diff --git a/docs/three-interface.xml b/docs/three-interface.xml
index c870cf498..6fc9d169c 100644
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -460,6 +460,12 @@ root@lists:~# </programlisting>
       against</emphasis>.</para>
     </caution>
 
+    <caution>
+      <para><emphasis role="bold">Do not configure a default route on your
+      internal and DMZ interfaces.</emphasis> Your firewall should have
+      exactly one default route via your ISP's Router.</para>
+    </caution>
+
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
 
     <para>The Shorewall three-interface sample configuration assumes that the
@@ -1135,4 +1141,4 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
     url="starting_and_stopping_shorewall.htm">Operating Shorewall and
     Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
   </section>
-</article>
\ No newline at end of file
+</article>
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index a419d9daf..978b41475 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -418,6 +418,10 @@ root@lists:~# </programlisting>
         for all interfaces connected to the common hub/switch. <emphasis
         role="bold">Using such a setup with a production firewall is strongly
         recommended against</emphasis>.</para>
+      </warning><warning>
+        <para><emphasis role="bold">Do not configure a default route on your
+        internal interface.</emphasis> Your firewall should have exactly one
+        default route via your ISP's Router.</para>
       </warning> <inlinegraphic fileref="images/BD21298_.gif"
     format="GIF" /></para>
 
@@ -1142,4 +1146,4 @@ eth0                 wlan0</programlisting>
     requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba
     documentation</ulink>.</para>
   </section>
-</article>
\ No newline at end of file
+</article>