diff --git a/docs/Documentation.xml b/docs/Documentation.xml
index 3b3b1cf66..3bddc0c2d 100644
--- a/docs/Documentation.xml
+++ b/docs/Documentation.xml
@@ -1426,17 +1426,16 @@ DNAT net loc:192.168.1.5 tcp www
#ACTION SOURCE DEST PROTO DEST PORT(S)
...
-DNAT sam $FW tcp ssh
+ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those
in the sam zone should have their connection port
- forwarded to 192.168.1.3. If you need to exclude more than one zone in
- this way, you can list the zones separated by commas (e.g.,
- net!sam,joe,fred). This technique also may be used when the ACTION is
- REDIRECT.
+ forwarded to 192.168.1.3. If you need to exclude more than one zone,
+ simply use multiple ACCEPT+ rules. This technique also may be used when
+ the ACTION is REDIRECT.
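Review bot: The replacement sentence ("simply use multiple ACCEPT+ rules") does not say what ACCEPT+ does or whether it has to precede the DNAT/REDIRECT rule it is meant to exempt traffic from; the example shows that ordering only implicitly. The unchanged explanation still describes the second rule as applying to net "with the exception of those in the sam zone", although nothing in that rule names sam any more. Suggest adding a sentence that attributes the exclusion to the preceding ACCEPT+ rule and states the ordering requirement. Since the rule also grants SSH access to $FW, a misplaced ACCEPT+ changes who can reach the firewall, so the wording should be explicit.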
@@ -1697,11 +1696,16 @@ DNAT net loc:192.168.1.3 tcp ssh
url="Shorewall_and_Kazaa.html">Kazaa filtering.
- When the protocol specified in the PROTO column is TCP
+ With Shorewall versions prior to 3.2.0, when the
+ protocol specified in the PROTO column is TCP
(tcp, TCP or
6), Shorewall will only pass connection
requests (SYN packets) to user space. This is for
compatibility with ftwall.
+
+ With Shorewall version 3.2.0 and later, this special
+ treatment no longer applies. Rather, use tcp:syn in the
+ PROTOCOL column to acheive this behavior.
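Review bot: The added paragraph refers to the "PROTOCOL column" while the paragraph above it, edited in the same hunk, calls it the "PROTO column"; use one name for both. "acheive" should be "achieve". The text also does not say what an existing rule with tcp in that column does after an upgrade to 3.2.0. If such a rule now passes every TCP packet to user space rather than only SYN packets, say so and tell the reader to change the entry to tcp:syn. A silent change in what reaches the user-space filter is something an administrator needs to know before upgrading.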
@@ -1779,11 +1783,7 @@ ACCEPT:info - - tc
Describes the source hosts to which the rule applies.. The
contents of this field must begin with the name of a zone defined in
- /etc/shorewall/zones, $FW, all or "none". If the
- ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule
- by following the initial zone name with ! and a
- comma-separated list of those sub-zones to be excluded. There is an
- example above.
+ /etc/shorewall/zones, $FW, all or "none".
If the source is "none" then the rule is ignored. This is most
commonly used with
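Review bot: The description of the `!` sub-zone exclusion for DNAT and REDIRECT is removed from the SOURCE column text without a version qualifier or a pointer to what replaces it, unlike the second hunk, which states "With Shorewall versions prior to 3.2.0". A reader with an existing rule such as net!sam cannot tell from this section whether the syntax is still accepted. Suggest keeping one sentence that says from which version the exclusion syntax no longer applies and that refers to the ACCEPT+ example earlier in the document.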