From 6f1bcedcfd3d48947b6f1a6b880cc1ac374649ee Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Thu, 18 May 2006 16:07:10 +0000
Subject: [PATCH] Add additional DNAT debugging advice to the FAQ

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3921 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/FAQ.xml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 0d1f8c905..88809ead7 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -17,7 +17,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2006-03-14</pubdate>
+    <pubdate>2006-05-18</pubdate>
 
     <copyright>
       <year>2001-2006</year>
@@ -238,6 +238,17 @@ DNAT    net    loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>
               </listitem>
             </itemizedlist>
           </listitem>
+
+          <listitem>
+            <para>If the packet count is non-zero, check your log to see if
+            the connection is being dropped or rejected. If it is, then you
+            may have a zone definition problem such that the server is in a
+            different zone than what is specified in the DEST column. At a
+            root promt, type "<command>shorewall show zones</command>" then be
+            sure that you have specified in the DEST column the first zone in
+            the list that matches the OUT=&lt;dev&gt; and the DEST=
+            &lt;ip&gt;from the REJECT/DROP log message.</para>
+          </listitem>
         </itemizedlist>
       </section>