From 8faf756113efa2a66277b74fc8e09bde352c4ed3 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 8 Dec 2013 08:33:58 -0800
Subject: [PATCH] Add note about non-ACCEPT fw->loc policy.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 docs/UPnP.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/UPnP.xml b/docs/UPnP.xml
index df9c43684..82597e581 100644
--- a/docs/UPnP.xml
+++ b/docs/UPnP.xml
@@ -22,6 +22,8 @@
 
       <year>2010</year>
 
+      <year>2013</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -120,6 +122,14 @@ forwardUPnP        net     loc</programlisting>
       <para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
       added by linux-idg over a <command>shorewall restart</command>.</para>
     </caution>
+
+    <para>If your firewall-&gt;loc policy is not ACCEPT, then you also need to
+    allow UDP traffic from the fireawll to the local zone.</para>
+
+    <programlisting>ACCEPT      $FW          loc        udp            -         &lt;<replaceable>dynamic port range</replaceable>&gt;</programlisting>
+
+    <para>The dynamic port range is obtained by <emphasis role="bold">cat
+    /proc/sys/net/ip_local_port_range</emphasis>.</para>
   </section>
 
   <section>