From 7c22d6f6e9d7430cde6f2ff985de6ab25e9db797 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Date: Mon, 22 Jul 2019 13:12:39 +0300
Subject: README: insert warning on firewall

---
 README.md | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d0a412e..97c8c62 100644
--- a/README.md
+++ b/README.md
@@ -115,6 +115,15 @@ rc-service lighttpd start
 
 ## Setting Up a Hub
 
+*Warning*: This procedure will automatically set up the `iptables` firewall
+using `awall`. If you require any additional rules, such as allowing SSH access
+to the host, you should configure those first. The easiest way to do so is to
+use the `setup-firewall` utility:
+
+<pre>apk add awall-policies
+setup-firewall
+</pre>
+
 Install the `dmvpn` package on the host to be configured as a DMVPN hub. It is
 assumed that the network configuration of the host is already in place.
 
@@ -130,9 +139,9 @@ maximum length should be given.
 <pre>setup-dmvpn &lt;pfx file&gt;
 </pre>
 
-The hub is now operational. The tool sets up the `iptables` firewall
-automatically using `awall`. Firewall for IPv6 (`ip6tables`) is set up only if
-IPv6 addresses are defined for the VPN.
+The hub is now operational and its firewall has been set up. Firewall for IPv6
+(`ip6tables`) is set up by `setup-dmvpn` only if IPv6 addresses are defined for
+the VPN. (`setup-firewall` sets it up if IPv6 is enabled in the kernel.)
 
 Due to an unresolved issue, you may have to reboot the host if VPN tunnels are
 not established within a reasonable time.
-- 
cgit v1.2.3