1.3.11 release changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@347 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2002-12-04 00:02:25 +00:00 · 2002-12-04 00:02:25 +00:00 · 1ad262c7cb
commit 1ad262c7cb
parent a237911ebc
14 changed files with 3739 additions and 3589 deletions
--- a/STABLE/INSTALL
+++ b/STABLE/INSTALL
@ -24,8 +24,12 @@ o Unpack the tarball
 o cd to the shorewall-<version> directory
 o If you have an earlier version of Shoreline Firewall installed,see the
  upgrade instructions below
-o Edit the files policy, interfaces, rules, nat, proxyarp and masq to 
+o Edit the configuration files to fit your environment.
-  fit your environment.
+
  To do this, I strongly advise you to follow the instructions at:
      http://shorewall.sf.net/shorewall_quickstart_guide.htm
 o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
  Debian, then type "./install.sh".
 o For other distributions, determine where your distribution installs
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -24,6 +24,7 @@
                     <tr>
                      <td width="100%">                                 
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                      </td>
                    </tr>
@ -32,8 +33,8 @@
 </table>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
-       port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
+         port</b> 7777 to my my personal PC with IP address 192.168.1.5.
-  looked     everywhere and can't find <b>how to do it</b>.</a></p>
+I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
         but it doesn't work.<br>
@ -49,9 +50,9 @@ but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
         subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses 
-to   hosts   in  Z. Hosts in Z cannot communicate with each other using their 
+  to   hosts   in  Z. Hosts in Z cannot communicate with each other using 
-  external    (non-RFC1918 addresses) so they <b>can't access each other using
+their    external    (non-RFC1918 addresses) so they <b>can't access each 
-  their DNS   names.</b></a></p>
+other using   their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN 
        Messenger </b>with  Shorewall. What do I do?</a></p>
@ -94,13 +95,13 @@ support?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
        and it has an internel  web server that allows me to configure/monitor 
-   it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
+     it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 
-      it also blocks the <b>cable modems  web server</b></a>.</p>
+ interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
-      IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable 
+        IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I 
-     RFC 1918  filtering on my external interface, <b>my DHCP client cannot 
+enable       RFC 1918  filtering on my external interface, <b>my DHCP client 
-  renew   its lease</b>.</a></p>
+cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
        out to  the net</b></a></p>
@ -111,15 +112,21 @@ support?</a></p>
                          <b>17</b>. <a href="#faq17">How do I find out <b>why
   this   is</b> getting  <b>logged?</b></a><br>
         <br>
-     <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b> 
+         <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
-  with Shorewall, and maintain separate rulesets for different IPs?</a><br>
+ addresses</b>    with Shorewall, and maintain separate rulesets for different
 IPs?</a><br>
     <br>
     <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
  but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
    <br>
-<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
+    <b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a 
-<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
+server.  <b>Do I have to change Shorewall to allow access to my server from 
-</a> 
+the internet?<br>
  </b><br>
  </a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
 what are they?<br>
  </a><br>
 <hr>                  
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
        my my personal PC with IP address 192.168.1.5. I've looked everywhere 
@ -237,11 +244,11 @@ port</i>&gt;]</td>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-                <li>You are trying to test from inside your firewall (no, 
+                    <li>You are trying to test from inside your firewall
-that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
+(no,   that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
                    <li>You have a more basic problem with your local system
-such   as  an   incorrect default gateway configured (it should be set to
+  such   as  an   incorrect default gateway configured (it should be set
-the IP   address    of your  firewall's internal interface).</li>
+to   the IP   address    of your  firewall's internal interface).</li>
 </ul>
@ -250,29 +257,29 @@ the IP   address    of your  firewall's internal interface).</li>
        <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
-      <li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
+          <li>As root, type "iptables -t nat -Z". This clears the NetFilter 
-  in the nat table.</li>
+ counters   in the nat table.</li>
          <li>Try to connect to the redirected port from an external host.</li>
          <li>As root type "shorewall show nat"</li>
          <li>Locate the appropriate DNAT rule. It will be in a chain called
-    <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the server
+      <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the 
-('loc' in the above   examples).</li>
+ ('net' in the above   examples).</li>
-      <li>Is the packet count in the first column non-zero? If so, the connection
+          <li>Is the packet count in the first column non-zero? If so, the
-  request is reaching the firewall and is being redirected to the server.
+ connection    request is reaching the firewall and is being redirected to
-In  this case, the problem is usually a missing or incorrect default gateway
+ the server.  In  this case, the problem is usually a missing or incorrect
- setting on the server (the server's default gateway should be the IP address
+ default gateway   setting on the server (the server's default gateway should
- of the firewall's interface to the server).</li>
+ be the IP address   of the firewall's interface to the server).</li>
          <li>If the packet count is zero:</li>
  <ul>
            <li>the connection request is not reaching your server (possibly
  it  is being blocked by your ISP); or</li>
-        <li>you are trying to connect to a secondary IP address on your firewall
+            <li>you are trying to connect to a secondary IP address on your 
-  and your rule is only redirecting the primary IP address (You need to specify
+ firewall   and your rule is only redirecting the primary IP address (You 
-  the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
+need to specify   the secondary IP address in the "ORIG. DEST." column in 
- or</li>
+your DNAT rule);  or</li>
-        <li>your DNAT rule doesn't match the connection request in some other
+            <li>your DNAT rule doesn't match the connection request in some 
-  way. In that case, you may have to use a packet sniffer such as tcpdump
+ other   way. In that case, you may have to use a packet sniffer such as tcpdump
 or  ethereal to further diagnose the problem.<br>
            </li>
@ -287,25 +294,25 @@ or  ethereal to further diagnose the problem.<br>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-                <li>Having an internet-accessible server in your local network
+                    <li>Having an internet-accessible server in your local
-       is  like raising foxes in the corner of your hen house. If the server 
+ network         is  like raising foxes in the corner of your hen house.
-   is      compromised, there's nothing between that server and your other 
+If  the server     is      compromised, there's nothing between that server
- internal        systems. For the cost of another NIC and a cross-over cable, 
+and  your other   internal        systems. For the cost of another NIC and
- you can   put      your server in a DMZ such that it is isolated from your 
+a cross-over  cable,   you can   put      your server in a DMZ such that
- local systems    -     assuming that the Server can be located near the Firewall,
+it is isolated  from your   local systems    -     assuming that the Server
-  of course    :-)</li>
+can be located  near the Firewall,   of course    :-)</li>
-                <li>The accessibility problem is best solved using    <a
+                    <li>The accessibility problem is best solved using  
- href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
+     <a href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> 
-a separate DNS server for local clients) such that www.mydomain.com resolves
+(or using a separate DNS server for local clients) such that www.mydomain.com 
-to 130.141.100.69     externally and 192.168.1.5 internally. That's what
+resolves to 130.141.100.69     externally and 192.168.1.5 internally. That's 
-I do here at     shorewall.net for my local systems that use static NAT.</li>
+what I do here at     shorewall.net for my local systems that use static NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem 
         rather than a DNS solution, then assuming that your external interface 
-    is  eth0  and your internal interface is eth1  and that eth1 has IP address 
+      is  eth0  and your internal interface is eth1  and that eth1 has IP 
-    192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
+address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
         for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -394,24 +401,24 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <div align="left">                  
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
-       client to automatically restart Shorewall each time that you get a 
+         client to automatically restart Shorewall each time that you get 
-new    IP   address.</p>
+a  new    IP   address.</p>
                 </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
        subnet and I use static NAT to assign non-RFC1918 addresses to hosts 
   in   Z.  Hosts in Z cannot communicate with each other using their external 
- (non-RFC1918     addresses) so they can't access each other using their DNS
+   (non-RFC1918     addresses) so they can't access each other using their 
- names.</h4>
+ DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
-      using Bind Version 9 "views". It allows both external and internal clients
+        using Bind Version 9 "views". It allows both external and internal 
-      to access a NATed host using the host's DNS name.</p>
+ clients       to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
         static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
-addresses      and can be accessed externally and internally using the same
+  addresses      and can be accessed externally and internally using the
-address.  </p>
+same   address.  </p>
 <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
 traffic through your firewall then:</p>
@ -513,32 +520,32 @@ traffic through your firewall then:</p>
        </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
-      to    check my firewall and it shows some ports as 'closed' rather than
+        to    check my firewall and it shows some ports as 'closed' rather 
-    'blocked'.     Why?</h4>
+ than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-      always    rejects connection requests on TCP port 113 rather than dropping 
+        always    rejects connection requests on TCP port 113 rather than 
-      them. This is    necessary to prevent outgoing connection problems to
+dropping        them. This is    necessary to prevent outgoing connection 
-  services    that use the    'Auth' mechanism for identifying requesting 
+problems to   services    that use the    'Auth' mechanism for identifying 
-users.  Shorewall    also rejects TCP    ports 135, 137 and 139 as well as 
+requesting  users.  Shorewall    also rejects TCP    ports 135, 137 and 139 
-UDP ports  137-139.   These are ports that are    used by Windows (Windows 
+as well as  UDP ports  137-139.   These are ports that are    used by Windows 
-<u>can</u>  be configured   to use the DCE cell locator    on port 135). Rejecting
+(Windows  <u>can</u>  be configured   to use the DCE cell locator    on port 
-these  connection requests   rather than dropping them    cuts down slightly
+135). Rejecting these  connection requests   rather than dropping them   
-on the amount of Windows  chatter on LAN segments connected    to the Firewall.
+cuts down slightly on the amount of Windows  chatter on LAN segments connected 
-</p>
+    to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
-      your    ISP preventing you from running a web server in violation of 
+        your    ISP preventing you from running a web server in violation 
- your     Service    Agreement.</p>
+of   your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
           firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
-      section about    UDP scans. If nmap gets <b>nothing</b> back from your 
+        section about    UDP scans. If nmap gets <b>nothing</b> back from 
-   firewall   then it reports    the port as open. If you want to see which 
+your     firewall   then it reports    the port as open. If you want to see 
-  UDP ports are  really open,    temporarily change your net-&gt;all policy 
+which    UDP ports are  really open,    temporarily change your net-&gt;all 
-  to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
+policy    to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
        can't ping through the firewall</h4>
@ -564,8 +571,8 @@ on the amount of Windows  chatter on LAN segments connected    to the Firewall.
 syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
 href="Documentation.htm#Rules">rules</a>. The destination for messaged 
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
-     When you have changed /etc/syslog.conf, be sure to restart syslogd (on 
+       When you have changed /etc/syslog.conf, be sure to restart syslogd 
-  a  RedHat system, "service syslog restart"). </p>
+(on    a  RedHat system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages 
        through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
@ -585,7 +592,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                  <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
-              <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
+                  <a
 href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
       http://www.logwatch.org</a><br>
         </p>
@ -617,8 +625,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <div align="left">                  
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
-      for  problems concerning the version of iptables (v1.2.3) shipped with 
+        for  problems concerning the version of iptables (v1.2.3) shipped 
-   RH7.2.</p>
+with     RH7.2.</p>
                 </div>
 <h4 align="left">      </h4>
@ -714,10 +722,10 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
               </p>
 <p align="left">Note: If you add a second IP address to your external firewall 
-     interface to correspond to the modem address, you must also make an entry
+       interface to correspond to the modem address, you must also make an 
-     in /etc/shorewall/rfc1918 for that address. For example, if you configure
+ entry      in /etc/shorewall/rfc1918 for that address. For example, if you 
-     the address 192.168.100.2 on your firewall, then you would add two entries
+ configure      the address 192.168.100.2 on your firewall, then you would 
-     to /etc/shorewall/rfc1918:  <br>
+ add two entries      to /etc/shorewall/rfc1918:  <br>
               </p>
 <blockquote>                                             
@ -742,6 +750,7 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                       </td>
                     </tr>
    </tbody>                                             
  </table>
               </blockquote>
@ -781,8 +790,8 @@ aside,     the most common causes of this  problem are:</p>
                    <li>                                                
    <p align="left">The DNS settings on the local systems are wrong or the 
-         user is running a DNS server on the firewall and hasn't enabled UDP
+           user is running a DNS server on the firewall and hasn't enabled 
-   and   TCP    port 53 from the firewall to the internet.</p>
+ UDP    and   TCP    port 53 from the firewall to the internet.</p>
                     </li>
 </ol>
@ -797,12 +806,12 @@ aside,     the most common causes of this  problem are:</p>
             </p>
 <h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
-         <b>Answer: </b>Logging occurs out of a number of chains (as indicated
+             <b>Answer: </b>Logging occurs out of a number of chains (as
-   in  the log message) in Shorewall:<br>
+indicated      in  the log message) in Shorewall:<br>
 <ol>
-           <li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918 
+               <li><b>man1918 - </b>The destination address is listed in
-    with a <b>logdrop </b>target -- see <a
+/etc/shorewall/rfc1918       with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
               <li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918 
      with a <b>logdrop </b>target -- see <a
@ -818,34 +827,40 @@ aside,     the most common causes of this  problem are:</p>
   <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being 
     logged under that policy or this packet matches  a <a
 href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
-    <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
+        <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under 
-     <b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
+ the      <b>maclist</b> <a href="Documentation.htm#Interfaces">interface 
 option</a>.<br>
        </li>
               <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b> 
          <a href="Documentation.htm#Interfaces">interface option</a>.</li>
               <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b> 
          <a href="Documentation.htm#Interfaces">interface option</a> as specified
-    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+      in the <b>LOGUNCLEAN </b>setting in <a
-           <li><b>blacklst</b> - The packet is being logged because the source
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-   IP  is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist 
+               <li><b>blacklst</b> - The packet is being logged because the 
-        </a>file.</li>
+ source    IP  is blacklisted in the<a
-           <li><b>newnotsyn </b>- The packet is being logged because it is
+ href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
- a  TCP   packet that is not part of any current connection yet it is not
+               <li><b>newnotsyn </b>- The packet is being logged because
-a syn  packet.   Options affecting the logging of such packets include <b>NEWNOTSYN
+it  is  a  TCP   packet that is not part of any current connection yet it
-      </b>and       <b>LOGNEWNOTSYN </b>in     <a
+is not a syn  packet.   Options affecting the logging of such packets include 
    <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN </b>in     <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-          <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP 
+              <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
-address    that isn't in any of your defined zones ("shorewall check" and 
+ IP  address    that isn't in any of your defined zones ("shorewall check"
-look at the   printed zone definitions) or the chain is FORWARD and the destination
+ and  look at the   printed zone definitions) or the chain is FORWARD and
- IP  isn't in any of your defined zones.</li>
+the destination  IP  isn't in any of your defined zones.</li>
     <li><b>logflags </b>- The packet is being logged because it failed the 
 checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
     </li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
    with Shorewall, and maintain separate rulesets for different IPs?</h4>
-     <b>Answer: </b>Yes. You simply use the IP address in your rules (or
+         <b>Answer: </b>Yes. You simply use the IP address in your rules
-if  you  use NAT, use the local IP address in your rules). <b>Note:</b> The 
+(or   if  you  use NAT, use the local IP address in your rules). <b>Note:</b>
-":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
+The  ":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
  Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
  does   Shorewall.  <br>
         <br>
@ -873,24 +888,56 @@ does   Shorewall.  <br>
  but they don't seem to do anything. Why?</h4>
     You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf 
  so the contents of the tcrules file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
  to change Shorewall to allow access to my server from the internet?</b><br>
    </h4>
-Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
+    Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
-that you used during your initial setup for information about how to set
+guide</a>   that you used during your initial setup for information about
-up rules for your server.<br>
+how to set  up rules for your server.<br>
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
 what are they?<br>
  </h4>
 <blockquote>      
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
  </blockquote>
  192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
  <br>
  <b>Answer: </b>While most people associate the Internet Control Message 
 Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. ICMP is 
 used to report problems back to the sender of a packet; this is what is happening 
 here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), 
 there are a lot of broken implementations. That is what you are seeing with 
 these messages.<br>
  <br>
 Here is my interpretation of what is happening -- to confirm this analysis, 
 one out have to have packet sniffers placed a both ends of the connection.<br>
 <br>
 Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query 
 to 192.0.2.3 and your DNS server tried to send a response (the response information 
 is in the brackets -- note source port 53 which marks this as a DNS reply). 
 When the response was returned to to 206.124.146.179, it rewrote the destination 
 IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had 
 a connection on UDP port 2857. This causes a port unreachable (type 3, code 
 3) to be generated back to 192.0.2.3. As this packet is sent back through 
 206.124.146.179, that box correctly changes the source address in the packet 
 to 206.124.146.179 but doesn't reset the DST IP in the original DNS response 
 similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall 
 has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't 
 appear to be related to anything that was sent. The final result is that the
 packet gets logged and dropped in the all2all chain. I have also seen cases
 where the source IP in the ICMP itself isn't set back to the external IP
 of the remote NAT gateway; that causes your firewall to log and drop the packet
 out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
  <br>
 <div align="left">     </div>
-  <font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
+      <font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
-                          
+Eastep</a></font>                                 
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
         © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
     <br>
 </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@ -28,13 +28,18 @@
  </tbody>                  
 </table>
 <p><b>12/3/2002 - Shorewall 1.3.11a</b></p>
 <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
 excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who don't
 need rules of this type need not upgrade to 1.3.11.</p>
 <p><b>11/24/2002 - Shorewall 1.3.11</b></p>
 <p>In this version:</p>
 <ul>
   <li>A 'tcpflags' option has been added to entries in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This option
-option causes Shorewall to make a set of sanity check on TCP packet header
+causes Shorewall to make a set of sanity check on TCP packet header flags.</li>
 flags.</li>
   <li>It is now allowed to use 'all' in the SOURCE or DEST column in a <a
 href="Documentation.htm#Rules">rule</a>. When used, 'all' must appear by 
 itself (in may not be qualified) and it does not enable intra-zone traffic. 
@ -43,11 +48,13 @@ For example, the rule <br>
     ACCEPT loc all tcp 80<br>
     <br>
 does not enable http traffic from 'loc' to 'loc'.</li>
-  <li>Shorewall's use of the 'echo' command is now compatible with bash clones
+   <li>Shorewall's use of the 'echo' command is now compatible with bash
-such as ash and dash.</li>
+clones such as ash and dash.</li>
   <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules generate 
 a warning and are ignored</li>
 </ul>
 <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b></p>
 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
@ -88,9 +95,9 @@ be  defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
      <li>The main firewall script is now /usr/lib/shorewall/firewall.  The 
 script  in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
- to do the  real work. This change makes custom distributions such as for
+to do the  real work. This change makes custom distributions such as for Debian
-Debian  and  for Gentoo easier to manage since it is /etc/init.d/shorewall
+ and  for Gentoo easier to manage since it is /etc/init.d/shorewall that
-that tends  to have distribution-dependent code</li>
+tends  to have distribution-dependent code</li>
 </ul>
@ -108,9 +115,9 @@ of  <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>. Thanks
       <li>You may now <a href="IPSEC.htm#Dynamic">define the contents  of
 a  zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
-  delete" commands</a>. These commands are expected to be used primarily within
+   delete" commands</a>. These commands are expected to be used primarily
-            <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
+within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
-  scripts.</li>
+updown   scripts.</li>
       <li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
    on ethernet segments. You can specify the set of allowed MAC addresses
 on   the segment and you can optionally tie each MAC address to one or more
@ -121,11 +128,11 @@ IP  addresses.</li>
       <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
       <li>The PATH used by Shorewall may now be specified in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-      <li>The main firewall script is now /usr/lib/shorewall/firewall.  The 
+       <li>The main firewall script is now /usr/lib/shorewall/firewall. 
- script in /etc/init.d/shorewall is very small and uses /sbin/shorewall  to
+The   script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
- do the real work. This change makes custom distributions such as for Debian
+ to  do the real work. This change makes custom distributions such as for
-  and for Gentoo easier to manage since it is /etc/init.d/shorewall that
+Debian   and for Gentoo easier to manage since it is /etc/init.d/shorewall
-tends   to have distribution-dependent code.</li>
+that tends   to have distribution-dependent code.</li>
 </ul>
       You may download the Beta from:<br>
@ -166,9 +173,9 @@ tends   to have distribution-dependent code.</li>
              </p>
 <ul>
-               <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a> 
+                <li><a href="configuration_file_basics.htm#dnsnames">DNS
-    are   now allowed in Shorewall config files (although I recommend against 
+Names</a>      are   now allowed in Shorewall config files (although I recommend
-    using  them).</li>
+against      using  them).</li>
                <li>The connection SOURCE may now be qualified by both interface
    and   IP  address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
                <li>Shorewall startup is now disabled after initial installation
@ -176,8 +183,8 @@ tends   to have distribution-dependent code.</li>
    nasty surprises  during reboot for users who install Shorewall but don't
   configure it.</li>
             <li>The 'functions' and 'version' files and the 'firewall' symbolic
-   link  have been  moved from /var/lib/shorewall to /usr/lib/shorewall to 
+    link  have been  moved from /var/lib/shorewall to /usr/lib/shorewall
- appease   the LFS police at Debian.<br>
+to   appease   the LFS police at Debian.<br>
             </li>
 </ul>
@ -185,8 +192,8 @@ tends   to have distribution-dependent code.</li>
 <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
        Restored</b><br>
                       </p>
-                    <img src="images/j0233056.gif" alt="Brown Paper Bag"
+                     <img src="images/j0233056.gif"
- width="50" height="86" align="left">
+ alt="Brown Paper Bag" width="50" height="86" align="left">
                 A couple of recent configuration changes at www.shorewall.net
   broke    the  Search facility:<br>
@ -199,6 +206,7 @@ tends   to have distribution-dependent code.</li>
  </ol>
                     </blockquote>
                  Hopefully these problems are now corrected.           
 <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
       Restored<br>
               </b></p>
@ -225,8 +233,8 @@ tends   to have distribution-dependent code.</li>
                  </p>
 <ul>
-                   <li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option
+                    <li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a>
-   has   been   added  to shorewall.conf. This option determines whether
+option    has   been   added  to shorewall.conf. This option determines whether 
 Shorewall      accepts   TCP packets  which are not part of an established 
 connection   and   that are   not 'SYN' packets  (SYN flag on and ACK flag 
 off).</li>
@ -245,8 +253,8 @@ the  chain   'za2zb'   and/or  'zb2za' exists. 'za2zb' will exist if:</li>
 <ul>
                    <li>The /etc/shorewall/blacklist file now contains three
  columns.     In  addition  to the SUBNET/ADDRESS column, there are optional
- PROTOCOL   and  PORT  columns  to block only certain applications from the 
+  PROTOCOL   and  PORT  columns  to block only certain applications from
- blacklisted   addresses.<br>
+the   blacklisted   addresses.<br>
                    </li>
 </ul>
@ -287,7 +295,8 @@ the  chain   'za2zb'   and/or  'zb2za' exists. 'za2zb' will exist if:</li>
 <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
 <p>Lorenzo Martignoni reports that the packages for version 1.3.7a  are available
-        at <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
+         at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
 <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
         -- Shorewall 1.3.7a   released<img border="0"
@ -302,19 +311,19 @@ the  chain   'za2zb'   and/or  'zb2za' exists. 'za2zb' will exist if:</li>
 <p>Features in this release include:</p>
 <ul>
-                     <li>The 'icmp.def' file is now empty! The rules in that
+                      <li>The 'icmp.def' file is now empty! The rules in
-  file   were   required  in     ipchains firewalls but are not required
+that   file   were   required  in     ipchains firewalls but are not required 
 in   Shorewall.    Users   who have      ALLOWRELATED=No in <a
 href="Documentation.htm#Conf">shorewall.conf</a>    should     see the <a
 href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
                      <li>A 'FORWARDPING' option has been added to <a
 href="Documentation.htm#Conf">    shorewall.conf</a>. The effect of setting
-        this variable to Yes is the same as     the effect of adding an ACCEPT 
+         this variable to Yes is the same as     the effect of adding an
-     rule   for ICMP echo-request in    <a
+ACCEPT       rule   for ICMP echo-request in    <a
 href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.   Users
          who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.</li>
-                     <li>The loopback CLASS A Network (127.0.0.0/8) has been
+                      <li>The loopback CLASS A Network (127.0.0.0/8) has
-  added    to  the   rfc1918     file.</li>
+been   added    to  the   rfc1918     file.</li>
                      <li>Shorewall now works with iptables 1.2.7</li>
                      <li>The documentation and web site no longer uses FrontPage 
    themes.</li>
@ -328,8 +337,8 @@ in   Shorewall.    Users   who have      ALLOWRELATED=No in <a
 <p><b>8/13/2002 - Documentation in the <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
-<p>The Shorewall-docs project now contains just the HTML and image files -
+<p>The Shorewall-docs project now contains just the HTML and image files
-the   Frontpage files have been removed.</p>
+- the   Frontpage files have been removed.</p>
 <p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
@ -338,8 +347,8 @@ the   Frontpage files have been removed.</p>
           so you can always update from this branch to get the latest stable
    tree.</p>
-<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
+<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
-  to the <a href="errata.htm">Errata Page</a></b></p>
+added   to the <a href="errata.htm">Errata Page</a></b></p>
 <p>Now there is one place to go to look for issues involved with upgrading
         to   recent versions of Shorewall.</p>
@ -355,11 +364,11 @@ the   Frontpage files have been removed.</p>
 Guide.</a></li>
                      <li>Shorewall will now DROP TCP packets that are not
 part   of  or      related to an existing connection and that are not SYN
-packets.    These    "New      not SYN" packets may be optionally logged by
+ packets.    These    "New      not SYN" packets may be optionally logged
-setting  the  LOGNEWNOTSYN     option     in <a
+by setting  the  LOGNEWNOTSYN     option     in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-                     <li>The processing of "New not SYN" packets may be extended
+                      <li>The processing of "New not SYN" packets may be
-    by  commands    in     the new <a
+extended     by  commands    in     the new <a
 href="shorewall_extension_scripts.htm">newnotsyn   extension    script</a>.</li>
 </ul>
@ -406,8 +415,8 @@ guides.    Feedback   on the new guide is welcome.</p>
 <ul>
                      <li>Empty and invalid source and destination qualifiers 
-  are   now   detected   in     the rules file. It is a good idea to use
+  are   now   detected   in     the rules file. It is a good idea to use the
-the   'shorewall     check' command   before     you issue a 'shorewall restart'
+  'shorewall     check' command   before     you issue a 'shorewall restart' 
  command be  be   sure that you don't   have any     configuration problems 
  that will prevent   a successful restart.</li>
                      <li>Added <b>MERGE_HOSTS</b> variable in <a
@ -438,8 +447,8 @@ capabilities       in  this     release. </li>
 <ul>
                      <li>A new <a href="Documentation.htm#Routestopped"> 
-   /etc/shorewall/routestopped</a>        file has been added. This file
+   /etc/shorewall/routestopped</a>        file has been added. This file is
-is  intended to     eventually replace   the        <b>routestopped</b> option 
+ intended to     eventually replace   the        <b>routestopped</b> option
  in the     /etc/shorewall/interface   and /etc/shorewall/hosts    files.
 This new file makes     remote firewall   administration easier by  allowing
  any IP or subnet to be     enabled while   Shorewall is stopped.</li>
@ -448,8 +457,8 @@ This new file makes     remote firewall   administration easier by  allowing
       This script is invoked after Shorewall has       stopped.</li>
                      <li>A <b>DETECT_DNAT_ADDRS </b>option has been added
 to         <a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>.
-  When  this          option is selected, DNAT rules only apply when the destination
+   When  this          option is selected, DNAT rules only apply when the
-   address      is the     external interface's primary IP address.</li>
+destination    address      is the     external interface's primary IP address.</li>
                      <li>The <a href="shorewall_quickstart_guide.htm">QuickStart 
    Guide</a>     has     been broken into three guides and has been almost 
  entirely  rewritten.</li>
@ -479,8 +488,8 @@ now   validated      against  the     interfaces file.</li>
                      <li>The TARGET column in the rfc1918 file is now checked
   for   correctness.</li>
                      <li>The chain structure in the nat table has been changed 
-   to  reduce    the     number of rules that a packet must traverse and
+   to  reduce    the     number of rules that a packet must traverse and to
-to   correct  problems    with     NAT_BEFORE_RULES=No</li>
+  correct  problems    with     NAT_BEFORE_RULES=No</li>
                      <li>The "hits" command has been enhanced.</li>
 </ul>
@ -497,9 +506,9 @@ to   correct  problems    with     NAT_BEFORE_RULES=No</li>
 <p><b>6/19/2002 - Documentation Available in PDF Format</b></p>
-<p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
+<p>Thanks to Mike Martinez, the Shorewall Documentation is now available
- <a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
+for  <a href="download.htm">download</a> in <a
-  PDF format.</p>
+ href="http://www.adobe.com">Adobe</a>   PDF format.</p>
 <p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>
@ -520,10 +529,10 @@ has been added.</li>
 <p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>
-<p>Last weekend, I installed the CVS Web package to provide brower-based access
+<p>Last weekend, I installed the CVS Web package to provide brower-based
-  to the Shorewall CVS repository. Since then, I have had several instances
+access   to the Shorewall CVS repository. Since then, I have had several
-where   my server was almost unusable due to the high load generated by website
+instances where   my server was almost unusable due to the high load generated
-copying   tools like HTTrack and WebStripper. These mindless tools:</p>
+by website copying   tools like HTTrack and WebStripper. These mindless tools:</p>
 <ul>
                      <li>Ignore robot.txt files.</li>
@ -535,8 +544,8 @@ copying   tools like HTTrack and WebStripper. These mindless tools:</p>
 <p>These tools/weapons are particularly damaging when combined with CVS Web
           because they doggedly follow every link in the cgi-generated HTML
   resulting      in   1000s of executions of the cvsweb.cgi script. Yesterday,
-  I spend  several    hours   implementing measures to block these tools but
+   I spend  several    hours   implementing measures to block these tools
-  unfortunately,  these    measures   resulted in my server OOM-ing under 
+but   unfortunately,  these    measures   resulted in my server OOM-ing under
 even  moderate load.</p>
 <p>Until I have the time to understand the cause of the OOM (or until I buy
@ -560,11 +569,11 @@ even  moderate load.</p>
 <ul>
                      <li>Corrects a serious problem with "all <i>&lt;zone&gt;</i>
-    CONTINUE"     policies.     This problem is present in all versions of 
+     CONTINUE"     policies.     This problem is present in all versions
- Shorewall   that   support  the     CONTINUE policy. These previous versions 
+of   Shorewall   that   support  the     CONTINUE policy. These previous
- optimized   away  the "all2<i>&lt;zone&gt;</i>"      chain and replaced it
+versions   optimized   away  the "all2<i>&lt;zone&gt;</i>"      chain and
- with the "all2all"   chain with the usual result that a     policy of REJECT
+replaced it  with the "all2all"   chain with the usual result that a    
- was enforced rather   than the intended CONTINUE policy.</li>
+policy of REJECT  was enforced rather   than the intended CONTINUE policy.</li>
                      <li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
             file for defining the exact behavior of the<a
 href="Documentation.htm#Interfaces">     'norfc1918' interface option</a>.</li>
@ -578,8 +587,8 @@ even  moderate load.</p>
 <ul>
                      <li>A 'filterping' interface option that allows ICMP
-echo-request       (ping)      requests addressed to the firewall to be handled 
+ echo-request       (ping)      requests addressed to the firewall to be
-by entries     in      /etc/shorewall/rules  and /etc/shorewall/policy.</li>
+handled  by entries     in      /etc/shorewall/rules  and /etc/shorewall/policy.</li>
 </ul>
@ -602,9 +611,9 @@ by entries     in      /etc/shorewall/rules  and /etc/shorewall/policy.</li>
 <ul>
                      <li>The structure of the firewall is changed markedly.
- There    is  now   an INPUT     and a FORWARD chain for each interface; this
+  There    is  now   an INPUT     and a FORWARD chain for each interface;
- reduces    the  number   of rules that     a packet must traverse, especially
+this  reduces    the  number   of rules that     a packet must traverse,
- in complicated     setups.</li>
+especially  in complicated     setups.</li>
                      <li><a href="Documentation.htm#Exclude">Sub-zones may 
 now   be  excluded     from     DNAT and REDIRECT rules.</a></li>
                      <li>The names of the columns in a number of the configuration 
@ -624,12 +633,13 @@ by entries     in      /etc/shorewall/rules  and /etc/shorewall/policy.</li>
                      <li>Simplified rule syntax which makes the intent of
 each   rule   clearer    and     hopefully makes Shorewall easier to learn.</li>
                      <li>Upward compatibility with 1.2 configuration files 
- has   been   maintained    so     that current users can migrate to the
+ has   been   maintained    so     that current users can migrate to the new
-new  syntax   at  their convenience.</li>
+ syntax   at  their convenience.</li>
                      <li><b><font color="#cc6666">WARNING:  Compatibility
-with   the   old       parameterized sample configurations has NOT been maintained.
+ with   the   old       parameterized sample configurations has NOT been
-   Users   still        running those configurations should migrate to the
+maintained.    Users   still        running those configurations should migrate
- new  sample   configurations        before upgrading to 1.3 Beta 1.</font></b></li>
+to the  new  sample   configurations        before upgrading to 1.3 Beta
 1.</font></b></li>
 </ul>
@ -644,19 +654,19 @@ with   the   old       parameterized sample configurations has NOT been maintain
        </a>is    added.</li>
                      <li>IP addresses added under <a
 href="Documentation.htm#Conf">ADD_IP_ALIASES         and ADD_SNAT_ALIASES</a>
-    now inherit the VLSM and Broadcast Address   of  the     interface's primary
+     now inherit the VLSM and Broadcast Address   of  the     interface's
-    IP address.</li>
+primary     IP address.</li>
                      <li>The order in which port forwarding DNAT and Static
- DNAT          <a href="Documentation.htm#Conf">can now be reversed</a> so 
+  DNAT          <a href="Documentation.htm#Conf">can now be reversed</a>
- that port       forwarding    rules can override the contents of <a
+so   that port       forwarding    rules can override the contents of <a
 href="Documentation.htm#NAT">    /etc/shorewall/nat</a>.     </li>
 </ul>
 <p><b>4/30/2002 - Shorewall Debian News</b></p>
-<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the    <a
+<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the   
- href="http://packages.debian.org/testing/net/shorewall.html">Debian    
+<a href="http://packages.debian.org/testing/net/shorewall.html">Debian  
  Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian   
 Unstable Branch</a>.</p>
@ -665,7 +675,8 @@ Unstable Branch</a>.</p>
 <ul>
                      <li>The 'try' command works again</li>
-                     <li>There is now a single RPM that also works with SuSE.</li>
+                      <li>There is now a single RPM that also works with
 SuSE.</li>
 </ul>
@ -675,8 +686,8 @@ Unstable Branch</a>.</p>
 <ul>
                      <li>Shorewall 1.2.10 is in the    <a
- href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian    
-Branch</a></li>
+Testing Branch</a></li>
                      <li>Shorewall 1.2.11 is in the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian   
 Unstable Branch</a></li>
@ -723,7 +734,8 @@ from  being locked out of the firewall   in     the case where the new configura
 <p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there
         is   now a mirror of the Shorewall website at  <a target="_top"
- href="http://germany.shorewall.net">  http://germany.shorewall.net</a>. </p>
+ href="http://germany.shorewall.net">  http://germany.shorewall.net</a>.
 </p>
 <p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>
@ -752,16 +764,16 @@ Shorewall installations.</p>
 <p><b>4/2/2002 - Updated Log Parser</b></p>
 <p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated
-          version of his  <a href="pub/shorewall/parsefw/">CGI-based log parser</a>
+           version of his  <a href="pub/shorewall/parsefw/">CGI-based log
-        with corrected date   handling. </p>
+parser</a>         with corrected date   handling. </p>
 <p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
 <p>The quick search on the home page now excludes the mailing list archives.
           The <a href="htdig/search.html">Extended Search</a> allows excluding
-     the     archives or restricting the search to just the archives. An archive
+      the     archives or restricting the search to just the archives. An
-     search   form   is also available on the <a href="mailing_list.htm">mailing
+archive      search   form   is also available on the <a
-     list information    page</a>.</p>
+ href="mailing_list.htm">mailing      list information    page</a>.</p>
 <p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>
@ -791,11 +803,11 @@ Unstable Distribution</a>.</li>
 start" and if   that  results in the firewall     being stopped due to an 
 error, a "shorewall   start"  command  is executed. The     'try' command 
 allows you to create  a new <a href="Documentation.htm#Configs">    configuration</a> 
- and attempt   to start    it; if there is an error that leaves     your
+ and attempt   to start    it; if there is an error that leaves     your firewall
-firewall  in the   stopped state,    it will automatically be restarted using
+ in the   stopped state,    it will automatically be restarted using    
 the  default   configuration (in   /etc/shorewall).</li>
-                     <li>A new variable ADD_SNAT_ALIASES has been added to
+                      <li>A new variable ADD_SNAT_ALIASES has been added
-        <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.
+to         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. 
  If this           variable is set to "Yes", Shorewall will automatically 
 add IP addresses           listed in the third column of the <a
 href="Documentation.htm#Masq">     /etc/shorewall/masq</a> file.</li>
@ -809,8 +821,8 @@ firewall  in the   stopped state,    it will automatically be restarted using
 <ul>
                      <li>Filtering by <a href="Documentation.htm#MAC">MAC
-address</a>       has   been added.     MAC addresses may be used as the source
+ address</a>       has   been added.     MAC addresses may be used as the
-address   in:                                                           
+source address   in:                                                    
    <ul>
                        <li>Filtering rules (<a
@ -845,8 +857,8 @@ address   in:
 <p>Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
  problems associated with the lock file used to prevent multiple state-changing
-          operations from occuring simultaneously. My apologies for any inconvenience 
+           operations from occuring simultaneously. My apologies for any
-        my   carelessness may have caused.</p>
+inconvenience          my   carelessness may have caused.</p>
 <p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>
@ -855,9 +867,10 @@ address   in:
 <ul>
                      <li>UPnP probes (UDP destination port 1900) are now 
 silently     dropped     in the    <i>common</i> chain</li>
-                     <li>RFC 1918 checking in the mangle table has been streamlined 
+                      <li>RFC 1918 checking in the mangle table has been
-     to  no  longer     require packet marking. RFC 1918 checking in the filter
+streamlined       to  no  longer     require packet marking. RFC 1918 checking
-     table   has been     changed to require half as many rules as previously.</li>
+in the filter      table   has been     changed to require half as many rules
 as previously.</li>
                      <li>A 'shorewall check' command has been added that 
 does   a  cursory     validation      of the zones, interfaces, hosts, rules 
 and   policy  files.</li>
@ -878,9 +891,9 @@ and   policy  files.</li>
                      <li>The interfaces and hosts files now have their contents
    validated      before     any changes are made to the existing Netfilter
   configuration.     The appearance     of a zone name that isn't defined
-in  /etc/shorewall/zones     causes "shorewall     start" and "shorewall restart"
+ in  /etc/shorewall/zones     causes "shorewall     start" and "shorewall
- to abort without changing    the Shorewall state.     Unknown options in
+restart"  to abort without changing    the Shorewall state.     Unknown options
-either file cause a warning  to  be issued.</li>
+in either file cause a warning  to  be issued.</li>
                      <li>A problem occurring when BLACKLIST_LOGLEVEL was 
 not   set   has   been       corrected.</li>
@ -904,8 +917,8 @@ supported.</li>
                     <li>A "shorewall version" command has been added</li>
                     <li>The default value of the STATEDIR variable in  
  /etc/shorewall/shorewall.conf         has been changed to /var/lib/shorewall
-in     order to conform to the    GNU/Linux    File Hierarchy Standard, Version 
+ in     order to conform to the    GNU/Linux    File Hierarchy Standard,
-2.2.</li>
+Version  2.2.</li>
 </ul>
@ -942,8 +955,8 @@ and has the  name "lock".</li>
 <ul>
                     <li>Support for TCP MSS Clamp to PMTU -- This support
-is  usually     required   when     the internet connection is via PPPoE or
+ is  usually     required   when     the internet connection is via PPPoE
-PPTP  and may    be enabled  using the <a
+or PPTP  and may    be enabled  using the <a
 href="Documentation.htm#ClampMSS">CLAMPMSS</a>       option in  /etc/shorewall/shorewall.conf.</li>
 </ul>
@ -1009,11 +1022,11 @@ to  blacklist      in          <a href="Documentation.htm#Blacklist">/etc/shorew
    <ul>
-                      <li>TCP connection requests rejected because of a REJECT
+                       <li>TCP connection requests rejected because of a
-   policy    are   now         replied with a TCP RST packet.</li>
+REJECT    policy    are   now         replied with a TCP RST packet.</li>
-                      <li>TCP connection requests rejected because of a protocol=all
+                       <li>TCP connection requests rejected because of a
-      rule   in         /etc/shorewall/rules are now replied with a TCP RST
+protocol=all       rule   in         /etc/shorewall/rules are now replied
-  packet.</li>
+with a TCP RST   packet.</li>
    </ul>
@ -1033,8 +1046,8 @@ for Shorewall messages.</li>
 <ul>
                     <li>Unless you have explicitly enabled Auth connections
  (tcp   port   113)   to your     firewall, these connections will be REJECTED 
-  rather   than   DROPPED.   This     speeds up connection establishment
+  rather   than   DROPPED.   This     speeds up connection establishment to
-to   some servers.</li>
+  some servers.</li>
                     <li>Orphan DNS replies are now silently dropped.</li>
 </ul>
@ -1063,8 +1076,8 @@ corrected.</li>
 </ul>
-<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist  releasing
+<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist 
-1.2 on 12/21/2001</b></p>
+releasing 1.2 on 12/21/2001</b></p>
 <p>Version 1.2 contains the following new features:</p>
@ -1092,8 +1105,9 @@ fixes.</p>
 <p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve 
         Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web 
  site     is  mirrored at <a href="http://www.infohiiway.com/shorewall"
- target="_top">http://www.infohiiway.com/shorewall</a>  and the ftp site
+ target="_top">http://www.infohiiway.com/shorewall</a>  and the ftp site is
-is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
+at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
 <p><b>11/30/2001 - A new set of the parameterized <a
 href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample     
@ -1101,9 +1115,9 @@ Configurations</a> has been released</b>. In this version:</p>
 <ul>
                     <li>Ping is now allowed between the zones.</li>
-                    <li>In the three-interface configuration, it is now possible
+                     <li>In the three-interface configuration, it is now
-    to  configure    the     internet services that are to be available to
+possible     to  configure    the     internet services that are to be available
- servers    in the DMZ. </li>
+to  servers    in the DMZ. </li>
 </ul>
@ -1115,13 +1129,14 @@ Configurations</a> has been released</b>. In this version:</p>
                     <li>The spelling of ADD_IP_ALIASES has been corrected
 in  the   shorewall.conf          file</li>
                     <li>The logic for deleting user-defined chains has been
- simplified      so  that it     avoids a bug in the LRP version of the 'cut' 
+  simplified      so  that it     avoids a bug in the LRP version of the
- utility.</li>
+'cut'   utility.</li>
                     <li>The /var/lib/lrpkg/shorwall.conf file has been corrected 
    to  properly        display the NAT entry in that file.</li>
 </ul>
 <p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj 
               Ontkanin</a>, there is now a Shorewall mirror in the Slovak 
 Republic</b>.       The website is now mirrored at <a
@ -1180,8 +1195,8 @@ Beginning     with version           1.1.16, a new parameter (<a
         version:</p>
 <ul>
-                    <li>Support for nested zones has been improved. See <a
+                     <li>Support for nested zones has been improved. See
- href="Documentation.htm#Nested">  the documentation</a>  for     details</li>
+    <a href="Documentation.htm#Nested">  the documentation</a>  for     details</li>
                     <li>Shorewall now correctly checks the alternate configuration 
     directory    for     the 'zones' file.</li>
@ -1205,10 +1220,10 @@ files    that   you   want to     change.<br>
   (pings)     are   now     moved after rules created when processing the
 rules  file.   This  allows   you to     add rules that selectively allow/deny
 ping  based   on source  or  destination     address.</li>
-                    <li>Rules that specify multiple client ip addresses or
+                     <li>Rules that specify multiple client ip addresses
- subnets     no  longer   cause     startup failures.</li>
+or  subnets     no  longer   cause     startup failures.</li>
-                    <li>Zone names in the policy file are now validated against 
+                     <li>Zone names in the policy file are now validated
-   the   zones    file.</li>
+against     the   zones    file.</li>
                     <li>If you have <a
 href="Documentation.htm#MangleEnabled">packet     mangling</a>        support 
  enabled, the "<a href="Documentation.htm#Interfaces">norfc1918</a>"    
@ -1221,8 +1236,8 @@ ping  based   on source  or  destination     address.</li>
         version</p>
 <ul>
-                    <li>Shell variables can now be used to parameterize Shorewall 
+                     <li>Shell variables can now be used to parameterize
-    rules.</li>
+Shorewall      rules.</li>
                     <li>The second column in the hosts file may now contain
  a  comma-separated           list.<br>
                       <br>
@ -1250,14 +1265,14 @@ comma-separated         lists.</li>
         version</p>
 <ul>
-                    <li>A "shorewall refresh" command has been added to allow 
+                     <li>A "shorewall refresh" command has been added to
-  for       refreshing   the rules associated with the broadcast address on
+allow    for       refreshing   the rules associated with the broadcast address
-  a dynamic         interface.   This command should be used in place of
+on   a dynamic         interface.   This command should be used in place
-"shorewall       restart"  when the  internet interface's IP address changes.</li>
+of "shorewall       restart"  when the  internet interface's IP address changes.</li>
                     <li>The /etc/shorewall/start file (if any) is now processed
    after    all      temporary rules have been deleted. This change prevents
-   the accidental          removal of rules added during the processing of 
+    the accidental          removal of rules added during the processing
- that  file.</li>
+of   that  file.</li>
                     <li>The "dhcp" interface option is now applicable to 
 firewall         interfaces   used by a DHCP server running on the firewall.</li>
                     <li>The RPM can now be built from the .tgz file using
@ -1265,14 +1280,15 @@ firewall         interfaces   used by a DHCP server running on the firewall.</li
 </ul>
-<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version</p>
+<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this
 version</p>
 <ul>
-                    <li>Shorewall now enables Ipv4 Packet Forwarding by default.
+                     <li>Shorewall now enables Ipv4 Packet Forwarding by
-    Packet    forwarding      may be disabled by specifying IP_FORWARD=Off
+default.     Packet    forwarding      may be disabled by specifying IP_FORWARD=Off 
- in       /etc/shorewall/shorewall.conf.     If you don't want Shorewall
+ in       /etc/shorewall/shorewall.conf.     If you don't want Shorewall to
-to  enable   or     disable packet forwarding,   add  IP_FORWARDING=Keep
+ enable   or     disable packet forwarding,   add  IP_FORWARDING=Keep to
-to your      /etc/shorewall/shorewall.conf  file.</li>
+your      /etc/shorewall/shorewall.conf  file.</li>
                     <li>The "shorewall hits" command no longer lists extraneous
    service         names in its last report.</li>
                     <li>Erroneous instructions in the comments at the head 
@ -1280,27 +1296,29 @@ to your      /etc/shorewall/shorewall.conf  file.</li>
 </ul>
-<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version</p>
+<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this
 version</p>
 <ul>
                     <li>The "tunnels" file <u>really</u> is in the RPM now.</li>
                     <li>SNAT can now be applied to port-forwarded connections.</li>
-                    <li>A bug which would cause firewall start failures in
+                     <li>A bug which would cause firewall start failures
- some   dhcp   configurations        has been fixed.</li>
+in  some   dhcp   configurations        has been fixed.</li>
-                    <li>The firewall script now issues a message if you have
+                     <li>The firewall script now issues a message if you
-  the   name   of  an      interface in the second column in an entry in
+have   the   name   of  an      interface in the second column in an entry
-/etc/shorewall/masq         and that     interface is not up.</li>
+in /etc/shorewall/masq         and that     interface is not up.</li>
                     <li>You can now configure Shorewall so that it<a
- href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or     mangle
+ href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or    
-netfilter modules</a>.</li>
+mangle netfilter modules</a>.</li>
                     <li>Thanks to Alex  Polishchuk, the "hits" command 
   from   seawall     is  now in shorewall.</li>
-                    <li>Support for <a href="IPIP.htm">IPIP tunnels</a> has 
+                     <li>Support for <a href="IPIP.htm">IPIP tunnels</a>
- been   added.</li>
+has   been   added.</li>
 </ul>
-<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version</p>
+<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this
 version</p>
 <ul>
                     <li>A typo in the sample rules file has been corrected.</li>
@ -1315,59 +1333,62 @@ netfilter modules</a>.</li>
 <p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version</p>
 <ul>
-                    <li>The TOS rules are now deleted when the firewall is
+                     <li>The TOS rules are now deleted when the firewall
- stopped.</li>
+is  stopped.</li>
                     <li>The .rpm will now install regardless of which version
   of  iptables     is       installed.</li>
                     <li>The .rpm will now install without iproute2 being 
 installed.</li>
                     <li>The documentation has been cleaned up.</li>
                     <li>The sample configuration files included in Shorewall 
-  have   been   formatted         to 80 columns for ease of editing on a
+  have   been   formatted         to 80 columns for ease of editing on a VGA
-VGA   console.</li>
+  console.</li>
 </ul>
-<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version</p>
+<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this
 version</p>
 <ul>
-                    <li><a href="Documentation.htm#lograte">You may now rate-limit
+                     <li><a href="Documentation.htm#lograte">You may now
-     the   packet  log.</a></li>
+rate-limit      the   packet  log.</a></li>
                     <li><font face="Century Gothic, Arial, Helvetica"> Previous
    versions     of      Shorewall have an implementation of Static NAT which
    violates the    principle      of least surprise.  NAT only occurs for
 packets   arriving   at  (DNAT) or      send from (SNAT) the interface named
 in the   INTERFACE  column  of     /etc/shorewall/nat. Beginning with version
-1.1.6,   NAT effective  regardless      of which interface packets come from 
+ 1.1.6,   NAT effective  regardless      of which interface packets come
-or are   destined to. To get     compatibility  with prior versions, I have 
+from  or are   destined to. To get     compatibility  with prior versions,
-added  a new "ALL <a href="NAT.htm#AllInterFaces">"ALL     INTERFACES"  column 
+I have  added  a new "ALL <a href="NAT.htm#AllInterFaces">"ALL     INTERFACES" 
-to  /etc/shorewall/nat</a>.     By placing     "no" or "No" in the new column, 
+column  to  /etc/shorewall/nat</a>.     By placing     "no" or "No" in the
-  the NAT behavior of     prior   versions may be retained. </font></li>
+new column,    the NAT behavior of     prior   versions may be retained. </font></li>
-                    <li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC
+                     <li>The treatment of <a
-   Tunnels     where  the remote     gateway is a standalone system has been
+ href="IPSEC.htm#RoadWarrior">IPSEC    Tunnels     where  the remote    
-   improved</a>.     Previously,  it was     necessary to include an additional
+gateway is a standalone system has been    improved</a>.     Previously,
-   rule allowing    UDP port 500 traffic to     pass through the tunnel.
+ it was     necessary to include an additional    rule allowing    UDP port
-Shorewall    will now  create   this rule automatically     when you place
+500 traffic to     pass through the tunnel. Shorewall    will now  create
-the name of   the remote  peer's  zone in a new GATEWAY ZONE     column in
+  this rule automatically     when you place the name of   the remote  peer's
-/etc/shorewall/tunnels. </li>
+ zone in a new GATEWAY ZONE     column in /etc/shorewall/tunnels. </li>
 </ul>
-<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version</p>
+<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this
 version</p>
 <ul>
-                    <li><a href="Documentation.htm#modules">You may now pass
+                     <li><a href="Documentation.htm#modules">You may now
-  parameters      when  loading     netfilter modules and you can specify
+pass   parameters      when  loading     netfilter modules and you can specify 
 the  modules to   load.</a></li>
                     <li>Compressed modules are now loaded. This requires 
 that   you   modutils     support     loading compressed modules.</li>
-                    <li><a href="Documentation.htm#TOS">You may now set the 
+                     <li><a href="Documentation.htm#TOS">You may now set
- Type   of  Service    (TOS)     field in packets.</a></li>
+the   Type   of  Service    (TOS)     field in packets.</a></li>
                     <li>Corrected rules generated for port redirection (again).</li>
 </ul>
-<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version</p>
+<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this
 version</p>
 <ul>
                     <li> <a href="Documentation.htm#Conf">Accepting RELATED
@ -1381,19 +1402,20 @@ that   you   modutils     support     loading compressed modules.</li>
 </ul>
-<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version</p>
+<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this
 version</p>
 <ul>
                     <li>Correct message issued when Proxy ARP address added
  (Thanks     to  Jason    Kirtland).</li>
-                    <li>/tmp/shorewallpolicy-$$ is now removed if there is
+                     <li>/tmp/shorewallpolicy-$$ is now removed if there
- an  error    while      starting the firewall.</li>
+is  an  error    while      starting the firewall.</li>
                     <li>/etc/shorewall/icmp.def and /etc/shorewall/common.def
   are   now   used     to define the icmpdef and common chains unless overridden
    by the     presence   of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
                     <li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf 
- has   been     corrected.   An extra space after "/etc/shorwall/policy"
+ has   been     corrected.   An extra space after "/etc/shorwall/policy" has
-has  been     removed    and "/etc/shorwall/rules"   has been added.</li>
+ been     removed    and "/etc/shorwall/rules"   has been added.</li>
                     <li>When a sub-shell encounters a fatal error and has
 stopped     the     firewall,  it now kills the main shell so that the main
 shell will      not    continue.</li>
@ -1401,14 +1423,15 @@ shell will      not    continue.</li>
   the   firewall      and main shell continued resulting in a perplexing 
 error   message         referring to "common.so" resulted.</li>
                     <li>Previously, placing "-" in the PORT(S) column in 
-  /etc/shorewall/rules        resulted in an error message during start.
+  /etc/shorewall/rules        resulted in an error message during start. This
-This    has been corrected.</li>
+   has been corrected.</li>
                     <li>The first line of "install.sh" has been corrected
 --  I  had     inadvertently   deleted the initial "#".</li>
 </ul>
-<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
+<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this
 version</p>
 <ul>
                     <li>Port redirection now works again.</li>
@ -1436,8 +1459,8 @@ This    has been corrected.</li>
 and   FORWARD     before          logging occurs</li>
                     <li>The source has been cleaned up dramatically</li>
                     <li>DHCP DISCOVER packets with RFC1918 source addresses
- no  longer          generate log messages. Linux DHCP clients generate such
+  no  longer          generate log messages. Linux DHCP clients generate
-  packets  and    it's         annoying to see them logged. </li>
+such   packets  and    it's         annoying to see them logged. </li>
 </ul>
@ -1457,8 +1480,8 @@ the   source          subnetworks whose packets are dropped under the <i>norfc19
  script    when   a        chain is defined, when the firewall is initialized, 
  when   the firewall    is       started, when the firewall is stopped and 
  when the  firewall is  cleared.</li>
-                    <li>The Linux kernel's route filtering facility can now 
+                     <li>The Linux kernel's route filtering facility can
- be  specified            selectively on network interfaces.</li>
+now   be  specified            selectively on network interfaces.</li>
 </ul>
@ -1474,8 +1497,8 @@ in  the new configuration             file /etc/shorewall/zones. The /etc/shorew
 the         /etc/shorewall/rules    file.</li>
                     <li>Correct handling of the icmp-def chain so that only
  ICMP   packets     are        sent through the chain.</li>
-                    <li>Compresses the output of "shorewall monitor" if awk 
+                     <li>Compresses the output of "shorewall monitor" if
- is        installed.   Allows the command to work if awk isn't installed 
+awk   is        installed.   Allows the command to work if awk isn't installed
 (although           it's not   pretty).</li>
 </ul>
@ -1486,8 +1509,8 @@ the         /etc/shorewall/rules    file.</li>
 <ul>
                     <li>The PATH variable in the firewall script now includes
   /usr/local/bin             and /usr/local/sbin.</li>
-                    <li>DMZ-related chains are now correctly deleted if the 
+                     <li>DMZ-related chains are now correctly deleted if
- DMZ   is  deleted.</li>
+the   DMZ   is  deleted.</li>
                     <li>The interface OPTIONS for "gw" interfaces are no 
 longer          ignored.</li>
@ -1498,28 +1521,11 @@ longer          ignored.</li>
    tunnels    with end-points on the firewall. There is also a .lrp available 
    now.</b></p>
-<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a>
         </font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">     Copyright</font>
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">    
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-                   <br>
+</p>
                 <br>
                <br>
               <br>
              <br>
             <br>
            <br>
           <br>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -30,15 +30,23 @@
 <p><b>I strongly urge you to read and print a copy of the       <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>    
-    for the configuration that most closely matches your own.</b></p>
+   for the configuration that most closely matches your own.<br>
  </b></p>
-<p>Once you've done that, download <u>     one</u> of the modules:</p>
+<p>The entire set of Shorewall documentation is also available in PDF format
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
      <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
 <br>
 Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
              <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
-         Linux PPC</b> or     <b> TurboLinux</b> distribution     with a
+            Linux PPC</b> or     <b> TurboLinux</b> distribution     with 
-2.4   kernel,   you can use the  RPM version (note: the             RPM should
+a  2.4   kernel,   you can use the  RPM version (note: the             RPM 
- also work  with other distributions that             store init scripts
+should   also work  with other distributions that             store init scripts
 in  /etc/init.d  and that             include chkconfig or insserv). If you
 find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
@ -48,8 +56,8 @@ find  that it works   in other cases, let <a
 also   want  to     download the .tgz so you will have a copy of the documentation).</li>
              <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
   and   would      like a .deb package, Shorewall is in both the    <a
- href="http://packages.debian.org/testing/net/shorewall.html">Debian    
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
-Testing Branch</a> and the    <a
+Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
 Unstable Branch</a>.</li>
              <li>Otherwise, download the <i>shorewall</i>             module 
@ -66,8 +74,8 @@ Testing Branch</a> and the    <a
 <ul>
              <li>RPM - "rpm -qip LATEST.rpm"</li>
-           <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will
+              <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name
- contain    the version)</li>
+will   contain    the version)</li>
              <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf 
 &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
@ -84,7 +92,7 @@ Testing Branch</a> and the    <a
 configuration    of your firewall, you can enable startup by removing the 
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates 
+<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
  to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>                                    
@ -221,13 +229,14 @@ to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
                <tr>
                  <td>Paris, France</td>
                  <td>Shorewall.net</td>
-               <td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
+                  <td><a
-    .rpm</a><br>
+ href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
                    <a href="http://france.shorewall.net/pub/LATEST.tgz">Download 
            .tgz</a> <br>
                    <a href="http://france.shorewall.net/pub/LATEST.lrp">Download 
            .lrp</a><br>
-               <a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
+                  <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
  .md5sums</a></td>
                  <td>       <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download 
@ -334,7 +343,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
                <tr>
                  <td>Hamburg, Germany</td>
                  <td>Shorewall.net</td>
-               <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
+                  <td><a
 href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
                  <td><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
                </tr>
@ -377,7 +387,7 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
      </p>
    </blockquote>
-<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
+<p align="left"><font size="2">Last Updated 12/3/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
@ -391,5 +401,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -32,6 +33,7 @@
 <ol>
               <li>                                                     
    <p align="left">          <b><u>I</u>f you use a Windows system to download 
     a corrected     script, be sure to run the script through <u>       
    <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -39,12 +41,14 @@
     it to your Linux system.</b></p>
                            </li>
               <li>                                                     
-    <p align="left">          <b>If you are installing Shorewall for the
+                
-first time and plan to use the        .tgz and install.sh script, you can
+    <p align="left">          <b>If you are installing Shorewall for the first
-untar the archive, replace the        'firewall' script in the untarred directory
+time and plan to use the        .tgz and install.sh script, you can untar
 the archive, replace the        'firewall' script in the untarred directory 
     with the one you downloaded        below, and then run install.sh.</b></p>
                            </li>
               <li>                                                     
    <p align="left">          <b>When the instructions say to install a corrected 
     firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
    or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
@ -66,19 +70,20 @@ example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
 <ul>
               <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-            <li>                            <b><a href="#V1.3">Problems in
+               <li>                            <b><a href="#V1.3">Problems
- Version    1.3</a></b></li>
+ in  Version    1.3</a></b></li>
               <li>                            <b><a href="errata_2.htm">Problems 
    in  Version 1.2</a></b></li>
-            <li>                            <b><font color="#660066">  <a
+               <li>                            <b><font color="#660066">
- href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
+     <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
               <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
               <li>                            <b><a href="#Debug">Problems 
 with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
-            <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
+               <li><b><a href="#SuSE">Problems installing/upgrading RPM on
-            <li><b><a href="#Multiport">Problems with iptables version 1.2.7
+ SuSE</a></b></li>
-  and       MULTIPORT=Yes</a></b></li>
+               <li><b><a href="#Multiport">Problems with iptables version 
 1.2.7    and       MULTIPORT=Yes</a></b></li>
         <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
         </li>
@ -87,11 +92,37 @@ with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
 <hr>                                   
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.11</h3>
 <ul>
    <li>When installing/upgrading using the .rpm, you may receive the following
 warnings:<br>
      <br>
       user teastep does not exist - using root<br>
       group teastep does not exist - using root<br>
      <br>
  These warnings are harmless and may be ignored. Users downloading the .rpm
 from shorewall.net or mirrors should no longer see these warnings as the
 .rpm you will get from there has been corrected.</li>
   <li>DNAT rules that exclude a source subzone (SOURCE column contains ! 
 followed by a sub-zone list) result in an error message and Shorewall fails 
 to start.<br>
     <br>
 Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this 
 corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
 Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
    <br>
 This problem is corrected in version 1.3.11a.<br>
   </li>
 </ul>
 <h3>Version 1.3.10</h3>
 <ul>
-   <li>If you experience problems connecting to a PPTP server running on
+      <li>If you experience problems connecting to a PPTP server running
-your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
+on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, 
     <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
 version of the firewall script</a> may help. Please report any cases where 
@ -106,8 +137,8 @@ is the real script now and not just a symbolic link to the real script.<br>
 <h3>Version 1.3.9a</h3>
 <ul>
-    <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
+       <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
- the following message appears during "shorewall [re]start":</li>
+ then  the following message appears during "shorewall [re]start":</li>
 </ul>
@ -116,8 +147,8 @@ is the real script now and not just a symbolic link to the real script.<br>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
- corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
+   corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
- above.<br>
+ described  above.<br>
     </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the 
@ -126,9 +157,9 @@ is the real script now and not just a symbolic link to the real script.<br>
     </blockquote>
 <ul>
-    <li>The installer (install.sh) issues a misleading message "Common functions
+       <li>The installer (install.sh) issues a misleading message "Common 
- installed in /var/lib/shorewall/functions" whereas the file is installed
+functions   installed in /var/lib/shorewall/functions" whereas the file is 
-in /usr/lib/shorewall/functions. The installer also performs incorrectly
+installed  in /usr/lib/shorewall/functions. The installer also performs incorrectly 
 when updating old configurations that had the file /etc/shorewall/functions. 
    <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here 
@ -190,15 +221,15 @@ tcp   25 - 10.1.1.1")<br>
                                    has two problems:</p>
 <ol>
-                                         <li>If the firewall is running a 
+                                            <li>If the firewall is running
-DHCP   server,                                   the client won't be able 
+ a  DHCP   server,                                   the client won't be
-to obtain   an IP  address                                  lease from that 
+able   to obtain   an IP  address                                  lease
-server.</li>
+from that   server.</li>
                                            <li>With this order of checking,
-the   "dhcp"                                   option cannot be used as a 
+  the   "dhcp"                                   option cannot be used as
-noise-reduction                                     measure where there are 
+a  noise-reduction                                     measure where there
-both dynamic and    static                                  clients on a LAN
+are  both dynamic and    static                                  clients
-segment.</li>
+on a LAN segment.</li>
 </ol>
@ -300,10 +331,10 @@ segment.</li>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
-         to not verify that the zones named in the /etc/shorewall/policy
+        to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -320,15 +351,15 @@ message    in this case.</p>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
-           file can be identified by its size (56284 bytes). The correct
+          file can be identified by its size (56284 bytes). The correct version
-version            has a size of 38126 bytes.</p>
+           has a size of 38126 bytes.</p>
 <ul>
-                     <li>The code to detect a duplicate interface entry in
+                        <li>The code to detect a duplicate interface entry
-            /etc/shorewall/interfaces contained a typo that prevented it
+ in             /etc/shorewall/interfaces contained a typo that prevented
-from               working correctly. </li>
+it from               working correctly. </li>
-                     <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
+                        <li>"NAT_BEFORE_RULES=No" was broken; it behaved
- like   "NAT_BEFORE_RULES=Yes".</li>
+just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -365,15 +396,15 @@ option.  For example:<br>
                        loc    eth1    dhcp<br>
                        <br>
                        Shorewall will ignore the 'dhcp' on eth1.</li>
-                     <li>Update 17 June 2002 - The bug described in the prior 
+                        <li>Update 17 June 2002 - The bug described in the
-  bullet               affects the following options: dhcp, dropunclean, logunclean,
+ prior    bullet               affects the following options: dhcp, dropunclean,
-                norfc1918, routefilter, multi, filterping and noping. An
+ logunclean,                 norfc1918, routefilter, multi, filterping and
-additional                 bug has been found that affects only the 'routestopped'
+ noping. An additional                 bug has been found that affects only
-option.<br>
+ the 'routestopped' option.<br>
                        <br>
-                     Users who downloaded the corrected script prior to 1850
+                        Users who downloaded the corrected script prior to
-  GMT   today              should download and install the corrected script
+ 1850   GMT   today              should download and install the corrected
-  again   to ensure              that this second problem is corrected.</li>
+ script   again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -385,10 +416,10 @@ option.<br>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
-                     <li>Folks who downloaded 1.3.0 from the links on the 
+                        <li>Folks who downloaded 1.3.0 from the links on
-download    page              before 23:40 GMT, 29 May 2002 may have downloaded 
+the   download    page              before 23:40 GMT, 29 May 2002 may have
-1.2.13    rather than              1.3.0. The "shorewall version" command 
+downloaded   1.2.13    rather than              1.3.0. The "shorewall version"
-will tell    you which version              that you have installed.</li>
+command   will tell    you which version              that you have installed.</li>
                        <li>The documentation NAT.htm file uses non-existent
             wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">     
@ -408,8 +439,8 @@ will tell    you which version              that you have installed.</li>
 <blockquote>                                                       
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
-            prevent it from working with Shorewall. Regrettably,  RedHat released
+              prevent it from working with Shorewall. Regrettably,  RedHat
-   this buggy iptables in RedHat   7.2. </p>
+ released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
@ -417,8 +448,8 @@ will tell    you which version              that you have installed.</li>
  built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
 iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
-    running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
+     running RedHat 7.1, you can install either of these RPMs            
-      </b>you upgrade to RedHat 7.2.</p>
+ <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat 
     has   released an iptables-1.2.4 RPM of their own which you can download 
@ -451,6 +482,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
     may     experience the following:</p>
  <blockquote>                                                          
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
               </blockquote>
@ -459,9 +491,9 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
     the     Netfilter 'mangle' table. You can correct the problem by installing
         <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-       this iptables RPM</a>. If you are already running a 1.2.5 version of
+         this iptables RPM</a>. If you are already running a 1.2.5 version
-      iptables, you will need to specify the --oldpackage option to rpm (e.g.,
+ of       iptables, you will need to specify the --oldpackage option to rpm
-       "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+ (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
             </blockquote>
@ -508,23 +540,17 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
       Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-    The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
+       The solution is to put "no" in the LOCAL column. Kernel support for
-  has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
+ LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. The
-  contains corrected support under a new kernel configuraiton option; see
+2.4.19 kernel   contains corrected support under a new kernel configuraiton
-<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 11/24/2002 -                            
+<p><font size="2">  Last updated 12/3/2002 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-          <br>
+  </p>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -52,6 +52,7 @@
  </tbody>                                                        
 </table>
@ -71,6 +72,7 @@
      <h2 align="left">What is it?</h2>
@ -79,9 +81,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-       that can be used on a dedicated firewall system, a multi-function 
+firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -92,8 +94,8 @@
      <p>This program is free software; you can redistribute it and/or modify
                            it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
-Public License</a> as published by the Free Software        Foundation.<br>
+General Public License</a> as published by the Free Software        Foundation.<br>
                                                                  <br>
                                                                   This program 
   is  distributed       in  the   hope   that   it  will   be  useful,  
@ -121,6 +123,7 @@ Public License</a> as published by the Free Software        Foundation.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
                                                              </a>Jacques 
@ -131,12 +134,13 @@ Public License</a> as published by the Free Software        Foundation.<br>
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
          </a></p>
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+      <p><b>Congratulations to Jacques and Eric on the recent release of
-1.0 Final!!! </b><br>
+Bering 1.0 Final!!! </b><br>
     </p>
-      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
- href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
+(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -159,29 +163,48 @@ Public License</a> as published by the Free Software        Foundation.<br>
-      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
+      <p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                  </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
 with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
 don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                              </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
  documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
          <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
      </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
                 </b></p>
      <p>In this version:</p>
      <ul>
           <li>A 'tcpflags' option has been added to entries in <a
- href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
-This option causes Shorewall to make a set of sanity check on TCP packet
+option causes Shorewall to make a set of sanity check on TCP packet header
-header flags.</li>
+flags.</li>
-        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
+           <li>It is now allowed to use 'all' in the SOURCE or DEST column
-a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
+ in a <a href="Documentation.htm#Rules">rule</a>.  When used, 'all' must
-When used, 'all' must appear by itself (in may not be qualified) and it does 
+appear  by itself (in may not be qualified) and it does  not enable intra-zone
-not enable intra-zone traffic. For example, the rule <br>
+traffic.  For example, the rule <br>
        <br>
        ACCEPT loc all tcp 80<br>
        <br>
    does not enable http traffic from 'loc' to 'loc'.</li>
           <li>Shorewall's use of the 'echo' command is now compatible with 
 bash clones such as ash and dash.</li>
-        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
+           <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw 
-generate a warning and are ignored</li>
+rules  generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
@ -212,8 +235,8 @@ generate a warning and are ignored</li>
      <ul>
-                    <li>You may now <a href="IPSEC.htm#Dynamic">define the
+                       <li>You may now <a href="IPSEC.htm#Dynamic">define 
- contents      of a zone dynamically</a> with the <a
+the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
        delete" commands</a>. These commands are expected to be used primarily 
     within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
@ -225,11 +248,11 @@ you can optionally tie each MAC address   to one or more   IP  addresses.</li>
                       <li>PPTP Servers and Clients running on the firewall 
 system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
     file.</li>
-                    <li>A new 'ipsecnat' tunnel type is supported for use 
+                       <li>A new 'ipsecnat' tunnel type is supported for
-when   the             <a href="IPSEC.htm">remote IPSEC endpoint is behind 
+use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint is
-a NAT   gateway</a>.</li>
+behind   a NAT   gateway</a>.</li>
-                    <li>The PATH used by Shorewall may now be specified in
+                       <li>The PATH used by Shorewall may now be specified
-           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+ in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                       <li>The main firewall script is now /usr/lib/shorewall/firewall. 
        The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
        to do the real work. This change makes custom distributions such as
@ -244,6 +267,7 @@ a NAT   gateway</a>.</li>
      <blockquote>                                                      
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
               </blockquote>
@ -263,24 +287,25 @@ Linux  distribution</a>.       Thanks Alex!<br>
      <ul>
-                             <li>You may now <a href="IPSEC.htm#Dynamic">define 
+                                <li>You may now <a
-   the   contents      of a zone dynamically</a> with the <a
+ href="IPSEC.htm#Dynamic">define     the   contents      of a zone dynamically</a>
- href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
+ with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
-          delete" commands</a>. These commands are expected to be used primarily 
+ "shorewall            delete" commands</a>. These commands are expected
-       within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
+to  be used primarily         within             <a
-       updown   scripts.</li>
+ href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>         updown  
 scripts.</li>
                                <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments.
-    You can specify the set of  allowed   MAC addresses on   the segment and
+      You can specify the set of  allowed   MAC addresses on   the segment
-   you can optionally tie each MAC address   to one or more IP  addresses.</li>
+ and    you can optionally tie each MAC address   to one or more IP  addresses.</li>
                                <li>PPTP Servers and Clients running on the 
 firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
         file.</li>
                                <li>A new 'ipsecnat' tunnel type is supported 
  for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
  is   behind   a NAT   gateway</a>.</li>
-                             <li>The PATH used by Shorewall may now be specified
+                                <li>The PATH used by Shorewall may now be 
-    in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+specified      in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                <li>The main firewall script is now /usr/lib/shorewall/firewall.
            The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
            to do the real work. This change makes custom distributions such
@ -319,6 +344,7 @@ firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shore
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                         </b></p>
@ -343,12 +369,14 @@ and   to  the   firewall     script.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>                
         </b></p>
-                                        <img src="images/j0233056.gif"
+                                           <img
- alt="Brown Paper Bag" width="50" height="86" align="left">
+ src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
-                                   There is an updated firewall script at 
+ align="left">
-      <a
+                                      There is an updated firewall script 
 at        <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
                   -- copy that file to /usr/lib/shorewall/firewall.<br>
@ -356,18 +384,21 @@ and   to  the   firewall     script.<br>
      <p><b><br>
                                           </b></p>
      <p><b><br>
                                           </b></p>
      <p><b><br>
                                     9/28/2002 - Shorewall 1.3.9 </b><b>
                               </b></p>
@ -386,19 +417,19 @@ and   to  the   firewall     script.<br>
      <ul>
                                                   <li><a
 href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now
-             allowed in Shorewall config files (although I recommend   against 
+               allowed in Shorewall config files (although I recommend  
-       using       them).</li>
+against          using       them).</li>
                                                   <li>The connection SOURCE
-may   now   be  qualified      by  both   interface      and IP address in 
+  may   now   be  qualified      by  both   interface      and IP address
-a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+in  a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-                                                <li>Shorewall startup is
+                                                   <li>Shorewall startup
-now   disabled     after    initial     installation       until the file
+is  now   disabled     after    initial     installation       until the
-/etc/shorewall/startup_disabled          is removed.     This avoids    nasty
+file  /etc/shorewall/startup_disabled          is removed.     This avoids
-  surprises at reboot for users     who    install Shorewall     but don't
+   nasty    surprises at reboot for users     who    install Shorewall  
-configure     it.</li>
+  but don't  configure     it.</li>
-                                               <li>The 'functions' and 'version'
+                                                  <li>The 'functions' and 
-    files    and   the   'firewall'      symbolic   link have been  moved
+'version'      files    and   the   'firewall'      symbolic   link have been
-from    /var/lib/shorewall       to /usr/lib/shorewall      to appease  
+ moved  from    /var/lib/shorewall       to /usr/lib/shorewall      to appease
  the LFS   police at Debian.<br>
                                                  </li>
@ -415,6 +446,7 @@ the LFS   police at Debian.<br>
      <p><a href="News.htm">More News</a></p>
@ -423,6 +455,7 @@ the LFS   police at Debian.<br>
      <h2><a name="Donations"></a>Donations</h2>
                                     </td>
@ -440,6 +473,7 @@ the LFS   police at Debian.<br>
                                                               </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -462,8 +496,9 @@ the LFS   police at Debian.<br>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+               
-if       you try it and find it useful, please consider making a donation 
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                            to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                                                              </td>
@ -471,16 +506,14 @@ if       you try it and find it useful, please consider making a donation
  </tbody>                                                        
 </table>
-<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font> 
                    <br>
 </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -37,14 +37,14 @@
  </p>
 <ul>
-          <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington 
+           <li>Born 1945 in <a
-   State</a> .</li>
+ href="http://www.experiencewashington.com">Washington     State</a> .</li>
           <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
 State    University</a>  1967</li>
           <li>MA Mathematics from <a href="http://www.washington.edu">University 
   of Washington</a> 1969</li>
-          <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
+           <li>Burroughs Corporation (now <a
-   ) 1969 - 1980</li>
+ href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
           <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> 
    (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
           <li>Married 1969 - no children.</li>
@ -56,8 +56,8 @@ State    University</a>  1967</li>
 <p>I became interested in Internet Security when I established a home office
   in 1999 and had DSL service installed in our       home. I investigated
-ipchains  and developed the scripts which are now collectively known as <a
+ ipchains  and developed the scripts which are now collectively known as
- href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
+<a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding
   on what I learned from Seattle Firewall, I then       designed and wrote
  Shorewall. </p>
@ -70,20 +70,21 @@ ipchains  and developed the scripts which are now collectively known as <a
           <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
 HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also has 
 RedHat  8.0 installed.</li>
-          <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC 
+           <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
- -  My      personal Linux System which runs Samba configured as a WINS server. 
+NIC   -  My      personal Linux System which runs Samba configured as a WINS
-  This      system also has <a href="http://www.vmware.com/">VMware</a> installed 
+server.    This      system also has <a href="http://www.vmware.com/">VMware</a>
-  and      can run both <a href="http://www.debian.org">Debian Woody</a>
+installed    and      can run both <a href="http://www.debian.org">Debian
-and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
+Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual
 machines.</li>
           <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail 
 (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server 
      (Bind).</li>
           <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX  
- (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.9a  and a DHCP
+ (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.11  and a DHCP 
     server.  Also   runs PoPToP for     road warrior access.</li>
           <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's 
      personal system.</li>
-          <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 
+           <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
   and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
 </ul>
@ -105,10 +106,11 @@ and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
 src="images/apache_pb1.gif" hspace="2" width="170" height="20">
      </a>  </font></p>
-<p><font size="2">Last updated 10/28/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 11/24/2002 - </font><font size="2">      
- href="support.htm">Tom Eastep</a></font>  </p>
+<a href="support.htm">Tom Eastep</a></font>  </p>
-        <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+         <font face="Trebuchet MS"><a href="copyright.htm"><font
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font>       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
      <br>
     <br>
    <br>
   <br>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -31,8 +31,8 @@
  </tbody>        
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.</p>
+we must  all first walk before we can run.</p>
 <h2>The Guides</h2>
@ -54,9 +54,9 @@ acting    as a    firewall/router for a small local network</li>
     quickly in the three most common Shorewall configurations.</p>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
-    the steps necessary to set up a firewall where <b>there are multiple public
+     the steps necessary to set up a firewall where <b>there are multiple
-   IP  addresses involved or if you want to learn more about Shorewall than
+public    IP  addresses involved or if you want to learn more about Shorewall
-  is  explained in the single-address guides above.</b></p>
+than   is  explained in the single-address guides above.</b></p>
 <ul>
           <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -92,6 +92,7 @@ your   Network</a>
    <ul>
             <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
        <ul>
               <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
               <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -154,7 +155,8 @@ Starting    and    Stopping the Firewall</a></li>
             <li><font color="#000099"><a
 href="Documentation.htm#Interfaces">interfaces</a></font></li>
             <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
-            <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
+             <li><font color="#000099"><a
 href="Documentation.htm#Policy">policy</a></font></li>
             <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
             <li><a href="Documentation.htm#Common">common</a></li>
             <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
@ -175,8 +177,8 @@ Starting    and    Stopping the Firewall</a></li>
           </li>
           <li><a href="dhcp.htm">DHCP</a></li>
           <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-(How to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code)</li>
           <li><a href="fallback.htm">Fallback/Uninstall</a></li>
           <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
           <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
@ -194,10 +196,12 @@ Starting    and    Stopping the Firewall</a></li>
           <li><a href="samba.htm">Samba</a></li>
           <li><font color="#000099"><a
 href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
  <ul>
     <li>Description of all /sbin/shorewall commands</li>
     <li>How to safely test a Shorewall configuration change<br>
     </li>
  </ul>
           <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
           <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
@ -218,10 +222,10 @@ Starting    and    Stopping the Firewall</a></li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/19/2002 - <a
+<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
 </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -30,12 +30,12 @@
  </tbody>        
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
-easier to post a problem than to use your own brain" </font>-- </i> <font
+is easier to post a problem than to use your own brain" </font>-- </i> <font
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you just
+<p align="left"> <i>"Any sane computer will tell you how it works -- you
- have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
 <blockquote> </blockquote>
@ -48,8 +48,8 @@ easier to post a problem than to use your own brain" </font>-- </i> <font
  <b><i>"Reading the documentation fully is a prerequisite to getting help
 for your particular situation. I know it's harsh but you will have to get
 so far on your own before you can get reasonable help from a list full of
-busy people. A mailing list is not a tool to speed up your day by being spoon
+ busy people. A mailing list is not a tool to speed up your day by being
-fed</i></b><i><b>".</b> </i>-- Simon White<br>
+spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
 <p>There are also a number of sources for problem solution information.</p>
@ -99,11 +99,12 @@ about         similar problems:</li>
 <h3 align="left">Problem Reporting Guideline</h3>
 <ul>
-          <li>When reporting a problem, give as much information as you can.
+           <li>When reporting a problem, give as much information as you
-  Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+can.   Reports   that say "I tried XYZ and it didn't work" are not at all
-          <li>Please don't describe your environment and then ask us to send
+helpful.</li>
-  you             custom configuration files. We're here to answer your questions 
+           <li>Please don't describe your environment and then ask us to
-   but we           can't do your job for you.</li>
+send   you             custom configuration files. We're here to answer your
 questions     but we           can't do your job for you.</li>
           <li>Do you see any "Shorewall" messages in     /var/log/messages 
 when   you exercise the function that is giving you problems?</li>
           <li>Have you looked at the packet flow with a tool like tcpdump
@ -113,9 +114,9 @@ about         similar problems:</li>
 to connect, using    the "-v" option gives you a lot of valuable     diagnostic
 information.</li>
           <li>Please include any of the Shorewall configuration files (especially
-   the    /etc/shorewall/hosts file if you have modified that file) that you
+    the    /etc/shorewall/hosts file if you have modified that file) that
-   think are    relevant. If an error occurs when you try to "shorewall start",
+you    think are    relevant. If an error occurs when you try to "shorewall
-   include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
+start",    include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
    section for    instructions).</li>
           <li>The list server limits posts to 120kb so don't post GIFs of
 your             network layout, etc to the Mailing List -- your post will
@ -126,13 +127,18 @@ be rejected.</li>
 <h3>Where to Send your Problem Report or to Ask for Help</h3>
             <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem 
 reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set 
- on October 3, 2002; MandrakeSoft issued a charge against my credit card
+ on October 3, 2002; MandrakeSoft issued a charge against my credit card on
-on  October 4, 2002 (they are really effecient at that part of the order
+ October 4, 2002 (they are very effecient at that part of the order process)
-process)  and I haven't heard a word from them since (although their news
+ and I haven't heard a word from them since (although their news letters
-letters boast  that 9.0 boxed sets have been shipping for the last two weeks).
+boast  that 9.0 boxed sets have been shipping for the last two weeks). If
-If they can't  fill my 9.0 order within <u>6 weeks after they have billed
+they can't  fill my 9.0 order within <u>6 weeks after they have billed my
-my credit card</u>  then I refuse to spend my free time supporting of their
+credit card</u>  then I refuse to spend my free time supporting their product
-product for them.<br>
+for them.<br>
 <br>
 <b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
 order is part of a batch of which was not correctly sent to our shipping
 handler, and so unfortunately was not processed". They further assure me
 that these mishandled orders will begin shipping on 12/2/2002.<br>
 <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
     post your question or problem to the <a
@ -153,11 +159,11 @@ product for them.<br>
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> 
        .</p>
-<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </p>
- 
+   <br>
 </body>
 </html>
--- a/STABLE/documentation/troubleshoot.htm
+++ b/STABLE/documentation/troubleshoot.htm
@ -18,7 +18,10 @@
             <tbody>
        <tr>
               <td width="100%">                                       
-      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
 src="images/obrasinf.gif" alt="Beating head on table" width="90"
 height="90" align="middle">
      </font></h1>
               </td>
             </tr>
@ -37,8 +40,9 @@ of  the   firewall.</p>
  problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
-        If you receive an error message when starting or restarting the firewall
+          If you receive an error message when starting or restarting the 
- and you can't determine the cause, then do the following:     
+firewall  and you can't determine the cause, then do the following:     
 <ul>
         <li>shorewall debug start 2&gt; /tmp/trace</li>
         <li>Look at the /tmp/trace file and see if that helps you     determine
@ -55,8 +59,8 @@ of  the   firewall.</p>
 </p>
 <ul>
-       <li>Port           Forwarding where client and server are in the same
+         <li>Port           Forwarding where client and server are in the 
- subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
         <li>Changing the IP address of a local system to be in the external
  subnet,      thinking that Shorewall will suddenly believe that the system
  is in the      'net' zone.</li>
@ -80,10 +84,10 @@ that you forget to remove them later.</p>
  will        generate when you try to connect in a way that isn't permitted
  by your        rule set.</p>
-<p align="left">Check your log. If you don't see Shorewall  messages, then
+<p align="left">Check your log ("/sbin/shorewall show log"). If you don't 
- your problem is probably NOT a Shorewall problem. If you DO see packet messages,
+see Shorewall  messages, then  your problem is probably NOT a Shorewall problem. 
- it may be an indication that you are missing one or more rules -- see <a
+If you DO see packet messages,  it may be an indication that you are missing 
- href="FAQ.htm#faq17">FAQ 17</a>.</p>
+one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear 
        two variables in /etc/shorewall/shorewall.conf:</p>
@ -98,14 +102,15 @@ that you forget to remove them later.</p>
          <font face="Century Gothic, Arial, Helvetica">              
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
- LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
+  LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53
 LEN=47</font></p>
             </font>              
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
-       <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
+         <li>all2all:REJECT - This packet was REJECTed out of the all2all 
- -- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
+chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT policy 
-     <a href="FAQ.htm#faq17">FAQ 17).</a></li>
+(see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
         <li>IN=eth2 - the packet entered the firewall via eth2</li>
         <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
         <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -131,19 +136,19 @@ about how to interpret the chain name appearing in a Shorewall log message.<br>
         <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
       chains? This means that:                    
    <ol>
-         <li>your zone definitions are screwed up and the host that is sending
+           <li>your zone definitions are screwed up and the host that is
- the        packets or the destination host isn't in any zone (using an 
+sending   the        packets or the destination host isn't in any zone (using
-     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
+an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
-you?);         or</li>
+are you?);         or</li>
-         <li>the source and destination hosts are both connected to the same
+           <li>the source and destination hosts are both connected to the 
-        interface and that interface doesn't have the 'multi' option specified
+same         interface and that interface doesn't have the 'multi' option 
- in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
         </li>
-       <li>Remember that Shorewall doesn't automatically allow ICMP     type
+         <li>Remember that Shorewall doesn't automatically allow ICMP   
- 8 ("ping") requests to be sent between zones. If you want     pings to be
+ type  8 ("ping") requests to be sent between zones. If you want     pings 
- allowed between zones, you need a rule of the form:<br>
+to be  allowed between zones, you need a rule of the form:<br>
          <br>
              ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
  icmp        echo-request<br>
@ -153,17 +158,17 @@ the      following in /etc/shorewall/nat:<br>
          <br>
              10.1.1.2    eth0        130.252.100.18<br>
          <br>
-        and you ping 130.252.100.18, unless you have allowed icmp type 8
+          and you ping 130.252.100.18, unless you have allowed icmp type
-between  the     zone containing the system you are pinging from and the
+8  between  the     zone containing the system you are pinging from and the
 zone containing       10.1.1.2, the ping requests will be dropped. This is
 true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
         <li>If you specify "routefilter" for an interface,     that interface
  must be up prior to starting the firewall.</li>
         <li>Is your routing correct? For example, internal systems usually 
 need to      be configured with their default gateway set to the IP address 
-of their      nearest firewall interface. One often overlooked aspect of routing
+ of their      nearest firewall interface. One often overlooked aspect of 
-is that      in order for two hosts to communicate, the routing between them
+routing is that      in order for two hosts to communicate, the routing between 
-must be set      up <u>in both directions.</u> So when setting up routing
+them must be set      up <u>in both directions.</u> So when setting up routing
  between <b>A</b>      and<b> B</b>, be sure to verify that the route from
      <b>B</b> back to <b>A</b>      is defined.</li>
         <li>Some versions of LRP (EigerStein2Beta for example) have a  
@ -172,10 +177,10 @@ shell  with broken variable expansion. <a
  shell from the Shorewall Errata download site.</a>     </li>
         <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-       <li>Some features require the "ip" program. That     program is generally
+         <li>Some features require the "ip" program. That     program is
- included in the "iproute" package which should     be included with your
+generally   included in the "iproute" package which should     be included
-distribution (though many distributions don't install     iproute by    
+with your  distribution (though many distributions don't install     iproute
-default). You may also download the latest source tarball from <a
+by     default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
  .</li>
         <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
@ -196,10 +201,12 @@ external  addresses to be use with NAT unless you have set <a
            <font face="Century Gothic, Arial, Helvetica">              
 <blockquote> </blockquote>
             </font>                
-<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.11
+VERSION=1.3.11a
 usage() # $1 = exit status
 {
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.11
+VERSION=1.3.11a
 usage() # $1 = exit status
 {
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.11
+%define version 1.3.11a
 %define release 1
 %define prefix /usr
@ -101,6 +101,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11a
 * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11
 * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.11
+VERSION=1.3.11a
 usage() # $1 = exit status
 {