Shorewall 1.4.4b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@576 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-26 12:42:40 +02:00 · 2003-05-29 14:48:09 +00:00 · 2003-05-29 14:48:09 +00:00 · 1905dd9d1c
commit 1905dd9d1c
parent df6a59cf68
17 changed files with 5017 additions and 4949 deletions
--- a/Lrp/usr/share/shorewall/firewall
+++ b/Lrp/usr/share/shorewall/firewall
@ -926,7 +926,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 		eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
 		;;
 	    *)
-		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
+		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
 		;;
 	esac
@ -943,7 +943,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 		eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
 		;;
 	    *)
-		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
+		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
 		;;
 	esac
--- a/Lrp/usr/share/shorewall/version
+++ b/Lrp/usr/share/shorewall/version
@ -1 +1 @@
-1.4.4a
+1.4.4b
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -10,4 +10,6 @@ Changes since 1.4.3a
 4. Don't include log rule number when LOGFORMAT doesn't include "%d".
 5. Add --log-level to LOG rules.
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -49,9 +49,9 @@
 <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with 
                        port forwarding</a></p>
-<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect
+<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
-to port 1022</b> on my firewall and have the <b>firewall forward the connection
+<b>connect to port 1022</b> on my firewall and have the <b>firewall forward
-to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
+the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
          </p>
 <h1><b>DNS and PORT FORWARDING/NAT<br>
@ -65,10 +65,10 @@ to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
                             subnet and I use <b>static NAT</b> to assign 
-non-RFC1918            addresses          to   hosts   in  Z. Hosts in Z
+non-RFC1918            addresses          to   hosts   in  Z. Hosts in Z cannot
-cannot communicate       with     each other  using      their    external
+communicate       with     each other  using      their    external    (non-RFC1918
-   (non-RFC1918 addresses)       so  they   <b>can't access each     other
+addresses)       so  they   <b>can't access each     other using   their
-using   their DNS   names.</b></a></p>
+DNS   names.</b></a></p>
 <h1><b>NETMEETING/MSN<br>
          </b></h1>
@ -136,8 +136,8 @@ out   to  the net</b></a></p>
 <h1>STARTING AND STOPPING<br>
          </h1>
-<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
+<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 'shorewall
-'shorewall stop', I can't connect to anything</b>. Why doesn't that command
+stop', I can't connect to anything</b>. Why doesn't that command        
                  work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
@ -151,9 +151,9 @@ out   to  the net</b></a></p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
                            my  interfaces </b>properly at startup?</a></p>
-                                          <b>22. </b><a href="#faq22">I have
+                                           <b>22. </b><a href="#faq22">I
-  some   <b>iptables   commands     </b>that     I  want to <b>run when Shorewall
+have   some   <b>iptables   commands     </b>that     I  want to <b>run when
-   starts.</b> Which   file do   I  put them in?</a><br>
+Shorewall    starts.</b> Which   file do   I  put them in?</a><br>
 <h1>ABOUT SHOREWALL<br>
          </h1>
@ -161,8 +161,7 @@ out   to  the net</b></a></p>
 <p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does 
                            it  work with?</a></p>
-<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
+<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it support?</a></p>
 support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
@ -195,8 +194,9 @@ external    interface,  <b>my      DHCP  client  cannot    renew   its lease</b>
 <h1>MISCELLANEOUS<br>
           </h1>
-         <b>19. </b><a href="#faq19">I have added   <b>entries      to  /etc/shorewall/tcrules</b>
+          <b>19. </b><a href="#faq19">I have added   <b>entries      to 
-            but they <b>don't  </b>seem to <b>do     anything</b>.  Why?</a><br>
+/etc/shorewall/tcrules</b>             but they <b>don't  </b>seem to <b>do
    anything</b>.  Why?</a><br>
                                             <br>
                                             <b>20. </b><a href="#faq20">I
 have   just   set    up   a   server.      <b>Do  I have to change Shorewall
@ -323,8 +323,8 @@ to  allow access   to my   server    from   the  internet?</b></a><br>
    </tbody>                       
  </table>
                                                           </blockquote>
-                     Finally,  if you need to forward a range of ports, in
+                      Finally,  if you need to forward a range of ports,
- the  PORT   column    specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
+in  the  PORT   column    specify  the range  as <i>low-port</i>:<i>high-port</i>.<br>
 <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
                            but  it doesn't work</h4>
@ -333,13 +333,13 @@ to  allow access   to my   server    from   the  internet?</b></a><br>
   things:</p>
 <ul>
-                                                            <li>You are trying
+                                                             <li>You are
-   to  test   from   inside    your   firewall     (no,   that    won't 
+trying    to  test   from   inside    your   firewall     (no,   that   
-  work  -- see      <a href="#faq2">FAQ   #2</a>).</li>
+won't    work  -- see      <a href="#faq2">FAQ   #2</a>).</li>
                                                             <li>You have 
 a  more   basic    problem     with   your   local    system    such   as 
- an    incorrect   default   gateway     configured    (it  should    be
+ an    incorrect   default   gateway     configured    (it  should    be set
-set to    the IP   address     of your  firewall's    internal    interface).</li>
+to    the IP   address     of your  firewall's    internal    interface).</li>
               <li>Your ISP is blocking that particular port inbound.<br>
            </li>
@ -354,8 +354,8 @@ diagnose     this   problem:<br>
                                                   <li>As root, type "iptables
   -t  nat   -Z".   This   clears    the   NetFilter      counters   in the
  nat table.</li>
-                                                  <li>Try to connect to the 
+                                                   <li>Try to connect to
- redirected      port   from   an  external     host.</li>
+the   redirected      port   from   an  external     host.</li>
                                                   <li>As root type "shorewall
   show   nat"</li>
                                                   <li>Locate the appropriate 
@ -363,8 +363,8 @@ diagnose     this   problem:<br>
  zone&gt;</i>_dnat       ('net_dnat'    in the above   examples).</li>
                                                   <li>Is the packet count
 in  the   first    column    non-zero?      If  so,   the   connection 
-request  is  reaching    the firewall    and is  being    redirected    to
+  request  is  reaching    the firewall    and is  being    redirected  
-  the server.     In  this    case, the problem    is usually   a  missing 
+ to   the server.     In  this    case, the problem    is usually   a  missing
  or incorrect       default  gateway    setting on  the  server (the   server's 
  default   gateway  should     be  the IP address    of  the firewall's 
 interface   to the  server).</li>
@ -377,12 +377,12 @@ is  zero:</li>
   by  your   ISP); or</li>
                                                     <li>you are trying to
 connect    to  a  secondary      IP  address     on  your   firewall   and
-your rule    is only  redirecting    the  primary  IP  address    (You  need 
+ your rule    is only  redirecting    the  primary  IP  address    (You 
-to specify      the secondary  IP address     in the "ORIG.   DEST." column 
+need  to specify      the secondary  IP address     in the "ORIG.   DEST."
-   in  your     DNAT rule);  or</li>
+column     in  your     DNAT rule);  or</li>
                                                     <li>your DNAT rule doesn't 
-   match    the   connection      request     in  some   other   way. In
+   match    the   connection      request     in  some   other   way. In that
-that    case,  you  may   have to use  a  packet  sniffer     such  as tcpdump
+   case,  you  may   have to use  a  packet  sniffer     such  as tcpdump 
 or   ethereal   to further   diagnose  the  problem.<br>
                                                     </li>
@ -391,8 +391,8 @@ that    case,  you  may   have to use  a  packet  sniffer     such  as tcpdump
 </ul>
 <h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want 
-    to connect to port 1022 on my firewall and have the firewall forward
+    to connect to port 1022 on my firewall and have the firewall forward the
-the    connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
+   connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
 <div align="left">       
 <blockquote>                       
@ -430,8 +430,8 @@ the    connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
                                                           </div>
 <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
-                            (IP 130.151.100.69) to system 192.168.1.5 in
+                            (IP 130.151.100.69) to system 192.168.1.5 in my
-my   local      network.         External         clients  can browse http://www.mydomain.com
+  local      network.         External         clients  can browse http://www.mydomain.com 
        but internal         clients can't.</h4>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
@ -440,12 +440,12 @@ my   local      network.         External         clients  can browse http://www
                                                             <li>Having an
 internet-accessible          server    in  your   local    network     
   is  like raising foxes     in   the  corner   of your  hen   house.  If
-the server     is      compromised,        there's  nothing    between  that
+ the server     is      compromised,        there's  nothing    between 
- server  and  your other   internal           systems.  For the    cost of
+that  server  and  your other   internal           systems.  For the    cost
-another  NIC and  a cross-over  cable,       you can   put       your   server
+of another  NIC and  a cross-over  cable,       you can   put       your
-in a DMZ such  that it is isolated  from     your   local systems    -  
+  server in a DMZ such  that it is isolated  from     your   local systems
-   assuming that the  Server can be located     near the Firewall,   of course
+   -      assuming that the  Server can be located     near the Firewall,
-    :-)</li>
+  of course     :-)</li>
                                                             <li>The accessibility 
    problem     is  best   solved    using           <a
 href="shorewall_setup_guide.htm#DNS">Bind  Version       9 "views"</a> 
@ -464,8 +464,8 @@ local systems     that    use static   NAT.</li>
      </p>
 <p align="left">If you are running Shorewall 1.4.0 or earlier see <a
- href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions   suitable for
+ href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions   suitable for those
-those releases.<br>
+releases.<br>
     </p>
 <p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please 
@ -617,21 +617,21 @@ those releases.<br>
    so they can't    access  each    other  using their    DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
-                            using Bind Version 9 "views". It allows both
+                            using Bind Version 9 "views". It allows both external
-external         and    internal         clients       to access a NATed
+        and    internal         clients       to access a NATed host using
-host using  the    host's    DNS   name.</p>
+ the    host's    DNS   name.</p>
 <p align="left">Another good way to approach this problem is to switch from 
                             static NAT to Proxy ARP. That way, the hosts 
 in   Z  have     non-RFC1918            addresses      and can be accessed 
 externally     and    internally using     the    same   address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
+<p align="left">If you don't like those solutions and prefer routing all
-traffic through your firewall then:</p>
+Z-&gt;Z traffic through your firewall then:</p>
 <p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
-                                                          b) Masquerade Z 
+                                                           b) Masquerade
-to  itself.<br>
+Z  to  itself.<br>
                                                           <br>
                                                           Example:</p>
@ -722,11 +722,10 @@ to  itself.<br>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
                            tracking/NAT module</a> that may help with Netmeeting. 
-         Look    <a href="http://linux-igd.sourceforge.net">here</a> for
+         Look    <a href="http://linux-igd.sourceforge.net">here</a> for a
-a  solution        for MSN   IM but be aware that there are significant security
+ solution        for MSN   IM but be aware that there are significant security 
- risks  involved      with this  solution. Also check the Netfilter     
+ risks  involved      with this  solution. Also check the Netfilter      mailing
-mailing         list    archives    at <a
+        list    archives    at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
 href="http://www.netfilter.org">http://www.netfilter.org</a>.          
                     </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
@ -734,15 +733,15 @@ mailing         list    archives    at <a
   as   'closed'         rather       than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-                            always    rejects connection requests on TCP
+                            always    rejects connection requests on TCP port
-port     113    rather       than     dropping        them. This is    necessary 
+    113    rather       than     dropping        them. This is    necessary
-  to  prevent    outgoing     connection       problems to   services    that
+   to  prevent    outgoing     connection       problems to   services  
-  use  the    'Auth'  mechanism     for identifying       requesting  users.
+ that   use  the    'Auth'  mechanism     for identifying       requesting
-   Shorewall       also  rejects TCP      ports 135, 137 and    139  as well
+ users.    Shorewall       also  rejects TCP      ports 135, 137 and    139
-  as  UDP ports     137-139.    These are   ports that are    used  by  Windows
+ as well   as  UDP ports     137-139.    These are   ports that are    used
-   (Windows  <u>can</u>   be configured    to use the DCE cell locator  
+ by  Windows    (Windows  <u>can</u>   be configured    to use the DCE cell
-    on port  135). Rejecting   these  connection   requests   rather than
+locator       on port  135). Rejecting   these  connection   requests   rather
-dropping   them    cuts down  slightly on the amount   of Windows  chatter 
+than dropping   them    cuts down  slightly on the amount   of Windows  chatter
 on LAN segments      connected       to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
@ -755,22 +754,21 @@ server       in   violation          of   your     Service    Agreement.</p>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
                            section about    UDP scans. If nmap gets <b>nothing</b> 
          back     from     your     firewall   then it reports    the port
-  as   open.     If you    want to   see  which    UDP ports are  really open,
+   as   open.     If you    want to   see  which    UDP ports are  really
-     temporarily      change    your net-&gt;all     policy    to REJECT,
+open,      temporarily      change    your net-&gt;all     policy    to REJECT, 
 restart     Shorewall   and   do    the   nmap UDP scan again.<br>
   </p>
 <h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how 
 I change my rules. </h4>
   I had a rule that allowed telnet from my local network to my firewall; 
-I  removed that rule and restarted Shorewall but my telnet session still
+I  removed that rule and restarted Shorewall but my telnet session still works!!!<br>
 works!!!<br>
   <br>
   <b>Answer: </b> Rules only govern the establishment of new connections.
-Once a connection is established through the firewall it will be usable until
+ Once a connection is established through the firewall it will be usable
- disconnected (tcp) or until it times out (other protocols).  If you stop
+until  disconnected (tcp) or until it times out (other protocols).  If you
-telnet and try to establish a new session your firerwall will block that
+stop telnet and try to establish a new session your firerwall will block
-attempt.<br>
+that attempt.<br>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
                            can't ping through the firewall</h4>
@ -796,11 +794,11 @@ the   first   command    in the file is ". /etc/shorewall/common.def"<br>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written 
                             and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
-(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
+syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
-(see "man openlog") and you get to choose the log level (again, see "man
+facility (see "man openlog") and you get to choose the log level (again,
-syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
+see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
- href="Documentation.htm#Rules">rules</a>. The destination for messaged 
+ and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
                           When you have changed /etc/syslog.conf, be sure
 to   restart        syslogd        (on    a  RedHat system, "service syslog
@ -860,12 +858,12 @@ to   log    all messages,  set: </p>
                             <li>They are corrupted reply packets.</li>
 </ol>
-                          You can distinguish the difference by setting the 
+                           You can distinguish the difference by setting
- <b>logunclean</b>         option   (<a
+the   <b>logunclean</b>         option   (<a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)     
    on   your external interface (eth0 in the above example). If they  get
-    logged    twice,  they are corrupted. I solve this problem by using  an
+     logged    twice,  they are corrupted. I solve this problem by using
- /etc/shorewall/common         file like this:<br>
+ an  /etc/shorewall/common         file like this:<br>
 <blockquote>                     
  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
@ -903,10 +901,10 @@ to   log    all messages,  set: </p>
   that     command        work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into 
-                            a safe state whereby only those hosts listed
+                            a safe state whereby only those hosts listed in
-in   /etc/shorewall/routestopped'              are    activated.        
+  /etc/shorewall/routestopped'              are    activated.         If
-If you   want to totally open up your  firewall,          you  must    use
+you   want to totally open up your  firewall,          you  must    use the
-the 'shorewall           clear' command.  </p>
+'shorewall           clear' command.  </p>
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, 
                I get messages about insmod failing -- what's wrong?</h4>
@ -950,9 +948,9 @@ the 'shorewall           clear' command.  </p>
                                                          </div>
 <div align="left">       
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The
-   zone is defined as all hosts that are connected through eth0 and the local
+Net    zone is defined as all hosts that are connected through eth0 and the
-   zone is defined as all hosts connected through eth1</p>
+local    zone is defined as all hosts connected through eth1</p>
                                                          </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
@ -983,8 +981,8 @@ the 'shorewall           clear' command.  </p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
                            and it has an  internal web server that allows 
- me   to   configure/monitor                  it   but as expected if I 
+ me   to   configure/monitor                  it   but as expected if I  enable
-enable     rfc1918   blocking for my  eth0     interface          (the  internet
+    rfc1918   blocking for my  eth0     interface          (the  internet 
 one),    it also   blocks  the cable  modems    web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
@ -992,8 +990,9 @@ one),    it also   blocks  the cable  modems    web server.</h4>
          address         of   the    modem  in/out but still block all other 
    rfc1918      addresses?</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall
-than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
+earlier than      1.3.1, create /etc/shorewall/start and in it, place the
 following:</p>
 <div align="left">       
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -1030,9 +1029,9 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                                                        </p>
 <p align="left">Note: If you add a second IP address to your external firewall 
-                           interface to correspond to the modem address,
+                           interface to correspond to the modem address, you
-you    must     also     make     an   entry      in /etc/shorewall/rfc1918
+   must     also     make     an   entry      in /etc/shorewall/rfc1918 for
-for   that address.     For    example,    if you   configure      the address 
+  that address.     For    example,    if you   configure      the address
  192.168.100.2 on   your  firewall,    then   you would   add two entries
      to /etc/shorewall/rfc1918:      <br>
                                                        </p>
@ -1071,10 +1070,10 @@ for   that address.     For    example,    if you   configure      the address
                                                          </div>
 <div align="left">       
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
-   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
-1918    filtering on my external interface, my DHCP client cannot renew its
+RFC 1918    filtering on my external interface, my DHCP client cannot renew
-lease.</h4>
+its lease.</h4>
                                                           </div>
 <div align="left">       
@ -1115,7 +1114,9 @@ firewall     to the internet.</p>
 <h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages 
                            all  over my console making it unusable!</h4>
-<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
+<p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4
 or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
 the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command 
                            to your startup    scripts or place it in /etc/shorewall/start. 
                  Under      RedHat,    the max log level    that is sent 
 to   the    console        is   specified     in /etc/sysconfig/init    in 
@ -1125,12 +1126,12 @@ the      LOGLEVEL    variable.<br>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting 
                logged?</h4>
                                                      <b>Answer: </b>Logging
- occurs    out   of  a  number    of  chains    (as   indicated      in  the
+  occurs    out   of  a  number    of  chains    (as   indicated      in
- log message)     in Shorewall:<br>
+ the  log message)     in Shorewall:<br>
 <ol>
-                                                       <li><b>man1918 - </b>The
+                                                        <li><b>man1918 -
-   destination       address     is  listed    in  /etc/shorewall/rfc1918
+    </b>The    destination       address     is  listed    in  /etc/shorewall/rfc1918 
   with a <b>logdrop           </b>target     --  see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                                        <li><b>rfc1918</b>
@ -1139,19 +1140,18 @@ the      LOGLEVEL    variable.<br>
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                                       <li><b>all2&lt;zone&gt;</b>, 
         <b>&lt;zone&gt;2all</b>             or      <b>all2all          
-    </b>-       You have a<a href="Documentation.htm#Policy"> policy</a>
+   </b>-       You have a<a href="Documentation.htm#Policy"> policy</a> that
-that     specifies      a  log level              and this packet is being
+    specifies      a  log level              and this packet is being logged
-logged under that policy.         If you  intend        to   ACCEPT this
+under that policy.         If you  intend        to   ACCEPT this traffic
-traffic then you need a  <a href="Documentation.htm#Rules">rule</a>   to
+then you need a  <a href="Documentation.htm#Rules">rule</a>   to that effect.<br>
 that effect.<br>
                                                       </li>
                                                        <li><b>&lt;zone1&gt;2&lt;zone2&gt; 
            </b>-    Either    you   have   a<a
 href="Documentation.htm#Policy">  policy</a> for       <b>&lt;zone1&gt; 
       </b>to       <b>&lt;zone2&gt;</b>  that specifies   a log level and 
   this     packet is being         logged under that policy   or this packet 
-      matches    a     <a href="Documentation.htm#Rules">rule</a>   that
+      matches    a     <a href="Documentation.htm#Rules">rule</a>   that includes
-includes       a log level.</li>
+      a log level.</li>
                                                 <li><b>&lt;interface&gt;_mac</b> 
    -  The   packet    is  being    logged    under    the      <b>maclist</b> 
        <a href="Documentation.htm#Interfaces">interface     option</a>.<br>
@ -1168,17 +1168,18 @@ includes       a log level.</li>
 -  The   packet    is  being    logged    because     the   source    IP 
 is  blacklisted   in   the<a href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist 
            </a>file.</li>
-                                                       <li><b>newnotsyn </b>- 
+                                                        <li><b>newnotsyn
-  The  packet    is  being    logged    because     it  is  a  TCP   packet 
+    </b>-    The  packet    is  being    logged    because     it  is  a
-  that  is not part   of  any current    connection    yet  it   is not a 
+ TCP   packet    that  is not part   of  any current    connection    yet
-syn   packet.    Options   affecting  the logging    of such  packets   include 
+ it   is not a  syn   packet.    Options   affecting  the logging    of such
-        <b>NEWNOTSYN          </b>and        <b>LOGNEWNOTSYN        </b>in 
+ packets   include          <b>NEWNOTSYN          </b>and        <b>LOGNEWNOTSYN
-         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+       </b>in           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                                       <li><b>INPUT</b> or
     <b>FORWARD</b>        -  The   packet    has   a  source    IP  address
    that isn't in any    of   your  defined   zones    ("shorewall    check"
-   and  look at the    printed   zone  definitions)   or   the chain is FORWARD 
+    and  look at the    printed   zone  definitions)   or   the chain is
-  and   the destination     IP   isn't  in any of your   defined    zones.</li>
+FORWARD    and   the destination     IP   isn't  in any of your   defined
   zones.</li>
                                              <li><b>logflags </b>- The packet
   is  being    logged    because     it  failed    the   checks implemented
   by the     <b>tcpflags        </b><a
@ -1204,9 +1205,9 @@ the    tcrules   file are simply being ignored.<br>
  the    internet?</b><br>
                                             </h4>
                                             Yes. Consult the <a
- href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that
+ href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that you
-you used during your initial setup for information about      how to set
+used during your initial setup for information about      how to set  up
- up rules for your server.<br>
+rules for your server.<br>
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; 
                     what are they?<br>
@ -1221,10 +1222,10 @@ you used during your initial setup for information about      how to set
                                           <b>Answer: </b>While most people 
 associate      the   Internet     Control     Message     Protocol (ICMP) 
 with 'ping',    ICMP  is   a key piece    of  the internet.     ICMP   is 
-  used to report    problems  back  to the sender    of a packet; this  
+  used to report    problems  back  to the sender    of a packet; this   is
-is   what  is happening     here. Unfortunately,  where NAT   is involved
+  what  is happening     here. Unfortunately,  where NAT   is involved (including
-(including      SNAT,  DNAT    and Masquerade),  there  are a lot  of broken
+     SNAT,  DNAT    and Masquerade),  there  are a lot  of broken implementations.
-implementations.     That is    what you are seeing with   these messages.<br>
+    That is    what you are seeing with   these messages.<br>
                                           <br>
                                          Here is my interpretation of what 
 is  happening     --  to  confirm     this   analysis,    one would have 
@ -1233,22 +1234,22 @@ to have  packet sniffers     placed  a both    ends of   the connection.<br>
                                          Host 172.16.1.10 behind NAT gateway 
  206.124.146.179         sent   a  UDP   DNS   query    to 192.0.2.3 and 
 your  DNS server tried     to   send a  response   (the response   information 
-  is in the brackets   --  note   source  port 53 which   marks this as 
+  is in the brackets   --  note   source  port 53 which   marks this as  a
-a  DNS reply).  When the   response   was  returned  to to 206.124.146.179,
+ DNS reply).  When the   response   was  returned  to to 206.124.146.179, 
-   it rewrote  the destination    IP  TO 172.16.1.10   and forwarded the
+   it rewrote  the destination    IP  TO 172.16.1.10   and forwarded the packet
-packet  to  172.16.1.10  who no longer    had  a connection   on UDP port
+ to  172.16.1.10  who no longer    had  a connection   on UDP port 2857.
-2857. This causes    a port unreachable    (type 3, code  3) to   be generated
+This causes    a port unreachable    (type 3, code  3) to   be generated back
-back to 192.0.2.3.   As this packet  is sent  back through  206.124.146.179,
+to 192.0.2.3.   As this packet  is sent  back through  206.124.146.179, 
  that box correctly   changes the  source address  in the packet  to 206.124.146.179 
     but doesn't   reset the DST IP in the original   DNS response  similarly. 
     When the ICMP reaches your firewall (192.0.2.3),   your firewall  has 
  no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't 
      appear to be related   to anything that was sent. The final   result 
- is   that the packet gets logged   and dropped in the all2all chain. I 
+ is   that the packet gets logged   and dropped in the all2all chain. I  have
-have   also  seen cases where the source   IP in the ICMP itself isn't set
+  also  seen cases where the source   IP in the ICMP itself isn't set back
-back   to the  external IP of the remote NAT   gateway; that causes your
+  to the  external IP of the remote NAT   gateway; that causes your firewall
-firewall   to  log  and drop the packet out of the   rfc1918 chain because
+  to  log  and drop the packet out of the   rfc1918 chain because the source
-the source   IP is  reserved by RFC 1918.<br>
+  IP is  reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that 
                 I want to <b>run when Shorewall starts.</b> Which file do 
@ -1258,22 +1259,21 @@ one   of  the   <a href="shorewall_extension_scripts.htm">Shorewall Extension
 Scripts</a>.     Be sure that you look at the contents of the chain(s) that
 you will be  modifying              with your commands to be sure that the
 commands will  do what they     are    intended.    Many iptables commands
-published in HOWTOs and other    instructional    material    use the -A command
+ published in HOWTOs and other    instructional    material    use the -A
-which adds the rules to  the  end of the chain.    Most chains    that Shorewall
+command which adds the rules to  the  end of the chain.    Most chains  
-constructs end with  an  unconditional DROP,   ACCEPT or REJECT    rule and
+ that Shorewall constructs end with  an  unconditional DROP,   ACCEPT or
-any rules that you  add  after that will be ignored.   Check "man iptables"
+REJECT    rule and any rules that you  add  after that will be ignored. 
-  and look at the  -I (--insert)  command.<br>
+ Check "man iptables"   and look at the  -I (--insert)  command.<br>
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your 
                web site?</h4>
                                 The Shorewall web site is almost font neutral
-  (it  doesn't     explicitly       specify fonts except on a few pages) so
+   (it  doesn't     explicitly       specify fonts except on a few pages)
-  the fonts you  see   are largely   the   default fonts configured  in your
+so   the fonts you  see   are largely   the   default fonts configured  in
-  browser.  If you  don't   like them then  reconfigure   your browser.<br>
+your   browser.  If you  don't   like them then  reconfigure   your browser.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say 
-              the ssh port only<b> from specific IP Addresses</b> on the
+              the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
 internet?</h4>
                              In the SOURCE column of the rule, follow "net"
  by  a  colon    and   a  list   of  the host/subnet addresses as a comma-separated 
    list.<br>
@ -1292,14 +1292,10 @@ internet?</h4>
                 <br>
                 <font color="#009900"><b>    /sbin/shorewall version</b></font><br>
   <br>
-                <font size="2">Last updated 4/14/2003 - <a
+                 <font size="2">Last updated 5/29/2003 - <a
 href="support.htm">Tom     Eastep</a></font>        
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -41,9 +41,9 @@
             it to your Linux system.</b></p>
                                             </li>
                                <li>                                    
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory
+untar the archive, replace the        'firewall' script in the untarred directory 
             with the one you downloaded        below, and then run install.sh.</b></p>
                                             </li>
                                <li>                                    
@ -76,8 +76,8 @@ running     1.3.7c.</font></b><br>
 color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3 
       on RH7.2</a></font></b></li>
                                <li>                            <b><a
- href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and            RedHat
+ href="#Debug">Problems      with   kernels  &gt;= 2.4.18 and           
-iptables</a></b></li>
+RedHat iptables</a></b></li>
                                <li><b><a href="#SuSE">Problems installing/upgrading 
     RPM   on  SuSE</a></b></li>
                                <li><b><a href="#Multiport">Problems with 
@ -93,21 +93,35 @@ iptables     version     1.2.7    and       MULTIPORT=Yes</a></b></li>
 <h3></h3>
 <h3>1.4.4-1.4.4a</h3>
 <ul>
  <li>Log messages are being displayed on the system console even though
 the log level for the console is set properly according to <a
 href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
      <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
 target="_top">this firewall script</a> in /usr/share/shorewall/firewall
 as described above.<br>
  </li>
 </ul>
 <h3>1.4.4<br>
  </h3>
 <ul>
   <li> If you have zone names that are 5 characters long, you may experience 
 problems starting Shorewall because the --log-prefix in a logging rule is 
 too long. Upgrade to Version 1.4.4a to fix this problem..</li>
 </ul>
 <h3>1.4.3</h3>
 <ul>
    <li>The LOGMARKER variable introduced in version 1.4.3 was intended to
 allow integration of Shorewall with Fireparse (http://www.firewparse.com).
-Unfortunately, LOGMARKER only solved part of the integration problem. I have 
+ Unfortunately, LOGMARKER only solved part of the integration problem. I
-implimented a new LOGFORMAT variable which will replace LOGMARKER which has 
+have  implimented a new LOGFORMAT variable which will replace LOGMARKER which
-completely solved this problem and is currently in production with fireparse 
+has  completely solved this problem and is currently in production with fireparse
 here at shorewall.net. The updated files may be found at <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
@ -120,11 +134,11 @@ See the 0README.txt file for details.<br>
 <ul>
      <li>When an 'add' or 'delete' command is executed, a temporary directory
- created in /tmp is not being removed. This problem may be corrected by installing 
+  created in /tmp is not being removed. This problem may be corrected by
-     <a
+installing       <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
- target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
+ target="_top">this firewall script</a> in /usr/share/shorewall/firewall
-described ablve. <br>
+as described above. <br>
      </li>
 </ul>
@ -162,9 +176,9 @@ expected<br>
 <h3>1.4.0</h3>
 <ul>
-        <li>When running under certain shells Shorewall will attempt to create
+         <li>When running under certain shells Shorewall will attempt to
-   ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
+create    ECN rules even when /etc/shorewall/ecn is empty. You may either
-   /etc/shorewall/ecn or you can install <a
+just remove    /etc/shorewall/ecn or you can install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this 
   correct script</a> in /usr/share/shorewall/firewall as described above.<br>
         </li>
@ -196,11 +210,11 @@ have     also     built            an <a
    <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat 
-             has   released an iptables-1.2.4 RPM of their own which you
+             has   released an iptables-1.2.4 RPM of their own which you can
-can    download         from<font color="#ff6633">   <a
+   download         from<font color="#ff6633">   <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
-                </font>I have installed this RPM   on my firewall and it
+                </font>I have installed this RPM   on my firewall and it works
-works      fine.</p>
+     fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself, 
             the patches are available         for download. This <a
@ -219,8 +233,8 @@ works      fine.</p>
  </ul>
                                        </blockquote>
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18               and
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
-RedHat iptables</h3>
+and RedHat iptables</h3>
 <blockquote>                      
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 
@ -244,8 +258,8 @@ RedHat iptables</h3>
             RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict         with kernel &lt;=
-  2.2 yet you have a 2.4 kernel               installed, simply use the "--nodeps" 
+   2.2 yet you have a 2.4 kernel               installed, simply use the
-  option to                    rpm.</p>
+"--nodeps"    option to                    rpm.</p>
 <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -255,8 +269,8 @@ RedHat iptables</h3>
   MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made         an incompatible
-  change to the syntax used to            specify multiport match rules; as
+   change to the syntax used to            specify multiport match rules;
-  a consequence,                   if you install iptables 1.2.7 you must 
+as   a consequence,                   if you install iptables 1.2.7 you must
 be  running                           Shorewall 1.3.7a or later or:</p>
 <ul>
@ -274,25 +288,26 @@ be  running                           Shorewall 1.3.7a or later or:</p>
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
                           </h3>
-                       /etc/shorewall/nat entries of the following form will
+                        /etc/shorewall/nat entries of the following form
-  result    in  Shorewall     being unable to start:<br>
+will   result    in  Shorewall     being unable to start:<br>
                        <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                        Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-                       The solution is to put "no" in the LOCAL column. Kernel
+                        The solution is to put "no" in the LOCAL column.
-   support     for   LOCAL=yes   has never worked properly and 2.4.18-10
+Kernel    support     for   LOCAL=yes   has never worked properly and 2.4.18-10 
 has    disabled  it.   The  2.4.19 kernel   contains corrected support under 
 a  new  kernel configuraiton    option; see <a
 href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 5/27/2003 -   <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">  Last updated 5/29/2003 -   <a href="support.htm">Tom
-</p>
+Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/mailing_list.htm
+++ b/STABLE/documentation/mailing_list.htm
@ -33,14 +33,15 @@
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35" alt="">
                                  </a>                                  
      <p align="right"><font color="#ffffff"><b>      </b></font>     </p>
                                  </td>
                    <td valign="middle" width="34%" align="center">     
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
                    </td>
-                   <td valign="middle" width="33%">                     <a
+                    <td valign="middle" width="33%">                    
- href="http://www.postfix.org/">       <img
+      <a href="http://www.postfix.org/">       <img
 src="images/postfix-white.gif" align="right" border="0" width="124"
 height="66" alt="(Postfix Logo)">
                                  </a><br>
@ -71,43 +72,46 @@
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
-<p align="left">You can report such problems by sending mail to tmeastep
+<p align="left">You can report such problems by sending mail to tmeastep at
-at hotmail dot com.</p>
+hotmail dot com.</p>
 <h2>A Word about the SPAM Filters at Shorewall.net <a
 href="http://osirusoft.com/"> </a></h2>
-<p>Please note that the mail server                     at shorewall.net
+<p>Please note that the mail server                     at shorewall.net checks
-checks incoming mail:<br>
+incoming mail:<br>
                        </p>
 <ol>
                          <li>against <a href="http://spamassassin.org">Spamassassin</a>
        (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
                  </li>
-                         <li>to ensure that the sender address is fully qualified.</li>
+                          <li>to ensure that the sender address is fully
 qualified.</li>
                          <li>to verify that the sender's domain has an A 
 or  MX  record    in  DNS.</li>
                          <li>to ensure that the host name in the HELO/EHLO 
 command    is  a  valid    fully-qualified  DNS name that resolves.</li>
  <li>to ensure that the client system has a valid PTR record in DNS.<br>
  </li>
 </ol>
 <h2>Please post in plain text</h2>
                  A growing number of MTAs serving list subscribers are rejecting
    all   HTML   traffic. At least one MTA has gone so far as to blacklist
-shorewall.net     "for  continuous abuse" because it has been my policy to 
+ shorewall.net     "for  continuous abuse" because it has been my policy
-allow HTML in  list   posts!!<br>
+to  allow HTML in  list   posts!!<br>
                  <br>
                  I think that blocking all HTML is a Draconian way to control
   spam    and   that the ultimate losers here are not the spammers but the
  list subscribers      whose MTAs are bouncing all shorewall.net mail. As
-one list subscriber   wrote  to me privately "These e-mail admin's need to 
+ one list subscriber   wrote  to me privately "These e-mail admin's need
-get a <i>(explitive   deleted)</i>  life instead of trying to rid the planet 
+to  get a <i>(explitive   deleted)</i>  life instead of trying to rid the
-of HTML based e-mail".   Nevertheless,  to allow subscribers to receive list 
+planet  of HTML based e-mail".   Nevertheless,  to allow subscribers to receive
- posts as must as possible,   I have now  configured the list server at shorewall.net 
+list   posts as must as possible,   I have now  configured the list server
- to strip all HTML   from outgoing  posts. This means that HTML-only posts 
+at shorewall.net   to strip all HTML   from outgoing  posts. This means that
- will be bounced by  the list server.<br>
+HTML-only posts   will be bounced by  the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
               </p>
@ -151,19 +155,19 @@ stripping <i>Received:</i>      headers to circumvent those policies.<br>
 name="words" value="">    <input type="submit" value="Search"> </p>
                            </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the
+<h2 align="left"><font color="#ff0000">Please do not try to download the entire
-entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
+Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-won't stand the traffic. If I catch you, you will be blacklisted.<br>
+stand the traffic. If I catch you, you will be blacklisted.<br>
                     </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
-                         If you want to trust X.509 certificates issued by
+                          If you want to trust X.509 certificates issued
- Shoreline     Firewall     (such   as the one used on my web site), you
+by  Shoreline     Firewall     (such   as the one used on my web site), you 
 may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
-            in your browser. If you don't wish to trust my certificates then 
+             in your browser. If you don't wish to trust my certificates
-   you    can    either use unencrypted access when subscribing to Shorewall 
+then     you    can    either use unencrypted access when subscribing to
-   mailing    lists    or you can use secure access (SSL) and accept the server's
+Shorewall     mailing    lists    or you can use secure access (SSL) and
-   certificate     when   prompted by your browser.<br>
+accept the server's    certificate     when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
@ -173,8 +177,8 @@ may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
    to  this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
-             the <a href="http://www.shorewall.net/support.htm">problem reporting 
+              the <a href="http://www.shorewall.net/support.htm">problem
-    guidelines</a>.</b></p>
+reporting      guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list:<br>
            </p>
@ -194,9 +198,9 @@ may  <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
-<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
-may be found at <a
+list may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
@ -223,8 +227,8 @@ may be found at <a
 <h2 align="left">Shorewall Development Mailing List</h2>
 <p align="left">The Shorewall Development Mailing list provides a forum for
-             the exchange of ideas about the future of Shorewall and for coordinating
+              the exchange of ideas about the future of Shorewall and for
-            ongoing Shorewall Development.</p>
+coordinating             ongoing Shorewall Development.</p>
 <p align="left">To subscribe to the mailing list:<br>
             </p>
@ -258,16 +262,17 @@ may be found at <a
                               </li>
                               <li>                               
    <p align="left">Down at the bottom of that page is the following text:
-             " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
+              " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
- password      reminder,         or change your subscription options enter 
+a  password      reminder,         or change your subscription options enter
  your subscription              email address:". Enter your email  address
-   in the box and click      on the "<b>Unsubscribe</b> or edit options" button.</p>
+    in the box and click      on the "<b>Unsubscribe</b> or edit options"
 button.</p>
                               </li>
                               <li>                               
    <p align="left">There will now be a box where you can enter your password
              and  click on "Unsubscribe"; if you have forgotten your password,
-     there      is  another  button that will cause your password to be emailed 
+      there      is  another  button that will cause your password to be
-     to you.</p>
+emailed       to you.</p>
                               </li>
 </ul>
@ -277,13 +282,14 @@ may be found at <a
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 3/24/2003 - <a
+<p align="left"><font size="2">Last updated 5/29/2003 - <a
 href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
-© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/myfiles.htm
+++ b/STABLE/documentation/myfiles.htm
@ -35,10 +35,10 @@
  <p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
   use a combination of Static NAT and Proxy ARP, neither of which are relevant
   to a simple configuration with a single public IP address.</small></b></big><big><b><small>
-  If you have just a single public IP address, most of what you see here won't
+   If you have just a single public IP address, most of what you see here
-  apply to your setup so beware of copying parts of this configuration and
+won't   apply to your setup so beware of copying parts of this configuration
- expecting them to work for you. What you copy may or may not work in your
+and  expecting them to work for you. What you copy may or may not work in
-configuration.<br>
+your configuration.<br>
    </small></b></big></p>
  <p><big><b><small><big><font color="#ff0000">Warning 2:</font></big> </small></b></big><b>My
@ -60,7 +60,14 @@ configuration uses features introduced in Shorewall version 1.4.1.</b><br>
  192.168.1.3 and external address 206.124.146.179.</li>
                 <li>SNAT through the primary gateway address (206.124.146.176)
   for    my Wife's system (Tarry) and our  laptop (Tipper) which connects 
-through the Wireless Access Point (wap)</li>
+through the Wireless Access Point (wap) via a Wireless Bridge (bridge). <b><br>
      <br>
 Note:</b> While the distance between the WAP and where I usually use the
 laptop isn't very far (25 feet or so), using a WAC11 (CardBus wireless card)
 has proved very unsatisfactory (lots of lost connections). By replacing the
 WAC11 with the WET11 wireless bridge, I have virtually eliminated these problems
 (I was also able to eliminate them by hanging a piece of aluminum foil on
 the family room wall but Tarry rejected that as a permanent solution :-).</li>
  </ul>
@ -69,15 +76,16 @@ through the Wireless Access Point (wap)</li>
  <p> Wookie  runs Samba and acts as the a WINS server.  Wookie is in its
      own 'whitelist' zone  called 'me'.</p>
-  <p> My laptop (eastept1) is connected to eth3 using a cross-over cable. 
+  <p> My work laptop (easteplaptop) is connected to eth3 using a cross-over
-     It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall 
+cable.       It runs its own <a href="http://www.sygate.com"> Sygate</a>
-software     and is managed by Proxy ARP. It connects to the  local network 
+firewall  software     and is managed by Proxy ARP. It connects to the  local
-through a PPTP server running on Ursa. </p>
+network  through a PPTP server. running on Ursa. </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
      Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
  server    (Pure-ftpd). The system   also runs fetchmail to fetch our email
- from our    old and current ISPs. That server is managed through Proxy ARP.</p>
+  from our    old and current ISPs. That server is managed through Proxy
 ARP.</p>
  <p> The firewall system itself runs a DHCP server that serves the local
        network.</p>
@ -140,8 +148,8 @@ TEXAS=<i>&lt;ip address of gateway in Dallas&gt;<br></i>LOG=ULOG<br></pre>
 <h3>Interfaces File: </h3>
 <blockquote>       
-  <p> This is set up so that I can start the firewall before bringing up
+  <p> This is set up so that I can start the firewall before bringing up my
-my Ethernet  interfaces. </p>
+Ethernet  interfaces. </p>
                  </blockquote>
 <blockquote>      
@ -172,8 +180,8 @@ my Ethernet  interfaces. </p>
 <blockquote>       
  <p> Although most of our internal systems use static NAT, my wife's system
-      (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with 
+       (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors
-   laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
+with     laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
               </blockquote>
 <blockquote>      
@ -216,5 +224,6 @@ my Ethernet  interfaces. </p>
 <p><font size="2"><a href="support.htm">Tom Eastep</a></font>        </p>
                <a href="copyright.htm"><font size="2">Copyright</font> 
 ©  <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -41,6 +41,7 @@
      <div align="center">                                               
      <h1><font color="#ffffff">             Shorewall 1.4</font><i><font
 color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
 href="1.3" target="_top"><font color="#ffffff"><br>
@ -52,6 +53,7 @@
      <p><a href="http://www.shorewall.net" target="_top">        </a> </p>
                                                      </td>
                              </tr>
@ -78,9 +80,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-       that can be used on a dedicated firewall system, a multi-function 
+firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -89,8 +91,8 @@
      <p>This program is free software; you can redistribute it and/or modify
                                                                     it 
      under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
-General Public License</a> as published by the Free   Software          
+GNU General Public License</a> as published by the Free   Software      
     Foundation.<br>
               <br>
@ -139,6 +141,18 @@ QuickStart    Guide</a> for details.<br>
      <p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b></p>
      <p>Groan -- This version corrects a problem whereby the --log-level
 was not being set when logging via syslog. The most commonly reported symptom
 was that Shorewall messages were being written to the console even though
 console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
 16</a>.<br>
 </p>
      <p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b></p>
@ -151,8 +165,8 @@ contain '%d'.
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b><b>            </b></p>
    I apologize for the rapid-fire releases but since there is a potential
-configuration  change required to go from 1.4.3a to 1.4.4, I decided to make 
+ configuration  change required to go from 1.4.3a to 1.4.4, I decided to
-it a full release  rather than just a bug-fix release. <br>
+make  it a full release  rather than just a bug-fix release. <br>
     <br>
     <b>    Problems corrected:</b><br>
@ -176,8 +190,8 @@ with  fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>
            LOGFORMAT="fp=%s:%d a=%s "<br>
      <br>
         <b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT 
-  string (up to but not including the first '%') to find log messages in
+  string (up to but not including the first '%') to find log messages in the
-the   'show log', 'status' and 'hits' commands. This part should not be omitted
+  'show log', 'status' and 'hits' commands. This part should not be omitted 
  (the LOGFORMAT should not begin with "%") and the leading part should be 
 sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br>
         <br>
@ -196,9 +210,9 @@ the   'show log', 'status' and 'hits' commands. This part should not be omitted
  and  in the .rpm. In addition: <br>
      <ol>
-             <li>(This change is in 1.4.3 but is not documented) If you are 
+              <li>(This change is in 1.4.3 but is not documented) If you
- running  iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject 
+are   running  iptables 1.2.7a and kernel 2.4.20, then Shorewall will return
- replies  as follows:<br>
+reject   replies  as follows:<br>
         a) tcp - RST<br>
         b) udp - ICMP port unreachable<br>
         c) icmp - ICMP host unreachable<br>
@ -207,9 +221,9 @@ the   'show log', 'status' and 'hits' commands. This part should not be omitted
   convention:<br>
         a) tcp - RST<br>
         b) Otherwise - ICMP port unreachable</li>
-             <li>UDP port 135 is now silently dropped in the common.def chain. 
+              <li>UDP port 135 is now silently dropped in the common.def
-  Remember that this chain is traversed just before a DROP or REJECT policy 
+chain.    Remember that this chain is traversed just before a DROP or REJECT
-  is enforced.<br>
+policy    is enforced.<br>
              </li>
      </ol>
@ -218,6 +232,7 @@ the   'show log', 'status' and 'hits' commands. This part should not be omitted
               </p>
             <b>Problems Corrected:<br>
          </b>                                                          
      <ol>
                <li>There were several cases where Shorewall would fail to
 remove    a temporary directory from /tmp. These cases have been corrected.</li>
@ -229,14 +244,16 @@ This    insures that all loopback traffic is allowed even if Netfilter connectio
      </ol>
              <b>New Features:<br>
          </b>                                                          
      <ol>
-               <li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now 
+                <li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
- supported  in the /etc/shorewall/tunnels  file.</li>
+now   supported  in the /etc/shorewall/tunnels  file.</li>
             <li>You may now change the leading portion of the --log-prefix 
 used  by Shorewall using the LOGMARKER variable in shorewall.conf. By default, 
 "Shorewall:" is used.<br>
             </li>
      </ol>
      <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b>          </b><br>
@ -274,11 +291,11 @@ This    insures that all loopback traffic is allowed even if Netfilter connectio
      <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
-          Shorewall presentation to GSLUG</a>.         The presentation is 
+           Shorewall presentation to GSLUG</a>.         The presentation
- in   HTML     format but was generated from Microsoft PowerPoint and is best
+is   in   HTML     format but was generated from Microsoft PowerPoint and
-  viewed   using    Internet Explorer (although Konqueror also seems to work
+is best   viewed   using    Internet Explorer (although Konqueror also seems
-  reasonably   well   as does Opera 7.1.0).  Neither Opera 6 nor Netscape
+to work   reasonably   well   as does Opera 7.1.0).  Neither Opera 6 nor
-work  well to view  the   presentation.<br>
+Netscape work  well to view  the   presentation.<br>
                             </blockquote>
@ -303,6 +320,7 @@ work  well to view  the   presentation.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
@ -321,6 +339,7 @@ work  well to view  the   presentation.<br>
              <b>Congratulations to Jacques and Eric on the recent release
 of  Bering    1.2!!! </b><br>
      <h2><a name="Donations"></a>Donations</h2>
                                                      </td>
@ -362,6 +381,7 @@ of  Bering    1.2!!! </b><br>
 </table>
  </center>
 </div>
 <table border="0" cellpadding="5" cellspacing="0"
@ -384,8 +404,8 @@ of  Bering    1.2!!! </b><br>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
-if       you try it and find it useful, please consider making a donation 
+but if       you try it and find it useful, please consider making a donation
                                                                     to 
           <a href="http://www.starlight.org"><font color="#ffffff">Starlight
   Children's         Foundation.</font></a> Thanks!</font></p>
@ -398,10 +418,8 @@ if       you try it and find it useful, please consider making a donation
  </tbody>                             
 </table>
-<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                              <br>
 </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -59,13 +59,13 @@
         in 1999 and had DSL service installed in our       home. I investigated 
       ipchains  and developed the scripts which are now collectively known
   as   <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>.
-  Expanding       on what I learned from Seattle Firewall, I then       designed 
+   Expanding       on what I learned from Seattle Firewall, I then      
-  and wrote      Shorewall. </p>
+designed    and wrote      Shorewall. </p>
 <p>I telework from our <a
 href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
- href="http://www.cityofshoreline.com">Shoreline,        Washington</a>  where
+ href="http://www.cityofshoreline.com">Shoreline,        Washington</a> 
-I live with my wife Tarry.  </p>
+where I live with my wife Tarry.  </p>
 <p>Our current home network consists of: </p>
@ -75,24 +75,24 @@ I live with my wife Tarry.
 system.   Serves as a PPTP server for Road Warrior access. Dual boots <a
 href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
                         <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) 
-      NIC   -  My      personal Linux System which runs Samba configured
+      NIC   -  My      personal Linux System which runs Samba configured as
-as   a  WINS  server.    This      system also has <a
+  a  WINS  server.    This      system also has <a
- href="http://www.vmware.com/">VMware</a>  installed    and      can run both
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run
-    <a href="http://www.debian.org">Debian  Woody</a> and         <a
+both     <a href="http://www.debian.org">Debian  Woody</a> and         <a
 href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
                         <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 
  NIC    - Email   (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP 
 (Pure_ftpd),   DNS  server        (Bind 9).</li>
                         <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 
 3   LNE100TX       (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 
- 1.4.2   and a DHCP         server.</li>
+1.4.4a   and a DHCP         server.</li>
                         <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 
 NIC   -  My  wife's        personal system.</li>
                         <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
 built-in     EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
  work system.</li>
    <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
-WAC11 - Our Laptop.<br>
+ WET11 - Our Laptop.<br>
    </li>
 </ul>
@ -108,8 +108,8 @@ WAC11 - Our Laptop.<br>
 src="images/poweredby.png" width="88" height="31">
                    </a><a href="http://www.compaq.com"><img border="0"
 src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
-                   </a><a href="http://www.pureftpd.org"><img border="0"
+                    </a><a href="http://www.pureftpd.org"><img
- src="images/pure.jpg" width="88" height="31">
+ border="0" src="images/pure.jpg" width="88" height="31">
                    </a><font size="4"><a href="http://www.apache.org"><img
 border="0" src="images/apache_pb1.gif" hspace="2" width="170"
 height="20">
@ -139,5 +139,6 @@ WAC11 - Our Laptop.<br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@ -7,8 +7,8 @@
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
-                                                                     <base
+                                                                        
- target="_self">
+  <base target="_self">
 </head>
  <body>
@ -30,8 +30,7 @@
 src="images/washington.jpg" border="0">
             </a></i></font><font color="#ffffff">Shorewall           1.4 
-    -                <font size="4">"<i>iptables                   made 
+    -                <font size="4">"<i>iptables                   made  easy"</i></font></font><br>
 easy"</i></font></font><br>
                                <a target="_top" href="1.3/index.html"><font
 color="#ffffff">          </font></a><a target="_top"
 href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
@ -75,8 +74,8 @@ on   a  dedicated    firewall     system,      a multi-function
      <p>This program is free software; you can redistribute it and/or modify
                                                                      it
       under      the    terms      of         <a
- href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version           2 of  the
-General Public License</a> as published by the Free   Software          
+GNU General Public License</a> as published by the Free   Software      
     Foundation.<br>
                 <br>
@ -92,9 +91,9 @@ General Public License</a> as published by the Free   Software
      You     should       have     received        a   copy     of   the 
    GNU     General          Public         License                 along
-    with    this   program;            if   not,    write  to    the    Free
+     with    this   program;            if   not,    write  to    the   
-  Software              Foundation,                   Inc.,  675     Mass
+Free   Software              Foundation,                   Inc.,  675   
-  Ave,  Cambridge,      MA    02139,       USA</p>
+ Mass   Ave,  Cambridge,      MA    02139,       USA</p>
@ -122,13 +121,24 @@ QuickStart    Guide</a> for details.<br>
      <p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b></p>
      <p>Groan -- This version corrects a problem whereby the --log-level
 was not being set when logging via syslog. The most commonly reported symptom
 was that Shorewall messages were being written to the console even though
 console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
 16</a>.<br>
 </p>
      <p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                  </b></p>
-   The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out
+    The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
- that the code in 1.4.4 restricts the length of short zone names to 4 characters.
+out  that the code in 1.4.4 restricts the length of short zone names to 4
- I've produced version 1.4.4a that restores the previous 5-character limit
+characters.  I've produced version 1.4.4a that restores the previous 5-character
- by conditionally omitting the log rule number when the LOGFORMAT doesn't
+limit  by conditionally omitting the log rule number when the LOGFORMAT doesn't 
 contain '%d'.                     
      <p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
@ -159,8 +169,8 @@ with  fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>
            LOGFORMAT="fp=%s:%d a=%s "<br>
      <br>
         <b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT 
-  string (up to but not including the first '%') to find log messages in
+  string (up to but not including the first '%') to find log messages in the
-the   'show log', 'status' and 'hits' commands. This part should not be omitted
+  'show log', 'status' and 'hits' commands. This part should not be omitted 
  (the LOGFORMAT should not begin with "%") and the leading part should be 
 sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br>
         <br>
@ -179,9 +189,9 @@ the   'show log', 'status' and 'hits' commands. This part should not be omitted
  and  in the .rpm. In addition: <br>
      <ol>
-             <li>(This change is in 1.4.3 but is not documented) If you are 
+              <li>(This change is in 1.4.3 but is not documented) If you
- running  iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject 
+are   running  iptables 1.2.7a and kernel 2.4.20, then Shorewall will return
- replies  as follows:<br>
+reject   replies  as follows:<br>
          a) tcp - RST<br>
          b) udp - ICMP port unreachable<br>
          c) icmp - ICMP host unreachable<br>
@ -190,9 +200,9 @@ the   'show log', 'status' and 'hits' commands. This part should not be omitted
   convention:<br>
          a) tcp - RST<br>
          b) Otherwise - ICMP port unreachable</li>
-             <li>UDP port 135 is now silently dropped in the common.def chain. 
+              <li>UDP port 135 is now silently dropped in the common.def
-  Remember that this chain is traversed just before a DROP or REJECT policy 
+chain.    Remember that this chain is traversed just before a DROP or REJECT
-  is enforced.<br>
+policy    is enforced.<br>
         </li>
      </ol>
@ -201,6 +211,7 @@ the   'show log', 'status' and 'hits' commands. This part should not be omitted
               </p>
              <b>Problems Corrected:<br>
          </b>                                                           
      <ol>
                <li>There were several cases where Shorewall would fail to
 remove    a temporary directory from /tmp. These cases have been corrected.</li>
@ -212,9 +223,10 @@ This    insures that all loopback traffic is allowed even if Netfilter connectio
      </ol>
               <b>New Features:<br>
          </b>                                                           
      <ol>
-               <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4)
+                <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
-   tunnels </a>are now supported in the /etc/shorewall/tunnels  file.</li>
+(6to4)    tunnels </a>are now supported in the /etc/shorewall/tunnels  file.</li>
                <li value="2">You may now change the leading portion of the 
 --log-prefix  used by Shorewall using the LOGMARKER variable in shorewall.conf. 
 By default,  "Shorewall:" is used.<br>
@ -258,8 +270,8 @@ This    insures that all loopback traffic is allowed even if Netfilter connectio
 target="_top">a Shorewall presentation to GSLUG</a>.         The presentation
          is in HTML format but was generated from Microsoft PowerPoint and
  is   best     viewed using Internet Explorer (although Konqueror also seems
- to   work reasonably    well as does Opera 7.1.0). Neither Opera 6 nor Netscape 
+  to   work reasonably    well as does Opera 7.1.0). Neither Opera 6 nor
-    work well to view  the presentation.</blockquote>
+Netscape      work well to view  the presentation.</blockquote>
@ -296,17 +308,18 @@ This    insures that all loopback traffic is allowed even if Netfilter connectio
 border="0" src="images/leaflogo.gif" width="49" height="36"
 alt="(Leaf Logo)">
-            </a>Jacques        Nilo       and     Eric     Wolzak       have
+             </a>Jacques        Nilo       and     Eric     Wolzak      
-      a   LEAF  (router/firewall/gateway                        on  a  floppy,
+have       a   LEAF  (router/firewall/gateway                        on 
-      CD    or compact     flash)  distribution                called   
+a  floppy,       CD    or compact     flash)  distribution              
-             <i>Bering</i>          that          features              
+ called                 <i>Bering</i>          that          features   
-Shorewall-1.3.14         and    Kernel-2.4.20.          You    can     find
+           Shorewall-1.3.14         and    Kernel-2.4.20.          You  
-        their    work at:                <a
+ can     find         their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                    <b>Congratulations          to  Jacques     and   Eric
   on   the     recent    release     of  Bering       1.2!!!        </b><br>
      <h1 align="center"><b><a href="http://www.sf.net"><img
 align="left" alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -397,8 +410,8 @@ Shorewall-1.3.14         and    Kernel-2.4.20.          You    can     find
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
-if       you try it and find it useful, please consider making a donation 
+but if       you try it and find it useful, please consider making a donation
                                                                      to
            <a href="http://www.starlight.org"><font color="#ffffff">Starlight
    Children's         Foundation.</font></a> Thanks!</font></p>
@ -411,11 +424,8 @@ if       you try it and find it useful, please consider making a donation
  </tbody>                               
 </table>
-<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font>
                                                               <br>
 </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -51,9 +51,9 @@ solutions    to  more than 20 common      problems.                 </li>
                             <li>                                   The 
       <a href="http://www.shorewall.net/errata.htm">   Errata</a> has links 
  to  download        updated     components.         </li>
-                             <li>                                   The Site
+                              <li>                                   The
-  and   Mailing        List   Archives     search facility can locate documents
+Site   and   Mailing        List   Archives     search facility can locate
-  and  posts    about         similar   problems:         </li>
+documents   and  posts    about         similar   problems:         </li>
 </ul>
@ -104,28 +104,28 @@ solutions    to  more than 20 common      problems.                 </li>
 <ul>
                                       <li>Please remember we only know what
  is  posted    in  your   message.      Do  not  leave out any information
- that  appears   to be  correct,    or was   mentioned    in  a previous post.
+  that  appears   to be  correct,    or was   mentioned    in  a previous
- There  have  been countless   posts   by people   who were   sure  that
+post.  There  have  been countless   posts   by people   who were   sure
-some  part  of their     configuration  was correct  when  it actually  
+ that some  part  of their     configuration  was correct  when  it actually
-contained   a  small error.     We tend to be  skeptics where  detail   is
+  contained   a  small error.     We tend to be  skeptics where  detail 
-lacking.<br>
+ is lacking.<br>
                                         <br>
                                       </li>
                                       <li>Please keep in mind that you're
-asking    for       <strong>free</strong>            technical  support. Any
+ asking    for       <strong>free</strong>            technical  support.
-help  we  offer   is an act of generosity, not    an   obligation.    Try
+Any help  we  offer   is an act of generosity, not    an   obligation.  
- to make   it easy  for us to help you. Follow good,    courteous   practices
+ Try  to make   it easy  for us to help you. Follow good,    courteous  
-   in  writing and formatting your e-mail. Provide   details that   we need
+practices    in  writing and formatting your e-mail. Provide   details that
-if  you  expect good  answers. <em>Exact quoting     </em>  of error messages,
+  we need if  you  expect good  answers. <em>Exact quoting     </em>  of
- log  entries,  command output, and other output  is better   than a paraphrase
+error messages,  log  entries,  command output, and other output  is better
-  or  summary.<br>
+  than a paraphrase   or  summary.<br>
                                         <br>
                                       </li>
                                       <li>                             
-    Please    don't    describe     your   environment   and then  ask  us
+     Please    don't    describe     your   environment   and then  ask 
-  to  send   you             custom     configuration   files.   We're here 
+us   to  send   you             custom     configuration   files.   We're
-  to answer     your  questions     but    we           can't   do your  
+here    to answer     your  questions     but    we           can't   do
-job for you.<br>
+your   job for you.<br>
                                         <br>
                                              </li>
                                       <li>When reporting a problem, <strong>ALWAYS</strong> 
@ -184,6 +184,7 @@ are   running<br>
                                           <font color="#009900"><b>lsmod</b></font><br>
                                         </li>
  </ul>
 </ul>
@ -191,10 +192,10 @@ are   running<br>
 <ul>
  <ul>
-              <li><font color="#ff0000"><u><i><big><b>If you are having connection
+               <li><font color="#ff0000"><u><i><big><b>If you are having
-      problems of        any kind then:</b></big></i></u></font><br>
+connection       problems of        any kind then:</b></big></i></u></font><br>
                              <br>
-                         1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
+                          1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
                              <br>
                          2. Try the connection that is failing.<br>
                              <br>
@ -229,17 +230,17 @@ the SMTP headers  of your post).<br>
                        <strong></strong></li>
                      <li>Do you see  any   "Shorewall"      messages ("<b><font
 color="#009900">/sbin/shorewall  show   log</font></b>")            when 
-           you exercise the function that is giving   you problems? If  
+           you exercise the function that is giving   you problems? If   so,
-so,    include    the message(s) in your post along with a  copy of your
+   include    the message(s) in your post along with a  copy of your /etc/shorewall/interfaces
-/etc/shorewall/interfaces               file.<br>
+              file.<br>
                        <br>
                      </li>
                      <li>Please include any of the Shorewall configuration 
  files        (especially               the    /etc/shorewall/hosts file 
 if you have      modified    that     file)      that  you    think are  
 relevant.  If   you  include /etc/shorewall/rules,         please include 
-/etc/shorewall/policy       as well (rules are meaningless   unless     
+/etc/shorewall/policy       as well (rules are meaningless   unless      one
-one also knows the policies).<br>
+also knows the policies).<br>
                        <br>
                      </li>
                      <li>If an error occurs    when   you   try   to "<font
@ -262,20 +263,20 @@ to the Mailing   List    --   your      post      will  be rejected.</b></li>
 <h2>When using the mailing list, please post in plain text</h2>
-<blockquote>      A growing  number of MTAs serving list subscribers are rejecting
+<blockquote>      A growing  number of MTAs serving list subscribers are
-  all    HTML  traffic.  At least one MTA has gone so far as to blacklist
+rejecting   all    HTML  traffic.  At least one MTA has gone so far as to
-  shorewall.net      "for  continuous abuse" because it has been my policy
+blacklist   shorewall.net      "for  continuous abuse" because it has been
-  to  allow HTML in  list    posts!!<br>
+my policy   to  allow HTML in  list    posts!!<br>
                 <br>
-                                         I think that blocking all HTML is
+                                          I think that blocking all HTML
- a  Draconian      way   to  control     spam    and  that the ultimate losers
+is  a  Draconian      way   to  control     spam    and  that the ultimate
-  here are not    the spammers    but the   list  subscribers      whose
+losers   here are not    the spammers    but the   list  subscribers    
-MTAs   are bouncing    all shorewall.net    mail. As   one list  subscriber
+ whose MTAs   are bouncing    all shorewall.net    mail. As   one list  subscriber 
  wrote    to me privately      "These e-mail admin's   need  to get a <i>(expletive 
-    deleted)</i>  life     instead of trying to rid   the planet of HTML
+    deleted)</i>  life     instead of trying to rid   the planet of HTML based
-based   e-mail".   Nevertheless,       to allow subscribers  to  receive
+  e-mail".   Nevertheless,       to allow subscribers  to  receive list posts
-list posts   as must as possible,   I  have   now   configured the  list
+  as must as possible,   I  have   now   configured the  list  server at
- server at shorewall.net   to strip all HTML    from  outgoing  posts.<br>
+shorewall.net   to strip all HTML    from  outgoing  posts.<br>
               </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -307,10 +308,11 @@ an   MNF  license    from MandrakeSoft     then    you can  post non MNF-specifi
 href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
                      </p>
-<p align="left"><font size="2">Last Updated 5/19/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 5/28/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.4a
+VERSION=1.4.4b
 usage() # $1 = exit status
 {
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -926,7 +926,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 		eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
 		;;
 	    *)
-		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
+		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
 		;;
 	esac
@ -943,7 +943,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 		eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
 		;;
 	    *)
-		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
+		eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
 		;;
 	esac
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.4a
+VERSION=1.4.4b
 usage() # $1 = exit status
 {
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.4a
+%define version 1.4.4b
 %define release 1
 %define prefix /usr
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Thu May 29 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.4b-1
 * Tue May 27 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.4a-1
 * Thu May 22 2003 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.4a
+VERSION=1.4.4b
 usage() # $1 = exit status
 {
`@ -10,4 +10,6 @@ Changes since 1.4.3a`

	`4. Don't include log rule number when LOGFORMAT doesn't include "%d".`	`4. Don't include log rule number when LOGFORMAT doesn't include "%d".`

		`5. Add --log-level to LOG rules.`