Fiddle with the document about my configuration

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2922 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-10-22 17:37:38 +00:00 · 2005-10-22 17:37:38 +00:00 · abf477019c
commit abf477019c
parent 1fb2827f7e
10 changed files with 225 additions and 127 deletions
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@ -23,7 +23,7 @@
      <holder>Thomas M. Eastep</holder>
    </copyright>
-    <edition>2.4.0</edition>
+    <edition>3.0.0</edition>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
@ -134,20 +134,6 @@
  Please review the appropriate guide before trying to use this documentation
  directly.</para>
  <caution>
    <para>Are you running Shorewall on <ulink
    url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark>
    Linux</ulink> with a two-interface setup?</para>
    <para>If so and if you configured your system while running a Mandrake
    release earlier than 10.0 final then this documentation will not apply
    directly to your environment. If you want to use the documentation that
    you find here, you will want to consider uninstalling what you have and
    installing a configuration that matches this documentation. See the <ulink
    url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
    details.</para>
  </caution>
  <orderedlist>
    <listitem>
      <para><ulink url="Kernel2.6.html">2.6 Kernel</ulink></para>
@ -617,6 +603,11 @@
      <para><ulink url="samba.htm">SMB</ulink></para>
    </listitem>
    <listitem>
      <para><ulink url="Shorewall_Squid_Usage.html">Squid with
      Shorewall</ulink></para>
    </listitem>
    <listitem>
      <para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
      the Firewall</ulink><itemizedlist>
@ -631,12 +622,11 @@
    </listitem>
    <listitem>
-      <para><ulink url="Shorewall_Squid_Usage.html">Squid with
+      <para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
      Shorewall</ulink></para>
    </listitem>
    <listitem>
-      <para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
+      <para><ulink url="support.htm">Support</ulink></para>
    </listitem>
    <listitem>
--- a/Shorewall-docs2/OPENVPN.xml
+++ b/Shorewall-docs2/OPENVPN.xml
@ -5,7 +5,7 @@
  <!--$Id$-->
  <articleinfo>
-    <title>OpenVPN Tunnels</title>
+    <title>OpenVPN Tunnels and Bridges</title>
    <authorgroup>
      <author>
@ -21,7 +21,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-10-18</pubdate>
+    <pubdate>2005-10-19</pubdate>
    <copyright>
      <year>2003</year>
--- a/Shorewall-docs2/bridge.xml
+++ b/Shorewall-docs2/bridge.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-10-02</pubdate>
+    <pubdate>2005-10-21</pubdate>
    <copyright>
      <year>2004</year>
@ -83,6 +83,11 @@
  <section>
    <title>Requirements</title>
    <para>Note that if you need a bridge but do not need to restrict the
    traffic through the bridge then any version of Shorewall will work. See
    the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
    details.</para>
    <para>In order to use Shorewall as a bridging firewall:</para>
    <itemizedlist>
@ -112,11 +117,6 @@
        installed.</para>
      </listitem>
    </itemizedlist>
    <para>Note that if you need a bridge but do not need to restrict the
    traffic through the bridge then any version of Shorewall will work. See
    the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
    details.</para>
  </section>
  <section>
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-29</pubdate>
+    <pubdate>2005-10-20</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -127,8 +127,8 @@
        </listitem>
        <listitem>
-          <para><filename>/etc/shorewall/tunnels</filename> - defines IPSEC,
+          <para><filename>/etc/shorewall/tunnels</filename> - defines tunnels
-          GRE and IPIP tunnels with end-points on the firewall system.</para>
+          (VPN) with end-points on the firewall system.</para>
        </listitem>
        <listitem>
@ -173,7 +173,8 @@
        <listitem>
          <para><filename>/etc/shorewall/actions</filename> and
-          <filename>/usr/share/shorewall/action.template</filename>.</para>
+          <filename>/usr/share/shorewall/action.template</filename> allow
          user-defined actions.</para>
        </listitem>
        <listitem>
@ -227,13 +228,13 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
    <title>Line Continuation</title>
    <para>You may continue lines in the configuration files using the usual
-    backslash (<quote>\</quote>) followed immediately by a new line
+    backslash (<quote>\</quote>) followed immediately by a new line character
-    character.</para>
+    (Enter key).</para>
    <example>
      <title>Line Continuation</title>
-      <programlisting>ACCEPT  net     $FW      tcp \
+      <programlisting>ACCEPT  net     $FW      tcp \↵
 smtp,www,pop3,imap  #Services running on the firewall</programlisting>
    </example>
  </section>
@ -488,7 +489,8 @@ Shorewall has detected the following iptables/netfilter capabilities:
   Packet Type Match: Not available
   Policy Match: Available
   Physdev Match: Available
-   <emphasis role="bold">IP range Match: Available &lt;-------------- </emphasis></programlisting>
+   <emphasis role="bold">IP range Match: Available &lt;-------------- 
 </emphasis></programlisting>
  </section>
  <section id="Ports">
--- a/Shorewall-docs2/dhcp.xml
+++ b/Shorewall-docs2/dhcp.xml
@ -33,7 +33,8 @@
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
@ -42,8 +43,8 @@
    at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
    cannot be used effectively to police DHCP. The <quote>dhcp</quote>
    interface option described in this article allows for Netfilter to stay
-    out of DHCP&#39;s way for those operations that can be controlled by
+    out of DHCP's way for those operations that can be controlled by Netfilter
-    Netfilter and prevents unwanted logging of DHCP-related traffic by
+    and prevents unwanted logging of DHCP-related traffic by
    Shorewall-generated Netfilter logging rules.</para>
  </note>
@ -65,8 +66,6 @@
        modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
      </listitem>
    </itemizedlist>
    <para></para>
  </section>
  <section>
@ -75,22 +74,25 @@
    <itemizedlist>
      <listitem>
        <para>Specify the <quote>dhcp</quote> option for this interface in the
-        <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
+        <ulink
-        file.&#x00A0;This will generate rules that will allow DHCP to and from
+        url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
        file.&nbsp;This will generate rules that will allow DHCP to and from
        your firewall system.</para>
      </listitem>
      <listitem>
        <para>If you know that the dynamic address is always going to be in
-        the same subnet, you can specify the subnet address in the
+        the same subnet, you can specify the subnet address in the interface's
-        interface&#39;s entry in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
+        entry in the <ulink
        url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
        file.</para>
      </listitem>
      <listitem>
-        <para>If you don&#39;t know the subnet address in advance, you should
+        <para>If you don't know the subnet address in advance, you should
-        specify <quote>detect</quote> for the interface&#39;s subnet address
+        specify <quote>detect</quote> for the interface's subnet address in
-        in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
+        the <ulink
        url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
        file and start Shorewall after the interface has started.</para>
      </listitem>
@ -98,7 +100,7 @@
        <para>In the event that the subnet address might change while
        Shorewall is started, you need to arrange for a <quote>shorewall
        refresh</quote> command to be executed when a new dynamic IP address
-        gets assigned to the interface. Check your DHCP client&#39;s
+        gets assigned to the interface. Check your DHCP client's
        documentation.</para>
      </listitem>
    </itemizedlist>
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-10-13</pubdate>
+    <pubdate>2005-10-22</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -52,15 +52,16 @@
      releases.</para>
    </caution>
-    <para>I have DSL service and have 5 static IP addresses
+    <para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
-    (206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
+    My DSL <quote>modem</quote> (Westell 2200) is connected to eth2 and has IP
-    connected to eth2 and has IP address 192.168.1.1 (factory default). The
+    address 192.168.1.1 (factory default). The modem is configured in
-    modem is configured in <quote>bridge</quote> mode so PPPoE is not
+    <quote>bridge</quote> mode so PPPoE is not involved. I have a local
-    involved. I have a local network connected to eth3 (subnet
+    network connected to eth3 which is bridged to interface tun0 via bridge
-    192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0,
+    br0 (subnet 192.168.1.0/24), a wireless network (192.168.3.0/24) connected
-    and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure
+    to eth0, and a DMZ connected to eth1 (206.124.146.176/32). Note that I
-    the same IP address on both <filename class="devicefile">eth1</filename>
+    configure the same IP address on both <filename
-    and <filename class="devicefile">eth2</filename>.</para>
+    class="devicefile">eth1</filename> and <filename
    class="devicefile">eth2</filename>.</para>
    <para>In this configuration:</para>
@ -80,7 +81,7 @@
      <listitem>
        <para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP
        system <quote>Tarry</quote>, my <firstterm>crash and burn</firstterm>
-        system "Wookie", and our SuSE 10.0 laptop <quote>Tipper</quote> which
+        system "Wookie", our SuSE 10.0 laptop <quote>Tipper</quote> which
        connects through the Wireless Access Point (wap) via a Wireless Bridge
        (wet), and my work laptop (eastepnc6000) when it is not docked in my
        office.<note>
@ -113,13 +114,13 @@
    WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
    (64-bit with the 24-bit preamble), I use <ulink
    url="MAC_Validation.html">MAC verification</ulink> and <ulink
-    url="OPENVPN.html">OpenVPN</ulink>.</para>
+    url="OPENVPN.html">OpenVPN</ulink> in bridge mode.</para>
    <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
-    Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
+    Courier IMAP (imap and imaps), DNS (Bind 9), a Web server (Apache) and an
-    server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail to
+    FTP server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail
-    fetch our email from our old and current ISPs. That server is accessible
+    to fetch our email from our old and current ISPs. That server is
-    from the Internet through <ulink url="ProxyARP.htm">Proxy
+    accessible from the Internet through <ulink url="ProxyARP.htm">Proxy
    ARP</ulink>.</para>
    <para>The firewall system itself runs a DHCP server that serves the local
@ -144,11 +145,10 @@
    /etc/network/interfaces file (see below) adds a host route to
    206.124.146.177 through eth1 when that interface is brought up.</para>
-    <para>The firewall is configured with OpenVPN for VPN access from our
+    <para>In addition to the Openvpn bridge, the firewall hosts an OpenVPN
-    second home in <ulink url="http://www.omakchamber.com/">Omak,
+    Tunnel server for VPN access from our second home in <ulink
-    Washington</ulink> or when we are otherwise out of town. We run a second
+    url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
-    instance of OpenVPN that is used to <ulink url="OPENVPN.html">bridge the
+    otherwise out of town.</para>
    wireless laptops in the Wifi zone to the local lan</ulink>.</para>
    <para><graphic align="center" fileref="images/network.png" /><note>
        <para>Eastepnc6000 is shown in both the local LAN and in the Wifi zone
@ -624,15 +624,25 @@ $EXT_IF         1.5mbit         384kbit
      <title>/etc/shorewall/tcclasses</title>
      <blockquote>
-        <para>My traffic shaping configuration is the "WonderShaper" <ulink
+        <para>My traffic shaping configuration is basically the "WonderShaper"
        <ulink
        url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
-        from tc4shorewall</ulink>.</para>
+        from tc4shorewall</ulink> with a little tweaking.</para>
        <programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
 $EXT_IF         10      full            ful             1               tcp-ack,tos-minimize-delay
 $EXT_IF         20      9*full/10       9*full/10       2               default
 $EXT_IF         30      6*full/10       6*full/10       3
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <programlisting>
 Sent 3144472390 bytes 4019424 pkts (dropped 0, overlimits 0)
 Device tun0:
 qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 </programlisting>
      </blockquote>
    </section>
@ -644,17 +654,69 @@ $EXT_IF         30      6*full/10       6*full/10       3
        throttled and rsync gets throttled even more.</para>
        <note>
-          <para>The class id for tc4shorewall-generated classes is 1:&lt;100 +
+          <para>The class id for tc4shorewall-generated classes is
-          mark value&gt;. The rules below are using the Netfilter CLASSIFY
+          &lt;<emphasis>device number</emphasis>&gt;:&lt;<emphasis>100 + mark
-          target to classify the traffic directly without having to first mark
+          value</emphasis>&gt; where the first device in
-          then classify based on the marks.</para>
+          <filename>/etc/shorewall/tcdevices</filename> is device number 1,
          the second is device number 2 and so on. The rules below are using
          the Netfilter CLASSIFY target to classify the traffic directly
          without having to first mark then classify based on the
          marks.</para>
        </note>
        <programlisting>#MARK           SOURCE                  DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                                       PORT(S)
 1:110           192.168.0.0/22          $EXT_IF
-1:130           206.124.146.177         $EXT_IF         tcp     -       873
+1:130           206.124.146.177         $EXT_IF         tcp     -       873 #Rsync to the Mirrors
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para>Here is the output of <command>shorewall show tc</command> while
        the Shorewall mirrors were receiving updates via rsync and the link
        was otherwise idle. Note the rate limiting imposed by the 1:30
        Class.</para>
        <programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005
 ...
 Device eth2:
 qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
 Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
 backlog 20p
 qdisc ingress ffff: ----------------
 Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
 qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
 qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
 qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
 backlog 20p
 class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
 Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
 rate 424bit
 lended: 417516 borrowed: 0 giants: 0
 tokens: 36864 ctokens: 36864
 class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
 Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
 rate 231568bit 19pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -26280 ctokens: -26280
 class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
 Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
 <emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
 lended: 48784 borrowed: 0 giants: 0
 tokens: -106401 ctokens: -106401
 class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
 Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
 rate 1000bit
 lended: 177773 borrowed: 0 giants: 0
 tokens: 41126 ctokens: 41126
 ...</programlisting>
      </blockquote>
    </section>
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-30</pubdate>
+    <pubdate>2005-10-20</pubdate>
    <copyright>
      <year>2002-2005</year>
@ -132,12 +132,29 @@
    <filename class="directory">/etc/shorewall</filename> -- for simple
    setups, you only need to deal with a few of these as described in this
    guide. After you have <ulink url="Install.htm">installed
-    Shorewall</ulink>, <emphasis role="bold">download the <ulink
+    Shorewall</ulink>, you can find the Samples as follows:</para>
-    url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
+
-    sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
+    <orderedlist>
-    files to /etc/shorewall (they will replace files with the same names that
+      <listitem>
-    were placed in /etc/shorewall during Shorewall
+        <para>If you installed using an RPM, the samples will be in the
-    installation)</emphasis>.</para>
+        Samples/one-interface/ subdirectory of the Shorewall documentation
        directory. If you don't know where the Shorewall documentation
        directory is, you can find the samples using this command:</para>
        <programlisting>~# rpm -ql shorewall | fgrep one-interface
 /usr/share/doc/packages/shorewall/Samples/one-interface
 /usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
 /usr/share/doc/packages/shorewall/Samples/one-interface/policy
 /usr/share/doc/packages/shorewall/Samples/one-interface/rules
 /usr/share/doc/packages/shorewall/Samples/one-interface/zones
 ~#</programlisting>
      </listitem>
      <listitem>
        <para>If you installed using the tarball, the samples are in the
        Samples/one-interface directory in the tarball.</para>
      </listitem>
    </orderedlist>
    <warning>
      <para><emphasis role="bold">Note to Debian Users</emphasis></para>
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-10-03</pubdate>
+    <pubdate>2005-10-20</pubdate>
    <copyright>
      <year>2002-2005</year>
@ -192,14 +192,32 @@
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    <para>After you have installed Shorewall, <emphasis role="bold">download
+    <para>After you have installed Shorewall, locate the three-interface
-    the <ulink
+    Sample configuration:</para>
-    url="http://shorewall.net/pub/shorewall/Samples">three-interface
+
-    sample</ulink>, un-tar it</emphasis> (<command>tar <option>-zxvf</option>
+    <orderedlist>
-    <filename>three-interfaces.tgz</filename></command>) and and copy the
+      <listitem>
-    files to <filename>/etc/shorewall</filename> (the files will replace files
+        <para>If you installed using an RPM, the samples will be in the
-    with the same names that were placed in
+        Samples/three-interfaces/ subdirectory of the Shorewall documentation
-    <filename>/etc/shorewall</filename> when Shorewall was installed).</para>
+        directory. If you don't know where the Shorewall documentation
        directory is, you can find the samples using this command:</para>
        <programlisting>~# rpm -ql shorewall | fgrep three-interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
 ~#</programlisting>
      </listitem>
      <listitem>
        <para>If you installed using the tarball, the samples are in the
        Samples/three-interfaces directory in the tarball.</para>
      </listitem>
    </orderedlist>
    <para>As each file is introduced, I suggest that you look through the
    actual file on your system -- each file contains detailed configuration
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@ -12,7 +12,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2005-10-03</pubdate>
+    <pubdate>2005-10-21</pubdate>
    <copyright>
      <year>2002-</year>
@ -78,33 +78,7 @@
            <imagedata fileref="images/basics.png" format="PNG" />
          </imageobject>
        </mediaobject>
-      </figure> <tip>
+      </figure> <caution>
        <title>Shorewall and <trademark>Mandrake</trademark> 9.0+</title>
        <para>If you are running Shorewall under
        <trademark>Mandrake</trademark> 9.0 or later, you can easily configure
        the above setup using the <trademark>Mandrake</trademark>
        <quote>Internet Connection Sharing</quote> applet. From the
        <emphasis><interface>Mandrake Control Center</interface></emphasis>,
        select <quote><guimenuitem>Network</guimenuitem> &amp;
        <guisubmenu>Internet</guisubmenu></quote> then
        <quote><interface>Connection Sharing</interface></quote>.</para>
        <para>Note however, that the Shorewall configuration produced by
        <emphasis>Mandrake Internet Connection Sharing</emphasis> is strange
        and is apt to confuse you if you use the rest of this documentation
        (it has two local zones; <varname>loc</varname> and
        <varname>masq</varname> where <varname>loc</varname> is empty; this
        conflicts with this documentation which assumes a single local zone
        <varname>loc</varname>). We therefore recommend that once you have set
        up this sharing that you uninstall the <trademark>Mandrake</trademark>
        Shorewall RPM and install the one from the <ulink
        url="download.htm">download</ulink> page then follow the instructions
        in this Guide.</para>
      </tip><note>
        <para><emphasis role="bold">The above Shorewall Issue is corrected in
        Mandrake 10.0 and later.</emphasis></para>
      </note> <caution>
        <para>If you edit your configuration files on a
        <trademark>Windows</trademark> system, you must save them as
        <trademark>Unix</trademark> files if your editor supports that option
@ -199,14 +173,32 @@
    <para><inlinegraphic fileref="images/BD21298_.gif"
    format="GIF" /><important>
        <para>After you have <ulink url="Install.htm">installed
-        Shorewall</ulink>, <emphasis role="bold">download the <ulink
+        Shorewall</ulink>, locate the two-interfaces samples:</para>
-        url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
+
-        sample</ulink>, un-tar it </emphasis>(<command>tar
+        <orderedlist>
-        <option>-zxvf</option>
+          <listitem>
-        <filename>two-interfaces.tgz</filename></command>) and and copy the
+            <para>If you installed using an RPM, the samples will be in the
-        files to <filename class="directory">/etc/shorewall</filename>
+            Samples/two-interfaces/ subdirectory of the Shorewall
-        <emphasis role="bold">(these files will replace files with the same
+            documentation directory. If you don't know where the Shorewall
-        name)</emphasis>.</para>
+            documentation directory is, you can find the samples using this
            command:</para>
            <programlisting>~# rpm -ql shorewall | fgrep two-interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
 ~#</programlisting>
          </listitem>
          <listitem>
            <para>If you installed using the tarball, the samples are in the
            Samples/two-interfaces directory in the tarball.</para>
          </listitem>
        </orderedlist>
      </important> As each file is introduced, I suggest that you look through
    the actual file on your system -- each file contains detailed
    configuration instructions and default entries.</para>
--- a/Shorewall-docs2/useful_links.xml
+++ b/Shorewall-docs2/useful_links.xml
@ -65,6 +65,21 @@
          <entry>Iptables Tutorial: <ulink
          url="http://iptables-tutorial.frozentux.net/">http://iptables-tutorial.frozentux.net/</ulink></entry>
        </row>
        <row rowsep="0" valign="middle">
          <entry>Debian apt-get sources for Shorewall: <ulink
          url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
        </row>
        <row rowsep="0" valign="middle">
          <entry>About the Shorewall Author: <ulink
          url="http://www.shorewall.net/shoreline.htm">http://www.shorewall.net/shoreline.htm</ulink></entry>
        </row>
        <row rowsep="0" valign="middle">
          <entry>Tom's 2005 LinuxFest NW Presentation: <ulink
          url="http://www.shorewall.net/LinuxFest.pdf">http://www.shorewall.net/LinuxFest.pdf</ulink></entry>
        </row>
      </tbody>
    </tgroup>
  </informaltable>