Update two-interface guide for PDF compatibility

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1046 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs/FAQ.xml

@@ -17,14 +17,10 @@
       </author>
     </authorgroup>
 
-    <pubdate>2003-12-18</pubdate>
+    <pubdate>2003-12-31</pubdate>
 
     <copyright>
-      <year>2001</year>
+      <year>2001-2003</year>
-
-      <year>2002</year>
-
-      <year>2003</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -192,7 +188,7 @@
       </informaltable>
 
       <para>Finally, if you need to forward a range of ports, in the PORT
-      column specify the range as <emphasis>low-port:high-port</emphasis>.</para>
+      column specify the range as <emphasis>&#60;low-port&#62;:&#60;high-port&#62;</emphasis>.</para>
 
       <section id="faq1a">
         <title>(FAQ 1a) Ok -- I followed those instructions but it doesn&#39;t
@@ -722,16 +718,28 @@
       rather than dropping them. This is necessary to prevent outgoing
       connection problems to services that use the <quote>Auth</quote>
       mechanism for identifying requesting users. Shorewall also rejects TCP
-      ports 135, 137 and 139 as well as UDP ports 137-139. These are ports
+      ports 135, 137, 139 and 445 as well as UDP ports 137-139. These are
-      that are used by Windows (Windows <emphasis>can</emphasis> be configured
+      ports that are used by Windows (Windows <emphasis>can</emphasis> be
-      to use the DCE cell locator on port 135). Rejecting these connection
+      configured to use the DCE cell locator on port 135). Rejecting these
-      requests rather than dropping them cuts down slightly on the amount of
+      connection requests rather than dropping them cuts down slightly on the
-      Windows chatter on LAN segments connected to the Firewall.</para>
+      amount of Windows chatter on LAN segments connected to the Firewall.</para>
 
       <para>If you are seeing port 80 being <quote>closed</quote>, that&#39;s
       probably your ISP preventing you from running a web server in violation
       of your Service Agreement.</para>
 
+      <tip>
+        <para>You can change the default behavior of Shorewall through use of
+        an /etc/shorewall/common file. See the <ulink
+        url="shorewall_extension_scripts.htm">Extension Script Section</ulink>.</para>
+      </tip>
+
+      <tip>
+        <para>Beginning with Shorewall 1.4.9, Shorewall no longer rejects the
+        Windows SMB ports (135-139 and 445) by default and silently drops them
+        instead.</para>
+      </tip>
+
       <section id="faq4a">
         <title>(FAQ 4a) I just ran an nmap UDP scan of my firewall and it
         showed 100s of ports as open!!!!</title>
@@ -858,7 +866,7 @@
       through <ulink url="Documentation.htm#Conf">settings</ulink> in
       /etc/shorewall/shorewall.conf -- If you want to log all messages, set:</para>
 
-      <programlisting format="linespecific" xml:space="preserve">LOGLIMIT=&#34;&#34;
+      <programlisting>LOGLIMIT=&#34;&#34;
 LOGBURST=&#34;&#34;</programlisting>
 
       <para>Beginning with Shorewall version 1.3.12, you can <ulink
@@ -1867,7 +1875,8 @@ Creating input Chains...
   <appendix>
     <title>Revision History</title>
 
-    <para><revhistory><revision><revnumber>1.7</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Remove
+    <para><revhistory><revision><revnumber>1.8</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Additions
+    to FAQ 4.</revremark></revision><revision><revnumber>1.7</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Remove
     dead link from FAQ 1.</revremark></revision><revision><revnumber>1.6</revnumber><date>2003.12-18</date><authorinitials>TE</authorinitials><revremark>Add
     external link reference to FAQ 17.</revremark></revision><revision><revnumber>1.5</revnumber><date>2003-12-16</date><authorinitials>TE</authorinitials><revremark>Added
     a link to a Sys Admin article about multiple internet interfaces. Added

Shorewall-docs/standalone.xml

@@ -114,9 +114,9 @@
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> If you
     have an ADSL Modem and you use PPTP to communicate with a server in that
     modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
-    recommended here</ulink> in addition to those described in the steps
+    recommended here</ulink> <emphasis role="underline">in addition to those
-    below. ADSL with PPTP is most commonly found in Europe, notably in
+    described in the steps below</emphasis>. ADSL with PPTP is most commonly
-    Austria.</para>
+    found in Europe, notably in Austria.</para>
   </section>
 
   <section>

Shorewall-docs/starting_and_stopping_shorewall.xml

@@ -37,15 +37,11 @@
     <title>Operating Shorewall</title>
 
     <para>If you have a permanent internet connection such as DSL or Cable, I
-    recommend that you start the firewall automatically at boot. Once you have
+    recommend that you start the firewall automatically at boot. The <ulink
-    installed <quote>firewall</quote> in your init.d directory, simply type
+    url="Install.htm">installation procedure</ulink> attempts to set up the
-    <quote><command>chkconfig --add shorewall</command></quote> (<quote><command>insserv
+    init scripts to start the firewall in run levels 2-5 and stop it in run
-    -d shorewall</command></quote> if your distribution uses insserv to
+    levels 1 and 6. If you want to configure your firewall differently from
-    install startup scripts). This will start the firewall in run levels 2-5
+    this default, you can use your distribution&#39;s run-level editor.</para>
-    and stop it in run levels 1 and 6. If you want to configure your firewall
-    differently from this default, you can use the <quote>--level</quote>
-    option in chkconfig (see <quote>man chkconfig</quote>) or using your
-    favorite graphical run-level editor.</para>
 
     <caution>
       <itemizedlist>
@@ -57,20 +53,27 @@
         </listitem>
 
         <listitem>
-          <para>If you use dialup, you may want to start the firewall in your
+          <para>If you use dialup or some flavor of PPP where your IP address
+          can change arbitrarily, you may want to start the firewall in your
           <command>/etc/ppp/ip-up.local</command> script. I recommend just
-          placing <quote>shorewall restart</quote> in that script.</para>
+          placing <quote><command>/sbin/shorewall restart</command></quote> in
+          that script.</para>
         </listitem>
       </itemizedlist>
     </caution>
 
     <para>You can manually start and stop Shoreline Firewall using the
-    <quote><quote>shorewall</quote></quote> shell program. Please refer to the
+    <quote><command>/sbin/shorewall</command></quote> shell program.</para>
-    Shorewall State Diagram as shown at the bottom of this page.</para>
 
     <itemizedlist>
       <listitem>
-        <para><command>shorewall start </command>- starts the firewall</para>
+        <para><command>shorewall start </command>- starts the firewall. It
+        important to understand that when the firewall is in the <emphasis
+        role="bold">Started</emphasis> state there is <emphasis>no Shorewall
+        Program</emphasis> running. It rather means that Netfilter has been
+        configured to handle traffic as described in your Shorewall
+        configuration files. Please refer to the <link linkend="State">Shorewall
+        State Diagram</link> as shown at the bottom of this page.</para>
       </listitem>
 
       <listitem>
@@ -341,17 +344,18 @@
     </itemizedlist>
   </section>
 
-  <section>
+  <section id="State">
     <title>Shorewall State Diagram</title>
 
-    <para>The Shorewall State Diargram is depicted below.<graphic
+    <para>The Shorewall State Diargram is depicted below.</para>
-    align="center" fileref="images/State_Diagram.png" /></para>
+
+    <para><graphic align="center" fileref="images/State_Diagram.png" /></para>
 
     <para>You will note that the commands that result in state transitions use
     the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
-    That is because the actual transitions are done by
+    That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
-    /usr/share/shorewall/firewall; /sbin/shorewall runs <quote>firewall</quote>
+    <command>/sbin/shorewall</command> runs <quote>firewall</quote> according
-    according to the following table:</para>
+    to the following table:</para>
 
     <informaltable>
       <tgroup cols="3">
@@ -452,4 +456,12 @@
       </tgroup>
     </informaltable>
   </section>
+
+  <appendix>
+    <title>Revision History</title>
+
+    <para><revhistory><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
+    clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
+    Docbook conversion</revremark></revision></revhistory></para>
+  </appendix>
 </article>

Shorewall-docs/two-interface.xml

@@ -129,23 +129,27 @@
   <section>
     <title>PPTP/ADSL</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If you
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    have an <acronym>ADSL</acronym> Modem and you use <acronym>PPTP</acronym>
+
-    to communicate with a server in that modem, you must make the changes
+    <para>If you have an <acronym>ADSL</acronym> Modem and you use
-    recommended here in addition to those detailed below. <acronym>ADSL</acronym>
+    <acronym>PPTP</acronym> to communicate with a server in that modem, you
-    with <acronym>PPTP</acronym> is most commonly found in Europe, notably in
+    must make the changes recommended <ulink url="PPTP.htm#PPTP_ADSL">here</ulink>
+    in addition to those detailed below. <acronym>ADSL</acronym> with
+    <acronym>PPTP</acronym> is most commonly found in Europe, notably in
     Austria.</para>
   </section>
 
   <section>
     <title>Shorewall Concepts</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    configuration files for Shorewall are contained in the directory <filename
+
-    class="directory">/etc/shorewall</filename> -- for simple setups, you will
+    <para>The configuration files for Shorewall are contained in the directory
-    only need to deal with a few of these as described in this guide.
+    <filename class="directory">/etc/shorewall</filename> -- for simple
-    <tip><para>After you have <ulink url="Install.htm">installed Shorewall</ulink>,
+    setups, you will only need to deal with a few of these as described in
-    download the <ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
+    this guide. <tip><para>After you have <ulink url="Install.htm">installed
+    Shorewall</ulink>, download the <ulink
+    url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
     sample</ulink>, un-tar it (<command>tar <option>-zxvf</option>
     <filename>two-interfaces.tgz</filename></command>) and and copy the files
     to <filename class="directory">/etc/shorewall</filename> <emphasis
@@ -222,8 +226,9 @@
     connection requests from the firewall to the internet (if you uncomment
     the additional policy)</para></listitem><listitem><para>reject all other
     connection requests.</para></listitem></itemizedlist> <inlinegraphic
-    fileref="images/BD21298_.gif" format="GIF" />At this point, edit your
+    fileref="images/BD21298_.gif" format="GIF" /></para>
-    <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
+
+    <para>At this point, edit your <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
     and make any changes that you wish.</para>
   </section>
 
@@ -250,9 +255,10 @@
     <acronym>ISDN</acronym>, your external interface will be <filename
     class="devicefile">ippp0</filename>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    external interface is <filename class="devicefile">ppp0</filename> or
+
-    <filename class="devicefile">ippp0</filename> then you will want to set
+    <para>If your external interface is <filename class="devicefile">ppp0</filename>
+    or <filename class="devicefile">ippp0</filename> then you will want to set
     <varname>CLAMPMSS=yes</varname> in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
 
     <para>Your <emphasis>Internal Interface</emphasis> will be an ethernet
@@ -268,11 +274,13 @@
     <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
     for all interfaces connected to the common hub/switch. Using such a setup
     with a production firewall is strongly recommended against.</para></warning>
-    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The Shorewall
+    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    two-interface sample configuration assumes that the external interface is
+
-    <filename class="devicefile">eth0</filename> and the internal interface is
+    <para>The Shorewall two-interface sample configuration assumes that the
-    <filename class="devicefile">eth1</filename>. If your configuration is
+    external interface is <filename class="devicefile">eth0</filename> and the
-    different, you will have to modify the sample <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
+    internal interface is <filename class="devicefile">eth1</filename>. If
+    your configuration is different, you will have to modify the sample
+    <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
     file accordingly. While you are there, you may wish to review the list of
     options that are specified for the interfaces. Some hints: <itemizedlist
     spacing="compact"><listitem><para>If your external interface is <filename
@@ -306,10 +314,11 @@
 10.0.0.0    - 10.255.255.255
 172.16.0.0  - 172.31.255.255
 192.168.0.0 - 192.168.255.255
-		</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Before
+		</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    starting Shorewall, you should look at the IP address of your external
+
-    interface and if it is one of the above ranges, you should remove the
+    <para>Before starting Shorewall, you should look at the IP address of your
-    &#39;norfc1918&#39; option from the external interface&#39;s entry in
+    external interface and if it is one of the above ranges, you should remove
+    the &#39;norfc1918&#39; option from the external interface&#39;s entry in
     <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
 
     <para>You will want to assign your addresses from the same sub-network
@@ -345,10 +354,11 @@
     directly. To communicate with systems outside of the subnetwork, systems
     send packets through a gateway (router).</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Your
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    local computers (computer 1 and computer 2 in the above diagram) should be
+
-    configured with their default gateway to be the <acronym>IP</acronym>
+    <para>Your local computers (computer 1 and computer 2 in the above
-    address of the firewall&#39;s internal interface.</para>
+    diagram) should be configured with their default gateway to be the
+    <acronym>IP</acronym> address of the firewall&#39;s internal interface.</para>
 
     <para>The foregoing short discussion barely scratches the surface
     regarding subnetting and routing. If you are interested in learning more
@@ -405,24 +415,28 @@
     <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
     <acronym>IP</acronym> is static.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    external firewall interface is <filename class="devicefile">eth0</filename>,
+
+    <para>If your external firewall interface is <filename class="devicefile">eth0</filename>,
     you do not need to modify the file provided with the sample. Otherwise,
     edit <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
     and change the first column to the name of your external interface and the
     second column to the name of your internal interface.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    external <acronym>IP</acronym> is static, you can enter it in the third
+
-    column in the <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
+    <para>If your external <acronym>IP</acronym> is static, you can enter it
+    in the third column in the <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
     entry if you like although your firewall will work fine if you leave that
     column empty. Entering your static <acronym>IP</acronym> in column 3 makes
     processing outgoing packets a little more efficient.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If you
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    are using the Debian package, please check your <filename>shorewall.conf</filename>
+
-    file to ensure that the following are set correctly; if they are not,
+    <para>If you are using the Debian package, please check your
-    change them appropriately: <itemizedlist spacing="compact"><listitem><para><varname>NAT_ENABLED=Yes</varname>
+    <filename>shorewall.conf</filename> file to ensure that the following are
+    set correctly; if they are not, change them appropriately: <itemizedlist
+    spacing="compact"><listitem><para><varname>NAT_ENABLED=Yes</varname>
     (Shorewall versions earlier than 1.4.6)</para></listitem><listitem><para><varname>IP_FORWARDING=On</varname></para></listitem></itemizedlist></para>
   </section>
 
@@ -448,9 +462,9 @@
     class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
     <informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
     cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(s)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
     align="left"><varname>loc:&#60;server local ip address&#62; [:&#60;server
     port&#62;]</varname></entry><entry align="left"><varname>&#60;protocol&#62;</varname></entry><entry
@@ -460,9 +474,9 @@
     to that system: <informaltable frame="all" label="rules" pgwide="0"><tgroup
     align="left" cols="7"><thead valign="middle"><row valign="middle"><entry
     align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
-    align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
+    align="left">DEST</entry><entry align="left">PROTO</entry><entry
-    align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
+    align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
-    align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
     align="left"><varname>loc:10.10.10.2</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
     align="left"><varname>80</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></example>
@@ -471,9 +485,9 @@
     incoming <acronym>TCP</acronym> port 21 to that system: <informaltable
     frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
     valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
     align="left"><varname>loc:10.10.10.1</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
     align="left"><varname>21</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
@@ -494,17 +508,18 @@
     url="FAQ.htm#faq2">Shorewall FAQ #2</ulink>.</para></listitem><listitem><para>Many
     <acronym>ISP</acronym>s block incoming connection requests to port 80. If
     you have problems connecting to your web server, try the following rule
-    and try connecting to port 5000. <informaltable frame="all" label="rules"
+    and try connecting to port 5000. </para></listitem></itemizedlist><informaltable
-    pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
+    frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
-    valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
+    valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
     align="left"><varname>loc:10.10.10.2:80</varname></entry><entry
-    align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></listitem></itemizedlist>
+    align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
-    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />At this point,
+    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
+
+    <para>At this point, modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
     to add any <acronym>DNAT</acronym> rules that you require.</para>
   </section>
 
@@ -543,9 +558,9 @@
     class="directory">/etc/shorewall/</filename><filename>rules</filename>.
     <informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
     cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
     align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
     align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
@@ -560,9 +575,9 @@
     <para>The two-interface sample includes the following rules:
     <informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
     cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>fw</varname></entry><entry
     align="left"><varname>net</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
     align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
@@ -576,9 +591,9 @@
     <para>The sample also includes: <informaltable frame="all" label="rules"
     pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
     valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
-    align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
+    align="left">DEST</entry><entry align="left">PROTO</entry><entry
-    align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
+    align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
-    align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
     align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
     align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
@@ -589,9 +604,9 @@
     other systems, the general format is: <informaltable frame="all"
     label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
     valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>&#60;source
     zone&#62;</varname></entry><entry align="left"><varname>&#60;destination
     zone&#62;</varname></entry><entry align="left"><varname>&#60;protocol&#62;</varname></entry><entry
@@ -602,9 +617,9 @@
     colname="c2" /><colspec colname="c3" /><colspec colname="c4" /><colspec
     colname="c5" /><colspec colname="c6" /><colspec colname="c7" /><thead
     valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
     align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
     align="left"><varname>80</varname></entry><entry nameend="c7" namest="c6">#Allow
@@ -619,15 +634,15 @@
     url="ports.htm">here</ulink>. <important><para>I don&#39;t recommend
     enabling <command>telnet</command> to/from the internet because it uses
     clear text (even for login!). If you want shell access to your firewall
-    from the internet, use <acronym>SSH</acronym>: <informaltable frame="all"
+    from the internet, use <acronym>SSH</acronym>: </para></important><informaltable
-    label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
+    frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
     valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
-    align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
+    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
-    align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
+    align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
-    align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
     align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
-    align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></important>
+    align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
     <inlinegraphic fileref="images/leaflogo.gif" format="GIF" />Bering users
     will want to add the following two rules to be compatible with
     Jacques&#39;s Shorewall configuration. <informaltable frame="all"
@@ -636,9 +651,9 @@
     colname="c4" /><colspec colname="c5" /><colspec colname="c6" /><colspec
     colname="c7" /><thead valign="middle"><row valign="middle"><entry
     align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
-    align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
+    align="left">DEST</entry><entry align="left">PROTO</entry><entry
-    align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
+    align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
-    align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
+    align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
     align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
     align="left"><varname>fw</varname></entry><entry align="left"><varname>udp</varname></entry><entry
     align="left"><varname>53</varname></entry><entry nameend="c7" namest="c6">#Allow
@@ -646,21 +661,23 @@
     align="left"><varname>loc</varname></entry><entry align="left"><varname>fw</varname></entry><entry
     align="left"><varname>tcp</varname></entry><entry align="left"><varname>80</varname></entry><entry
     nameend="c7" namest="c6">#Allow weblet to work</entry></row></tbody></tgroup></informaltable>
-    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Now edit your
+    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
+
+    <para>Now edit your <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
     file to add or delete other connections as required.</para>
   </section>
 
   <section>
     <title>Starting and Stopping Your Firewall</title>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    <ulink url="Install.htm">installation procedure</ulink> configures your
+
-    system to start Shorewall at system boot but beginning with Shorewall
+    <para>The <ulink url="Install.htm">installation procedure</ulink>
-    version 1.3.9 startup is disabled so that your system won&#39;t try to
+    configures your system to start Shorewall at system boot but beginning
-    start Shorewall before configuration is complete. Once you have completed
+    with Shorewall version 1.3.9 startup is disabled so that your system
-    configuration of your firewall, you can enable Shorewall startup by
+    won&#39;t try to start Shorewall before configuration is complete. Once
-    removing the file <filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.
+    you have completed configuration of your firewall, you can enable
+    Shorewall startup by removing the file <filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.
     <important><para>Users of the .deb package must edit <filename
     class="directory">/etc/default/</filename><filename>shorewall</filename>
     and set <varname>startup=1</varname>.</para></important> The firewall is
@@ -674,10 +691,11 @@
     of Shorewall from your Netfilter configuration, use <quote><command>shorewall
     clear</command></quote>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-    two-interface sample assumes that you want to enable routing to/from
+
-    <filename class="devicefile">eth1</filename> (the local network) when
+    <para>The two-interface sample assumes that you want to enable routing
-    Shorewall is stopped. If your local network isn&#39;t connected to
+    to/from <filename class="devicefile">eth1</filename> (the local network)
+    when Shorewall is stopped. If your local network isn&#39;t connected to
     <filename class="devicefile">eth1</filename> or if you wish to enable
     access to/from other hosts, change <filename class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
     accordingly. <warning><para>If you are connected to your firewall from the

Shorewall-docs/useful_links.xml

@@ -13,7 +13,7 @@
       <surname>Eastep</surname>
     </author>
 
-    <pubdate>2003/12/22</pubdate>
+    <pubdate>2003/12/30</pubdate>
 
     <copyright>
       <year>2003</year>
@@ -60,7 +60,7 @@
 
         <row rowsep="0" valign="middle">
           <entry align="left">Debian apt-get sources for Shorewall: <ulink
-          url="http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian</ulink></entry>
+          url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
         </row>
       </tbody>
     </tgroup>