From 08f88eedae94f5cc82d3e94568b4c9ba5b5a9307 Mon Sep 17 00:00:00 2001 From: Joachim Wiberg Date: Mon, 6 Sep 2021 07:50:41 +0200 Subject: [PATCH] Move example earlier and add caveat, not a firewall replacement Signed-off-by: Joachim Wiberg --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a8804ed..9d0f556 100644 --- a/README.md +++ b/README.md @@ -3,12 +3,19 @@ Service access control (ACL) by wrapping the Linux `accept()`, `recv()`, `recvfrom()`, and `recvmsg()` system calls, for TCP and UDP. +**Example:** drop connections from WAN interface for your web server and + SNMP agent, without involving weird `iptables` or `nft` commands. + The accept guard wrapper allows access to services based on a list of interfaces and ports. It is loaded using the `LD_PRELOAD` environment variable, controlled by the environment variable `ACCEPT_GUARD_ACL` -**Example:** drop connections from WAN interface for your web server and - SNMP agent, without involving weird `iptables` or `nft` commands. +> **Note:** the accept guard is not a replacement for a real firewall. +> It is a poor man's "good enough" interface filtering mechanism. +> This is reflected in much of the defaults and fallbacks in the code, +> e.g., if inbound interface cannot be determined (TCP/UDP), the +> connection is allowed. This to not prevent `AF_UNIX` and other +> types of conmmunication that uses the `recv()` family of syscalls. ## Syntax
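Review bot: the new `> **Note:**` block in this hunk has a typo and a sentence fragment that should be fixed before merge: `conmmunication` should be `communication`, and `This to not prevent ...` lacks a verb, e.g. `This is so as not to block `AF_UNIX` and other types of communication that use the `recv()` family of syscalls.` Since this paragraph is the one place that documents the fail-open behaviour (inbound interface undetermined means the connection is allowed), it is worth being precise here; consider also stating it as a plain sentence such as `If the inbound interface cannot be determined, the connection is allowed.` so readers do not miss the security implication in the parenthetical. Minor: the unchanged context line ending in `ACCEPT_GUARD_ACL` has no terminating period, which reads oddly now that the Note block directly follows it; adding one is a one-character change within the same hunk.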