Update Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/FAQ.xml

@@ -17,7 +17,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-14</pubdate>
+    <pubdate>2004-08-01</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -65,7 +65,7 @@
   </section>
 
   <section>
-    <title>Port Forwarding</title>
+    <title>Port Forwarding (Port Redirection)</title>
 
     <section id="faq1">
       <title>(FAQ 1) I want to forward UDP port 7777 to my my personal PC with

Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml

@@ -111,7 +111,7 @@ Device "eth0:0" does not exist.
 
 case $1 in
     eth0)
-        /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
+        /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
         ;;
 esac</programlisting>
 

Shorewall-docs2/bridge.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-06-11</pubdate>
+    <pubdate>2004-07-31</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -159,12 +159,11 @@
 
     <para>Unfortunately, Linux distributions don&#39;t have good bridge
     configuration tools and the network configuration GUIs don&#39;t detect
-    the presence of bridge devices. You may refer to <ulink
+    the presence of bridge devices. You may refer to <ulink url="myfiles.htm">my
-    url="http://shorewall.net/2.0/myfiles.htm">my configuration files</ulink>
+    configuration files</ulink> for an example of configuring a three-port
-    for an example of configuring a three-port bridge at system boot under
+    bridge at system boot under <trademark>SuSE</trademark>. Here is an
-    <trademark>SuSE</trademark>. Here is an excerpt from a Debian
+    excerpt from a Debian <filename>/etc/network/interfaces</filename> file
-    <filename>/etc/network/interfaces</filename> file for a two-port bridge
+    for a two-port bridge with a static IP address:</para>
-    with a static IP address:</para>
 
     <blockquote>
       <programlisting>auto br0
@@ -294,6 +293,36 @@ exit 0</programlisting>
 INTERFACES=&#34;eth0 eth1&#34;        #The physical interfaces to be bridged</programlisting>
     </blockquote>
 
+    <para>Andrzej Szelachowski contributed the following.</para>
+
+    <blockquote>
+      <programlisting>Here is how I configured bridge in Slackware:
+
+1) I had to compile bridge-utils (It&#39;s not in the standard distribution)
+2) I&#39;ve created rc.bridge in /etc/rc.d:
+
+#########################
+#! /bin/sh
+
+ifconfig eth0 0.0.0.0
+ifconfig eth1 0.0.0.0
+#ifconfig lo 127.0.0.1 #this line should be uncommented if you don&#39;t use rc.inet1
+
+brctl addbr most
+
+brctl addif most eth0
+brctl addif most eth1
+
+ifconfig most 192.168.1.31 netmask 255.255.255.0 up 
+#route add default gw 192.168.1.1 metric 1 #this line should be uncommented if
+                                           #you don&#39;t use rc.inet1
+#########################
+
+3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
+
+/etc/rc.d/rc.bridge </programlisting>
+    </blockquote>
+
     <para>Users who successfully configure bridges on other distributions,
     with static or dynamic IP addresses, are encouraged to send <ulink
     url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I

Shorewall-docs2/errata.xml

@@ -13,7 +13,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-29</pubdate>
+    <pubdate>2004-07-30</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -87,6 +87,22 @@
   <section>
     <title>Problems in Version 2.0</title>
 
+    <section>
+      <title>Shorewall 2.0.3a through 2.0.7</title>
+
+      <itemizedlist>
+        <listitem>
+          <para>Entries in the USER/GROUP column of an action file (made from
+          action.template) may be ignored or cause odd errors. </para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Corrected in <ulink
+      url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
+      firewall script</ulink> which may be installed in
+      /usr/share/shorewall/firewall as described above.</para>
+    </section>
+
     <section>
       <title>Shorewall 2.0.3a through 2.0.4</title>
 

Shorewall-docs2/myfiles.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-13</pubdate>
+    <pubdate>2004-08-05</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -29,7 +29,8 @@
       1.2 or any later version published by the Free Software Foundation; with
       no Invariant Sections, with no Front-Cover, and with no Back-Cover
       Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
     </legalnotice>
   </articleinfo>
 
@@ -40,9 +41,9 @@
       <para>I use a combination of One-to-one NAT and Proxy ARP, neither of
       which are relevant to a simple configuration with a single public IP
       address. If you have just a single public IP address, most of what you
-      see here won&#39;t apply to your setup so beware of copying parts of
+      see here won't apply to your setup so beware of copying parts of this
-      this configuration and expecting them to work for you. What you copy may
+      configuration and expecting them to work for you. What you copy may or
-      or may not work for you.</para>
+      may not work for you.</para>
     </caution>
 
     <caution>
@@ -75,19 +76,21 @@
       </listitem>
 
       <listitem>
-        <para>I use SNAT through 206.124.146.179 for&#x00A0; my SuSE 9.0 Linux
+        <para>I use SNAT through 206.124.146.179 for&nbsp; my SuSE 9.0 Linux
-        system <quote>Wookie</quote>, my Wife&#39;s Windows XP system
+        system <quote>Wookie</quote>, my Wife's Windows XP system
-        <quote>Tarry</quote>, and our&#x00A0; dual-booting (Windows
+        <quote>Tarry</quote>, and our&nbsp; dual-booting (Windows XP/SuSE 9.1)
-        XP/Mandrake 10.0 Official) laptop <quote>Tipper</quote> which connects
+        laptop <quote>Tipper</quote> which connects through the Wireless
-        through the Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While
+        Access Point (wap) via a Wireless Bridge (wet).<note>
-        the distance between the WAP and where I usually use the laptop
+            <para>While the distance between the WAP and where I usually use
-        isn&#39;t very far (25 feet or so), using a WAC11 (CardBus wireless
+            the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
-        card) has proved very unsatisfactory (lots of lost connections). By
+            wireless card) has proved very unsatisfactory (lots of lost
-        replacing the WAC11 with the WET11 wireless bridge, I have virtually
+            connections). By replacing the WAC11 with the WET11 wireless
-        eliminated these problems (Being an old radio tinkerer (K7JPV), I was
+            bridge, I have virtually eliminated these problems (Being an old
-        also able to eliminate the disconnects by hanging a piece of aluminum
+            radio tinkerer (K7JPV), I was also able to eliminate the
-        foil on the family room wall. Needless to say, my wife Tarry rejected
+            disconnects by hanging a piece of aluminum foil on the family room
-        that as a permanent solution :-).</para></note></para>
+            wall. Needless to say, my wife Tarry rejected that as a permanent
+            solution :-).</para>
+          </note></para>
       </listitem>
     </itemizedlist>
 
@@ -98,16 +101,17 @@
       </listitem>
     </itemizedlist>
 
-    <para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
+    <para>The firewall runs on a 256MB PII/233 with Debian Sarge
+    (Testing).</para>
 
     <para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
 
-    <para>The wireless network connects to Wookie&#39;s eth2 via a LinkSys
+    <para>The wireless network connects to Wookie's eth2 via a LinkSys
-    WAP11.&#x00A0; In additional to using the rather weak WEP 40-bit
+    WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
-    encryption (64-bit with the 24-bit preamble), I use <ulink
+    (64-bit with the 24-bit preamble), I use <ulink
     url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
     combination and if I lived near a wireless <quote>hot spot</quote>, I
-    would probably add IPSEC or something similar to my WiFi-&#62;local
+    would probably add IPSEC or something similar to my WiFi-&gt;local
     connections.</para>
 
     <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
@@ -132,13 +136,14 @@
     in the DMZ.</para>
 
     <para>The ethernet interface in the Server is configured with IP address
-    206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
+    206.124.146.177, netmask 255.255.255.0. The server's default gateway is
-    is 206.124.146.254 (Router at my ISP. This is the same default gateway
+    206.124.146.254 (Router at my ISP. This is the same default gateway used
-    used by the firewall itself). On the firewall, an entry in my
+    by the firewall itself). On the firewall, an entry in my
     /etc/network/interfaces file (see below) adds a host route to
     206.124.146.177 through eth1 when that interface is brought up.</para>
 
-    <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para>
+    <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
+    access.</para>
 
     <para><graphic align="center" fileref="images/network.png" /></para>
   </section>
@@ -162,7 +167,7 @@ RFC1918_LOG_LEVEL=$LOG
 SMURF_LOG_LEVEL=
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/ash
-SUBSYSLOCK=               #I run Debian which doesn&#39;t use service locks
+SUBSYSLOCK=               #I run Debian which doesn't use service locks
 STATEDIR=/var/state/shorewall
 MODULESDIR=
 FW=fw
@@ -189,9 +194,9 @@ TCP_FLAGS_DISPOSITION=DROP
       <title>Params File (Edited)</title>
 
       <blockquote>
-        <para><programlisting>MIRRORS=&#60;list of shorewall mirror ip addresses&#62;
+        <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
-NTPSERVERS=&#60;list of the NTP servers I sync with&#62;
+NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
-TEXAS=&#60;ip address of gateway in Plano&#62;
+TEXAS=&lt;ip address of gateway in Plano&gt;
 LOG=info</programlisting></para>
       </blockquote>
     </section>
@@ -230,7 +235,7 @@ dmz     eth1            -
 
       <blockquote>
         <programlisting>#ZONE           HOST(S)                 OPTIONS
-tx&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; texas:192.168.8.0/22
+tx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; texas:192.168.8.0/22
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
       </blockquote>
     </section>
@@ -284,14 +289,14 @@ eth2            -
 
       <blockquote>
         <programlisting>#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
-fw              fw              ACCEPT                                    # For testing fw-&#62;fw rules
+fw              fw              ACCEPT                                    # For testing fw-&gt;fw rules
 loc             net             ACCEPT                                    # Allow all net traffic from local net
 $FW             loc             ACCEPT                                    # Allow local access from the firewall
 $FW             tx              ACCEPT                                    # Allow firewall access to texas
 loc             tx              ACCEPT                                    # Allow local net access to texas
-loc             fw              REJECT          $LOG                      # Reject loc-&#62;fw and log
+loc             fw              REJECT          $LOG                      # Reject loc-&gt;fw and log
 net             all             DROP            $LOG            10/sec:40 # Rate limit and
-                                                                          # DROP net-&#62;all
+                                                                          # DROP net-&gt;all
 all             all             REJECT          $LOG                      # Reject and log the rest
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
       </blockquote>
@@ -302,16 +307,15 @@ all             all             REJECT          $LOG                      # Reje
 
       <blockquote>
         <para>Although most of our internal systems use one-to-one NAT, my
-        wife&#39;s system (192.168.1.4) uses IP Masquerading (actually SNAT)
+        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
-        as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
+        my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
-        visitors with laptops.</para>
+        with laptops.</para>
 
         <para>The first entry allows access to the DSL modem and uses features
-        introduced in Shorewall 2.1.1. The leading plus sign (&#34;+_&#34;)
+        introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
-        causes the rule to be placed before rules generated by the
+        rule to be placed before rules generated by the /etc/shorewall/nat
-        /etc/shorewall/nat file below. The double colons (&#34;::&#34;) causes
+        file below. The double colons ("::") causes the entry to be exempt
-        the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
+        from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
-        file above.</para>
 
         <programlisting>#INTERFACE              SUBNET          ADDRESS
 +eth0::192.168.1.1      0.0.0.0/0       192.168.1.254
@@ -344,7 +348,8 @@ eth0:2                  eth2            206.124.146.179
     </section>
 
     <section>
-      <title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
+      <title>Tunnels File (Shell variable TEXAS set in
+      /etc/shorewall/params)</title>
 
       <blockquote>
         <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
@@ -369,7 +374,8 @@ Mirrors             #Accept traffic from the Shorewall Mirror sites
       <blockquote>
         <para>The $MIRRORS variable expands to a list of approximately 10 IP
         addresses. So moving these checks into a separate chain reduces the
-        number of rules that most net-&#62;dmz traffic needs to traverse.</para>
+        number of rules that most net-&gt;dmz traffic needs to
+        traverse.</para>
 
         <programlisting>#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
 #                                               PORT    PORT(S)    DEST         LIMIT
@@ -416,14 +422,15 @@ RejectSMB
 DropUPnP
 dropNotSyn
 DropDNSrep
-DROP      loc:eth2:!192.168.1.0/24       #So that my braindead Windows[tm] XP system doesn&#39;t flood my log
+DROP      loc:eth2:!192.168.1.0/24       #So that my braindead Windows[tm] XP system doesn't flood my log
                                          #with NTP requests with a source address in 16.0.0.0/8 (address of
                                          #its PPTP tunnel to HP).</programlisting>
       </blockquote>
     </section>
 
     <section>
-      <title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
+      <title>Rules File (The shell variables are set in
+      /etc/shorewall/params)</title>
 
       <blockquote>
         <programlisting>###############################################################################################################################################################################
@@ -477,7 +484,7 @@ Mirrors		net				dmz			tcp	rsync
 #
 # Net to Local
 #
-# When I&#39;m &#34;on the road&#34;, the following two rules allow me VPN access back home.
+# When I'm "on the road", the following two rules allow me VPN access back home.
 #
 DNAT		net				loc:192.168.1.4		tcp	1723	-
 DNAT		net:!4.3.113.178		loc:192.168.1.4		gre	-
@@ -510,12 +517,12 @@ ACCEPT		dmz				net:$POPSERVERS		tcp	pop3
 #ACCEPT		dmz				net:66.216.26.115	tcp	pop3
 #
 # Something is wrong with the FTP connection tracking code or there is some client out there
-# that is sending a PORT command which that code doesn&#39;t understand. Either way,
+# that is sending a PORT command which that code doesn't understand. Either way,
 # the following works around the problem.
 #
 ACCEPT:$LOG	dmz				net			tcp	1024:					20
 ###############################################################################################################################################################################
-# DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
+# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
 #
 ACCEPT		dmz				fw			udp	ntp					ntp
 ACCEPT		dmz				fw			tcp	161,ssh
@@ -568,7 +575,8 @@ ACCEPT		tx				loc:192.168.1.5		all
         displayed in <emphasis role="bold">bold type</emphasis>) add a route
         to my DSL modem when eth0 is brought up and a route to my DMZ server
         when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
-        the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
+        the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP
+        file</link>.</para>
 
         <programlisting>...
 auto auto eth0
@@ -594,13 +602,13 @@ iface eth1 inet static
   <section>
     <title>Bridge (Wookie) Configuration</title>
 
-    <para>As mentioned above, Wookie acts as a bridge. It&#39;s view of the
+    <para>As mentioned above, Wookie acts as a bridge. It's view of the
     network is diagrammed in the following figure.</para>
 
     <graphic fileref="images/network1.png" />
 
-    <para>I&#39;ve included the files that I used to configure that system --
+    <para>I've included the files that I used to configure that system -- some
-    some of them are SuSE-specific.</para>
+    of them are SuSE-specific.</para>
 
     <para>The configuration on Wookie can be modified to test various bridging
     features -- otherwise, it serves to isolate the Wireless network from the
@@ -681,10 +689,9 @@ WiFi            br0:eth2                        maclist
         my bridge/firewall. Squid listens on port 3128.</para>
 
         <para>The remaining rules protect the local systems and bridge from
-        the WiFi network. Note that we don&#39;t restrict WiFi→net traffic
+        the WiFi network. Note that we don't restrict WiFi→net traffic since
-        since the only directly-accessible system in the net zone is the
+        the only directly-accessible system in the net zone is the firewall
-        firewall (Wookie and the Firewall are connected by a cross-over
+        (Wookie and the Firewall are connected by a cross-over cable).</para>
-        cable).</para>
 
         <programlisting>#ACTION    SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
 #                                          PORT            PORT(S) DEST
@@ -758,7 +765,7 @@ br0:eth2                00:0b:c1:53:cc:97       192.168.1.8     #TIPPER
 PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
 
 do_stop() {
-    echo &#34;Stopping Bridge&#34;
+    echo "Stopping Bridge"
     brctl delbr br0
     ip link set eth0 down
     ip link set eth1 down
@@ -767,7 +774,7 @@ do_stop() {
 
 do_start() {
 
-      echo &#34;Starting Bridge&#34;
+      echo "Starting Bridge"
       ip link set eth0 up
       ip link set eth1 up
       ip link set eth2 up
@@ -777,7 +784,7 @@ do_start() {
       brctl addif br0 eth2
 }
 
-case &#34;$1&#34; in
+case "$1" in
   start)
       do_start
     ;;
@@ -790,7 +797,7 @@ case &#34;$1&#34; in
       do_start
     ;;
   *)
-    echo &#34;Usage: $0 {start|stop|restart}&#34;
+    echo "Usage: $0 {start|stop|restart}"
     exit 1
 esac
 exit 0</programlisting>
@@ -803,16 +810,16 @@ exit 0</programlisting>
       <blockquote>
         <para>This file is SuSE-specific</para>
 
-        <programlisting>BOOTPROTO=&#39;static&#39;
+        <programlisting>BOOTPROTO='static'
-BROADCAST=&#39;192.168.1.255&#39;
+BROADCAST='192.168.1.255'
-IPADDR=&#39;192.168.1.3&#39;
+IPADDR='192.168.1.3'
-NETWORK=&#39;192.168.1.0&#39;
+NETWORK='192.168.1.0'
-NETMASK=&#39;255.255.255.0&#39;
+NETMASK='255.255.255.0'
-REMOTE_IPADDR=&#39;&#39;
+REMOTE_IPADDR=''
-STARTMODE=&#39;onboot&#39;
+STARTMODE='onboot'
-UNIQUE=&#39;3hqH.MjuOqWfSZ+C&#39;
+UNIQUE='3hqH.MjuOqWfSZ+C'
-WIRELESS=&#39;no&#39;
+WIRELESS='no'
-MTU=&#39;&#39;</programlisting>
+MTU=''</programlisting>
       </blockquote>
     </section>
 

Shorewall-docs2/ports.xml

@@ -13,7 +13,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-05-28</pubdate>
+    <pubdate>2004-07-31</pubdate>
 
     <copyright>
       <year>2001-2002</year>
@@ -54,7 +54,7 @@
       zone:</para>
 
       <programlisting>#ACTION         SOURCE        DESTINATION
-AllowDNS       dmz           net</programlisting>
+AllowDNS        dmz           net</programlisting>
     </note>
 
     <note>
@@ -107,7 +107,7 @@ ACCEPT     dmz       net              tcp        53</programlisting>
     <note>
       <para>Recursive Resolution means that if the server itself can&#39;t
       resolve the name presented to it, the server will attempt to resolve the
-      name with the help of other servers. </para>
+      name with the help of other servers.</para>
     </note>
   </section>
 
@@ -303,6 +303,17 @@ ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62
 ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        443      #Secure HTTP</programlisting>
   </section>
 
+  <section>
+    <title>X/XDMCP</title>
+
+    <para>Assume that the Choser and/or X Server are running at &#60;<emphasis>chooser</emphasis>&#62;
+    and the Display Manager/X applications are running at &#60;<emphasis>apps</emphasis>&#62;.</para>
+
+    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
+ACCEPT     &#60;<emphasis>chooser</emphasis>&#62; &#60;<emphasis>apps</emphasis>&#62;           udp        177         #XDMCP
+ACCEPT     &#60;<emphasis>apps</emphasis>&#62;    &#60;<emphasis>chooser</emphasis>&#62;        tcp        6000:6009   #X Displays 0-9</programlisting>
+  </section>
+
   <section>
     <title>Other Source of Port Information</title>
 

Shorewall-docs2/quotes.xml

@@ -13,7 +13,7 @@
       <surname>Eastep</surname>
     </author>
 
-    <pubdate>2004-03-28</pubdate>
+    <pubdate>2004-07-31</pubdate>
 
     <copyright>
       <year>2003</year>
@@ -36,6 +36,18 @@
   <section>
     <title>What Users are saying...</title>
 
+    <blockquote>
+      <attribution>AS, Poland</attribution>
+
+      <para><emphasis>I want to say that Shorewall documentation is the best
+      I&#39;ve ever found on the net. It&#39;s helped me a lot in
+      understanding how network is working. It is the best of breed. It
+      contains not only Shorewall specific topics with the assumption that all
+      the rest is well known, but also gives some very useful background
+      information. Thank you very much for this wonderful piece of work.
+      </emphasis></para>
+    </blockquote>
+
     <blockquote>
       <attribution>ES, Phoenix AZ, USA</attribution>
 

Shorewall-docs2/shorewall_setup_guide.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-22</pubdate>
+    <pubdate>2004-07-31</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -232,7 +232,7 @@
 
     <programlisting>#SOURCE ZONE     DESTINATION ZONE    POLICY     LOG     LIMIT:BURST
 #                                               LEVEL
-fw               net                 ACCEPT
+loc              net                 ACCEPT
 net              all                 DROP       info
 all              all                 REJECT     info</programlisting>
 
@@ -2170,12 +2170,14 @@ localhost 86400   IN A    127.0.0.1
 firewall       86400   IN A    192.0.2.176
 www            86400   IN A    192.0.2.177
 ns1            86400   IN A    192.0.2.177
-www            86400   IN A    192.0.2.177
+mail           86400   IN A    192.0.2.178 
 
-gateway              86400   IN A    192.168.201.1
+gateway        86400   IN A    192.168.201.1
-winken               86400   IN A    192.168.201.2
+winken         86400   IN A    192.168.201.2
-blinken              86400   IN A    192.168.201.3
+blinken        86400   IN A    192.168.201.3
-nod                  86400   IN A    192.168.201.4</programlisting>
+nod            86400   IN A    192.168.201.4
+
+dmz            86400   IN A    192.168.202.1</programlisting>
 
     <para><filename>ext/db.foobar </filename>- Forward zone for external
     clients.</para>

Shorewall-docs2/support.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-25</pubdate>
+    <pubdate>2004-07-29</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -78,7 +78,7 @@
     <title>Problem Reporting Guidelines</title>
 
     <note>
-      <para>Shorewall versions earlier that 1.3.0 are no longer supported.</para>
+      <para>Shorewall versions earlier that 1.4.0 are no longer supported.</para>
     </note>
 
     <itemizedlist>

Shorewall-docs2/template.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title></title>
+    <title>Operating Shorewall</title>
 
     <authorgroup>
       <author>
@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-MM-DD</pubdate>
+    <pubdate>2004-07-31</pubdate>
 
     <copyright>
       <year>2004</year>

Shorewall-docs2/three-interface.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-14</pubdate>
+    <pubdate>2004-07-31</pubdate>
 
     <copyright>
       <year>2002-2004</year>
@@ -169,12 +169,12 @@
     and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
     if you do not modify those files.</para></warning></para>
 
-    <para>After you have installed Shorewall, download the three-interface
+    <para>After you have installed Shorewall, download the <ulink
-    sample, un-tar it (<command>tar <option>-zxvf</option>
+    url="http://shorewall.net/pub/shorewall/Samples">three-interface sample</ulink>,
-    <filename>three-interfaces.tgz</filename></command>) and and copy the
+    un-tar it (<command>tar <option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
-    files to <filename>/etc/shorewall</filename> (the files will replace files
+    and and copy the files to <filename>/etc/shorewall</filename> (the files
-    with the same names that were placed in <filename>/etc/shorewall</filename>
+    will replace files with the same names that were placed in
-    when Shorewall was installed).</para>
+    <filename>/etc/shorewall</filename> when Shorewall was installed).</para>
 
     <para>As each file is introduced, I suggest that you look through the
     actual file on your system -- each file contains detailed configuration
@@ -372,13 +372,10 @@ fw         net         ACCEPT</programlisting>
     </tip>
 
     <tip>
-      <para>If you specify <emphasis>norfc1918</emphasis> for your external
+      <para>If you specify <emphasis>nobogons</emphasis> for your external
       interface, you will want to check the <ulink url="errata.htm">Shorewall
-      Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918
+      Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/bogons
-      file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename>
+      file</filename>.</para>
-      to <filename>/etc/shorewall/rfc1918</filename> then <ulink
-      url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
-      file as I do</ulink>.</para>
     </tip>
   </section>
 

Shorewall-docs2/traffic_shaping.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-14</pubdate>
+    <pubdate>2004-08-05</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -29,7 +29,8 @@
       1.2 or any later version published by the Free Software Foundation; with
       no Invariant Sections, with no Front-Cover, and with no Back-Cover
       Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
     </legalnotice>
   </articleinfo>
 
@@ -40,8 +41,8 @@
     management itself but it does contain some facilities to intergrate with
     traffic shaping/control solutions. In order to use traffic shaping with
     Shorewall, it is essential that you get a copy of the <ulink
-    url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>,
+    url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
-    version 0.3.0 or later or <ulink
+    HOWTO</ulink>, version 0.3.0 or later or <ulink
     url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control
     HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or
     later. Shorewall traffic shaping support consists of the following:</para>
@@ -63,14 +64,15 @@
       <listitem>
         <para><emphasis role="bold">/etc/shorewall/tcrules</emphasis> - A file
         where you can specify firewall marking of packets. The firewall mark
-        value may be used to classify packets for traffic shaping/control.</para>
+        value may be used to classify packets for traffic
+        shaping/control.</para>
       </listitem>
 
       <listitem>
         <para><emphasis role="bold">/etc/shorewall/tcstart </emphasis>- A
-        user-supplied file that is sourced by Shorewall during <quote>shorewall
+        user-supplied file that is sourced by Shorewall during
-        start</quote> and which you can use to define your traffic shaping
+        <quote>shorewall start</quote> and which you can use to define your
-        disciplines and classes. I have provided a <ulink
+        traffic shaping disciplines and classes. I have provided a <ulink
         url="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</ulink> that
         does table-driven CBQ shaping but if you read the traffic shaping
         sections of the HOWTO mentioned above, you can probably code your own
@@ -93,17 +95,18 @@
         README). <emphasis role="bold">WARNING</emphasis>: If you use use
         Masquerading or SNAT (i.e., you only have one external IP address)
         then listing internal hosts in the NOPRIOHOSTSRC variable in the
-        wshaper[.htb] script won&#39;t work. Traffic shaping occurs after SNAT
+        wshaper[.htb] script won't work. Traffic shaping occurs after SNAT has
-        has already been applied so when traffic shaping happens, all outbound
+        already been applied so when traffic shaping happens, all outbound
         traffic will have as a source address the IP addresss of your
-        firewall&#39;s external interface.</para>
+        firewall's external interface.</para>
       </listitem>
 
       <listitem>
         <para><emphasis role="bold">/etc/shorewall/tcclear</emphasis> - A
         user-supplied file that is sourced by Shorewall when it is clearing
-        traffic shaping. This file is normally not required as Shorewall&#39;s
+        traffic shaping. This file is normally not required as Shorewall's
-        method of clearing qdisc and filter definitions is pretty general.</para>
+        method of clearing qdisc and filter definitions is pretty
+        general.</para>
       </listitem>
     </itemizedlist>
 
@@ -161,7 +164,7 @@
   <section>
     <title>Kernel Configuration</title>
 
-    <para>This screen shot show how I&#39;ve configured QoS in my Kernel:<graphic
+    <para>This screen shot show how I've configured QoS in my Kernel:<graphic
     align="center" fileref="images/QoS.png" /></para>
   </section>
 
@@ -233,7 +236,8 @@
         generating the output is running under the effective user and/or
         group. It may contain :</para>
 
-        <para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]</para>
+        <para>[&lt;user name or number&gt;]:[&lt;group name or
+        number&gt;]</para>
 
         <para>The colon is optionnal when specifying only a user.</para>
 
@@ -303,7 +307,8 @@ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit
 run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1
 echo <quote>   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit</quote>
 
-run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
+run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
+run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
 run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
 echo <quote>   Enabled PFIFO on Second Level Classes</quote>