ -460,7 +459,7 @@ root@lists:~# </programlisting>
      </listitem>
    </itemizedlist>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If you are running a distribution that logs Netfilter messages to a
    log other than <filename>/var/log/messages</filename>, then modify the
@ -500,7 +499,7 @@ root@lists:~# </programlisting>
    <filename>/usr/share/shorewall/modules</filename> then copy the file to
    <filename>/etc/shorewall</filename> and modify the copy.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
  </section>
@ -564,33 +563,16 @@ ACCEPT    net       $FW             tcp          143</programlisting></para>
 SSH(ACCEPT) net       $FW           </programlisting>
    </important>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
    other connections as desired.</para>
  </section>
  <section>
    <title>Disabling your existing Firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On Redhat/CentOS/Fedora:</para>
    <programlisting><command>service iptables stop</command></programlisting>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
    <programlisting><command>chkconfig --del iptables</command></programlisting>
  </section>
  <section id="Starting">
    <title>Starting and Stopping Your Firewall</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The <ulink url="Install.htm">installation procedure</ulink>
    configures your system to start Shorewall at system boot but startup is
@ -598,7 +580,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
    configuration is complete. Once you have completed configuration of your
    firewall, you must edit /etc/shorewall/shorewall.conf and set
    STARTUP_ENABLED=Yes.<graphic align="left"
-    fileref="images/openlogo-nd-25.png" /></para>
+    fileref="images/openlogo-nd-25.png"/></para>
    <important>
      <para>Users of the .deb package must edit
@ -675,6 +657,44 @@ SSH(ACCEPT) net       $FW           </programlisting>
    </itemizedlist>
  </section>
  <section>
    <title>Disabling your existing Firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
    <programlisting><command>service iptables stop</command></programlisting>
    <para>On recent Fedora systems that run systemd, the command is:</para>
    <programlisting><command>systemctl stop iptables.service</command></programlisting>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>On other systems that use a classic SysV init system:</para>
    <programlisting><command>/etc/init.d/iptables stop</command></programlisting>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On older
    Redhat/CentOS/Fedora:</para>
    <programlisting><command>chkconfig --del iptables</command></programlisting>
    <para>On Debian systems:</para>
    <programlisting><command>update-rc.d iptables disable</command></programlisting>
    <para>On recent Fedora system running systemd:</para>
    <programlisting><command>systemctl disable iptables.service</command></programlisting>
    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
    <para>At this point, disable your existing firewall service.</para>
  </section>
  <section id="Other">
    <title>Additional Recommended Reading</title>
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@ -90,7 +90,7 @@
      <mediaobject>
        <imageobject>
-          <imagedata align="center" fileref="images/dmz1.png" format="PNG" />
+          <imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
        </imageobject>
      </mediaobject>
    </figure>
@ -147,19 +147,18 @@
      <title>Conventions</title>
      <para>Points at which configuration changes are recommended are flagged
-      with <inlinegraphic fileref="images/BD21298_.gif"
+      with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
      format="GIF" />.</para>
      <para>Configuration notes that are unique to Debian and it's derivatives
      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
-      format="GIF" />.</para>
+      format="GIF"/>.</para>
    </section>
  </section>
  <section id="PPTP">
    <title>PPTP/ADSL</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If you have an ADSL Modem and you use PPTP to communicate with a
    server in that modem, you must make the <ulink
@ -175,7 +174,7 @@
    <filename>/etc/shorewall</filename> -- for simple setups, you will only
    need to deal with a few of these as described in this guide.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>After you have installed Shorewall, locate the three-interface
    Sample configuration:</para>
@ -210,7 +209,7 @@
      </listitem>
      <listitem>
-        <para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
+        <para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
        you installed using a Shorewall 4.x .deb, the samples are in <emphasis
        role="bold"><filename
        class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
@ -363,7 +362,7 @@ $FW        loc         ACCEPT</programlisting>
    <emphasis>net</emphasis> zone even though connections are not allowed from
    the <emphasis>loc</emphasis> zone to the firewall itself.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>At this point, edit your <filename>/etc/shorewall/policy</filename>
    file and make any changes that you wish.</para>
@ -377,7 +376,7 @@ $FW        loc         ACCEPT</programlisting>
      <mediaobject>
        <imageobject>
-          <imagedata align="center" fileref="images/dmz1.png" format="PNG" />
+          <imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
        </imageobject>
      </mediaobject>
    </figure>
@ -421,7 +420,7 @@ root@lists:~# </programlisting>
      the external interface.</para>
    </caution>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>I<emphasis role="bold">f your external interface is <filename
    class="devicefile">ppp0</filename> or <filename
@ -463,7 +462,7 @@ root@lists:~# </programlisting>
      exactly one default route via your ISP's Router.</para>
    </caution>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The Shorewall three-interface sample configuration assumes that the
    external interface is <filename class="devicefile">eth0</filename>, the
@ -528,7 +527,7 @@ root@lists:~# </programlisting>
      <title>Example sub-network</title>
      <tgroup cols="2">
-        <colspec align="left" />
+        <colspec align="left"/>
        <tbody>
          <row>
@ -573,7 +572,7 @@ root@lists:~# </programlisting>
    directly. To communicate with systems outside of the subnetwork, systems
    send packets through a gateway (router).</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>Your local computers (Local Computers 1 &amp; 2) should be
    configured with their default gateway set to the IP address of the
@ -596,7 +595,7 @@ root@lists:~# </programlisting>
      <mediaobject>
        <imageobject>
-          <imagedata fileref="images/dmz2.png" />
+          <imagedata fileref="images/dmz2.png"/>
        </imageobject>
        <caption><para>The default gateway for the DMZ computers would be
@ -652,7 +651,7 @@ root@lists:~# </programlisting>
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    file.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If your external firewall interface is <filename
    class="devicefile">eth0</filename> then you do not need to modify the file
@ -665,7 +664,7 @@ root@lists:~# </programlisting>
    modify the SOURCE column to list just your local interface (10.10.10.0/24
    in the above example).</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If your external IP is static, you can enter it in the third column
    in the <filename
@ -673,7 +672,7 @@ root@lists:~# </programlisting>
    entry if you like although your firewall will work fine if you leave that
    column empty. Entering your static IP in column 3 makes processing
    outgoing packets a little more efficient.<graphic align="left"
-    fileref="images/openlogo-nd-25.png" /></para>
+    fileref="images/openlogo-nd-25.png"/></para>
    <para><emphasis role="bold">If you are using the Debian package, please
    check your <filename>shorewall.conf</filename> file to ensure that the
@ -736,7 +735,7 @@ root@lists:~# </programlisting>
      </listitem>
    </itemizedlist>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If you are running a distribution that logs netfilter messages to a
    log other than <filename>/var/log/messages</filename>, then modify the
@ -776,7 +775,7 @@ root@lists:~# </programlisting>
    <filename>/usr/share/shorewall/modules</filename> then copy the file to
    <filename>/etc/shorewall</filename> and modify the copy.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
  </section>
@ -886,7 +885,7 @@ DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</pr
        </itemizedlist></para>
    </example>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>At this point, add the DNAT and ACCEPT rules for your
    servers.</para>
@ -924,7 +923,7 @@ DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</pr
        <listitem>
          <para><inlinegraphic fileref="images/BD21298_.gif"
-          format="GIF" /></para>
+          format="GIF"/></para>
          <para>You can configure a <emphasis>Caching Name Server</emphasis>
          on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
@ -1026,7 +1025,7 @@ ACCEPT    net       $FW                 udp        53        </programlisting>
 SSH(ACCEPT) net       $FW</programlisting></para>
    </important>
-    <para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
+    <para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
    users will want to add the following two rules to be compatible with
    Jacques's Shorewall configuration: <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
 ACCEPT    loc       $FW                 udp        53
@ -1039,7 +1038,7 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
          <para>Entry 2 allows the <quote>weblet</quote> to work.</para>
        </listitem>
      </itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
-    format="GIF" /></para>
+    format="GIF"/></para>
    <para>Now modify <filename>/etc/shorewall/rules</filename> to add or
    remove other connections as required.</para>
@ -1101,27 +1100,10 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    </itemizedlist>
  </section>
  <section>
    <title>Disabling your existing Firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On Redhat/CentOS/Fedora:</para>
    <programlisting><command>service iptables stop</command></programlisting>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
    <programlisting><command>chkconfig --del iptables</command></programlisting>
  </section>
  <section id="Starting">
    <title>Starting and Stopping Your Firewall</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The <ulink url="Install.htm">installation procedure</ulink>
    configures your system to start Shorewall at system boot but startup is
@ -1130,7 +1112,7 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    firewall, you can enable Shorewall startup by editing
    <filename>/etc/shorewall/shorewall.conf</filename> and setting
    STARTUP_ENABLED=Yes.<graphic align="left"
-    fileref="images/openlogo-nd-25.png" /><important>
+    fileref="images/openlogo-nd-25.png"/><important>
        <para>Users of the <filename>.deb</filename> package must edit
        <filename>/etc/default/shorewall</filename> and set
        <varname>startup=1</varname>.</para>
@ -1151,7 +1133,7 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    Shorewall from your Netfilter configuration, use <command>shorewall
    clear</command>.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The three-interface sample assumes that you want to enable routing
    to/from <filename class="devicefile">eth1</filename> (your local network)
@ -1205,6 +1187,44 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    </itemizedlist>
  </section>
  <section>
    <title>Disabling your existing Firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
    <programlisting><command>service iptables stop</command></programlisting>
    <para>On recent Fedora systems that run systemd, the command is:</para>
    <programlisting><command>systemctl stop iptables.service</command></programlisting>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>On other systems that use a classic SysV init system:</para>
    <programlisting><command>/etc/init.d/iptables stop</command></programlisting>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On older
    Redhat/CentOS/Fedora:</para>
    <programlisting><command>chkconfig --del iptables</command></programlisting>
    <para>On Debian systems:</para>
    <programlisting><command>update-rc.d iptables disable</command></programlisting>
    <para>On recent Fedora system running systemd:</para>
    <programlisting><command>systemctl disable iptables.service</command></programlisting>
    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
    <para>At this point, disable your existing firewall service.</para>
  </section>
  <section id="Reading">
    <title>Additional Recommended Reading</title>
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -74,7 +74,7 @@
        <mediaobject>
          <imageobject>
-            <imagedata align="center" fileref="images/basics.png" format="PNG" />
+            <imagedata align="center" fileref="images/basics.png" format="PNG"/>
          </imageobject>
        </mediaobject>
      </figure> <caution>
@ -121,19 +121,18 @@
      <title>Conventions</title>
      <para>Points at which configuration changes are recommended are flagged
-      with <inlinegraphic fileref="images/BD21298_.gif"
+      with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
      format="GIF" />.</para>
      <para>Configuration notes that are unique to Debian and it's derivatives
      are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
-      format="GIF" />.</para>
+      format="GIF"/>.</para>
    </section>
  </section>
  <section id="PPTP">
    <title>PPTP/ADSL</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If you have an <acronym>ADSL</acronym> Modem and you use
    <acronym>PPTP</acronym> to communicate with a server in that modem, you
@ -146,7 +145,7 @@
  <section id="Concepts">
    <title>Shorewall Concepts</title>
-    <para></para>
+    <para/>
    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
@ -154,7 +153,7 @@
    this guide.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif"
-    format="GIF" /><important>
+    format="GIF"/><important>
        <para>After you have <ulink url="Install.htm">installed
        Shorewall</ulink>, locate the two-interfaces samples:</para>
@ -190,7 +189,7 @@
          <listitem>
            <para><graphic align="left"
-            fileref="images/openlogo-nd-25.png" />If you installed using a
+            fileref="images/openlogo-nd-25.png"/>If you installed using a
            Shorewall 4.x .deb, the samples are in <emphasis
            role="bold"><filename
            class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis>
@ -337,7 +336,7 @@ $FW        net         ACCEPT</programlisting> The above policy will:
 loc        $FW         ACCEPT
 $FW        loc         ACCEPT</programlisting>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>At this point, edit your <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
@ -349,7 +348,7 @@ $FW        loc         ACCEPT</programlisting>
    <mediaobject>
      <imageobject>
-        <imagedata align="center" fileref="images/basics.png" format="PNG" />
+        <imagedata align="center" fileref="images/basics.png" format="PNG"/>
      </imageobject>
    </mediaobject>
@ -393,7 +392,7 @@ root@lists:~# </programlisting>
      the external interface.</para>
    </caution>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>I<emphasis role="bold">f your external interface is <filename
    class="devicefile">ppp0</filename> or <filename
@ -421,7 +420,7 @@ root@lists:~# </programlisting>
        internal interface.</emphasis> Your firewall should have exactly one
        default route via your ISP's Router.</para>
      </warning> <inlinegraphic fileref="images/BD21298_.gif"
-    format="GIF" /></para>
+    format="GIF"/></para>
    <para>The Shorewall two-interface sample configuration assumes that the
    external interface is <filename class="devicefile">eth0</filename> and the
@ -533,7 +532,7 @@ root@lists:~# </programlisting>
    directly. To communicate with systems outside of the subnetwork, systems
    send packets through a gateway (router).</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>Your local computers (computer 1 and computer 2 in the above
    diagram) should be configured with their default gateway to be the
@ -550,7 +549,7 @@ root@lists:~# </programlisting>
    <para id="Diagram">The remainder of this guide will assume that you have
    configured your network as shown here: <mediaobject>
        <imageobject>
-          <imagedata align="center" fileref="images/basics1.png" format="PNG" />
+          <imagedata align="center" fileref="images/basics1.png" format="PNG"/>
        </imageobject>
      </mediaobject> The default gateway for computer's 1 &amp; 2 would be
    <systemitem class="ipaddress">10.10.10.254</systemitem>. <warning>
@ -607,7 +606,7 @@ root@lists:~# </programlisting>
    <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
    <acronym>IP</acronym> is static.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If your external firewall interface is <filename
    class="devicefile">eth0</filename>, you do not need to modify the file
@ -616,7 +615,7 @@ root@lists:~# </programlisting>
    class="directory">/etc/shorewall/</filename><filename>masq</filename> and
    change the first column to the name of your external interface.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If your external <acronym>IP</acronym> is static, you can enter it
    in the third column in the <filename
@ -626,7 +625,7 @@ root@lists:~# </programlisting>
    column 3 (SNAT) makes the processing of outgoing packets a little more
    efficient.</para>
-    <graphic align="left" fileref="images/openlogo-nd-25.png" />
+    <graphic align="left" fileref="images/openlogo-nd-25.png"/>
    <para>I<emphasis role="bold">f you are using the Debian package, please
    check your <filename>shorewall.conf</filename> file to ensure that the
@ -689,7 +688,7 @@ root@lists:~# </programlisting>
      </listitem>
    </itemizedlist>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>If you are running a distribution that logs netfilter messages to a
    log other than <filename>/var/log/messages</filename>, then modify the
@ -729,7 +728,7 @@ root@lists:~# </programlisting>
    <filename>/usr/share/shorewall/modules</filename> then copy the file to
    <filename>/etc/shorewall</filename> and modify the copy.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
  </section>
@ -827,7 +826,7 @@ FTP(DNAT)  net       loc:10.10.10.1</programlisting> For
 DNAT       net       loc:10.10.10.2:80  tcp       5000</programlisting>
        </listitem>
      </itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
-    format="GIF" /></para>
+    format="GIF"/></para>
    <para>At this point, modify <filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename> to
@ -875,7 +874,7 @@ DNAT       net       loc:10.10.10.2:80  tcp       5000</programlisting>
        </listitem>
        <listitem>
-          <para><anchor id="cachingdns" /> You can configure a
+          <para><anchor id="cachingdns"/> You can configure a
          <emphasis>Caching Name Server</emphasis> on your firewall.
          <trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a
          caching name server (the <acronym>RPM</acronym> also requires the
@ -954,11 +953,11 @@ Web(ACCEPT) loc       $FW       </programlisting>Those two rules would of
        <programlisting>#ACTION      SOURCE    DEST               PROTO     DEST PORT(S)
 SSH(ACCEPT)  net       $FW</programlisting>
      </important> <inlinegraphic fileref="images/leaflogo.gif"
-    format="GIF" />Bering users will want to add the following two rules to be
+    format="GIF"/>Bering users will want to add the following two rules to be
    compatible with Jacques's Shorewall configuration.<programlisting>#ACTION    SOURCE    DEST    PROTO     DEST PORT(S)
 ACCEPT     loc       $FW     udp       53          #Allow DNS Cache to work
 ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</programlisting>
-    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>Now edit your <filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>
@ -1021,27 +1020,10 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    </itemizedlist>
  </section>
  <section>
    <title>Disabling your existing Firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On Redhat/CentOS/Fedora:</para>
    <programlisting><command>service iptables stop</command></programlisting>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
    <programlisting><command>chkconfig --del iptables</command></programlisting>
  </section>
  <section id="Starting">
    <title>Starting and Stopping Your Firewall</title>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The <ulink url="Install.htm">installation procedure</ulink>
    configures your system to start Shorewall at system boot but startup is
@ -1049,7 +1031,7 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    configuration is complete. Once you have completed configuration of your
    firewall, you must edit /etc/shorewall/shorewall.conf and set
    STARTUP_ENABLED=Yes.<graphic align="left"
-    fileref="images/openlogo-nd-25.png" /><important>
+    fileref="images/openlogo-nd-25.png"/><important>
        <para>Users of the .deb package must edit <filename
        class="directory">/etc/default/</filename><filename>shorewall</filename>
        and set <varname>startup=1</varname>.</para>
@ -1069,7 +1051,7 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    of Shorewall from your Netfilter configuration, use
    <quote><command>shorewall clear</command></quote>.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The two-interface sample assumes that you want to enable routing
    to/from <filename class="devicefile">eth1</filename> (the local network)
@ -1122,6 +1104,44 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    </itemizedlist>
  </section>
  <section>
    <title>Disabling your existing Firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
    <programlisting><command>service iptables stop</command></programlisting>
    <para>On recent Fedora systems that run systemd, the command is:</para>
    <programlisting><command>systemctl stop iptables.service</command></programlisting>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>On other systems that use a classic SysV init system:</para>
    <programlisting><command>/etc/init.d/iptables stop</command></programlisting>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On older
    Redhat/CentOS/Fedora:</para>
    <programlisting><command>chkconfig --del iptables</command></programlisting>
    <para>On Debian systems:</para>
    <programlisting><command>update-rc.d iptables disable</command></programlisting>
    <para>On recent Fedora system running systemd:</para>
    <programlisting><command>systemctl disable iptables.service</command></programlisting>
    <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
    <para>At this point, disable your existing firewall service.</para>
  </section>
  <section id="Reading">
    <title>Additional Recommended Reading</title>
@ -1161,9 +1181,9 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
      </caution></para>
    <para>Your new network will look similar to what is shown in the following
-    figure.<graphic align="center" fileref="images/basics2.png" /></para>
+    figure.<graphic align="center" fileref="images/basics2.png"/></para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>The first thing to note is that the computers in your wireless
    network will be in a different subnet from those on your wired local LAN.
@ -1176,7 +1196,7 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    traffic may flow freely between the local wired network and the wireless
    network.</para>
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
    <para>There are only two changes that need to be made to the Shorewall
    configuration:</para>