From 16de6e1b86f3ab9082f0acea1a3349d28d4cf9f8 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 20 May 2003 23:21:38 +0000
Subject: [PATCH] Shorewall 1.4.3a Changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
STABLE/changelog.txt | 2 +
STABLE/common.def | 1 +
STABLE/documentation/NAT.htm | 167 +-
STABLE/documentation/News.htm | 4519 +++++++++--------
STABLE/documentation/images/network.png | Bin 53638 -> 52379 bytes
.../documentation/seattlefirewall_index.htm | 362 +-
STABLE/documentation/sourceforge_index.htm | 378 +-
STABLE/fallback.sh | 2 +-
STABLE/firewall | 71 +-
STABLE/install.sh | 2 +-
STABLE/releasenotes.txt | 16 +
STABLE/shorewall.spec | 4 +-
STABLE/uninstall.sh | 2 +-
13 files changed, 2833 insertions(+), 2693 deletions(-)
diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
index ad9088bef..29425d6ba 100644
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@@ -9,3 +9,5 @@ Changes since 1.4.2
4. Return more appropriate ICMP responses if the systems supports them.
+5. Silently drop UDP 135 in common.def.
+
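Review bot: the new entry 5 reads "Silently drop UDP 135", but the rule this commit adds to common.def is `run_iptables -A common -p udp --dport 135 -j reject`, which jumps to the same reject chain as the adjacent NETBIOS rules rather than dropping silently; either the wording here should say "reject" or the rule should target DROP. The second added line is only an empty trailing line at the end of the file and can be left out.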
diff --git a/STABLE/common.def b/STABLE/common.def
index ef0b4a554..5e1ce0657 100644
--- a/STABLE/common.def
+++ b/STABLE/common.def
@@ -16,6 +16,7 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################
# NETBIOS chatter
#
+run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
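Review bot: `-j reject` on the new UDP 135 rule does not match the "silently drop" wording used for this change in changelog.txt and in the 5/20/2003 News entry; by that same entry, the reject chain answers UDP with an ICMP port unreachable on iptables 1.2.7a and kernel 2.4.20, so a silent drop needs `-j DROP` here, and if one port is deliberately dropped while 137:139 and 445 are rejected, that asymmetry deserves a comment. Also, the block header still says "NETBIOS chatter"; UDP 135 is the Microsoft RPC endpoint mapper rather than NetBIOS, so a one-line comment on the new rule would save the next reader a trip to the release notes.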
diff --git a/STABLE/documentation/NAT.htm b/STABLE/documentation/NAT.htm
index b45526c6e..eb4530c3a 100644
--- a/STABLE/documentation/NAT.htm
+++ b/STABLE/documentation/NAT.htm
@@ -1,114 +1,117 @@
-
+
Shorewall NAT
-
+
-
+
-
-
+
+
-
-
-
+ |
+
+
Static NAT
- |
-
-
-
+
+
+
+
-
- IMPORTANT: If all you want to do is forward
- ports to servers behind your firewall, you do NOT want to use static
-NAT. Port forwarding can be accomplished with simple entries in the
- rules file.
-
- Static NAT is a way to make systems behind a firewall and configured
-with private IP addresses (those reserved for private use in RFC1918)
-appear to have public IP addresses. Before you try to use this technique,
+
+
IMPORTANT: If all you want to do is forward
+ ports to servers behind your firewall, you do NOT want to use static
+NAT. Port forwarding can be accomplished with simple entries in the
+ rules file.
+
+ Static NAT is a way to make systems behind a firewall and configured
+with private IP addresses (those reserved for private use in RFC1918)
+appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the Shorewall Setup Guide.
-
+
The following figure represents a static NAT environment.
-
+
-
-
+
+
-
- Static NAT can be used to make the systems with the
- 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
-we assume that the interface to the upper subnet is eth0, then the following
- /etc/shorewall/NAT file would make the lower left-hand system appear
-to have IP address 130.252.100.18 and the right-hand one to have IP address
- 130.252.100.19.
-
+
+ Static NAT can be used to make the systems with the 10.1.1.*
+addresses appear to be on the upper (130.252.100.*) subnet. If we assume
+that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
+file would make the lower left-hand system appear to have IP address
+130.252.100.18 and the right-hand one to have IP address 130.252.100.19.
+
-
-
- EXTERNAL |
- INTERFACE |
- INTERNAL |
- ALL INTERFACES |
- LOCAL |
-
+
- 130.252.100.18 |
- eth0 |
- 10.1.1.2 |
- yes |
- yes |
-
-
- 130.252.100.19 |
- eth0 |
- 10.1.1.3 |
- yes |
- yes |
-
-
-
+ EXTERNAL |
+ INTERFACE |
+ INTERNAL |
+ ALL INTERFACES |
+ LOCAL |
+
+
+ 130.252.100.18 |
+ eth0 |
+ 10.1.1.2 |
+ yes |
+ yes |
+
+
+ 130.252.100.19 |
+ eth0 |
+ 10.1.1.3 |
+ yes |
+ yes |
+
+
+
-
- Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
- example) is (are) not included in any specification in /etc/shorewall/masq
+
+
Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
+ example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.
-
- Note 1: The "ALL INTERFACES" column
-is used to specify whether access to the external IP from all firewall
- interfaces should undergo NAT (Yes or yes) or if only access from the
- interface in the INTERFACE column should undergo NAT. If you leave this
- column empty, "Yes" is assumed. The ALL INTERFACES column was added
-in version 1.1.6.
-
- Note 2: Shorewall will automatically add the external address to the
+
+
Note 1: The "ALL INTERFACES" column is used
+to specify whether access to the external IP from all firewall interfaces
+should undergo NAT (Yes or yes) or if only access from the interface in
+the INTERFACE column should undergo NAT. If you leave this column empty,
+"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.
+
+ Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify ADD_IP_ALIASES="no" (or "No") in
-/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
-you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
-
- Note 3: The contents of the "LOCAL" column
-determine whether packets originating on the firewall itself and destined
-for the EXTERNAL address are redirected to the internal ADDRESS. If this
-column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
-"Yes" or "yes") then such packets are redirected; otherwise, such packets
+ href="Documentation.htm#Aliases">ADD_IP_ALIASES="no" (or "No") in
+/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
+you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
+ RESTRICTION: Shorewall can only add external addresses to an interface
+that is configured with a single subnetwork -- if your external interface
+has addresses in more than one subnetwork, Shorewall can only add addresses
+to the first one.
+
+ Note 3: The contents of the "LOCAL" column
+determine whether packets originating on the firewall itself and destined
+for the EXTERNAL address are redirected to the internal ADDRESS. If this
+column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
+"Yes" or "yes") then such packets are redirected; otherwise, such packets
are not redirected. The LOCAL column was added in version 1.1.8.
-
-
+
+
-
-Last updated 1/11/2003 - Last updated 4/11/2003 - Tom Eastep
- Copyright © Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
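Review bot: the one substantive change in this hunk, the RESTRICTION paragraph added to Note 2 ("Shorewall can only add external addresses to an interface that is configured with a single subnetwork -- if your external interface has addresses in more than one subnetwork, Shorewall can only add addresses to the first one"), is buried in a whole-file reflow of otherwise unchanged paragraphs and table cells, which makes it easy to miss; a whitespace-only commit followed by the content change would review more cleanly. The restriction itself would be clearer if it said what happens to NAT entries whose EXTERNAL address falls outside that first subnetwork (skipped, or a startup error), since the reader who hits it is the one running ADD_IP_ALIASES=Yes on a multi-subnet external interface. Minor: "shorewall.conf; If you do not set" keeps a semicolon followed by a capitalised "If"; a full stop reads better.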
diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm
index ce8c60946..43bd19380 100644
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@@ -4,7 +4,7 @@
-
+
Shorewall News
@@ -13,947 +13,943 @@
-
+
-
+
-
+
-
-
-
+ |
+
+
-
+
Shorewall News Archive
- |
-
+
+
-
-
+
+
-
-5/18/2003 - Shorewall 1.4.3
-
- Problems Corrected:
-
-
- - There were several cases where Shorewall would fail to remove a temporary
-directory from /tmp. These cases have been corrected.
- - The rules for allowing all traffic via the loopback interface have
-been moved to before the rule that drops status=INVALID packets. This insures
-that all loopback traffic is allowed even if Netfilter connection tracking
-is confused.
-
- New Features:
-
-
- - IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels
-file.
- - Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
- by setting LOGMARKER="fp=" in /etc/shorewall/shorewall.conf. Note: You may
- not use ULOG with fireparse unless you modify fireparse.
-
-5/10/2003 - Shorewall Mirror in Asia
-
-
-Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
-
-
-5/8/2003 - Shorewall Mirror in Chile
- Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.
+
+5/20/2003 - Shorewall-1.4.3a
+
+This version primarily corrects the documentation included in the .tgz and
+in the .rpm. In addition:
-4/21/2003 - Samples updated for Shorewall version 1.4.2
-
-Thanks to Francesca Smith, the sample configurations are now upgraded to
-Shorewall version 1.4.2.
-
-4/9/2003 - Shorewall 1.4.2
-
-
- Problems Corrected:
-
-
-
- - TCP connection requests rejected out of the common chain
- are now properly rejected with TCP RST; previously, some of these requests
- were rejected with an ICMP port-unreachable response.
- - 'traceroute -I' from behind the firewall previously timed out
- on the first hop (e.g., to the firewall). This has been worked around.
-
-
-
-
- New Features:
-
- - Where an entry in the/etc/shorewall/hosts file specifies a particular
- host or network, Shorewall now creates an intermediate chain for handling
- input from the related zone. This can substantially reduce the number of
- rules traversed by connections requests from such zones.
-
-
- - Any file may include an INCLUDE directive. An INCLUDE directive
- consists of the word INCLUDE followed by a file name and causes the contents
- of the named file to be logically included into the file containing the
-INCLUDE. File names given in an INCLUDE directive are assumed to reside
-in /etc/shorewall or in an alternate configuration directory if one has
-been specified for the command.
-
- Examples:
- shorewall/params.mgmt:
- MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
- TIME_SERVERS=4.4.4.4
- BACKUP_SERVERS=5.5.5.5
- ----- end params.mgmt -----
-
-
- shorewall/params:
- # Shorewall 1.3 /etc/shorewall/params
- [..]
- #######################################
-
- INCLUDE params.mgmt
-
- # params unique to this host here
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- ----- end params -----
-
-
- shorewall/rules.mgmt:
- ACCEPT net:$MGMT_SERVERS $FW tcp 22
- ACCEPT $FW net:$TIME_SERVERS udp 123
- ACCEPT $FW net:$BACKUP_SERVERS tcp 22
- ----- end rules.mgmt -----
-
- shorewall/rules:
- # Shorewall version 1.3 - Rules File
- [..]
- #######################################
-
- INCLUDE rules.mgmt
-
- # rules unique to this host here
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- ----- end rules -----
-
- INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
-directives are ignored with a warning message.
-
-
- - Routing traffic from an interface back out that interface continues
- to be a problem. While I firmly believe that this should never happen,
-people continue to want to do it. To limit the damage that such nonsense
-produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
-and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
- column may not contain '-'; in other words, 'routeback' can't be used as
- an option for a multi-zone interface. The 'routeback' option CAN be specified
- however on individual group entries in /etc/shorewall/hosts.
-
- The 'routeback' option is similar to the old 'multi' option with two
- exceptions:
-
- a) The option pertains to a particular zone,interface,address tuple.
-
- b) The option only created infrastructure to pass traffic from
-(zone,interface,address) tuples back to themselves (the 'multi' option
-affected all (zone,interface,address) tuples associated with the given
-'interface').
-
- See the 'Upgrade Issues' for information
- about how this new option may affect your configuration.
-
-
+ - (This change is in 1.4.3 but is not documented) If you are running iptables
+1.2.7a and kernel 2.4.20, then Shorewall will return reject replies as follows:
+ a) tcp - RST
+ b) udp - ICMP port unreachable
+ c) icmp - ICMP host unreachable
+ d) Otherwise - ICMP host prohibited
+ If you are running earlier software, Shorewall will follow it's traditional
+convention:
+ a) tcp - RST
+ b) Otherwise - ICMP port unreachable
+ - UDP port 135 is now silently dropped in the common.def chain. Remember
+that this chain is traversed just before a DROP or REJECT policy is enforced.
+
-
-3/24/2003 - Shorewall 1.4.1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-This release follows up on 1.4.0. It corrects a problem introduced in
-1.4.0 and removes additional warts.
-
- Problems Corrected:
+
5/18/2003 - Shorewall 1.4.3
-
+ Problems Corrected:
+
- - When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
- it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
- file is empty. That problem has been corrected so that ECN disabling rules
- are only added if there are entries in /etc/shorewall/ecn.
+ - There were several cases where Shorewall would fail to remove a temporary
+directory from /tmp. These cases have been corrected.
+ - The rules for allowing all traffic via the loopback interface have
+been moved to before the rule that drops status=INVALID packets. This insures
+that all loopback traffic is allowed even if Netfilter connection tracking
+is confused.
+
+
+ New Features:
+
+
+ - IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels
+ file.
+ - Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
+ by setting LOGMARKER="fp=" in /etc/shorewall/shorewall.conf. Note: You may
+ not use ULOG with fireparse unless you modify fireparse.
+
+
+
+5/10/2003 - Shorewall Mirror in Asia
+
+
+Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
+
+
+5/8/2003 - Shorewall Mirror in Chile
+ Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago
+Chile.
+4/21/2003 - Samples updated for Shorewall version 1.4.2
+
+Thanks to Francesca Smith, the sample configurations are now upgraded
+to Shorewall version 1.4.2.
+
+4/9/2003 - Shorewall 1.4.2
+
+
+ Problems Corrected:
+
+
+
+ - TCP connection requests rejected out of the common chain
+ are now properly rejected with TCP RST; previously, some of these requests
+ were rejected with an ICMP port-unreachable response.
+ - 'traceroute -I' from behind the firewall previously timed out
+ on the first hop (e.g., to the firewall). This has been worked around.
+
+
+
+
+ New Features:
+
+
+ - Where an entry in the/etc/shorewall/hosts file specifies a particular
+ host or network, Shorewall now creates an intermediate chain for handling
+ input from the related zone. This can substantially reduce the number
+of rules traversed by connections requests from such zones.
+
+
+ - Any file may include an INCLUDE directive. An INCLUDE directive
+ consists of the word INCLUDE followed by a file name and causes the contents
+ of the named file to be logically included into the file containing the
+INCLUDE. File names given in an INCLUDE directive are assumed to reside
+in /etc/shorewall or in an alternate configuration directory if one has
+been specified for the command.
+
+ Examples:
+ shorewall/params.mgmt:
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
+ ----- end params.mgmt -----
+
+
+ shorewall/params:
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+ ----- end params -----
+
+
+ shorewall/rules.mgmt:
+ ACCEPT net:$MGMT_SERVERS $FW tcp 22
+ ACCEPT $FW net:$TIME_SERVERS udp 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp 22
+ ----- end rules.mgmt -----
+
+ shorewall/rules:
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ ----- end rules -----
+
+ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
+directives are ignored with a warning message.
+
+
+ - Routing traffic from an interface back out that interface continues
+ to be a problem. While I firmly believe that this should never happen,
+ people continue to want to do it. To limit the damage that such nonsense
+ produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
+ and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the
+'ZONE' column may not contain '-'; in other words, 'routeback' can't
+be used as an option for a multi-zone interface. The 'routeback' option
+CAN be specified however on individual group entries in /etc/shorewall/hosts.
+
+ The 'routeback' option is similar to the old 'multi' option with
+two exceptions:
+
+ a) The option pertains to a particular zone,interface,address
+tuple.
+
+ b) The option only created infrastructure to pass traffic from
+(zone,interface,address) tuples back to themselves (the 'multi' option
+affected all (zone,interface,address) tuples associated with the given
+'interface').
+
+ See the 'Upgrade Issues' for information
+ about how this new option may affect your configuration.
+
- New Features:
-
-Note: In the list that follows, the term group refers to
-a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a
-host address) accessed through a particular interface. Examples:
-
+
+3/24/2003 - Shorewall 1.4.1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
+and removes additional warts.
+
+ Problems Corrected:
+
+
+
+ - When Shorewall 1.4.0 is run under the ash shell (such as on
+Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
+ file is empty. That problem has been corrected so that ECN disabling rules
+ are only added if there are entries in /etc/shorewall/ecn.
+
+
+ New Features:
+
+Note: In the list that follows, the term group refers
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
+a host address) accessed through a particular interface. Examples:
+
eth0:0.0.0.0/0
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
- You can use the "shorewall check" command to see the groups associated
- with each of your zones.
-
-
+ eth2:192.168.1.0/24
+ eth3:192.0.2.123
+
+ You can use the "shorewall check" command to see the groups associated
+ with each of your zones.
+
+
- - Beginning with Shorewall 1.4.1, if a zone Z comprises more than
- one group then if there is no explicit Z to Z policy and there are
- no rules governing traffic from Z to Z then Shorewall will permit all traffic
- between the groups in the zone.
- - Beginning with Shorewall 1.4.1, Shorewall will never create rules
- to handle traffic from a group to itself.
- - A NONE policy is introduced in 1.4.1. When a policy of NONE is
- specified from Z1 to Z2:
-
+ - Beginning with Shorewall 1.4.1, if a zone Z comprises more than
+ one group then if there is no explicit Z to Z policy and there
+are no rules governing traffic from Z to Z then Shorewall will permit all
+traffic between the groups in the zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will never create
+rules to handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When a policy of NONE
+is specified from Z1 to Z2:
+
-
+
- - There may be no rules created that govern connections from Z1
-to Z2.
- - Shorewall will not create any infrastructure to handle traffic
+
- There may be no rules created that govern connections from Z1
+ to Z2.
+ - Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.
-
+
- See the upgrade issues for a discussion
- of how these changes may affect your configuration.
+ See the upgrade issues for a discussion
+ of how these changes may affect your configuration.
3/17/2003 - Shorewall 1.4.0
- Shorewall 1.4 represents
- the next step in the evolution of Shorewall. The main thrust of the
- initial release is simply to remove the cruft that has accumulated in
+ Shorewall 1.4 represents
+ the next step in the evolution of Shorewall. The main thrust of the
+ initial release is simply to remove the cruft that has accumulated in
Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package
- ('ip' utility).
-
- Function from 1.3 that has been omitted from this version
-include:
-
+
+ IMPORTANT: Shorewall 1.4.0 requires the iproute package
+ ('ip' utility).
+
+ Function from 1.3 that has been omitted from this version
+ include:
+
- - The MERGE_HOSTS variable in shorewall.conf is no
+
- The MERGE_HOSTS variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer>
- in /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
- OLD_PING_HANDLING=Yes will generate an error at startup as will specification
- of the 'noping' or 'filterping' interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces
- and /etc/shorewall/hosts files is no longer supported and will generate
- an error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and REDIRECT rules
-is no longer accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf is no longer
- supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
-
- Changes for 1.4 include:
-
-
- - The /etc/shorewall/shorewall.conf file has been completely
- reorganized into logical sections.
-
-
- - LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - The firewall script and version file are now installed
- in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently dropped in
- the common chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No, Shorewall
- 1.4 no longer unconditionally accepts outbound ICMP packets. So if
-you want to 'ping' from the firewall, you will need the appropriate rule
-or policy.
-
-
- - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n> now support
- the 'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC 3168) may now
-be turned off on a host or network basis using the new /etc/shorewall/ecn
- file. To use this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed first so that
- variables may be used in the /etc/shorewall/shorewall.conf file.
-
-
- - Shorewall now gives a more helpful diagnostic when
- the 'ipchains' compatibility kernel module is loaded and a 'shorewall
-start' command is issued.
-
-
- - The SHARED_DIR variable has been removed from shorewall.conf.
- This variable was for use by package maintainers and was not documented
- for general use.
-
-
- - Shorewall now ignores 'default' routes when detecting masq'd
- networks.
-
-
-
-3/10/2003 - Shoreall 1.3.14a
-
-A roleup of the following bug fixes and other updates:
-
-
- - There is an updated rfc1918 file that reflects the resent allocation
- of 222.0.0.0/8 and 223.0.0.0/8.
-
-
-
-
- - The documentation for the routestopped file claimed that a comma-separated
- list could appear in the second column while the code only supported
- a single host or network address.
- - Log messages produced by 'logunclean' and 'dropunclean' were
-not rate-limited.
- - 802.11b devices with names of the form wlan<n>
-don't support the 'maclist' interface option.
- - Log messages generated by RFC 1918 filtering are not rate limited.
- - The firewall fails to start in the case where you have "eth0
-eth1" in /etc/shorewall/masq and the default route is through eth1
-
-
-
-2/8/2003 - Shoreawall 1.3.14
-
-New features include
-
-
- - An OLD_PING_HANDLING option has been added to shorewall.conf.
- When set to Yes, Shorewall ping handling is as it has always been
- (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled
- via rules and policies just like any other connection request.
- The FORWARDPING=Yes option in shorewall.conf and the 'noping'
-and 'filterping' options in /etc/shorewall/interfaces will all
-generate an error.
-
-
- - It is now possible to direct Shorewall to create
-a "label" such as "eth0:0" for IP addresses that it creates under
- ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
- the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the form
-$DEV.$VID (e.g., eth0.0)
- - In /etc/shorewall/tcrules, the MARK value may be optionally
- followed by ":" and either 'F' or 'P' to designate that the marking
- will occur in the FORWARD or PREROUTING chains respectively. If this
- additional specification is omitted, the chain used to mark packets
-will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
-in shorewall.conf.
-
-
- - When an interface name is entered in the SUBNET
-column of the /etc/shorewall/masq file, Shorewall previously masqueraded
- traffic from only the first subnet defined on that interface. It
- did not masquerade traffic from:
-
- a) The subnets associated with other addresses
-on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an
-interface name in the SUBNET column, shorewall will use the firewall's
-routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
- local subnets connected to an interface that is specified in
-the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
- file will need changing. In most cases, you will simply be able to
-remove redundant entries. In some cases though, you might want to change
-from using the interface name to listing specific subnetworks if the
-change described above will cause masquerading to occur on subnetworks
- that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is
-as follows:
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration is
- like this?
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry
- in /etc/shorewall/masq to:
-
-
- #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+ - Interface names of the form <device>:<integer>
+ in /etc/shorewall/interfaces now generate an error.
+
+
+ - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
+ OLD_PING_HANDLING=Yes will generate an error at startup as will specification
+ of the 'noping' or 'filterping' interface options.
+
+
+ - The 'routestopped' option in the /etc/shorewall/interfaces
+ and /etc/shorewall/hosts files is no longer supported and will generate
+ an error at startup if specified.
+
+
+ - The Shorewall 1.2 syntax for DNAT and REDIRECT rules
+ is no longer accepted.
+
+
+ - The ALLOWRELATED variable in shorewall.conf is no longer
+ supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
+
+
+ - The icmp.def file has been removed.
+
+
-
-
- 2/5/2003 - Shorewall Support included in Webmin 1.060
-
-Webmin version 1.060 now has Shorewall support included as standard. See
- http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
-
-Includes the Beta 2 content plus support for OpenVPN tunnels.
-
-1/28/2003 - Shorewall 1.3.14-Beta2
-
-Includes the Beta 1 content plus restores VLAN device names of the form
- $dev.$vid (e.g., eth0.1)
-
-1/25/2003 - Shorewall 1.3.14-Beta1
-
-
-The Beta includes the following changes:
-
-
+ Changes for 1.4 include:
+
- - An OLD_PING_HANDLING option has been added
-to shorewall.conf. When set to Yes, Shorewall ping handling is
-as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled
- via rules and policies just like any other connection request.
- The FORWARDPING=Yes option in shorewall.conf and the 'noping'
-and 'filterping' options in /etc/shorewall/interfaces will all
-generate an error.
-
-
- - It is now possible to direct Shorewall to create
- a "label" such as "eth0:0" for IP addresses that it creates under
- ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
- the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - When an interface name is entered in the SUBNET
- column of the /etc/shorewall/masq file, Shorewall previously masqueraded
- traffic from only the first subnet defined on that interface. It
- did not masquerade traffic from:
-
- a) The subnets associated with other addresses
-on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an
-interface name in the SUBNET column, shorewall will use the firewall's
+ - The /etc/shorewall/shorewall.conf file has been completely
+ reorganized into logical sections.
+
+
+ - LOG is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - The firewall script and version file are now installed
+ in /usr/share/shorewall.
+
+
+ - Late arriving DNS replies are now silently dropped
+in the common chain by default.
+
+
+ - In addition to behaving like OLD_PING_HANDLING=No,
+Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets.
+So if you want to 'ping' from the firewall, you will need the appropriate
+rule or policy.
+
+
+ - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - 802.11b devices with names of the form wlan<n> now
+support the 'maclist' option.
+
+
+ - Explicit Congestion Notification (ECN - RFC 3168) may now
+be turned off on a host or network basis using the new /etc/shorewall/ecn
+ file. To use this facility:
+
+ a) You must be running kernel 2.4.20
+ b) You must have applied the patch in
+ http://www.shorewall/net/pub/shorewall/ecn/patch.
+ c) You must have iptables 1.2.7a installed.
+
+
+ - The /etc/shorewall/params file is now processed first so
+that variables may be used in the /etc/shorewall/shorewall.conf file.
+
+
+ - Shorewall now gives a more helpful diagnostic when
+ the 'ipchains' compatibility kernel module is loaded and a 'shorewall
+ start' command is issued.
+
+
+ - The SHARED_DIR variable has been removed from shorewall.conf.
+ This variable was for use by package maintainers and was not documented
+ for general use.
+
+
+ - Shorewall now ignores 'default' routes when detecting masq'd
+ networks.
+
+
+
+3/10/2003 - Shoreall 1.3.14a
+
+A roleup of the following bug fixes and other updates:
+
+
+ - There is an updated rfc1918 file that reflects the resent allocation
+ of 222.0.0.0/8 and 223.0.0.0/8.
+
+
+
+
+ - The documentation for the routestopped file claimed that a
+comma-separated list could appear in the second column while the
+code only supported a single host or network address.
+ - Log messages produced by 'logunclean' and 'dropunclean' were
+ not rate-limited.
+ - 802.11b devices with names of the form wlan<n>
+don't support the 'maclist' interface option.
+ - Log messages generated by RFC 1918 filtering are not rate limited.
+ - The firewall fails to start in the case where you have "eth0
+ eth1" in /etc/shorewall/masq and the default route is through eth1
+
+
+
+2/8/2003 - Shoreawall 1.3.14
+
+New features include
+
+
+ - An OLD_PING_HANDLING option has been added to shorewall.conf.
+ When set to Yes, Shorewall ping handling is as it has always been
+ (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled
+ via rules and policies just like any other connection request.
+ The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
+ 'filterping' options in /etc/shorewall/interfaces will all generate
+ an error.
+
+
+ - It is now possible to direct Shorewall to create
+ a "label" such as "eth0:0" for IP addresses that it creates under
+ ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
+ the label instead of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - Support for OpenVPN Tunnels.
+
+
+ - Support for VLAN devices with names of the form
+$DEV.$VID (e.g., eth0.0)
+
+
+ - In /etc/shorewall/tcrules, the MARK value may be
+optionally followed by ":" and either 'F' or 'P' to designate that
+the marking will occur in the FORWARD or PREROUTING chains respectively.
+If this additional specification is omitted, the chain used to mark
+packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN
+option in shorewall.conf.
+
+
+ - When an interface name is entered in the SUBNET
+column of the /etc/shorewall/masq file, Shorewall previously masqueraded
+ traffic from only the first subnet defined on that interface.
+It did not masquerade traffic from:
+
+ a) The subnets associated with other addresses
+ on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an
+interface name in the SUBNET column, shorewall will use the firewall's
routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
+
+ Example 1 -- This is how it works in 1.3.14.
+
-
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
- local subnets connected to an interface that is specified in
-the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
- file will need changing. In most cases, you will simply be able to
-remove redundant entries. In some cases though, you might want to change
-from using the interface name to listing specific subnetworks if the
-change described above will cause masquerading to occur on subnetworks
- that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is
-as follows:
-
-
+
+ [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+
+ When upgrading to Shorewall 1.3.14, if you have
+multiple local subnets connected to an interface that is specified
+in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
+ file will need changing. In most cases, you will simply be able to
+remove redundant entries. In some cases though, you might want to change
+from using the interface name to listing specific subnetworks if the change
+ described above will cause masquerading to occur on subnetworks that you
+ don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is
+as follows:
+
+
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration is
- like this?
-
-
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration
+is like this?
+
+
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry
- in /etc/shorewall/masq to:
-
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, you would want to change the entry
+ in /etc/shorewall/masq to:
+
+
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
+
+
+ 2/5/2003 - Shorewall Support included in Webmin 1.060
+
+Webmin version 1.060 now has Shorewall support included as standard. See
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
+
+Includes the Beta 2 content plus support for OpenVPN tunnels.
+
+1/28/2003 - Shorewall 1.3.14-Beta2
+Includes the Beta 1 content plus restores VLAN device names of the form
+ $dev.$vid (e.g., eth0.1)
+
+1/25/2003 - Shorewall 1.3.14-Beta1
+
+
+The Beta includes the following changes:
+
+
+
+ - An OLD_PING_HANDLING option has been added
+to shorewall.conf. When set to Yes, Shorewall ping handling is
+as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled
+ via rules and policies just like any other connection request.
+ The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
+ 'filterping' options in /etc/shorewall/interfaces will all generate
+ an error.
+
+
+ - It is now possible to direct Shorewall to
+create a "label" such as "eth0:0" for IP addresses that it creates
+under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done
+by specifying the label instead of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered in the SUBNET
+ column of the /etc/shorewall/masq file, Shorewall previously masqueraded
+ traffic from only the first subnet defined on that interface. It
+ did not masquerade traffic from:
+
+ a) The subnets associated with other addresses
+ on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an
+interface name in the SUBNET column, shorewall will use the firewall's
+routing table to construct the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
+
+
+
+ [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+
+ When upgrading to Shorewall 1.3.14, if you have
+multiple local subnets connected to an interface that is specified
+in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
+ file will need changing. In most cases, you will simply be able to
+remove redundant entries. In some cases though, you might want to change
+from using the interface name to listing specific subnetworks if the change
+ described above will cause masquerading to occur on subnetworks that you
+ don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is
+as follows:
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration
+is like this?
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, you would want to change the entry
+ in /etc/shorewall/masq to:
+
+
+
+ #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
the PDF may be downloaded from
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
1/17/2003 - shorewall.net has MOVED
-
+
Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net
-are now hosted on a system in Bellevue, Washington. A big thanks to Alex
-for making this happen.
-
-
+ href="http://www.rettc.com">Rett Consulting, www.shorewall.net and
+ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
+big thanks to Alex for making this happen.
+
+
1/13/2003 - Shorewall 1.3.13
-
-
+
+
Just includes a few things that I had on the burner:
-
-
+
+
- - A new 'DNAT-' action has been added for
-entries in the /etc/shorewall/rules file. DNAT- is intended for
-advanced users who wish to minimize the number of rules that connection
- requests must traverse.
-
- A Shorewall DNAT rule actually generates two
-iptables rules: a header rewriting rule in the 'nat' table and
-an ACCEPT rule in the 'filter' table. A DNAT- rule only generates
-the first of these rules. This is handy when you have several DNAT
+ - A new 'DNAT-' action has been added for
+ entries in the /etc/shorewall/rules file. DNAT- is intended
+for advanced users who wish to minimize the number of rules that
+connection requests must traverse.
+
+ A Shorewall DNAT rule actually generates two
+iptables rules: a header rewriting rule in the 'nat' table and
+an ACCEPT rule in the 'filter' table. A DNAT- rule only generates
+the first of these rules. This is handy when you have several DNAT
rules that would generate the same ACCEPT rule.
-
- Here are three rules from my previous rules
+
+ Here are three rules from my previous rules
file:
-
- DNAT net dmz:206.124.146.177 tcp smtp
- - 206.124.146.178
- DNAT net dmz:206.124.146.177 tcp smtp
- - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-
- These three rules ended up generating _three_
+
+ DNAT net dmz:206.124.146.177 tcp
+smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp
+smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp
+www,smtp,ftp,...
+
+ These three rules ended up generating _three_
copies of
-
- ACCEPT net dmz:206.124.146.177 tcp
+
+ ACCEPT net dmz:206.124.146.177 tcp
smtp
-
- By writing the rules this way, I end up with
- only one copy of the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177 tcp smtp
- - 206.124.146.178
- DNAT- net dmz:206.124.146.177 tcp smtp
- - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now prints
+
+ By writing the rules this way, I end up with
+ only one copy of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 tcp
+smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp
+smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp
+www,smtp,ftp,....
+
+
+ - The 'shorewall check' command now prints
out the applicable policy between each pair of zones.
-
-
- - A new CLEAR_TC option has been added to
-shorewall.conf. If this option is set to 'No' then Shorewall won't
-clear the current traffic control rules during [re]start. This
-setting is intended for use by people that prefer to configure traffic
-shaping when the network interfaces come up rather than when the firewall
-is started. If that is what you want to do, set TC_ENABLED=Yes and
-CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
- your traffic shaping rules can still use the 'fwmark' classifier based
-on packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been added
- that allows distribution packagers to easily move the shared
-directory (default /usr/lib/shorewall). Users should never have
-a need to change the value of this shorewall.conf setting.
-
-
+
+
+ - A new CLEAR_TC option has been added to
+ shorewall.conf. If this option is set to 'No' then Shorewall
+won't clear the current traffic control rules during [re]start.
+This setting is intended for use by people that prefer to configure
+traffic shaping when the network interfaces come up rather than when
+the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
+ and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file.
+That way, your traffic shaping rules can still use the 'fwmark' classifier
+ based on packet marking defined in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable has been added
+ that allows distribution packagers to easily move the shared directory
+ (default /usr/lib/shorewall). Users should never have a need
+to change the value of this shorewall.conf setting.
+
+
-
-1/6/2003 - BURNOUT
-
-
-Until further notice, I will not be involved in either Shorewall Development
- or Shorewall Support
-
+
+1/6/2003 - BURNOUT
+
+
+Until further notice, I will not be involved in either Shorewall Development
+ or Shorewall Support
+
-Tom Eastep
-
-
+
+
12/30/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
-
+
12/27/2002 - Shorewall 1.3.12 Released
-
+
Features include:
-
-
+
+
- - "shorewall refresh" now reloads the
+
- "shorewall refresh" now reloads the
traffic shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now turns
- off debugging after an error occurs. This places the point
- of the failure near the end of the trace rather than up in the
+
- "shorewall debug [re]start" now turns
+ off debugging after an error occurs. This places the point
+ of the failure near the end of the trace rather than up in the
middle of it.
- - "shorewall [re]start" has been speeded
- up by more than 40% with my configuration. Your milage may vary.
- - A "shorewall show classifiers" command
- has been added which shows the current packet classification
- filters. The output from this command is also added as a separate
- page in "shorewall monitor"
- - ULOG (must be all caps) is now accepted
- as a valid syslog level and causes the subject packets to
-be logged using the ULOG target rather than the LOG target.
-This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
+
- "shorewall [re]start" has been speeded
+ up by more than 40% with my configuration. Your milage may
+vary.
+ - A "shorewall show classifiers" command
+ has been added which shows the current packet classification
+ filters. The output from this command is also added as a
+separate page in "shorewall monitor"
+ - ULOG (must be all caps) is now accepted
+ as a valid syslog level and causes the subject packets to
+be logged using the ULOG target rather than the LOG target. This
+ allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
and log all Shorewall messages to a separate log file.
- - If you are running a kernel that has
-a FORWARD chain in the mangle table ("shorewall show mangle"
- will show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
- in shorewall.conf. This allows
- for marking input packets based on their destination even
-when you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
- directory with empty 'init', 'start', 'stop' and 'stopped'
- files. If you already have a file with one of these names, don't
- worry -- the upgrade process won't overwrite your file.
- - I have added a new RFC1918_LOG_LEVEL
-variable to shorewall.conf.
-This variable specifies the syslog level at which packets are
-logged as a result of entries in the /etc/shorewall/rfc1918 file.
-Previously, these packets were always logged at the 'info' level.
-
-
+ - If you are running a kernel that has
+ a FORWARD chain in the mangle table ("shorewall show mangle"
+ will show you the chains in the mangle table), you can set
+MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
+This allows for marking input packets based on their destination
+even when you are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall
+ directory with empty 'init', 'start', 'stop' and 'stopped'
+ files. If you already have a file with one of these names, don't
+ worry -- the upgrade process won't overwrite your file.
+ - I have added a new RFC1918_LOG_LEVEL
+ variable to shorewall.conf.
+ This variable specifies the syslog level at which packets
+are logged as a result of entries in the /etc/shorewall/rfc1918
+file. Previously, these packets were always logged at the 'info'
+level.
+
+
-
+
12/20/2002 - Shorewall 1.3.12 Beta 3
-
- This version corrects a problem with Blacklist
- logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything
- but ULOG, the firewall would fail to start and "shorewall refresh"
+
+ This version corrects a problem with Blacklist
+ logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything
+ but ULOG, the firewall would fail to start and "shorewall refresh"
would also fail.
-
+
12/20/2002 - Shorewall 1.3.12 Beta 2
-
-The first public Beta version of Shorewall 1.3.12 is now available (Beta
- 1 was made available only to a limited audience).
-
- Features include:
-
+
+The first public Beta version of Shorewall 1.3.12 is now available (Beta
+ 1 was made available only to a limited audience).
+
+ Features include:
+
- - "shorewall refresh" now reloads
-the traffic shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now
-turns off debugging after an error occurs. This places the
-point of the failure near the end of the trace rather than up
-in the middle of it.
- - "shorewall [re]start" has been
-speeded up by more than 40% with my configuration. Your milage
+
- "shorewall refresh" now reloads
+ the traffic shaping rules (tcrules and tcstart).
+ - "shorewall debug [re]start" now
+ turns off debugging after an error occurs. This places
+the point of the failure near the end of the trace rather than
+up in the middle of it.
+ - "shorewall [re]start" has been
+speeded up by more than 40% with my configuration. Your milage
may vary.
- - A "shorewall show classifiers"
-command has been added which shows the current packet classification
- filters. The output from this command is also added as a separate
+
- A "shorewall show classifiers"
+command has been added which shows the current packet classification
+ filters. The output from this command is also added as a separate
page in "shorewall monitor"
- - ULOG (must be all caps) is now
-accepted as a valid syslog level and causes the subject packets
-to be logged using the ULOG target rather than the LOG target.
-This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
+
- ULOG (must be all caps) is now
+accepted as a valid syslog level and causes the subject packets
+to be logged using the ULOG target rather than the LOG target.
+ This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
and log all Shorewall messages to a separate log file.
- - If you are running a kernel that
- has a FORWARD chain in the mangle table ("shorewall show
-mangle" will show you the chains in the mangle table), you
-can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows
-for marking input packets based on their destination even when
- you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
- directory with empty 'init', 'start', 'stop' and 'stopped'
- files. If you already have a file with one of these names, don't
+
- If you are running a kernel that
+ has a FORWARD chain in the mangle table ("shorewall show
+mangle" will show you the chains in the mangle table), you can
+set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for
+ marking input packets based on their destination even when you
+are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall
+ directory with empty 'init', 'start', 'stop' and 'stopped'
+ files. If you already have a file with one of these names, don't
worry -- the upgrade process won't overwrite your file.
-
+
- You may download the Beta from:
-
+ You may download the Beta from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
-
+
+
12/12/2002 - Mandrake Multi Network Firewall
-
- Shorewall is at the center of MandrakeSoft's
- recently-announced Multi
- Network Firewall (MNF) product. Here is the press
+
+ Shorewall is at the center of MandrakeSoft's
+ recently-announced Multi
+ Network Firewall (MNF) product. Here is the press
release.
-
+
12/7/2002 - Shorewall Support for Mandrake 9.0
-
-Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
- I have installed 9.0 on one of my systems and I am now
- in a position to support Shorewall users who run Mandrake
-9.0.
+
+Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
+ I have installed 9.0 on one of my systems and I am now
+ in a position to support Shorewall users who run Mandrake 9.0.
-
+
12/6/2002 - Debian 1.3.11a Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
12/3/2002 - Shorewall 1.3.11a
-
-This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
- excluded subnets (e.g., "DNAT foo!bar ..."). Current
-1.3.11 users who don't need rules of this type need not
-upgrade to 1.3.11.
+
+This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
+ excluded subnets (e.g., "DNAT foo!bar ..."). Current
+1.3.11 users who don't need rules of this type need not upgrade
+to 1.3.11.
-
+
11/24/2002 - Shorewall 1.3.11
-
+
In this version:
-
+
- - A 'tcpflags' option has
+
- A 'tcpflags' option has
been added to entries in /etc/shorewall/interfaces.
- This option causes Shorewall to make a set of sanity check on TCP
- packet header flags.
- - It is now allowed to use
-'all' in the SOURCE or DEST column in a rule. When used, 'all' must
-appear by itself (in may not be qualified) and it does not enable
- intra-zone traffic. For example, the rule
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic from
- 'loc' to 'loc'.
- - Shorewall's use of the 'echo'
- command is now compatible with bash clones such as ash
-and dash.
- - fw->fw policies now generate
- a startup error. fw->fw rules generate a warning
-and are ignored
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces.
+ This option causes Shorewall to make a set of sanity check on TCP
+ packet header flags.
+ - It is now allowed to use
+ 'all' in the SOURCE or DEST column in a rule. When used, 'all' must appear
+ by itself (in may not be qualified) and it does not enable intra-zone
+ traffic. For example, the rule
+
+ ACCEPT loc all tcp 80
+
+ does not enable http traffic
+from 'loc' to 'loc'.
+ - Shorewall's use of the
+'echo' command is now compatible with bash clones such
+as ash and dash.
+ - fw->fw policies now
+generate a startup error. fw->fw rules generate a
+warning and are ignored
-
+
-
+
11/14/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
-
-11/09/2002 - Shorewall is Back at SourceForge
-
+
+11/09/2002 - Shorewall is Back at SourceForge
+
-
+
The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
+
-
+
11/09/2002 - Shorewall 1.3.10
-
+
In this version:
-
-
- - You may now define the contents of a zone dynamically
- with the "shorewall
- add" and "shorewall delete" commands. These commands
- are expected to be used primarily within FreeS/Wan updown scripts.
- - Shorewall can now do MAC verification on ethernet
-segments. You can specify the set of allowed MAC addresses on the
-segment and you can optionally tie each MAC address to one or more
-IP addresses.
- - PPTP Servers and Clients
- running on the firewall system may now be defined in
- the /etc/shorewall/tunnels file.
- - A new 'ipsecnat' tunnel
- type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
- - The PATH used by Shorewall
- may now be specified in /etc/shorewall/shorewall.conf.
- - The main firewall script
- is now /usr/lib/shorewall/firewall. The script in
-/etc/init.d/shorewall is very small and uses /sbin/shorewall
- to do the real work. This change makes custom distributions
-such as for Debian and for Gentoo easier to manage since
-it is /etc/init.d/shorewall that tends to have distribution-dependent
- code
-
-
-
-
-
-10/24/2002 - Shorewall is now in Gentoo Linux
-
- Alexandru Hartmann reports
- that his Shorewall package is now a part of the Gentoo Linux distribution.
- Thanks Alex!
-
-
-10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:
-
-
+
- You may now define the contents of a zone dynamically
+ href="IPSEC.htm#Dynamic">define the contents of a zone dynamically
with the "shorewall
- add" and "shorewall delete" commands. These commands
- are expected to be used primarily within . These commands
+ are expected to be used primarily within FreeS/Wan updown
- scripts.
+scripts.
- Shorewall can now do MAC verification on ethernet segments.
- You can specify the set of allowed MAC addresses on
-the segment and you can optionally tie each MAC address to one
-or more IP addresses.
+ href="MAC_Validation.html"> MAC verification on ethernet segments.
+You can specify the set of allowed MAC addresses on the segment
+and you can optionally tie each MAC address to one or more IP addresses.
- PPTP Servers and Clients
running on the firewall system may now be defined in
the /etc/shorewall/tunnels file.
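Review bot: the added text in this hunk carries several typos and one broken link into the rendered News page; please fix them before merging. The ECN item points readers at "http://www.shorewall/net/pub/shorewall/ecn/patch" (a slash where the dot of shorewall.net belongs), the 1.3.14a entry reads "Shoreall 1.3.14a", "roleup" and "resent allocation", the 1.3.14 heading reads "Shoreawall 1.3.14", both 1.3.12 feature lists say "milage", and the 1.3.11 'all' item says "(in may not be qualified)" and "a set of sanity check on TCP". The signature line "Tom Eastep" under the 1/6/2003 BURNOUT entry is deleted with nothing added in its place; confirm that is intended. The 1.4 item "Late arriving DNS replies are now silently dropped in the common chain by default" changes what shows up in the logs, so it would help troubleshooting to say whether those drops can still be logged. Most of this hunk is re-wrapping of unchanged lines, which is what makes these content edits easy to miss; keeping reflow in its own commit would let the real additions (the 1.4 change list, the 1.3.14a fix list) be reviewed on their own.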
@@ -964,106 +960,177 @@ or more IP addresses.
may now be specified in /etc/shorewall/shorewall.conf.
- The main firewall script
- is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall
- is very small and uses /sbin/shorewall to do the real
- work. This change makes custom distributions such as for
-Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
- that tends to have distribution-dependent code.
+ is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall
+ is very small and uses /sbin/shorewall to do the real
+work. This change makes custom distributions such as for Debian
+ and for Gentoo easier to manage since it is /etc/init.d/shorewall
+ that tends to have distribution-dependent code
- You may download the Beta
+
+
+10/24/2002 - Shorewall is now in Gentoo Linux
+
+ Alexandru Hartmann reports
+ that his Shorewall package is now a part of the Gentoo Linux distribution.
+ Thanks Alex!
+
+
+10/23/2002 - Shorewall 1.3.10 Beta 1
+ In this version:
+
+
+
+ - You may now define the contents of a zone dynamically
+ with the "shorewall
+ add" and "shorewall delete" commands. These commands
+ are expected to be used primarily within FreeS/Wan updown
+scripts.
+ - Shorewall can now do MAC verification on ethernet segments.
+ You can specify the set of allowed MAC addresses on
+ the segment and you can optionally tie each MAC address to
+one or more IP addresses.
+ - PPTP Servers and Clients
+ running on the firewall system may now be defined
+in the /etc/shorewall/tunnels file.
+ - A new 'ipsecnat' tunnel
+ type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
+ - The PATH used by Shorewall
+ may now be specified in /etc/shorewall/shorewall.conf.
+ - The main firewall script
+ is now /usr/lib/shorewall/firewall. The script in
+/etc/init.d/shorewall is very small and uses /sbin/shorewall
+ to do the real work. This change makes custom distributions
+such as for Debian and for Gentoo easier to manage since
+it is /etc/init.d/shorewall that tends to have distribution-dependent
+ code.
+
+
+
+ You may download the Beta
from:
-
+
-
+
10/10/2002 - Debian 1.3.9b Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
10/9/2002 - Shorewall 1.3.9b
- This release rolls up fixes
+ This release rolls up fixes
to the installer and to the firewall script.
-
+
10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and server
- here at shorewall.net are now running RedHat release
+
+ The firewall and server
+ here at shorewall.net are now running RedHat release
8.0.
-
- 9/30/2002 - Shorewall 1.3.9a
- Roles up the fix for broken
- tunnels.
-
-
-9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated firewall
- script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
- -- copy that file to /usr/lib/shorewall/firewall.
+
+ 9/30/2002 - Shorewall
+1.3.9a
+ Roles up the fix for
+broken tunnels.
+9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an updated firewall
+ script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
+ -- copy that file to /usr/lib/shorewall/firewall.
+
+
9/28/2002 - Shorewall 1.3.9
-
+
In this version:
-
+
-
+
- - DNS Names are
-now allowed in Shorewall config files (although I recommend against
- using them).
- - The connection
- SOURCE may now be qualified by both interface and
- IP address in a Shorewall
-rule.
- - Shorewall startup
- is now disabled after initial installation until
- the file /etc/shorewall/startup_disabled is removed. This avoids
- nasty surprises during reboot for users who install Shorewall
- but don't configure it.
- - The 'functions'
- and 'version' files and the 'firewall' symbolic link
- have been moved from /var/lib/shorewall to /usr/lib/shorewall
+
- DNS Names are
+ now allowed in Shorewall config files (although I recommend against
+ using them).
+ - The connection
+ SOURCE may now be qualified by both interface and
+ IP address in a Shorewall rule.
+ - Shorewall
+startup is now disabled after initial installation
+ until the file /etc/shorewall/startup_disabled is removed.
+ This avoids nasty surprises during reboot for users who
+ install Shorewall but don't configure it.
+ - The 'functions'
+ and 'version' files and the 'firewall' symbolic link
+ have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.
-
+
-
+
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
-
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+
- A couple of recent
- configuration changes at www.shorewall.net broke
- the Search facility:
+ A couple of recent
+ configuration changes at www.shorewall.net broke
+ the Search facility:
-
-
+
+
-
+
+ - Mailing
+List Archive Search was not available.
+ - The Site
+Search index was incomplete
+ - Only one
+page of matches was presented.
+
+
+
+
+
+
+ Hopefully these
+ problems are now corrected.
+
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+ A couple of recent
+ configuration changes at www.shorewall.net had the
+ negative effect of breaking the Search facility:
+
+
+
- Mailing List
Archive Search was not available.
- The Site
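Review bot: The rewritten News.htm still carries the "9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability Restored" entry twice: once as retained context ("A couple of recent configuration changes at www.shorewall.net broke the Search facility:") and again as newly added text a few lines later ("... had the negative effect of breaking the Search facility:"), each followed by the same three-item list and the same "Hopefully these problems are now corrected." closing. Since this hunk already deletes one of the older copies, it should drop the second one as well and keep a single entry. While touching this region, the 9/30/2002 1.3.9a note is re-added with the spelling "Roles up the fix for broken tunnels."; that should read "Rolls up".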
@@ -1071,2027 +1138,2003 @@ Search index was incomplete
- Only one
page of matches was presented.
-
-
-
-
-
- Hopefully these
- problems are now corrected.
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- A couple of recent
- configuration changes at www.shorewall.net had the
- negative effect of breaking the Search facility:
-
-
-
- - Mailing List
- Archive Search was not available.
- - The Site Search
- index was incomplete
- - Only one page
- of matches was presented.
-
-
+
- Hopefully these
+ Hopefully these
problems are now corrected.
-
-9/18/2002 - Debian 1.3.8 Packages Available
-
-
+9/18/2002 - Debian 1.3.8 Packages Available
+
+
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/16/2002 - Shorewall 1.3.8
-
+
In this version:
-
+
-
+
- - A NEWNOTSYN option has been
- added to shorewall.conf. This option determines whether Shorewall
- accepts TCP packets which are not part of an established
- connection and that are not 'SYN' packets (SYN flag on
- and ACK flag off).
- - The need
- for the 'multi' option to communicate between zones
- za and zb on the same interface is removed in the case
- where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will
+
- A NEWNOTSYN option has been
+ added to shorewall.conf. This option determines whether Shorewall
+ accepts TCP packets which are not part of an established
+ connection and that are not 'SYN' packets (SYN flag
+ on and ACK flag off).
+ - The need
+ for the 'multi' option to communicate between zones
+ za and zb on the same interface is removed in the case
+ where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will
exist if:
-
+
- -
- There is a policy for za to zb; or
- - There
+
-
+ There is a policy for za to zb; or
+ - There
is at least one rule for za to zb.
-
+
-
+
-
+
- - The /etc/shorewall/blacklist
- file now contains three columns. In addition
-to the SUBNET/ADDRESS column, there are optional PROTOCOL
- and PORT columns to block only certain applications from
+
- The /etc/shorewall/blacklist
+ file now contains three columns. In addition to
+ the SUBNET/ADDRESS column, there are optional PROTOCOL
+ and PORT columns to block only certain applications from
the blacklisted addresses.
-
+
-
+
-
+
9/11/2002 - Debian 1.3.7c Packages Available
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/2/2002 - Shorewall 1.3.7c
-
-This is a role up of a fix for "DNAT" rules where the source zone is $FW
+
+
This is a role up of a fix for "DNAT" rules where the source zone is $FW
(fw).
-
+
8/31/2002 - I'm not available
-
-I'm currently on vacation -- please respect my need for a couple of
-weeks free of Shorewall problem reports.
+
+I'm currently on vacation -- please respect my need for a couple of
+ weeks free of Shorewall problem reports.
-
+
-Tom
-
+
8/26/2002 - Shorewall 1.3.7b
-
-This is a role up of the "shorewall refresh" bug fix and the change which
- reverses the order of "dhcp" and "norfc1918"
+
+
This is a role up of the "shorewall refresh" bug fix and the change which
+ reverses the order of "dhcp" and "norfc1918"
checking.
-
+
8/26/2002 - French FTP Mirror is Operational
-
+
ftp://france.shorewall.net/pub/mirrors/shorewall
+ href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall
is now available.
-
+
8/25/2002 - Shorewall Mirror in France
-
-Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
+
+
Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
at http://france.shorewall.net.
-
+
8/25/2002 - Shorewall 1.3.7a Debian Packages Available
-
-Lorenzo Martignoni reports that the packages for version 1.3.7a are available
+
+
Lorenzo Martignoni reports that the packages for version 1.3.7a are available
at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
+
+
8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
-- Shorewall 1.3.7a released
-
+
-
-1.3.7a corrects problems occurring in rules file processing when starting
+
+
1.3.7a corrects problems occurring in rules file processing when starting
Shorewall 1.3.7.
-
+
8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
-
+
Features in this release include:
-
+
- - The 'icmp.def'
- file is now empty! The rules in that file were required
- in ipchains firewalls but are not required in Shorewall.
- Users who have ALLOWRELATED=No in shorewall.conf should see
-the Upgrade Issues.
- - A 'FORWARDPING'
- option has been added to shorewall.conf. The effect
- of setting this variable to Yes is the same as
- the effect of adding an ACCEPT rule for ICMP echo-request
- in /etc/shorewall/icmpdef.
- Users who have such a rule in icmpdef are encouraged
- to switch to FORWARDPING=Yes.
- - The loopback
- CLASS A Network (127.0.0.0/8) has been added to
- the rfc1918 file.
- - Shorewall
- now works with iptables 1.2.7
- - The documentation
- and web site no longer uses FrontPage themes.
+ - The
+'icmp.def' file is now empty! The rules in that file
+ were required in ipchains firewalls but are not required
+ in Shorewall. Users who have ALLOWRELATED=No in
+ shorewall.conf should see
+ the Upgrade Issues.
+ - A 'FORWARDPING'
+ option has been added to shorewall.conf. The effect
+ of setting this variable to Yes is the same as
+ the effect of adding an ACCEPT rule for ICMP echo-request
+ in /etc/shorewall/icmpdef.
+ Users who have such a rule in icmpdef are
+encouraged to switch to FORWARDPING=Yes.
+ - The
+loopback CLASS A Network (127.0.0.0/8) has been added
+ to the rfc1918 file.
+ - Shorewall
+ now works with iptables 1.2.7
+ - The
+documentation and web site no longer uses FrontPage
+ themes.
-
+
-
-I would like to thank John Distler for his valuable input regarding TCP
- SYN and ICMP treatment in Shorewall. That
-input has led to marked improvement in Shorewall
+
+
I would like to thank John Distler for his valuable input regarding TCP
+ SYN and ICMP treatment in Shorewall. That
+input has led to marked improvement in Shorewall
in the last two releases.
-
+
8/13/2002 - Documentation in the CVS Repository
-
-The Shorewall-docs project now contains just the HTML and image files
-- the Frontpage files have been removed.
+
+The Shorewall-docs project now contains just the HTML and image files -
+the Frontpage files have been removed.
-
+
8/7/2002 - STABLE branch added to CVS Repository
-
-This branch will only be updated after I release a new version of Shorewall
- so you can always update from this branch
+
+
This branch will only be updated after I release a new version of Shorewall
+ so you can always update from this branch
to get the latest stable tree.
-
-8/7/2002 - Upgrade Issues section
-added to the Errata Page
+
+8/7/2002 - Upgrade Issues section added
+ to the Errata Page
-
-Now there is one place to go to look for issues involved with upgrading
+
+
Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.
-
+
8/7/2002 - Shorewall 1.3.6
-
+
This is primarily a bug-fix rollup with a couple of new features:
-
+
+ The
+processing of "New not SYN" packets may be extended
+ by commands in the new newnotsyn extension script.
+
+
+
7/30/2002 - Shorewall 1.3.5b Released
-
+
This interim release:
-
+
-
+
7/29/2002 - New Shorewall Setup Guide Available
-
+
The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm.
- The guide is intended for use by people who
- are setting up Shorewall to manage multiple public
- IP addresses and by people who want to learn more about
- Shorewall than is described in the single-address guides.
+ href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm.
+ The guide is intended for use by people who
+ are setting up Shorewall to manage multiple public
+ IP addresses and by people who want to learn more about
+ Shorewall than is described in the single-address guides.
Feedback on the new guide is welcome.
-
+
7/28/2002 - Shorewall 1.3.5 Debian Package Available
-
-Lorenzo Martignoni reports that the packages are version 1.3.5a and are
+
+
Lorenzo Martignoni reports that the packages are version 1.3.5a and are
available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/27/2002 - Shorewall 1.3.5a Released
-
+
This interim release restores correct handling of REDIRECT rules.
-
+
7/26/2002 - Shorewall 1.3.5 Released
-
-This will be the last Shorewall release for a while. I'm going to be
-focusing on rewriting a lot of the documentation.
+
+This will be the last Shorewall release for a while. I'm going to be
+ focusing on rewriting a lot of the documentation.
-
+
In this version:
-
+
- - Empty
-and invalid source and destination qualifiers are
-now detected in the rules file. It is a good idea to use
- the 'shorewall check' command before you issue a 'shorewall
- restart' command be be sure that you don't have any configuration
- problems that will prevent a successful restart.
- - Added
- MERGE_HOSTS variable in shorewall.conf to provide
- saner behavior of the /etc/shorewall/hosts
-file.
- - The time
- that the counters were last reset is now displayed
- in the heading of the 'status' and 'show' commands.
- - A proxyarp
- option has been added for entries in
- /etc/shorewall/interfaces.
- This option facilitates Proxy ARP sub-netting as described
- in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
- Specifying the proxyarp option for an interface
+
- Empty
+ and invalid source and destination qualifiers are
+ now detected in the rules file. It is a good idea to
+use the 'shorewall check' command before you issue
+ a 'shorewall restart' command be be sure that you don't have
+any configuration problems that will prevent a successful
+ restart.
+ - Added
+ MERGE_HOSTS variable in shorewall.conf to provide
+ saner behavior of the /etc/shorewall/hosts
+ file.
+ - The
+time that the counters were last reset is now displayed
+ in the heading of the 'status' and 'show' commands.
+ - A proxyarp
+ option has been added for entries in
+ /etc/shorewall/interfaces.
+ This option facilitates Proxy ARP sub-netting as described
+ in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
+ Specifying the proxyarp option for an interface
causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
- - The Samples
- have been updated to reflect the new capabilities
- in this release.
-
-
-
+ The
+Samples have been updated to reflect the new capabilities
+ in this release.
+
+
+
7/16/2002 - New Mirror in Argentina
-
-Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
+
+
Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
Argentina. Thanks Buanzo!!!
-
+
7/16/2002 - Shorewall 1.3.4 Released
-
+
In this version:
-
+
- - A new
- /etc/shorewall/routestopped
- file has been added. This file is intended to
- eventually replace the routestopped option
- in the /etc/shorewall/interface and /etc/shorewall/hosts
- files. This new file makes remote firewall administration
- easier by allowing any IP or subnet to be enabled while
- Shorewall is stopped.
- - An /etc/shorewall/stopped
- extension script
- has been added. This script is invoked after Shorewall
- has stopped.
- - A DETECT_DNAT_ADDRS
+
- A new
+ /etc/shorewall/routestopped
+ file has been added. This file is intended to
+ eventually replace the routestopped option
+ in the /etc/shorewall/interface and /etc/shorewall/hosts
+ files. This new file makes remote firewall administration
+ easier by allowing any IP or subnet to be enabled while
+ Shorewall is stopped.
+ - An /etc/shorewall/stopped
+ extension script
+ has been added. This script is invoked after Shorewall
+ has stopped.
+ - A DETECT_DNAT_ADDRS
option has been added to /etc/shoreall/shorewall.conf.
- When this option is selected, DNAT rules only apply when
- the destination address is the external interface's
+ href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf.
+ When this option is selected, DNAT rules only apply when
+ the destination address is the external interface's
primary IP address.
- - The QuickStart Guide has
- been broken into three guides and has been almost
- entirely rewritten.
- - The Samples
- have been updated to reflect the new capabilities
- in this release.
-
-
-
+ The
+ QuickStart Guide
+ has been broken into three guides and has been
+almost entirely rewritten.
+ The
+Samples have been updated to reflect the new capabilities
+ in this release.
+
+
+
7/8/2002 - Shorewall 1.3.3 Debian Package Available
-
+
Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/6/2002 - Shorewall 1.3.3 Released
-
+
In this version:
-
+
- - Entries
- in /etc/shorewall/interface that use the wildcard
-character ("+") now have the "multi" option assumed.
- - The 'rfc1918'
- chain in the mangle table has been renamed 'man1918'
- to make log messages generated from that chain distinguishable
- from those generated by the 'rfc1918' chain in
- the filter table.
- - Interface
- names appearing in the hosts file are now validated
- against the interfaces file.
- - The TARGET
- column in the rfc1918 file is now checked for correctness.
- - The chain
- structure in the nat table has been changed to reduce
- the number of rules that a packet must traverse and to
- correct problems with NAT_BEFORE_RULES=No
- - The "hits"
- command has been enhanced.
-
-
-
+ Entries
+ in /etc/shorewall/interface that use the wildcard
+ character ("+") now have the "multi" option assumed.
+ The
+'rfc1918' chain in the mangle table has been renamed
+ 'man1918' to make log messages generated from that
+chain distinguishable from those generated by the
+ 'rfc1918' chain in the filter table.
+ Interface
+ names appearing in the hosts file are now validated
+ against the interfaces file.
+ The
+TARGET column in the rfc1918 file is now checked for
+ correctness.
+ The
+chain structure in the nat table has been changed
+ to reduce the number of rules that a packet must traverse
+ and to correct problems with NAT_BEFORE_RULES=No
+ The
+"hits" command has been enhanced.
+
+
+
6/25/2002 - Samples Updated for 1.3.2
-
-The comments in the sample configuration files have been updated to reflect
+
+
The comments in the sample configuration files have been updated to reflect
new features introduced in Shorewall 1.3.2.
-
+
6/25/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/19/2002 - Documentation Available in PDF Format
-
-Thanks to Mike Martinez, the Shorewall Documentation is now available
-for download in Adobe PDF format.
+
+Thanks to Mike Martinez, the Shorewall Documentation is now available for
+ download in Adobe
+ PDF format.
-
+
6/16/2002 - Shorewall 1.3.2 Released
-
+
In this version:
-
+
+ A logwatch command has
+been added to /sbin/shorewall.
+ A dynamic blacklist facility
+ has been added.
+ Support
+ for the Netfilter multiport
+ match function has been added.
+ The
+files firewall, functions and version
+ have been moved from /etc/shorewall to /var/lib/shorewall.
+
+
+
6/6/2002 - Why CVS Web access is Password Protected
-
-Last weekend, I installed the CVS Web package to provide brower-based
-access to the Shorewall CVS repository. Since then, I have had several
-instances where my server was almost unusable due to the high load generated
-by website copying tools like HTTrack and WebStripper. These mindless tools:
+
+Last weekend, I installed the CVS Web package to provide brower-based access
+ to the Shorewall CVS repository. Since then, I have had several instances
+where my server was almost unusable due to the high load generated by website
+copying tools like HTTrack and WebStripper. These mindless tools:
-
+
- - Ignore
+
- Ignore
robot.txt files.
- - Recursively
- copy everything that they find.
- - Should
+
- Recursively
+ copy everything that they find.
+ - Should
be classified as weapons rather than tools.
-
+
-
-These tools/weapons are particularly damaging when combined with CVS Web
- because they doggedly follow every link in
- the cgi-generated HTML resulting in 1000s of
-executions of the cvsweb.cgi script. Yesterday, I spend
- several hours implementing measures to block these tools
- but unfortunately, these measures resulted in my server
- OOM-ing under even moderate load.
+
+These tools/weapons are particularly damaging when combined with CVS Web
+ because they doggedly follow every link in
+ the cgi-generated HTML resulting in 1000s of executions
+ of the cvsweb.cgi script. Yesterday, I spend several
+ hours implementing measures to block these tools but unfortunately,
+ these measures resulted in my server OOM-ing under
+ even moderate load.
-
-Until I have the time to understand the cause of the OOM (or until I buy
- more RAM if that is what is required), CVS
+
+
Until I have the time to understand the cause of the OOM (or until I buy
+ more RAM if that is what is required), CVS
Web access will remain Password Protected.
-
+
6/5/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/2/2002 - Samples Corrected
-
-The 1.3.0 samples configurations had several serious problems that prevented
- DNS and SSH from working properly. These
-problems have been corrected in the The 1.3.0 samples configurations had several serious problems that prevented
+ DNS and SSH from working properly. These problems
+ have been corrected in the 1.3.1 samples.
-
+
6/1/2002 - Shorewall 1.3.1 Released
-
+
Hot on the heels of 1.3.0, this release:
-
+
-
+
5/29/2002 - Shorewall 1.3.0 Released
-
-In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
- includes:
+
+In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
+ includes:
-
+
- - A 'filterping'
- interface option that allows ICMP echo-request
-(ping) requests addressed to the firewall to be handled
- by entries in /etc/shorewall/rules and /etc/shorewall/policy.
-
-
-
+ A 'filterping'
+ interface option that allows ICMP echo-request (ping)
+ requests addressed to the firewall to be handled by
+ entries in /etc/shorewall/rules and /etc/shorewall/policy.
+
+
+
5/23/2002 - Shorewall 1.3 RC1 Available
-
-In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
- incorporates the following:
+
+In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
+ incorporates the following:
-
+
-
+
5/19/2002 - Shorewall 1.3 Beta 2 Available
-
-In addition to the changes in Beta 1, this release which carries the
-designation 1.2.91 adds:
+
+In addition to the changes in Beta 1, this release which carries the
+ designation 1.2.91 adds:
-
+
-
+
5/17/2002 - Shorewall 1.3 Beta 1 Available
-
-Beta 1 carries the version designation 1.2.90 and implements the following
+
+
Beta 1 carries the version designation 1.2.90 and implements the following
features:
-
+
- - Simplified
- rule syntax which makes the intent of each rule clearer
+
- Simplified
+ rule syntax which makes the intent of each rule clearer
and hopefully makes Shorewall easier to learn.
- - Upward
- compatibility with 1.2 configuration files has been
- maintained so that current users can migrate to the
+
- Upward
+ compatibility with 1.2 configuration files has been
+ maintained so that current users can migrate to the
new syntax at their convenience.
- - WARNING: Compatibility with the old
- parameterized sample configurations has NOT been maintained.
- Users still running those configurations should migrate
- to the new sample configurations before upgrading
- to 1.3 Beta 1.
-
-
-
+ WARNING: Compatibility with the old
+ parameterized sample configurations has NOT been maintained.
+ Users still running those configurations should migrate
+ to the new sample configurations before upgrading
+ to 1.3 Beta 1.
+
+
+
5/4/2002 - Shorewall 1.2.13 is Available
-
+
In this version:
-
+
+ SYN-flood protection is
+ added.
+ IP addresses
+ added under ADD_IP_ALIASES
+ and ADD_SNAT_ALIASES now inherit the VLSM
+ and Broadcast Address of the interface's primary
+ IP address.
+ The
+order in which port forwarding DNAT and Static DNAT
+ can now be reversed
+ so that port forwarding rules can override the contents
+of /etc/shorewall/nat.
+
+
+
4/30/2002 - Shorewall Debian News
-
-Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
-Debian
- Testing Branch and the Debian
- Unstable Branch.
+
+Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian
+Testing Branch and the Debian
+Unstable Branch.
-
+
4/20/2002 - Shorewall 1.2.12 is Available
-
+
- - The 'try'
- command works again
- - There
-is now a single RPM that also works with SuSE.
-
-
-
+ The
+'try' command works again
+ There
+ is now a single RPM that also works with SuSE.
+
+
+
4/17/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that:
-
+
+ Shorewall
+ 1.2.10 is in the Debian
+ Testing Branch
+ Shorewall
+ 1.2.11 is in the Debian
+ Unstable Branch
+
+
+
Thanks, Lorenzo!
-
+
4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
-
-Thanks to Stefan Mohr, there
+
+
Thanks to Stefan Mohr, there
is now a Shorewall 1.2.11
- SuSE RPM available.
+ href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">
+ SuSE RPM available.
-
+
4/13/2002 - Shorewall 1.2.11 Available
-
+
In this version:
-
+
-
+
4/13/2002 - Hamburg Mirror now has FTP
-
+
Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
+ href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall.
Thanks Stefan!
-
+
4/12/2002 - New Mirror in Hamburg
-
-Thanks to Stefan Mohr, there
- is now a mirror of the Shorewall website
-at http://germany.shorewall.net.
+
+
Thanks to Stefan Mohr, there
+ is now a mirror of the Shorewall website at
+ http://germany.shorewall.net.
-
+
4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
-
-Version 1.1 of the QuickStart
- Guide is now available. Thanks to those
- who have read version 1.0 and offered their suggestions.
+
+
Version 1.1 of the QuickStart
+ Guide is now available. Thanks to those
+ who have read version 1.0 and offered their suggestions.
Corrections have also been made to the sample scripts.
-
+
4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
-
-Version 1.0 of the QuickStart
- Guide is now available. This Guide and
- its accompanying sample configurations are expected
- to provide a replacement for the recently withdrawn
-parameterized samples.
+
+Version 1.0 of the QuickStart
+ Guide is now available. This Guide and
+ its accompanying sample configurations are expected
+ to provide a replacement for the recently withdrawn parameterized
+ samples.
-
+
4/8/2002 - Parameterized Samples Withdrawn
-
+
Although the parameterized
- samples have allowed people to get a
-firewall up and running quickly, they have unfortunately
- set the wrong level of expectation among those who
-have used them. I am therefore withdrawing support for
-the samples and I am recommending that they not be used in
-new Shorewall installations.
+ href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
+ samples have allowed people to get a firewall
+ up and running quickly, they have unfortunately
+ set the wrong level of expectation among those who
+have used them. I am therefore withdrawing support for the
+samples and I am recommending that they not be used in new
+ Shorewall installations.
-
+
4/2/2002 - Updated Log Parser
-
-John Lodge has provided an updated
+
+
John Lodge has provided an updated
version of his CGI-based log parser
- with corrected date handling.
+ href="pub/shorewall/parsefw/">CGI-based log parser
+ with corrected date handling.
-
+
3/30/2002 - Shorewall Website Search Improvements
-
-The quick search on the home page now excludes the mailing list archives.
- The Extended
-Search allows excluding the archives or
-restricting the search to just the archives. An archive
- search form is also available on the mailing list information
+
+The quick search on the home page now excludes the mailing list archives.
+ The Extended Search
+ allows excluding the archives or restricting
+the search to just the archives. An archive search
+form is also available on the mailing list information
page.
-
+
3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
-
+
+ Shorewall
+ 1.2.9 is now in the Debian
+ Unstable Distribution.
+
+
+
3/25/2002 - Log Parser Available
-
+
John Lodge has provided a CGI-based log parser for Shorewall. Thanks
+ href="pub/shorewall/parsefw/">CGI-based log parser
for Shorewall. Thanks
John.
-
+
3/20/2002 - Shorewall 1.2.10 Released
-
+
In this version:
-
+
- - A "shorewall
- try" command has been added (syntax: shorewall
-try <configuration directory>).
- This command attempts "shorewall -c <configuration
-directory> start" and if that results in the firewall
- being stopped due to an error, a "shorewall start" command
- is executed. The 'try' command allows you to create a new
- configuration and
-attempt to start it; if there is an error that leaves your
- firewall in the stopped state, it will automatically be restarted
- using the default configuration (in /etc/shorewall).
- - A new
-variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf.
- If this variable is set to "Yes", Shorewall will automatically
- add IP addresses listed in the third column of
-the /etc/shorewall/masq
-file.
- - Copyright
- notices have been added to the documenation.
-
-
-
+ A "shorewall
+ try" command has been added (syntax: shorewall try
+ <configuration directory>). This
+ command attempts "shorewall -c <configuration
+directory> start" and if that results in the firewall
+ being stopped due to an error, a "shorewall start" command
+ is executed. The 'try' command allows you to create a new
+ configuration and attempt
+ to start it; if there is an error that leaves your firewall
+ in the stopped state, it will automatically be restarted using
+ the default configuration (in /etc/shorewall).
+ A new
+ variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf.
+ If this variable is set to "Yes", Shorewall will
+automatically add IP addresses listed in the third
+ column of the /etc/shorewall/masq
+ file.
+ Copyright
+ notices have been added to the documenation.
+
+
+
3/11/2002 - Shorewall 1.2.9 Released
-
+
In this version:
-
+
+
+
+
+3/1/2002 - 1.2.8 Debian Package is Available
+
+
+
+See http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+2/25/2002 - New Two-interface Sample
+
+
+I've enhanced the two interface sample to allow access from the firewall
+ to servers in the local zone -
+ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+
+
+2/23/2002 - Shorewall 1.2.8 Released
+
+
+
+Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
+ problems associated with the lock file used to prevent multiple state-changing
+ operations from occuring simultaneously. My
+ apologies for any inconvenience my carelessness
+ may have caused.
+
+
+
+2/22/2002 - Shorewall 1.2.7 Released
+
+
+
+In this version:
+
+
+
+
+ - UPnP
+probes (UDP destination port 1900) are now silently
+ dropped in the common chain
+ - RFC
+1918 checking in the mangle table has been streamlined
+ to no longer require packet marking. RFC 1918 checking
+ in the filter table has been changed to require half as
+ many rules as previously.
+ - A 'shorewall
+ check' command has been added that does a cursory
+ validation of the zones, interfaces, hosts, rules and
+ policy files.
+
+
+
+
+
+
+2/18/2002 - 1.2.6 Debian Package is Available
+
+
+
+See http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+2/8/2002 - Shorewall 1.2.6 Released
+
+
+
+In this version:
+
+
+
+
+ - $-variables
+ may now be used anywhere in the configuration files
+ except /etc/shorewall/zones.
+ - The
+interfaces and hosts files now have their contents
+ validated before any changes are made to the existing
+ Netfilter configuration. The appearance of a zone
+name that isn't defined in /etc/shorewall/zones causes "shorewall
+ start" and "shorewall restart" to abort without changing
+ the Shorewall state. Unknown options in either file cause
+a warning to be issued.
+ - A problem
+ occurring when BLACKLIST_LOGLEVEL was not set has
+ been corrected.
+
+
+
+
+
+2/4/2002 - Shorewall 1.2.5 Debian Package Available
+
+
+
+see http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+2/1/2002 - Shorewall 1.2.5 Released
+
+
+
+Due to installation problems with Shorewall 1.2.4, I have released Shorewall
+ 1.2.5. Sorry for the rapid-fire development.
+
+
+
+In version 1.2.5:
+
+
+
+
+ - The installation
+ problems have been corrected.
+ - SNAT is now supported.
+ - A "shorewall
+ version" command has been added
+ - The default
+ value of the STATEDIR variable in /etc/shorewall/shorewall.conf
+ has been changed to /var/lib/shorewall in order
+ to conform to the GNU/Linux File Hierarchy Standard,
+ Version 2.2.
+
+
+
+
+
+1/28/2002 - Shorewall 1.2.4 Released
+
+
+
+
+ - The "fw"
+ zone may now be given a
+ different name.
+ - You may
+ now place end-of-line comments (preceded by '#') in
+ any of the configuration files
+ - There
+is now protection against against two state changing
+ operations occuring concurrently. This is implemented
+ using the 'lockfile' utility if it is available
+ (lockfile is part of procmail); otherwise, a less robust
+ technique is used. The lockfile is created in the STATEDIR
+ defined in /etc/shorewall/shorewall.conf and has the
+name "lock".
+ - "shorewall
+ start" no longer fails if "detect" is specified
+ in /etc/shorewall/interfaces
+ for an interface with subnet mask 255.255.255.255.
+
+
+
+
+
+1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+1/20/2002 - Corrected firewall script available
+
+
+
+Corrects a problem with BLACKLIST_LOGLEVEL. See the
+ errata for details.
+
+
+
+1/19/2002 - Shorewall 1.2.3 Released
+
+
+
+This is a minor feature and bugfix release. The single new feature is:
+
+
+
+
+ - Support
+ for TCP MSS Clamp to PMTU -- This support is usually
+ required when the internet connection is via PPPoE
+ or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
+
+
+
+
+
+The following problems were corrected:
+
+
+
+ - The "shorewall
+ status" command no longer hangs.
+ - The "shorewall
+ monitor" command now displays the icmpdef chain
+ - The CLIENT
+ PORT(S) column in tcrules is no longer ignored
+
+
+
+
+
+1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
+
+
+
+Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
+ that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
+ for details.
+
+
+
+1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
+ Shorewall Debian package is now available. There
+ is a link to Lorenzo's site from the Shorewall download page.
+
+
+
+1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
+ the "shorewall status" command to health.
+
+
+
+1/8/2002 - Shorewall 1.2.2 Released
+
+
+
+In version 1.2.2
+
+
+
+
+ - Support
+ for IP blacklisting has been added
+
+
+
+
+
+ - You
+specify whether you want packets from blacklisted
+hosts dropped or rejected using the BLACKLIST_DISPOSITION
+ setting in /etc/shorewall/shorewall.conf
+ - You
+specify whether you want packets from blacklisted
+hosts logged and at what syslog level using the
+ BLACKLIST_LOGLEVEL
+ setting in /etc/shorewall/shorewall.conf
+ - You
+list the IP addresses/subnets that you wish to blacklist
+ in /etc/shorewall/blacklist
+ - You
+specify the interfaces you want checked against the
+ blacklist using the new "blacklist" option
+ in /etc/shorewall/interfaces.
+ - The
+black list is refreshed from /etc/shorewall/blacklist
+ by the "shorewall refresh" command.
+
-
- - Several
- bugs have been fixed
- - The 1.2.9
- Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ - Use of
+ TCP RST replies has been expanded
-
-
-
-3/1/2002 - 1.2.8 Debian Package is Available
-
-
-
-See http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-2/25/2002 - New Two-interface Sample
-
-
-I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
- http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
-
-
-2/23/2002 - Shorewall 1.2.8 Released
-
-
-
-Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
- problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously.
-My apologies for any inconvenience my carelessness
- may have caused.
-
-
-
-2/22/2002 - Shorewall 1.2.7 Released
-
-
-
-In this version:
-
-
-
-
- - UPnP
-probes (UDP destination port 1900) are now silently
- dropped in the common chain
- - RFC 1918
- checking in the mangle table has been streamlined
- to no longer require packet marking. RFC 1918 checking
- in the filter table has been changed to require half
-as many rules as previously.
- - A 'shorewall
- check' command has been added that does a cursory
- validation of the zones, interfaces, hosts, rules
-and policy files.
-
-
-
-
-
-
-2/18/2002 - 1.2.6 Debian Package is Available
-
-
-
-See http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-2/8/2002 - Shorewall 1.2.6 Released
-
-
-
-In this version:
-
-
-
-
- - $-variables
- may now be used anywhere in the configuration files
- except /etc/shorewall/zones.
- - The interfaces
- and hosts files now have their contents validated
- before any changes are made to the existing Netfilter
- configuration. The appearance of a zone name that isn't
- defined in /etc/shorewall/zones causes "shorewall
-start" and "shorewall restart" to abort without changing
- the Shorewall state. Unknown options in either file cause
-a warning to be issued.
- - A problem
- occurring when BLACKLIST_LOGLEVEL was not set has
- been corrected.
-
-
-
-
-
-2/4/2002 - Shorewall 1.2.5 Debian Package Available
-
-
-
-see http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-2/1/2002 - Shorewall 1.2.5 Released
-
-
-
-Due to installation problems with Shorewall 1.2.4, I have released Shorewall
- 1.2.5. Sorry for the rapid-fire development.
-
-
-
-In version 1.2.5:
-
-
-
-
- - The installation
- problems have been corrected.
- - SNAT is now supported.
- - A "shorewall
- version" command has been added
- - The default
- value of the STATEDIR variable in /etc/shorewall/shorewall.conf
- has been changed to /var/lib/shorewall in
-order to conform to the GNU/Linux File Hierarchy Standard,
- Version 2.2.
-
-
-
-
-
-1/28/2002 - Shorewall 1.2.4 Released
-
-
-
-
- - The "fw"
- zone may now be given a
- different name.
- - You may
- now place end-of-line comments (preceded by '#')
-in any of the configuration files
- - There
-is now protection against against two state changing
- operations occuring concurrently. This is implemented
- using the 'lockfile' utility if it is available
-(lockfile is part of procmail); otherwise, a less robust
- technique is used. The lockfile is created in the STATEDIR
- defined in /etc/shorewall/shorewall.conf and has the name
- "lock".
- - "shorewall
- start" no longer fails if "detect" is specified
- in /etc/shorewall/interfaces
- for an interface with subnet mask 255.255.255.255.
-
-
-
-
-
-1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-1/20/2002 - Corrected firewall script available
-
-
-
-Corrects a problem with BLACKLIST_LOGLEVEL. See the
- errata for details.
-
-
-
-1/19/2002 - Shorewall 1.2.3 Released
-
-
-
-This is a minor feature and bugfix release. The single new feature is:
-
-
-
-
- - Support
- for TCP MSS Clamp to PMTU -- This support is usually
- required when the internet connection is via PPPoE
- or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
-
-
-
-
-
-The following problems were corrected:
-
-
-
- - The "shorewall
- status" command no longer hangs.
- - The "shorewall
- monitor" command now displays the icmpdef chain
- - The CLIENT
- PORT(S) column in tcrules is no longer ignored
-
-
-
-
-
-1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
-
-
-
-Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
- that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
- for details.
-
-
-
-1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available.
-There is a link to Lorenzo's site from the Shorewall download page.
-
-
-
-1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
- the "shorewall status" command to health.
-
-
-
-1/8/2002 - Shorewall 1.2.2 Released
-
-
-
-In version 1.2.2
-
-
-
-
- - Support
- for IP blacklisting has been added
-
-
-
-
+
- - You
-specify whether you want packets from blacklisted
- hosts dropped or rejected using the BLACKLIST_DISPOSITION
- setting in /etc/shorewall/shorewall.conf
- - You
-specify whether you want packets from blacklisted
- hosts logged and at what syslog level using the
- BLACKLIST_LOGLEVEL
- setting in /etc/shorewall/shorewall.conf
- - You
-list the IP addresses/subnets that you wish to blacklist
- in /etc/shorewall/blacklist
- - You
-specify the interfaces you want checked against the
- blacklist using the new "blacklist" option
- in /etc/shorewall/interfaces.
- - The
-black list is refreshed from /etc/shorewall/blacklist
- by the "shorewall refresh" command.
-
-
-
-
-
-
-
- - Use of
-TCP RST replies has been expanded
-
-
-
-
-
- - TCP
-connection requests rejected because of a REJECT policy
+
- TCP
+connection requests rejected because of a REJECT policy
are now replied with a TCP RST packet.
- - TCP
-connection requests rejected because of a protocol=all
- rule in /etc/shorewall/rules are now replied
+
- TCP
+connection requests rejected because of a protocol=all
+ rule in /etc/shorewall/rules are now replied
with a TCP RST packet.
-
-
-
- - A LOGFILE specification
- has been added to /etc/shorewall/shorewall.conf. LOGFILE is used
- to tell the /sbin/shorewall program where to look for Shorewall
- messages.
-
+
+
+
+ A LOGFILE specification
+ has been added to /etc/shorewall/shorewall.conf. LOGFILE is
+used to tell the /sbin/shorewall program where to look for
+Shorewall messages.
+
+
-
+
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates
- to the previously-released samples. There are
+ target="_blank">version 1.2.0) released. These are minor updates
+ to the previously-released samples. There are
two new rules added:
-
+
- - Unless
-you have explicitly enabled Auth connections (tcp port
- 113) to your firewall, these connections will be REJECTED
- rather than DROPPED. This speeds up connection establishment
- to some servers.
- - Orphan
-DNS replies are now silently dropped.
-
-
-
-
-
-See the README file for upgrade instructions.
+ Unless
+ you have explicitly enabled Auth connections (tcp
+ port 113) to your firewall, these connections will be
+REJECTED rather than DROPPED. This speeds up connection
+ establishment to some servers.
+ Orphan
+ DNS replies are now silently dropped.
+
+
+
+See the README file for upgrade instructions.
+
+
1/1/2002 - Shorewall Mailing List Moving
-
-The Shorewall mailing list hosted at
- Sourceforge is moving to Shorewall.net.
- If you are a current subscriber to the list at Sourceforge,
- please see these
-instructions. If you would like to subscribe
-to the new list, visit The Shorewall mailing list hosted at
+ Sourceforge is moving to Shorewall.net.
+ If you are a current subscriber to the list at Sourceforge,
+ please see these instructions.
+ If you would like to subscribe to the new list,
+ visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
-
+
12/31/2001 - Shorewall 1.2.1 Released
-
+
In version 1.2.1:
-
+
+ 'shorewall
+ show tc' now correctly handles tunnels.
-12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist
-releasing 1.2 on 12/21/2001
-
-
-
-Version 1.2 contains the following new features:
-
-
-
-
-
-For the next month or so, I will continue to provide corrections to version
- 1.1.18 as necessary so that current version
- 1.1.x users will not be forced into a quick upgrade
- to 1.2.0 just to have access to bug fixes.
-
-
-For those of you who have installed one of the Beta RPMS, you will need
- to use the "--oldpackage" option when upgrading
- to 1.2.0:
-
-
-
-
-
- rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
-
-
-
-12/19/2001 - Thanks to Steve
- Cowles, there is now a Shorewall mirror
-in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall
- and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
-
-
-
-11/30/2001 - A new set of the parameterized Sample
- Configurations has been released. In this version:
-
-
-
-
- - Ping is
- now allowed between the zones.
- - In the
-three-interface configuration, it is now possible to
- configure the internet services that are to be available
- to servers in the DMZ.
-
-
-
-
-
-11/20/2001 - The current version of Shorewall is 1.1.18.
-
-
-
-In this version:
-
-
-
-
- - The spelling
- of ADD_IP_ALIASES has been corrected in the shorewall.conf
- file
- - The logic
- for deleting user-defined chains has been simplified
- so that it avoids a bug in the LRP version of the 'cut'
- utility.
- - The /var/lib/lrpkg/shorwall.conf
- file has been corrected to properly display
- the NAT entry in that file.
-
-
-
-
-
-
-11/19/2001 - Thanks to Juraj
- Ontkanin, there is now a Shorewall
- mirror in the Slovak Republic. The website is
-now mirrored at http://www.nrg.sk/mirror/shorewall
- and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
-
-
-
-11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
- There are three sample configurations:
-
-
-
-
- - One Interface
- -- for a standalone system.
- - Two Interfaces
- -- A masquerading firewall.
- - Three
-Interfaces -- A masquerading firewall with DMZ.
-
-
-
+
+12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing
+1.2 on 12/21/2001
+Version 1.2 contains the following new features:
+
+
+
+
+
+
+For the next month or so, I will continue to provide corrections to version
+ 1.1.18 as necessary so that current version
+ 1.1.x users will not be forced into a quick upgrade
+ to 1.2.0 just to have access to bug fixes.
+
+
+For those of you who have installed one of the Beta RPMS, you will need
+ to use the "--oldpackage" option when upgrading
+ to 1.2.0:
+
+
+
+
+
+ rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
+
+
+
+
+12/19/2001 - Thanks to Steve
+ Cowles, there is now a Shorewall mirror
+ in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall
+ and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
+
+
+
+11/30/2001 - A new set of the parameterized Sample
+Configurations has been released. In this version:
+
+
+
+
+ - Ping
+is now allowed between the zones.
+ - In the
+ three-interface configuration, it is now possible
+ to configure the internet services that are to be available
+ to servers in the DMZ.
+
+
+
+
+
+11/20/2001 - The current version of Shorewall is 1.1.18.
+
+
+
+In this version:
+
+
+
+
+ - The spelling
+ of ADD_IP_ALIASES has been corrected in the shorewall.conf
+ file
+ - The logic
+ for deleting user-defined chains has been simplified
+ so that it avoids a bug in the LRP version of the 'cut'
+ utility.
+ - The /var/lib/lrpkg/shorwall.conf
+ file has been corrected to properly display
+ the NAT entry in that file.
+
+
+
+
+
+
+11/19/2001 - Thanks to Juraj
+ Ontkanin, there is now a Shorewall
+ mirror in the Slovak Republic. The website is
+ now mirrored at http://www.nrg.sk/mirror/shorewall
+ and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
+
+
+
+11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
+ There are three sample configurations:
+
+
+
+
+ - One Interface
+ -- for a standalone system.
+ - Two Interfaces
+ -- A masquerading firewall.
+ - Three
+Interfaces -- A masquerading firewall with DMZ.
+
+
+
+
+
+
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
- . See the README file for instructions.
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
+ . See the README file for instructions.
-
-11/1/2001 - The current version of Shorewall is 1.1.17. I intend
- this to be the last of the 1.1 Shorewall
- releases.
+
+11/1/2001 - The current version of Shorewall is 1.1.17. I intend
+ this to be the last of the 1.1 Shorewall
+ releases.
-
+
In this version:
-
+
-
-10/22/2001 - The current version of Shorewall is 1.1.16. In this
- version:
+
+10/22/2001 - The current version of Shorewall is 1.1.16. In this
+ version:
-
+
- - A new
+
- A new
"shorewall show connections" command has been added.
- - In the
-"shorewall monitor" output, the currently tracked
- connections are now shown on a separate page.
- - Prior
-to this release, Shorewall unconditionally added the
- external IP adddress(es) specified in /etc/shorewall/nat.
- Beginning with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be
- set to "no" (or "No") to inhibit this behavior.
- This allows IP aliases created using your distribution's
- network configuration tools to be used in static
- NAT.
+ - In the
+ "shorewall monitor" output, the currently tracked
+ connections are now shown on a separate page.
+ - Prior
+to this release, Shorewall unconditionally added the
+ external IP adddress(es) specified in /etc/shorewall/nat.
+ Beginning with version 1.1.16, a new parameter
+(ADD_IP_ALIASES) may
+be set to "no" (or "No") to inhibit this behavior.
+ This allows IP aliases created using your distribution's
+ network configuration tools to be used in static
+ NAT.
-
+
-
-10/15/2001 - The current version of Shorewall is 1.1.15. In this
- version:
+
+10/15/2001 - The current version of Shorewall is 1.1.15. In this
+ version:
+
+
+
+ - Support
+ for nested zones has been improved. See the documentation for
+details
+ - Shorewall
+ now correctly checks the alternate configuration
+ directory for the 'zones' file.
+
+
+
+
+
+10/4/2001 - The current version of Shorewall is 1.1.14. In this
+ version
- - Support
- for nested zones has been improved. See the documentation for details
- - Shorewall
- now correctly checks the alternate configuration
- directory for the 'zones' file.
-
-
-
-
-
-10/4/2001 - The current version of Shorewall is 1.1.14. In this
- version
-
-
-
- - Shorewall
- now supports alternate configuration directories.
- When an alternate directory is specified when starting
- or restarting Shorewall (e.g., "shorewall -c /etc/testconf
- restart"), Shorewall will first look for configuration files
- in the alternate directory then in /etc/shorewall. To
+
- Shorewall
+ now supports alternate configuration directories.
+ When an alternate directory is specified when starting
+ or restarting Shorewall (e.g., "shorewall -c /etc/testconf
+ restart"), Shorewall will first look for configuration files
+ in the alternate directory then in /etc/shorewall. To
create an alternate configuration simply:
- 1. Create
+ 1. Create
a New Directory
- 2. Copy
-to that directory any of your configuration files
-that you want to change.
- 3. Modify
+ 2. Copy
+to that directory any of your configuration files that
+ you want to change.
+ 3. Modify
the copied files as needed.
- 4. Restart
- Shorewall specifying the new directory.
- - The rules
- for allowing/disallowing icmp echo-requests (pings)
- are now moved after rules created when processing
-the rules file. This allows you to add rules that selectively
+ 4. Restart
+ Shorewall specifying the new directory.
+ - The rules
+ for allowing/disallowing icmp echo-requests (pings)
+ are now moved after rules created when processing the
+ rules file. This allows you to add rules that selectively
allow/deny ping based on source or destination address.
- - Rules
-that specify multiple client ip addresses or subnets
- no longer cause startup failures.
- - Zone names
- in the policy file are now validated against the
-zones file.
- - If you
-have packet mangling
- support enabled, the "norfc1918"
-interface option now logs and drops any incoming packets on
-the interface that have an RFC 1918 destination address.
+ - Rules
+that specify multiple client ip addresses or subnets
+ no longer cause startup failures.
+ - Zone
+names in the policy file are now validated against
+ the zones file.
+ - If you
+ have packet mangling
+ support enabled, the "norfc1918" interface
+option now logs and drops any incoming packets on the interface
+ that have an RFC 1918 destination address.
-
+
-
-9/12/2001 - The current version of Shorewall is 1.1.13. In this
+
+
9/12/2001 - The current version of Shorewall is 1.1.13. In this
version
-
+
- - Shell
-variables can now be used to parameterize Shorewall
- rules.
- - The second
- column in the hosts file may now contain a comma-separated
- list.
-
- Example:
- sea
- eth0:130.252.100.0/24,206.191.149.0/24
- - Handling
- of multi-zone interfaces has been improved. See the
- documentation for the
- /etc/shorewall/interfaces file.
+ - Shell
+variables can now be used to parameterize Shorewall
+ rules.
+ - The second
+ column in the hosts file may now contain a comma-separated
+ list.
+
+ Example:
+ sea
+ eth0:130.252.100.0/24,206.191.149.0/24
+ - Handling
+ of multi-zone interfaces has been improved. See the
+ documentation for the
+ /etc/shorewall/interfaces file.
-
+
-
-8/28/2001 - The current version of Shorewall is 1.1.12. In this
+
+
8/28/2001 - The current version of Shorewall is 1.1.12. In this
version
-
+
- - Several
- columns in the rules file may now contain comma-separated
+
- Several
+ columns in the rules file may now contain comma-separated
lists.
- - Shorewall
- is now more rigorous in parsing the options in
- /etc/shorewall/interfaces.
- - Complementation
+
- Shorewall
+ is now more rigorous in parsing the options in
+/etc/shorewall/interfaces.
+ - Complementation
using "!" is now supported in rules.
-
+
-
-7/28/2001 - The current version of Shorewall is 1.1.11. In this
+
+
7/28/2001 - The current version of Shorewall is 1.1.11. In this
version
-
+
- - A "shorewall
- refresh" command has been added to allow for refreshing
- the rules associated with the broadcast address on a
-dynamic interface. This command should be used in place
-of "shorewall restart" when the internet interface's IP
- address changes.
- - The /etc/shorewall/start
- file (if any) is now processed after all temporary
- rules have been deleted. This change prevents the accidental
- removal of rules added during the processing of
-that file.
- - The "dhcp"
- interface option is now applicable to firewall
-interfaces used by a DHCP server running on the firewall.
- - The RPM
+
- A "shorewall
+ refresh" command has been added to allow for
+ refreshing the rules associated with the broadcast address
+ on a dynamic interface. This command should be used
+ in place of "shorewall restart" when the internet interface's
+ IP address changes.
+ - The /etc/shorewall/start
+ file (if any) is now processed after all
+temporary rules have been deleted. This change prevents
+ the accidental removal of rules added during
+ the processing of that file.
+ - The "dhcp"
+ interface option is now applicable to firewall
+ interfaces used by a DHCP server running on the firewall.
+ - The RPM
can now be built from the .tgz file using "rpm -tb"
-
+
-
-7/6/2001 - The current version of Shorewall is 1.1.10. In this
-version
+
+7/6/2001 - The current version of Shorewall is 1.1.10. In this version
-
+
- - Shorewall
- now enables Ipv4 Packet Forwarding by default. Packet
- forwarding may be disabled by specifying IP_FORWARD=Off
- in /etc/shorewall/shorewall.conf. If you don't
- want Shorewall to enable or disable packet forwarding,
- add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
- file.
- - The "shorewall
- hits" command no longer lists extraneous service
- names in its last report.
- - Erroneous
- instructions in the comments at the head of the firewall
+
- Shorewall
+ now enables Ipv4 Packet Forwarding by default. Packet
+ forwarding may be disabled by specifying IP_FORWARD=Off
+ in /etc/shorewall/shorewall.conf. If you don't
+ want Shorewall to enable or disable packet forwarding,
+ add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
+ file.
+ - The "shorewall
+ hits" command no longer lists extraneous service
+ names in its last report.
+ - Erroneous
+ instructions in the comments at the head of the firewall
script have been corrected.
-
+
-
-6/23/2001 - The current version of Shorewall is 1.1.9. In this
-version
+
+6/23/2001 - The current version of Shorewall is 1.1.9. In this version
-
+
- - The "tunnels"
+
- The "tunnels"
file really is in the RPM now.
- - SNAT can
- now be applied to port-forwarded connections.
- - A bug
-which would cause firewall start failures in some
-dhcp configurations has been fixed.
- - The firewall
- script now issues a message if you have the name
-of an interface in the second column in an entry in /etc/shorewall/masq
- and that interface is not up.
- - You can
+
- SNAT
+can now be applied to port-forwarded connections.
+ - A bug
+which would cause firewall start failures in some dhcp
+ configurations has been fixed.
+ - The firewall
+ script now issues a message if you have the name
+ of an interface in the second column in an entry in
+/etc/shorewall/masq and that interface is not up.
+ - You can
now configure Shorewall so that it doesn't require the NAT and/or
+ href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or
mangle netfilter modules.
- - Thanks
-to Alex Polishchuk, the "hits" command from seawall
+
- Thanks
+ to Alex Polishchuk, the "hits" command from seawall
is now in shorewall.
- - Support
+
- Support
for IPIP tunnels has been added.
-
+
-
-6/18/2001 - The current version of Shorewall is 1.1.8. In this
-version
+
+6/18/2001 - The current version of Shorewall is 1.1.8. In this version
-
+
-
+
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
-
+
- - The TOS
+
- The TOS
rules are now deleted when the firewall is stopped.
- - The .rpm
- will now install regardless of which version of iptables
+
- The .rpm
+ will now install regardless of which version of iptables
is installed.
- - The .rpm
- will now install without iproute2 being installed.
- - The documentation
+
- The .rpm
+ will now install without iproute2 being installed.
+ - The documentation
has been cleaned up.
- - The sample
- configuration files included in Shorewall have been
- formatted to 80 columns for ease of editing on a VGA
- console.
+ - The sample
+ configuration files included in Shorewall have been
+ formatted to 80 columns for ease of editing on a VGA
+ console.
-
+
-
-5/25/2001 - The current version of Shorewall is 1.1.6. In this
-version
+
+5/25/2001 - The current version of Shorewall is 1.1.6. In this version
-
+
- - You may now rate-limit the
-packet log.
- - Previous
- versions of Shorewall have an implementation of Static
- NAT which violates the principle of least surprise.
- NAT only occurs for packets arriving at (DNAT) or
-send from (SNAT) the interface named in the INTERFACE column
- of /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
- regardless of which interface packets come from or are
-destined to. To get compatibility with prior versions, I
-have added a new "ALL "ALL INTERFACES"
- column to /etc/shorewall/nat. By placing "no" or
-"No" in the new column, the NAT behavior of prior versions
-may be retained.
- - The treatment
- of IPSEC Tunnels where the
- remote gateway is a standalone system has been improved.
- Previously, it was necessary to include an additional rule
-allowing UDP port 500 traffic to pass through the tunnel. Shorewall
- will now create this rule automatically when you place the
-name of the remote peer's zone in a new GATEWAY ZONE column in
-/etc/shorewall/tunnels.
+ - You may now rate-limit the
+ packet log.
+ - Previous
+ versions of Shorewall have an implementation of Static
+ NAT which violates the principle of least surprise.
+ NAT only occurs for packets arriving at (DNAT) or send
+ from (SNAT) the interface named in the INTERFACE column of
+ /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
+ regardless of which interface packets come from or are destined
+ to. To get compatibility with prior versions, I have added
+ a new "ALL "ALL INTERFACES"
+ column to /etc/shorewall/nat. By placing "no" or "No"
+ in the new column, the NAT behavior of prior versions may
+ be retained.
+ - The treatment
+ of IPSEC Tunnels where the
+ remote gateway is a standalone system has been improved.
+ Previously, it was necessary to include an additional rule allowing
+ UDP port 500 traffic to pass through the tunnel. Shorewall
+will now create this rule automatically when you place the name
+of the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
-
+
-
-5/20/2001 - The current version of Shorewall is 1.1.5. In this
-version
+
+5/20/2001 - The current version of Shorewall is 1.1.5. In this version
-
+
-
-5/10/2001 - The current version of Shorewall is 1.1.4. In this
-version
+
+5/10/2001 - The current version of Shorewall is 1.1.4. In this version
-
+
- - Accepting RELATED connections
- is now optional.
- - Corrected
- problem where if "shorewall start" aborted early
- (due to kernel configuration errors for example), superfluous
+
- Accepting RELATED connections
+ is now optional.
+ - Corrected
+ problem where if "shorewall start" aborted early
+ (due to kernel configuration errors for example), superfluous
'sed' error messages were reported.
- - Corrected
+
- Corrected
rules generated for port redirection.
- - The order
- in which iptables kernel modules are loaded has been
+
- The order
+ in which iptables kernel modules are loaded has been
corrected (Thanks to Mark Pavlidis).
-
+
-
-4/28/2001 - The current version of Shorewall is 1.1.3. In this
-version
+
+4/28/2001 - The current version of Shorewall is 1.1.3. In this version
-
+
- - Correct
- message issued when Proxy ARP address added (Thanks
+
- Correct
+ message issued when Proxy ARP address added (Thanks
to Jason Kirtland).
- - /tmp/shorewallpolicy-$$
- is now removed if there is an error while starting
+
- /tmp/shorewallpolicy-$$
+ is now removed if there is an error while starting
the firewall.
- - /etc/shorewall/icmp.def
- and /etc/shorewall/common.def are now used
- to define the icmpdef and common chains unless overridden
- by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
- - In the
-.lrp, the file /var/lib/lrpkg/shorwall.conf has been
- corrected. An extra space after "/etc/shorwall/policy"
- has been removed and "/etc/shorwall/rules" has been added.
- - When a
-sub-shell encounters a fatal error and has stopped
- the firewall, it now kills the main shell so that the
-main shell will not continue.
- - A problem
- has been corrected where a sub-shell stopped the
- firewall and main shell continued resulting in a perplexing
+
- /etc/shorewall/icmp.def
+ and /etc/shorewall/common.def are now used
+ to define the icmpdef and common chains unless overridden
+ by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
+ - In the
+ .lrp, the file /var/lib/lrpkg/shorwall.conf has been
+ corrected. An extra space after "/etc/shorwall/policy"
+ has been removed and "/etc/shorwall/rules" has been added.
+ - When
+a sub-shell encounters a fatal error and has stopped
+ the firewall, it now kills the main shell so that
+ the main shell will not continue.
+ - A problem
+ has been corrected where a sub-shell stopped the
+ firewall and main shell continued resulting in a perplexing
error message referring to "common.so" resulted.
- - Previously,
- placing "-" in the PORT(S) column in /etc/shorewall/rules
- resulted in an error message during start. This
-has been corrected.
- - The first
- line of "install.sh" has been corrected -- I had
- inadvertently deleted the initial "#".
-
-
-
+ Previously,
+ placing "-" in the PORT(S) column in /etc/shorewall/rules
+ resulted in an error message during start. This has
+ been corrected.
+ The first
+ line of "install.sh" has been corrected -- I had
+ inadvertently deleted the initial "#".
-4/12/2001 - The current version of Shorewall is 1.1.2. In this
-version
+
-
+
+4/12/2001 - The current version of Shorewall is 1.1.2. In this version
+
+
- - Port redirection
- now works again.
- - The icmpdef
- and common chains may
- now be user-defined.
- - The firewall
- no longer fails to start if "routefilter" is
-specified for an interface that isn't started. A warning message
- is now issued in this case.
- - The LRP
- Version is renamed "shorwall" for 8,3 MSDOS file
- system compatibility.
- - A couple
- of LRP-specific problems were corrected.
-
-
-
+ Port
+redirection now works again.
+ The icmpdef
+ and common chains may
+ now be user-defined.
+ The firewall
+ no longer fails to start if "routefilter" is
+ specified for an interface that isn't started. A warning
+ message is now issued in this case.
+ The LRP
+ Version is renamed "shorwall" for 8,3 MSDOS file
+ system compatibility.
+ A couple
+ of LRP-specific problems were corrected.
+
+
+
4/8/2001 - Shorewall is now affiliated with the Leaf Project
-
+
-
+
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
-
+
- - The common
- chain is traversed from INPUT, OUTPUT and FORWARD
- before logging occurs
- - The source
- has been cleaned up dramatically
- - DHCP DISCOVER
- packets with RFC1918 source addresses no longer
- generate log messages. Linux DHCP clients generate such
- packets and it's annoying to see them logged.
-
-
-
+ The common
+ chain is traversed from INPUT, OUTPUT and FORWARD
+ before logging occurs
+ The source
+ has been cleaned up dramatically
+ DHCP
+DISCOVER packets with RFC1918 source addresses no
+longer generate log messages. Linux DHCP clients generate
+ such packets and it's annoying to see them logged.
+
+
+
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
-
+
- - Log messages
- now indicate the packet disposition.
- - Error
+
- Log messages
+ now indicate the packet disposition.
+ - Error
messages have been improved.
- - The ability
- to define zones consisting of an enumerated set of
+
- The ability
+ to define zones consisting of an enumerated set of
hosts and/or subnetworks has been added.
- - The zone-to-zone
- chain matrix is now sparse so that only those chains
- that contain meaningful rules are defined.
- - 240.0.0.0/4
- and 169.254.0.0/16 have been added to the source
- subnetworks whose packets are dropped under the norfc1918
+
- The zone-to-zone
+ chain matrix is now sparse so that only those chains
+ that contain meaningful rules are defined.
+ - 240.0.0.0/4
+ and 169.254.0.0/16 have been added to the source
+ subnetworks whose packets are dropped under the norfc1918
interface option.
- - Exits
-are now provided for executing an user-defined script
- when a chain is defined, when the firewall is initialized,
- when the firewall is started, when the firewall
+
- Exits
+are now provided for executing an user-defined script
+ when a chain is defined, when the firewall is initialized,
+ when the firewall is started, when the firewall
is stopped and when the firewall is cleared.
- - The Linux
- kernel's route filtering facility can now be specified
+
- The Linux
+ kernel's route filtering facility can now be specified
selectively on network interfaces.
-
+
-
+
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
-
+
- - Allows
-user-defined zones. Shorewall now has only one pre-defined
- zone (fw) with the remaining zones being defined in
- the new configuration file /etc/shorewall/zones.
- The /etc/shorewall/zones file released in this version
- provides behavior that is compatible with Shorewall 1.0.3.
- - Adds the
- ability to specify logging in entries in the /etc/shorewall/rules
- file.
- - Correct
- handling of the icmp-def chain so that only ICMP packets
+
- Allows
+ user-defined zones. Shorewall now has only one pre-defined
+ zone (fw) with the remaining zones being defined
+ in the new configuration file /etc/shorewall/zones.
+ The /etc/shorewall/zones file released in this version
+ provides behavior that is compatible with Shorewall 1.0.3.
+ - Adds
+the ability to specify logging in entries in the
+ /etc/shorewall/rules file.
+ - Correct
+ handling of the icmp-def chain so that only ICMP packets
are sent through the chain.
- - Compresses
- the output of "shorewall monitor" if awk is installed.
- Allows the command to work if awk isn't installed (although
- it's not pretty).
-
-
-
+ Compresses
+ the output of "shorewall monitor" if awk is installed.
+ Allows the command to work if awk isn't installed (although
+ it's not pretty).
-3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
- release with no new features.
+
-
+
+3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
+ release with no new features.
+
+
- - The PATH
- variable in the firewall script now includes /usr/local/bin
- and /usr/local/sbin.
- - DMZ-related
+
- The PATH
+ variable in the firewall script now includes /usr/local/bin
+ and /usr/local/sbin.
+ - DMZ-related
chains are now correctly deleted if the DMZ is deleted.
- - The interface
+
- The interface
OPTIONS for "gw" interfaces are no longer ignored.
-
+
-
-3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
- additional "gw" (gateway) zone for tunnels
- and it supports IPSEC tunnels with end-points on the
- firewall. There is also a .lrp available now.
+
+3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
+ additional "gw" (gateway) zone for tunnels
+ and it supports IPSEC tunnels with end-points on
+the firewall. There is also a .lrp available now.
-
-Updated 5/18/2003 - Tom Eastep
+
+Updated 5/19/2003 - Tom Eastep
-
+
Copyright © 2001, 2002 Thomas M. Eastep.
-
-
+
+
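Review bot: the "Updated" line moves from 5/18/2003 to 5/19/2003, but the copyright line immediately below it still reads "Copyright © 2001, 2002 Thomas M. Eastep." and should be extended to 2003 in the same edit. A few wording defects are carried over unchanged in the re-flowed text and could be fixed while this file is being touched: the 1.1.3 entry ends "...resulting in a perplexing error message referring to "common.so" resulted." with a doubled "resulted"; the 1.1.2 entry's "8,3 MSDOS file system compatibility" should be "8.3"; and the 1.1.0 entry's "executing an user-defined script" should read "a user-defined script". Finally, nearly all of this hunk is HTML whitespace and line-wrap churn with no content change, which hides the handful of real edits; consider turning off the HTML editor's reformatting (or running the file through a fixed formatter before committing) so that future diffs of News.htm show only the substantive changes.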