diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 785ad9234..2d700432c 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -623,8 +623,8 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
clients or use Bind
Version 9 views
on your main name server)
such that www.mydomain.com resolves to 130.141.100.69 externally and
- 192.168.1.5 internally. That's what I do here at shorewall.net for
- my local systems that use one-to-one NAT.
+ 192.168.1.5 internally. I use a separate DNS server (dnsmasq) here
+ at shorewall.net.
@@ -641,8 +641,8 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
url="SplitDNS.html">check
here.
- But if you are the type of person who prefers quick and dirty
- hacks to "doing it right", then proceed as described below.
+ If you really want to route traffic between two internal systems
+ through your firewall, then proceed as described below.
All traffic redirected through use of this hack will look to
the server as if it originated on the firewall rather than on the
original client! So the server's access logs will be useless for
@@ -666,6 +666,15 @@ loc eth1 detect routeback
#INTERFACE SOURCE ADDRESS PROTO PORT(S)
eth1:192.168.1.5 eth1 192.168.1.254 tcp www
+
+ Note: The technique described here is known as
+ hairpinning NAT and is described in section 6
+ of RFC
+ 4787. There it is recommended that the external IP
+ address be used as the source:
+
+ #INTERFACE SOURCE ADDRESS PROTO PORT(S)
+eth1:192.168.1.5 eth1 130.151.100.69 tcp www
@@ -675,8 +684,9 @@ loc eth1 detect routeback
# PORT DEST.
DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69
- That rule only works of course if you have a static external
- IP address. If you have a dynamic IP address then include this in
+ That rule (and the second one in the previous bullet) only
+ works of course if you have a static external IP address. If you
+ have a dynamic IP address then include this in
/etc/shorewall/params (or your
<export directory>/init file if you are
using Shorewall Lite on the firewall system):