diff --git a/sec/ex-4_iptables.adoc b/sec/ex-4_iptables.adoc
index 26e6d7c..88ad099 100644
--- a/sec/ex-4_iptables.adoc
+++ b/sec/ex-4_iptables.adoc
@@ -57,10 +57,72 @@ image::basics.png[Basic Two-Interface Firewall]
 Assuming you're already logged in master!
+master is now our Firewall/Router
+
 swarmlab-sec login
 ====
+== Shorewall Concepts
+
+The configuration files for Shorewall are contained in the directory /etc/shorewall
+
+=== zones — Shorewall zone declaration file
+
+The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces
+
+
+./etc/shorewall/zones
+[source,bash]
+----
+#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+fw firewall
+net ipv4
+loc ipv4
+----
+
+=== interfaces — Shorewall interfaces file
+
+The interfaces file serves to define the firewall's network interfaces to Shorewall.
+
+./etc/shorewall/interfaces
+[source,bash]
+----
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 dhcp,routefilter
+loc eth1 detect
+----
+
+
+=== policy — Shorewall policy file
+
+This file defines the high-level policy for connections between zone
+
+
+./etc/shorewall/policy
+[source,bash]
+----
+#SOURCE DEST POLICY LOGLEVEL LIMIT
+loc net ACCEPT
+net all DROP info
+all all REJECT info
+----
+
+
+=== rules — Shorewall rules file
+
+Entries in this file govern connection establishment by defining exceptions to the policies
+
+
+./etc/shorewall/rules
+[source,bash]
+----
+#ACTION SOURCE DEST PROTO DPORT
+ACCEPT $FW net udp 53
+ACCEPT net $FW udp 53
+ACCEPT $FW net tcp 80
+ACCEPT net $FW tcp 80
+----