Tweak FAQ

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5056 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-12-05 18:25:40 +00:00 · 2006-12-05 18:25:40 +00:00 · c9758d4e19
commit c9758d4e19
parent 5aaa1492f5
1 changed files with 80 additions and 50 deletions
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@ -56,7 +56,7 @@
    <section id="faq37">
      <title>(FAQ 37) I just installed Shorewall on Debian and the
-      /etc/shorewall directory is empty!!!</title>
+      /etc/shorewall directory is almost empty!!!</title>
      <para><emphasis role="bold">Answer</emphasis>:</para>
@ -71,19 +71,13 @@
      </important>
      <para>If you install using the .deb, you will find that your <filename
-      class="directory">/etc/shorewall</filename> directory is empty. This is
+      class="directory">/etc/shorewall</filename> directory is almost empty.
-      intentional. The released configuration file skeletons may be found on
+      This is intentional. The released configuration file skeletons may be
-      your system in the directory <filename
+      found on your system in the directory <filename
      class="directory">/usr/share/doc/shorewall/default-config</filename>.
      Simply copy the files you need from that directory to <filename
      class="directory">/etc/shorewall</filename> and modify the
      copies.</para>
      <para>Note that you must copy <filename
      class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
      and <filename>/usr/share/doc/shorewall/default-config/modules</filename>
      to <filename class="directory">/etc/shorewall</filename> even if you do
      not modify those files.</para>
    </section>
    <section id="faq44">
@ -135,6 +129,13 @@ DNAT       net      loc:192.168.1.5  udp      7777</programlisting>
 #                                                                            PORT    DEST.
 DNAT    net    loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;]  &lt;<emphasis>protocol</emphasis>&gt;  &lt;<emphasis>port #</emphasis>&gt;   -       &lt;<emphasis>external IP</emphasis>&gt;</programlisting>
      <para>If you want to forward requests from a particular internet address
      ( <emphasis>&lt;address&gt;</emphasis> ):</para>
      <programlisting>#ACTION SOURCE        DEST                                   PROTO       DEST PORT  SOURCE  ORIGINAL
 #                                                                                   PORT    DEST.
 DNAT    net:<emphasis>&lt;address&gt;</emphasis> loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;]  &lt;<emphasis>protocol</emphasis>&gt;  &lt;<emphasis>port #</emphasis>&gt;   -</programlisting>
      <para>Finally, if you need to forward a range of ports, in the DEST PORT
      column specify the range as
      <emphasis>&lt;low-port&gt;:&lt;high-port&gt;</emphasis>.</para>
@ -358,7 +359,7 @@ DNAT    net     fw:192.168.1.1:22       tcp     4104</programlisting>
    </section>
    <section id="faq48">
-      <title>(FAQ 48) How do I Set up Transparent Proxy with
+      <title>(FAQ 48) How do I Set up Transparent HTTP Proxy with
      Shorewall?</title>
      <para><emphasis role="bold">Answer</emphasis>: See <ulink
@ -433,7 +434,9 @@ DNAT       loc          loc:192.168.1.5    tcp      www         -         130.15
          <para>That rule only works of course if you have a static external
          IP address. If you have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename>:</para>
+          <filename>/etc/shorewall/params</filename> (or your
          <filename>&lt;export directory&gt;/init</filename> file if you are
          using Shorewall Lite on the firewall system):</para>
          <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>        </programlisting>
@ -444,8 +447,8 @@ DNAT       loc          loc:192.168.1.5    tcp      www         -         130.15
 DNAT       loc           loc:192.168.1.5    tcp      www         -         $ETH0_IP</programlisting>
          <para>Using this technique, you will want to configure your
-          DHCP/PPPoE client to automatically restart Shorewall each time that
+          DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
-          you get a new IP address.</para>
+          time that you get a new IP address.</para>
        </listitem>
      </itemizedlist>
@ -478,8 +481,8 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         $ETH0
        addresses and can be accessed externally and internally using the same
        address.</para>
-        <para>If you don't like those solutions and prefer to stupidly route
+        <para>If you don't like those solutions and prefer, incredibly, to
-        all Z-&gt;Z traffic through your firewall then:</para>
+        route all Z-&gt;Z traffic through your firewall then:</para>
        <orderedlist>
          <listitem>
@ -495,7 +498,7 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         $ETH0
        <example>
          <title>Example:</title>
-          <literallayout>Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24 Address: 192.168.2.254</literallayout>
+          <literallayout>Zone: dmz, Interface: eth2, Subnet: 192.168.2.0/24, Address: 192.168.2.254</literallayout>
          <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
@ -510,7 +513,7 @@ dmz      eth2         192.168.2.255   <emphasis role="bold">routeback</emphasis>
          <programlisting>#INTERFACE    SUBNETS     ADDRESS
 eth2          eth2        192.168.2.254</programlisting>
-          <para>Like the idiotic hack in FAQ 2 above, this will make all
+          <para>Like the silly hack in FAQ 2 above, this will make all
          dmz-&gt;dmz traffic appear to originate on the firewall.</para>
        </example>
      </section>
@ -545,7 +548,9 @@ DNAT       loc      dmz:192.168.2.4     tcp      80              -           206
        <para>If your external IP address is dynamic, then you must do the
        following:</para>
-        <para>In <filename>/etc/shorewall/params</filename>:</para>
+        <para>In <filename>/etc/shorewall/params (or in your
        <filename>&lt;export directory&gt;/init</filename> file if you are
        using Shorewall Lite on the firewall system)</filename>:</para>
        <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>  </programlisting>
@ -762,7 +767,8 @@ to debug/develop the newnat interface.</programlisting></para>
        <listitem>
          <para>The DNS settings on the local systems are wrong or the user is
          running a DNS server on the firewall and hasn't enabled UDP and TCP
-          port 53 from the firewall to the internet.</para>
+          port 53 from the local net to the firewall or from the firewall to
          the internet.</para>
        </listitem>
        <listitem>
@ -862,9 +868,34 @@ LOGBURST=""</programlisting>
          <ulink url="http://home.regit.org/ulogd-php.html">http://home.regit.org/ulogd-php.html</ulink>
        </literallayout>
-        <para>I personally use Logwatch. It emails me a report each day from
+        <para>I personally use <ulink
-        my various systems with each report summarizing the logged activity on
+        url="http://www.logwatch.org">Logwatch</ulink>. It emails me a report
-        the corresponding system.</para>
+        each day from my various systems with each report summarizing the
        logged activity on the corresponding system. I use the brief report
        format; here's a sample:</para>
        <blockquote>
          <programlisting> --------------------- iptables firewall Begin ------------------------ 
 Dropped 111 packets on interface eth0
   From 58.20.162.142 - 5 packets to tcp(1080) 
   From 62.163.19.50 - 1 packet to udp(6348) 
   From 66.111.45.60 - 9 packets to tcp(192) 
   From 69.31.82.50 - 18 packets to tcp(3128) 
   From 72.232.183.102 - 2 packets to tcp(3128) 
   From 82.96.96.3 - 6 packets to tcp(808,1080,1978,7600,65506) 
   From 128.48.51.209 - 5 packets to tcp(143) 
   From 164.77.223.150 - 12 packets to tcp(873) 
   From 165.233.109.23 - 8 packets to tcp(22) 
   From 202.99.172.175 - 4 packets to udp(2,4081) 
   From 206.59.41.101 - 2 packets to tcp(5900) 
   From 217.91.30.224 - 24 packets to tcp(873) 
   From 218.87.47.114 - 6 packets to tcp(3128) 
   From 220.110.219.234 - 4 packets to tcp(22) 
   From 220.133.116.173 - 5 packets to tcp(3128) 
 ---------------------- iptables firewall End -------------------------</programlisting>
        </blockquote>
      </section>
      <section id="faq6b">
@ -1136,9 +1167,10 @@ DROP      net       fw      udp      10619</programlisting>
            <filename> <ulink
            url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>.</filename></para>
-            <para>In Shorewall 3.3.3 and later versions, such packets may also
+            <para>In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in
-            be logged out of a &lt;zone&gt;2all chain or the all2all
+            <ulink url="Documentation.htm#Conf">shorewall.conf</ulink>, such
-            chain.</para>
+            packets may also be logged out of a &lt;zone&gt;2all chain or the
            all2all chain.</para>
          </listitem>
        </varlistentry>
@ -1150,8 +1182,10 @@ DROP      net       fw      udp      10619</programlisting>
            your defined zones(<command>shorewall[-lite] show zones</command>
            and look at the printed zone definitions).</para>
-            <para>In Shorewall 3.3.3 and later versions, such packets may also
+            <para>In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in
-            be logged out of the fw2all chain or the all2all chain.</para>
+            <ulink url="Documentation.htm#Conf">shorewall.conf</ulink>, such
            packets may also be logged out of the fw2all chain or the all2all
            chain.</para>
          </listitem>
        </varlistentry>
@ -1357,8 +1391,8 @@ modprobe: Can't locate module iptable_raw</programlisting>
      different ISPs. How do I set this up in Shorewall?</title>
      <para><emphasis role="bold">Answer</emphasis>: See <ulink
-      url="MultiISP.html">this article on Shorewall and
+      url="MultiISP.html">this article on Shorewall and Multiple
-      Routing</ulink>.</para>
+      ISPs</ulink>.</para>
    </section>
    <section id="faq49">
@ -1428,10 +1462,6 @@ Perhaps iptables or your kernel needs to be upgraded.</programlisting>
 chkconfig --delete ipchains
 rmmod ipchains</command></programlisting>
      <para>Also, be sure to check the <ulink url="errata.htm">errata</ulink>
      for problems concerning the version of iptables (v1.2.3) shipped with
      RH7.2.</para>
      <section id="faq8a">
        <title>(FAQ 8a) When I try to start Shorewall on RedHat I get a
        message referring me to FAQ #8</title>
@ -1497,13 +1527,13 @@ Creating input Chains...
    </section>
    <section id="faq34">
-      <title>(FAQ 34) How can I speed up start (restart)?</title>
+      <title>(FAQ 34) How can I speed up Shorewall start (restart)?</title>
      <para><emphasis role="bold">Answer</emphasis>:Using a light-weight shell
-      such as <command>ash</command> can dramatically decrease the time
+      such as <command>ash</command> or <command>dash</command> can
-      required to <emphasis role="bold">start</emphasis> or <emphasis
+      dramatically decrease the time required to <emphasis
-      role="bold">restart</emphasis> Shorewall. See the SHOREWALL_SHELL
+      role="bold">start</emphasis> or <emphasis role="bold">restart</emphasis>
-      variable in <filename> <ulink
+      Shorewall. See the SHOREWALL_SHELL variable in <filename> <ulink
      url="Documentation.htm#Conf">shorewall.conf</ulink> </filename>.</para>
      <para>Use a fast terminal emulator -- in particular the KDE konsole
@ -1637,8 +1667,7 @@ iptables: Invalid argument
      Netfilter modules loaded. How do I avoid that?</title>
      <para><emphasis role="bold">Answer</emphasis>: Copy
-      <filename>/usr/share/shorewall/modules</filename> (or
+      <filename>/usr/share/shorewall[-lite]/modules</filename> to
      <filename>/usr/share/shorewall/xmodules</filename> if appropriate) to
      <filename>/etc/shorewall/modules </filename>and modify the copy to
      include only the modules that you need.</para>
    </section>
@ -2047,7 +2076,7 @@ eth0               eth1                        # eth1 = interface to local netwo
              <entry align="center">Shorewall Lite 3.2.2</entry>
-              <entry align="center">Shorewall Lite 3.2.3</entry>
+              <entry align="center">Shorewall Lite 3.2.3 and later</entry>
            </row>
          </thead>
@ -2089,7 +2118,8 @@ eth0               eth1                        # eth1 = interface to local netwo
            </row>
            <row>
-              <entry><emphasis role="bold">Shorewall 3.2.3</emphasis></entry>
+              <entry><emphasis role="bold">Shorewall 3.2.3 and
              later</emphasis></entry>
              <entry align="center">P1</entry>
@ -2241,12 +2271,12 @@ REJECT    fw            net:216.239.39.99    all</programlisting>Given that
      parsing the payload of individual packets doesn't always work because
      the application-level data stream can be split across packets in
      arbitrary ways. This is one of the weaknesses of the 'string match'
-      Netfilter extension available in Patch-O-Matic-ng. The only sure way to
+      Netfilter extension available in later Linux kernel releases. The only
-      filter on packet content is to proxy the connections in question -- in
+      sure way to filter on packet content is to proxy the connections in
-      the case of HTTP, this means running something like <ulink
+      question -- in the case of HTTP, this means running something like
-      url="Shorewall_Squid_Usage.html">Squid</ulink>. Proxying allows the
+      <ulink url="Shorewall_Squid_Usage.html">Squid</ulink>. Proxying allows
-      proxy process to assemble complete application-level messages which can
+      the proxy process to assemble complete application-level messages which
-      then be accurately parsed and decisions can be made based on the
+      can then be accurately parsed and decisions can be made based on the
      result.</para>
    </section>
@ -2296,7 +2326,7 @@ gateway:~#</programlisting>
 $FW                loc                     ACCEPT
 loc                $FW                     ACCEPT           </programlisting>
-      <para>You can also delete any ACCEPT rules from $FW-&gt;loc and
+      <para>You should also delete any ACCEPT rules from $FW-&gt;loc and
      loc-&gt;$FW since those rules are redundant with the above
      policies.</para>
    </section>