1.3.11 release changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@347 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2002-12-04 00:02:25 +00:00 · 2002-12-04 00:02:25 +00:00 · 1ad262c7cb
commit 1ad262c7cb
parent a237911ebc
14 changed files with 3739 additions and 3589 deletions
--- a/STABLE/INSTALL
+++ b/STABLE/INSTALL
@ -24,8 +24,12 @@ o Unpack the tarball
 o cd to the shorewall-<version> directory
 o If you have an earlier version of Shoreline Firewall installed,see the
  upgrade instructions below
-o Edit the files policy, interfaces, rules, nat, proxyarp and masq to 
+o Edit the configuration files to fit your environment.
-  fit your environment.
+
  To do this, I strongly advise you to follow the instructions at:
      http://shorewall.sf.net/shorewall_quickstart_guide.htm
 o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
  Debian, then type "./install.sh".
 o For other distributions, determine where your distribution installs
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@ -24,6 +24,7 @@
                     <tr>
                      <td width="100%">                                 
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                      </td>
                    </tr>
@ -32,8 +33,8 @@
 </table>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
-       port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
+         port</b> 7777 to my my personal PC with IP address 192.168.1.5.
-  looked     everywhere and can't find <b>how to do it</b>.</a></p>
+I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
 <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
         but it doesn't work.<br>
@ -44,21 +45,21 @@
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
        to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
-local      network. <b>External clients can browse</b> http://www.mydomain.com 
+  local      network. <b>External clients can browse</b> http://www.mydomain.com 
-but    <b>internal  clients can't</b>.</a></p>
+  but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
         subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses 
-to   hosts   in  Z. Hosts in Z cannot communicate with each other using their 
+  to   hosts   in  Z. Hosts in Z cannot communicate with each other using 
-  external    (non-RFC1918 addresses) so they <b>can't access each other using
+their    external    (non-RFC1918 addresses) so they <b>can't access each 
-  their DNS   names.</b></a></p>
+other using   their DNS   names.</b></a></p>
 <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN 
        Messenger </b>with  Shorewall. What do I do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
        to  check my firewall and it shows <b>some ports as 'closed' rather 
-than     'blocked'.</b>  Why?</a></p>
+  than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
         of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -94,13 +95,13 @@ support?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
        and it has an internel  web server that allows me to configure/monitor 
-   it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
+     it   but as expected if I enable <b> rfc1918 blocking</b> for my eth0 
-      it also blocks the <b>cable modems  web server</b></a>.</p>
+ interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
-      IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable 
+        IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I 
-     RFC 1918  filtering on my external interface, <b>my DHCP client cannot 
+enable       RFC 1918  filtering on my external interface, <b>my DHCP client 
-  renew   its lease</b>.</a></p>
+cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
        out to  the net</b></a></p>
@ -111,15 +112,21 @@ support?</a></p>
                          <b>17</b>. <a href="#faq17">How do I find out <b>why
   this   is</b> getting  <b>logged?</b></a><br>
         <br>
-     <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b> 
+         <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
-  with Shorewall, and maintain separate rulesets for different IPs?</a><br>
+ addresses</b>    with Shorewall, and maintain separate rulesets for different
 IPs?</a><br>
     <br>
     <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
-but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
+  but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
-<br>
+    <br>
-<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
+    <b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a 
-<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
+server.  <b>Do I have to change Shorewall to allow access to my server from 
-</a> 
+the internet?<br>
  </b><br>
  </a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
 what are they?<br>
  </a><br>
 <hr>                  
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
        my my personal PC with IP address 192.168.1.5. I've looked everywhere 
@ -129,7 +136,7 @@ but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to 
        do port forwarding under Shorewall. The format of a port-forwarding 
-rule to a local system is as   follows:</p>
+  rule to a local system is as   follows:</p>
 <blockquote>                                                      
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -148,7 +155,7 @@ rule to a local system is as   follows:</p>
                        <td>DNAT</td>
                        <td>net</td>
                        <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
-port</i>&gt;]</td>
+  port</i>&gt;]</td>
                        <td><i>&lt;protocol&gt;</i></td>
                        <td><i>&lt;port #&gt;</i></td>
                        <td> <br>
@ -219,7 +226,7 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
                        <td>DNAT</td>
                        <td>net</td>
                        <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
-port</i>&gt;]</td>
+  port</i>&gt;]</td>
                        <td><i>&lt;protocol&gt;</i></td>
                        <td><i>&lt;port #&gt;</i></td>
                        <td>-</td>
@ -237,11 +244,11 @@ port</i>&gt;]</td>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-                <li>You are trying to test from inside your firewall (no, 
+                    <li>You are trying to test from inside your firewall
-that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
+(no,   that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
                    <li>You have a more basic problem with your local system
-such   as  an   incorrect default gateway configured (it should be set to
+  such   as  an   incorrect default gateway configured (it should be set
-the IP   address    of your  firewall's internal interface).</li>
+to   the IP   address    of your  firewall's internal interface).</li>
 </ul>
@ -250,30 +257,30 @@ the IP   address    of your  firewall's internal interface).</li>
        <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
-      <li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
+          <li>As root, type "iptables -t nat -Z". This clears the NetFilter 
-  in the nat table.</li>
+ counters   in the nat table.</li>
          <li>Try to connect to the redirected port from an external host.</li>
          <li>As root type "shorewall show nat"</li>
          <li>Locate the appropriate DNAT rule. It will be in a chain called
-    <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the server
+      <i>zone</i>_dnat   where <i>zone</i> is the zone that includes the 
-('loc' in the above   examples).</li>
+ ('net' in the above   examples).</li>
-      <li>Is the packet count in the first column non-zero? If so, the connection
+          <li>Is the packet count in the first column non-zero? If so, the
-  request is reaching the firewall and is being redirected to the server.
+ connection    request is reaching the firewall and is being redirected to
-In  this case, the problem is usually a missing or incorrect default gateway
+ the server.  In  this case, the problem is usually a missing or incorrect
- setting on the server (the server's default gateway should be the IP address
+ default gateway   setting on the server (the server's default gateway should
- of the firewall's interface to the server).</li>
+ be the IP address   of the firewall's interface to the server).</li>
          <li>If the packet count is zero:</li>
  <ul>
            <li>the connection request is not reaching your server (possibly
-it  is being blocked by your ISP); or</li>
+  it  is being blocked by your ISP); or</li>
-        <li>you are trying to connect to a secondary IP address on your firewall
+            <li>you are trying to connect to a secondary IP address on your 
-  and your rule is only redirecting the primary IP address (You need to specify
+ firewall   and your rule is only redirecting the primary IP address (You 
-  the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
+need to specify   the secondary IP address in the "ORIG. DEST." column in 
- or</li>
+your DNAT rule);  or</li>
-        <li>your DNAT rule doesn't match the connection request in some other
+            <li>your DNAT rule doesn't match the connection request in some 
-  way. In that case, you may have to use a packet sniffer such as tcpdump
+ other   way. In that case, you may have to use a packet sniffer such as tcpdump
-or  ethereal to further diagnose the problem.<br>
+ or  ethereal to further diagnose the problem.<br>
            </li>
  </ul>
@ -287,25 +294,25 @@ or  ethereal to further diagnose the problem.<br>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-                <li>Having an internet-accessible server in your local network
+                    <li>Having an internet-accessible server in your local
-       is  like raising foxes in the corner of your hen house. If the server 
+ network         is  like raising foxes in the corner of your hen house.
-   is      compromised, there's nothing between that server and your other 
+If  the server     is      compromised, there's nothing between that server
- internal        systems. For the cost of another NIC and a cross-over cable, 
+and  your other   internal        systems. For the cost of another NIC and
- you can   put      your server in a DMZ such that it is isolated from your 
+a cross-over  cable,   you can   put      your server in a DMZ such that
- local systems    -     assuming that the Server can be located near the Firewall,
+it is isolated  from your   local systems    -     assuming that the Server
-  of course    :-)</li>
+can be located  near the Firewall,   of course    :-)</li>
-                <li>The accessibility problem is best solved using    <a
+                    <li>The accessibility problem is best solved using  
- href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
+     <a href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> 
-a separate DNS server for local clients) such that www.mydomain.com resolves
+(or using a separate DNS server for local clients) such that www.mydomain.com 
-to 130.141.100.69     externally and 192.168.1.5 internally. That's what
+resolves to 130.141.100.69     externally and 192.168.1.5 internally. That's 
-I do here at     shorewall.net for my local systems that use static NAT.</li>
+what I do here at     shorewall.net for my local systems that use static NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem 
         rather than a DNS solution, then assuming that your external interface 
-    is  eth0  and your internal interface is eth1  and that eth1 has IP address 
+      is  eth0  and your internal interface is eth1  and that eth1 has IP 
-    192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
+address      192.168.1.254  with subnet 192.168.1.0/24, do the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
         for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -394,24 +401,24 @@ I do here at     shorewall.net for my local systems that use static NAT.</li>
 <div align="left">                  
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
-       client to automatically restart Shorewall each time that you get a 
+         client to automatically restart Shorewall each time that you get 
-new    IP   address.</p>
+a  new    IP   address.</p>
                 </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
        subnet and I use static NAT to assign non-RFC1918 addresses to hosts 
   in   Z.  Hosts in Z cannot communicate with each other using their external 
- (non-RFC1918     addresses) so they can't access each other using their DNS
+   (non-RFC1918     addresses) so they can't access each other using their 
- names.</h4>
+ DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
-      using Bind Version 9 "views". It allows both external and internal clients
+        using Bind Version 9 "views". It allows both external and internal 
-      to access a NATed host using the host's DNS name.</p>
+ clients       to access a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch from
         static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
-addresses      and can be accessed externally and internally using the same
+  addresses      and can be accessed externally and internally using the
-address.  </p>
+same   address.  </p>
 <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
 traffic through your firewall then:</p>
@ -513,32 +520,32 @@ traffic through your firewall then:</p>
        </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
-      to    check my firewall and it shows some ports as 'closed' rather than
+        to    check my firewall and it shows some ports as 'closed' rather 
-    'blocked'.     Why?</h4>
+ than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-      always    rejects connection requests on TCP port 113 rather than dropping 
+        always    rejects connection requests on TCP port 113 rather than 
-      them. This is    necessary to prevent outgoing connection problems to
+dropping        them. This is    necessary to prevent outgoing connection 
-  services    that use the    'Auth' mechanism for identifying requesting 
+problems to   services    that use the    'Auth' mechanism for identifying 
-users.  Shorewall    also rejects TCP    ports 135, 137 and 139 as well as 
+requesting  users.  Shorewall    also rejects TCP    ports 135, 137 and 139 
-UDP ports  137-139.   These are ports that are    used by Windows (Windows 
+as well as  UDP ports  137-139.   These are ports that are    used by Windows 
-<u>can</u>  be configured   to use the DCE cell locator    on port 135). Rejecting
+(Windows  <u>can</u>  be configured   to use the DCE cell locator    on port 
-these  connection requests   rather than dropping them    cuts down slightly
+135). Rejecting these  connection requests   rather than dropping them   
-on the amount of Windows  chatter on LAN segments connected    to the Firewall.
+cuts down slightly on the amount of Windows  chatter on LAN segments connected 
-</p>
+    to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
-      your    ISP preventing you from running a web server in violation of 
+        your    ISP preventing you from running a web server in violation 
- your     Service    Agreement.</p>
+of   your     Service    Agreement.</p>
 <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
           firewall and it showed 100s of ports as open!!!!</h4>
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
-      section about    UDP scans. If nmap gets <b>nothing</b> back from your 
+        section about    UDP scans. If nmap gets <b>nothing</b> back from 
-   firewall   then it reports    the port as open. If you want to see which 
+your     firewall   then it reports    the port as open. If you want to see 
-  UDP ports are  really open,    temporarily change your net-&gt;all policy 
+which    UDP ports are  really open,    temporarily change your net-&gt;all 
-  to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
+policy    to REJECT, restart  Shorewall and do    the nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
        can't ping through the firewall</h4>
@ -564,8 +571,8 @@ on the amount of Windows  chatter on LAN segments connected    to the Firewall.
 syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
 href="Documentation.htm#Rules">rules</a>. The destination for messaged 
 logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
-     When you have changed /etc/syslog.conf, be sure to restart syslogd (on 
+       When you have changed /etc/syslog.conf, be sure to restart syslogd 
-  a  RedHat system, "service syslog restart"). </p>
+(on    a  RedHat system, "service syslog restart"). </p>
 <p align="left">By default, older versions of Shorewall ratelimited log messages 
        through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
@ -585,7 +592,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                  <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
-              <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
+                  <a
 href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
       http://www.logwatch.org</a><br>
         </p>
@ -617,8 +625,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
 <div align="left">                  
 <p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
-      for  problems concerning the version of iptables (v1.2.3) shipped with 
+        for  problems concerning the version of iptables (v1.2.3) shipped 
-   RH7.2.</p>
+with     RH7.2.</p>
                 </div>
 <h4 align="left">      </h4>
@ -675,7 +683,7 @@ them when the authors      feel that they are ready. </p>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
        that will let all traffic to and from the 192.168.100.1 address  of
-the    modem  in/out but still block all other rfc1918 addresses.</p>
+  the    modem  in/out but still block all other rfc1918 addresses.</p>
 <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
 than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
@ -714,10 +722,10 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
               </p>
 <p align="left">Note: If you add a second IP address to your external firewall 
-     interface to correspond to the modem address, you must also make an entry
+       interface to correspond to the modem address, you must also make an 
-     in /etc/shorewall/rfc1918 for that address. For example, if you configure
+ entry      in /etc/shorewall/rfc1918 for that address. For example, if you 
-     the address 192.168.100.2 on your firewall, then you would add two entries
+ configure      the address 192.168.100.2 on your firewall, then you would 
-     to /etc/shorewall/rfc1918:  <br>
+ add two entries      to /etc/shorewall/rfc1918:  <br>
               </p>
 <blockquote>                                             
@ -742,6 +750,7 @@ than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                       </td>
                     </tr>
    </tbody>                                             
  </table>
               </blockquote>
@ -764,8 +773,8 @@ lease.</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
        the net", I wonder  where the poster bought computers with eyes and 
-what     those computers will "see"  when things are working properly. That 
+  what     those computers will "see"  when things are working properly. That
-aside,     the most common causes of this  problem are:</p>
+  aside,     the most common causes of this  problem are:</p>
 <ol>
                    <li>                                                
@ -781,8 +790,8 @@ aside,     the most common causes of this  problem are:</p>
                    <li>                                                
    <p align="left">The DNS settings on the local systems are wrong or the 
-         user is running a DNS server on the firewall and hasn't enabled UDP
+           user is running a DNS server on the firewall and hasn't enabled 
-   and   TCP    port 53 from the firewall to the internet.</p>
+ UDP    and   TCP    port 53 from the firewall to the internet.</p>
                     </li>
 </ol>
@ -797,12 +806,12 @@ aside,     the most common causes of this  problem are:</p>
             </p>
 <h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
-         <b>Answer: </b>Logging occurs out of a number of chains (as indicated
+             <b>Answer: </b>Logging occurs out of a number of chains (as
-   in  the log message) in Shorewall:<br>
+indicated      in  the log message) in Shorewall:<br>
 <ol>
-           <li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918 
+               <li><b>man1918 - </b>The destination address is listed in
-    with a <b>logdrop </b>target -- see <a
+/etc/shorewall/rfc1918       with a <b>logdrop </b>target -- see <a
 href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
               <li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918 
      with a <b>logdrop </b>target -- see <a
@ -818,36 +827,42 @@ aside,     the most common causes of this  problem are:</p>
   <b>&lt;zone2&gt;</b> that specifies a log level and this packet is being 
     logged under that policy or this packet matches  a <a
 href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
-    <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
+        <li><b>&lt;interface&gt;_mac</b> - The packet is being logged under 
-     <b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
+ the      <b>maclist</b> <a href="Documentation.htm#Interfaces">interface 
 option</a>.<br>
        </li>
               <li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b> 
          <a href="Documentation.htm#Interfaces">interface option</a>.</li>
               <li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b> 
          <a href="Documentation.htm#Interfaces">interface option</a> as specified
-    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+      in the <b>LOGUNCLEAN </b>setting in <a
-           <li><b>blacklst</b> - The packet is being logged because the source
+ href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
-   IP  is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist 
+               <li><b>blacklst</b> - The packet is being logged because the 
-        </a>file.</li>
+ source    IP  is blacklisted in the<a
-           <li><b>newnotsyn </b>- The packet is being logged because it is
+ href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
- a  TCP   packet that is not part of any current connection yet it is not
+               <li><b>newnotsyn </b>- The packet is being logged because
-a syn  packet.   Options affecting the logging of such packets include <b>NEWNOTSYN
+it  is  a  TCP   packet that is not part of any current connection yet it
-      </b>and       <b>LOGNEWNOTSYN </b>in     <a
+is not a syn  packet.   Options affecting the logging of such packets include 
    <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN </b>in     <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-          <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP 
+              <li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
-address    that isn't in any of your defined zones ("shorewall check" and 
+ IP  address    that isn't in any of your defined zones ("shorewall check"
-look at the   printed zone definitions) or the chain is FORWARD and the destination
+ and  look at the   printed zone definitions) or the chain is FORWARD and
- IP  isn't in any of your defined zones.</li>
+the destination  IP  isn't in any of your defined zones.</li>
     <li><b>logflags </b>- The packet is being logged because it failed the 
 checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
     </li>
 </ol>
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
    with Shorewall, and maintain separate rulesets for different IPs?</h4>
-     <b>Answer: </b>Yes. You simply use the IP address in your rules (or
+         <b>Answer: </b>Yes. You simply use the IP address in your rules
-if  you  use NAT, use the local IP address in your rules). <b>Note:</b> The 
+(or   if  you  use NAT, use the local IP address in your rules). <b>Note:</b>
-":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
+The  ":n"  notation  (e.g., eth0:0) is deprecated and will disappear eventually. 
-Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
+  Neither   iproute  (ip and tc) nor iptables supports that notation so neither 
-does   Shorewall.  <br>
+  does   Shorewall.  <br>
         <br>
         <b>Example 1:</b><br>
         <br>
@ -870,27 +885,59 @@ does   Shorewall.  <br>
 <pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
 <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
-but they don't seem to do anything. Why?</h4>
+  but they don't seem to do anything. Why?</h4>
     You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf 
-so the contents of the tcrules file are simply being ignored.<br>
+  so the contents of the tcrules file are simply being ignored.<br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
-to change Shorewall to allow access to my server from the internet?</b><br>
+  to change Shorewall to allow access to my server from the internet?</b><br>
-</h4>
+    </h4>
-Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
+    Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
-that you used during your initial setup for information about how to set
+guide</a>   that you used during your initial setup for information about
-up rules for your server.<br>
+how to set  up rules for your server.<br>
-<br>
+   
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
 what are they?<br>
  </h4>
 <blockquote>      
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
  </blockquote>
  192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
  <br>
  <b>Answer: </b>While most people associate the Internet Control Message 
 Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. ICMP is 
 used to report problems back to the sender of a packet; this is what is happening 
 here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), 
 there are a lot of broken implementations. That is what you are seeing with 
 these messages.<br>
  <br>
 Here is my interpretation of what is happening -- to confirm this analysis, 
 one out have to have packet sniffers placed a both ends of the connection.<br>
 <br>
 Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query 
 to 192.0.2.3 and your DNS server tried to send a response (the response information 
 is in the brackets -- note source port 53 which marks this as a DNS reply). 
 When the response was returned to to 206.124.146.179, it rewrote the destination 
 IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had 
 a connection on UDP port 2857. This causes a port unreachable (type 3, code 
 3) to be generated back to 192.0.2.3. As this packet is sent back through 
 206.124.146.179, that box correctly changes the source address in the packet 
 to 206.124.146.179 but doesn't reset the DST IP in the original DNS response 
 similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall 
 has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't 
 appear to be related to anything that was sent. The final result is that the
 packet gets logged and dropped in the all2all chain. I have also seen cases
 where the source IP in the ICMP itself isn't set back to the external IP
 of the remote NAT gateway; that causes your firewall to log and drop the packet
 out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
  <br>
 <div align="left">     </div>
-  <font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font> 
+      <font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
-                          
+Eastep</a></font>                                 
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
         © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-     <br>
+</p>
    </p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
--- a/STABLE/documentation/download.htm
+++ b/STABLE/documentation/download.htm
@ -30,28 +30,36 @@
 <p><b>I strongly urge you to read and print a copy of the       <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>    
-    for the configuration that most closely matches your own.</b></p>
+   for the configuration that most closely matches your own.<br>
  </b></p>
-<p>Once you've done that, download <u>     one</u> of the modules:</p>
+<p>The entire set of Shorewall documentation is also available in PDF format
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
      <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
 <br>
 Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
              <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
-         Linux PPC</b> or     <b> TurboLinux</b> distribution     with a
+            Linux PPC</b> or     <b> TurboLinux</b> distribution     with 
-2.4   kernel,   you can use the  RPM version (note: the             RPM should
+a  2.4   kernel,   you can use the  RPM version (note: the             RPM 
- also work  with other distributions that             store init scripts
+should   also work  with other distributions that             store init scripts
 in  /etc/init.d  and that             include chkconfig or insserv). If you
 find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that 
  I can mention them here. See the   <a href="Install.htm">Installation Instructions</a> 
  if you have problems    installing the RPM.</li>
              <li>If you are running LRP, download the .lrp file (you might 
-also   want  to     download the .tgz so you will have a copy of the documentation).</li>
+ also   want  to     download the .tgz so you will have a copy of the documentation).</li>
              <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
   and   would      like a .deb package, Shorewall is in both the    <a
- href="http://packages.debian.org/testing/net/shorewall.html">Debian    
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
-Testing Branch</a> and the    <a
+Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
- Unstable Branch</a>.</li>
+Unstable Branch</a>.</li>
              <li>Otherwise, download the <i>shorewall</i>             module 
  (.tgz)</li>
@ -66,10 +74,10 @@ Testing Branch</a> and the    <a
 <ul>
              <li>RPM - "rpm -qip LATEST.rpm"</li>
-           <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name will
+              <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name
- contain    the version)</li>
+will   contain    the version)</li>
              <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar    -zxf 
-&lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
+ &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
 </ul>
@ -84,8 +92,8 @@ Testing Branch</a> and the    <a
 configuration    of your firewall, you can enable startup by removing the 
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates 
+<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
-to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
+  to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>                                    
  <table border="2" cellspacing="3" cellpadding="3"
@ -204,7 +212,7 @@ to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
            Download .lrp</a><br>
                  <a target="_blank"
 href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
-.md5sums</a></td>
+  .md5sums</a></td>
                  <td>       <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download 
     .rpm</a>  <br>
@ -216,18 +224,19 @@ to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
            Download .lrp</a><br>
                  <a target="_blank"
 href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
-.md5sums</a></td>
+  .md5sums</a></td>
                </tr>
                <tr>
                  <td>Paris, France</td>
                  <td>Shorewall.net</td>
-               <td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
+                  <td><a
-    .rpm</a><br>
+ href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
                    <a href="http://france.shorewall.net/pub/LATEST.tgz">Download 
            .tgz</a> <br>
                    <a href="http://france.shorewall.net/pub/LATEST.lrp">Download 
            .lrp</a><br>
-               <a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
+                  <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download          
  .md5sums</a></td>
                  <td>       <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download 
@ -283,8 +292,8 @@ to the    mirrors  occur 1-12 hours after an update to the primary site.</b></p>
 <blockquote>            
  <p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing 
-the Shorewall 1.3.10 documenation (the documentation in HTML format is included
+ the Shorewall 1.3.10 documenation (the documentation in HTML format is included 
-in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
+ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
    </blockquote>
 <blockquote>            
@ -334,7 +343,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
                <tr>
                  <td>Hamburg, Germany</td>
                  <td>Shorewall.net</td>
-               <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
+                  <td><a
 href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
                  <td><a target="_blank"
 href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
                </tr>
@ -377,7 +387,7 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
      </p>
    </blockquote>
-<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
+<p align="left"><font size="2">Last Updated 12/3/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
@ -391,5 +401,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>Shorewall 1.3 Errata</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -32,6 +33,7 @@
 <ol>
               <li>                                                     
    <p align="left">          <b><u>I</u>f you use a Windows system to download 
     a corrected     script, be sure to run the script through <u>       
    <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -39,12 +41,14 @@
     it to your Linux system.</b></p>
                            </li>
               <li>                                                     
-    <p align="left">          <b>If you are installing Shorewall for the
+                
-first time and plan to use the        .tgz and install.sh script, you can
+    <p align="left">          <b>If you are installing Shorewall for the first
-untar the archive, replace the        'firewall' script in the untarred directory
+time and plan to use the        .tgz and install.sh script, you can untar
 the archive, replace the        'firewall' script in the untarred directory 
     with the one you downloaded        below, and then run install.sh.</b></p>
                            </li>
               <li>                                                     
    <p align="left">          <b>When the instructions say to install a corrected 
     firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
    or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
@ -52,7 +56,7 @@ untar the archive, replace the        'firewall' script in the untarred director
           or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall 
           and /var/lib/shorewall/firewall  are symbolic links that point 
       to the 'shorewall' file used by your  system initialization scripts 
-to         start Shorewall during boot. It is  that file that must be overwritten
+ to         start Shorewall during boot. It is  that file that must be overwritten 
           with the corrected script.</b></p>
       </li>
       <li>                         
@ -66,19 +70,20 @@ example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
 <ul>
               <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-            <li>                            <b><a href="#V1.3">Problems in
+               <li>                            <b><a href="#V1.3">Problems
- Version    1.3</a></b></li>
+ in  Version    1.3</a></b></li>
               <li>                            <b><a href="errata_2.htm">Problems 
    in  Version 1.2</a></b></li>
-            <li>                            <b><font color="#660066">  <a
+               <li>                            <b><font color="#660066">
- href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
+     <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
               <li>                            <b><font color="#660066"><a
 href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
               <li>                            <b><a href="#Debug">Problems 
-with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
+ with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
-            <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
+               <li><b><a href="#SuSE">Problems installing/upgrading RPM on
-            <li><b><a href="#Multiport">Problems with iptables version 1.2.7
+ SuSE</a></b></li>
-  and       MULTIPORT=Yes</a></b></li>
+               <li><b><a href="#Multiport">Problems with iptables version 
 1.2.7    and       MULTIPORT=Yes</a></b></li>
         <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
         </li>
@ -87,18 +92,44 @@ with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
 <hr>                                   
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.11</h3>
 <ul>
    <li>When installing/upgrading using the .rpm, you may receive the following
 warnings:<br>
      <br>
       user teastep does not exist - using root<br>
       group teastep does not exist - using root<br>
      <br>
  These warnings are harmless and may be ignored. Users downloading the .rpm
 from shorewall.net or mirrors should no longer see these warnings as the
 .rpm you will get from there has been corrected.</li>
   <li>DNAT rules that exclude a source subzone (SOURCE column contains ! 
 followed by a sub-zone list) result in an error message and Shorewall fails 
 to start.<br>
     <br>
 Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this 
 corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
 Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
    <br>
 This problem is corrected in version 1.3.11a.<br>
   </li>
 </ul>
 <h3>Version 1.3.10</h3>
 <ul>
-   <li>If you experience problems connecting to a PPTP server running on
+      <li>If you experience problems connecting to a PPTP server running
-your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
+on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, 
     <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this 
-version of the firewall script</a> may help. Please report any cases where
+ version of the firewall script</a> may help. Please report any cases where 
-installing this script in /usr/lib/shorewall/firewall solved your connection
+ installing this script in /usr/lib/shorewall/firewall solved your connection 
-problems. Beginning with version 1.3.10, it is safe to save the old version
+ problems. Beginning with version 1.3.10, it is safe to save the old version 
-of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
+ of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall 
-is the real script now and not just a symbolic link to the real script.<br>
+ is the real script now and not just a symbolic link to the real script.<br>
      </li>
 </ul>
@ -106,8 +137,8 @@ is the real script now and not just a symbolic link to the real script.<br>
 <h3>Version 1.3.9a</h3>
 <ul>
-    <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
+       <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
- the following message appears during "shorewall [re]start":</li>
+ then  the following message appears during "shorewall [re]start":</li>
 </ul>
@ -116,8 +147,8 @@ is the real script now and not just a symbolic link to the real script.<br>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
- corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
+   corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
- above.<br>
+ described  above.<br>
     </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the 
@ -126,9 +157,9 @@ is the real script now and not just a symbolic link to the real script.<br>
     </blockquote>
 <ul>
-    <li>The installer (install.sh) issues a misleading message "Common functions
+       <li>The installer (install.sh) issues a misleading message "Common 
- installed in /var/lib/shorewall/functions" whereas the file is installed
+functions   installed in /var/lib/shorewall/functions" whereas the file is 
-in /usr/lib/shorewall/functions. The installer also performs incorrectly
+installed  in /usr/lib/shorewall/functions. The installer also performs incorrectly 
 when updating old configurations that had the file /etc/shorewall/functions. 
    <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here 
@ -147,10 +178,10 @@ when updating old configurations that had the file /etc/shorewall/functions.
        Version 1.3.8           
 <ul>
            <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
-of  the  policy file doesn't work.</li>
+  of  the  policy file doesn't work.</li>
            <li>A DNAT rule with the same original and new IP addresses but 
-with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
+ with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 
-tcp   25 - 10.1.1.1")<br>
+ tcp   25 - 10.1.1.1")<br>
            </li>
 </ul>
@ -190,15 +221,15 @@ tcp   25 - 10.1.1.1")<br>
                                    has two problems:</p>
 <ol>
-                                         <li>If the firewall is running a 
+                                            <li>If the firewall is running
-DHCP   server,                                   the client won't be able 
+ a  DHCP   server,                                   the client won't be
-to obtain   an IP  address                                  lease from that 
+able   to obtain   an IP  address                                  lease
-server.</li>
+from that   server.</li>
                                            <li>With this order of checking,
-the   "dhcp"                                   option cannot be used as a 
+  the   "dhcp"                                   option cannot be used as
-noise-reduction                                     measure where there are 
+a  noise-reduction                                     measure where there
-both dynamic and    static                                  clients on a LAN
+are  both dynamic and    static                                  clients
-segment.</li>
+on a LAN segment.</li>
 </ol>
@ -300,10 +331,10 @@ segment.</li>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
-         to not verify that the zones named in the /etc/shorewall/policy
+        to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -314,21 +345,21 @@ so it's a            good idea to run that command after you have made configura
     that specifies an interface that you didn't            include in /etc/shorewall/interfaces. 
     To correct this problem, you            must add an entry to /etc/shorewall/interfaces. 
     Shorewall 1.3.3 and            later versions produce a clearer error 
-message    in this case.</p>
+ message    in this case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
-           file can be identified by its size (56284 bytes). The correct
+          file can be identified by its size (56284 bytes). The correct version
-version            has a size of 38126 bytes.</p>
+           has a size of 38126 bytes.</p>
 <ul>
-                     <li>The code to detect a duplicate interface entry in
+                        <li>The code to detect a duplicate interface entry
-            /etc/shorewall/interfaces contained a typo that prevented it
+ in             /etc/shorewall/interfaces contained a typo that prevented
-from               working correctly. </li>
+it from               working correctly. </li>
-                     <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
+                        <li>"NAT_BEFORE_RULES=No" was broken; it behaved
- like   "NAT_BEFORE_RULES=Yes".</li>
+just   like   "NAT_BEFORE_RULES=Yes".</li>
 </ul>
@ -365,15 +396,15 @@ option.  For example:<br>
                        loc    eth1    dhcp<br>
                        <br>
                        Shorewall will ignore the 'dhcp' on eth1.</li>
-                     <li>Update 17 June 2002 - The bug described in the prior 
+                        <li>Update 17 June 2002 - The bug described in the
-  bullet               affects the following options: dhcp, dropunclean, logunclean,
+ prior    bullet               affects the following options: dhcp, dropunclean,
-                norfc1918, routefilter, multi, filterping and noping. An
+ logunclean,                 norfc1918, routefilter, multi, filterping and
-additional                 bug has been found that affects only the 'routestopped'
+ noping. An additional                 bug has been found that affects only
-option.<br>
+ the 'routestopped' option.<br>
                        <br>
-                     Users who downloaded the corrected script prior to 1850
+                        Users who downloaded the corrected script prior to
-  GMT   today              should download and install the corrected script
+ 1850   GMT   today              should download and install the corrected
-  again   to ensure              that this second problem is corrected.</li>
+ script   again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -385,10 +416,10 @@ option.<br>
 <h3 align="left">Version 1.3.0</h3>
 <ul>
-                     <li>Folks who downloaded 1.3.0 from the links on the 
+                        <li>Folks who downloaded 1.3.0 from the links on
-download    page              before 23:40 GMT, 29 May 2002 may have downloaded 
+the   download    page              before 23:40 GMT, 29 May 2002 may have
-1.2.13    rather than              1.3.0. The "shorewall version" command 
+downloaded   1.2.13    rather than              1.3.0. The "shorewall version"
-will tell    you which version              that you have installed.</li>
+command   will tell    you which version              that you have installed.</li>
                        <li>The documentation NAT.htm file uses non-existent
             wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">     
@ -408,17 +439,17 @@ will tell    you which version              that you have installed.</li>
 <blockquote>                                                       
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
-            prevent it from working with Shorewall. Regrettably,  RedHat released
+              prevent it from working with Shorewall. Regrettably,  RedHat
-   this buggy iptables in RedHat   7.2. </p>
+ released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
       corrected 1.2.3 rpm which you can download here</a>  and I have also
-built            an <a
+  built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
-iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+ iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
-    running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
+     running RedHat 7.1, you can install either of these RPMs            
-      </b>you upgrade to RedHat 7.2.</p>
+ <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat 
     has   released an iptables-1.2.4 RPM of their own which you can download 
@ -451,6 +482,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
     may     experience the following:</p>
  <blockquote>                                                          
    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
               </blockquote>
@ -459,9 +491,9 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
     the     Netfilter 'mangle' table. You can correct the problem by installing
         <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-       this iptables RPM</a>. If you are already running a 1.2.5 version of
+         this iptables RPM</a>. If you are already running a 1.2.5 version
-      iptables, you will need to specify the --oldpackage option to rpm (e.g.,
+ of       iptables, you will need to specify the --oldpackage option to rpm
-       "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+ (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
             </blockquote>
@ -490,7 +522,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
                                            <li>set MULTIPORT=No in     
                            /etc/shorewall/shorewall.conf; or </li>
                                            <li>if you are running Shorewall
-1.3.6    you may                                  install                
+  1.3.6    you may                                  install             
                   <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">    
                            this firewall script</a> in /var/lib/shorewall/firewall 
@ -508,23 +540,17 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
       Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-    The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
+       The solution is to put "no" in the LOCAL column. Kernel support for
-  has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
+ LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. The
-  contains corrected support under a new kernel configuraiton option; see
+2.4.19 kernel   contains corrected support under a new kernel configuraiton
-<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
+option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 11/24/2002 -                            
+<p><font size="2">  Last updated 12/3/2002 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-          <br>
+  </p>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
--- a/STABLE/documentation/seattlefirewall_index.htm
+++ b/STABLE/documentation/seattlefirewall_index.htm
@ -52,6 +52,7 @@
  </tbody>                                                        
 </table>
@ -71,6 +72,7 @@
      <h2 align="left">What is it?</h2>
@ -79,9 +81,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-       that can be used on a dedicated firewall system, a multi-function 
+firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -92,8 +94,8 @@
      <p>This program is free software; you can redistribute it and/or modify
                            it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
-Public License</a> as published by the Free Software        Foundation.<br>
+General Public License</a> as published by the Free Software        Foundation.<br>
                                                                  <br>
                                                                   This program 
   is  distributed       in  the   hope   that   it  will   be  useful,  
@ -121,6 +123,7 @@ Public License</a> as published by the Free Software        Foundation.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
                                                              </a>Jacques 
@ -131,12 +134,13 @@ Public License</a> as published by the Free Software        Foundation.<br>
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
          </a></p>
-      <p><b>Congratulations to Jacques and Eric on the recent release of Bering
+      <p><b>Congratulations to Jacques and Eric on the recent release of
-1.0 Final!!! </b><br>
+Bering 1.0 Final!!! </b><br>
     </p>
-      <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
+      <h2>This is a mirror of the main Shorewall web site at SourceForge
- href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
+(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -159,29 +163,48 @@ Public License</a> as published by the Free Software        Foundation.<br>
-      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
+      <p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                  </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
 with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
 don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                              </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
  documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
          <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
      </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
                 </b></p>
      <p>In this version:</p>
      <ul>
           <li>A 'tcpflags' option has been added to entries in <a
- href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
-This option causes Shorewall to make a set of sanity check on TCP packet
+option causes Shorewall to make a set of sanity check on TCP packet header
-header flags.</li>
+flags.</li>
-        <li>It is now allowed to use 'all' in the SOURCE or DEST column in
+           <li>It is now allowed to use 'all' in the SOURCE or DEST column
-a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>. 
+ in a <a href="Documentation.htm#Rules">rule</a>.  When used, 'all' must
-When used, 'all' must appear by itself (in may not be qualified) and it does 
+appear  by itself (in may not be qualified) and it does  not enable intra-zone
-not enable intra-zone traffic. For example, the rule <br>
+traffic.  For example, the rule <br>
        <br>
        ACCEPT loc all tcp 80<br>
        <br>
    does not enable http traffic from 'loc' to 'loc'.</li>
           <li>Shorewall's use of the 'echo' command is now compatible with 
-bash clones such as ash and dash.</li>
+ bash clones such as ash and dash.</li>
-        <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
+           <li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw 
-generate a warning and are ignored</li>
+rules  generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
@ -212,24 +235,24 @@ generate a warning and are ignored</li>
      <ul>
-                    <li>You may now <a href="IPSEC.htm#Dynamic">define the
+                       <li>You may now <a href="IPSEC.htm#Dynamic">define 
- contents      of a zone dynamically</a> with the <a
+the   contents      of a zone dynamically</a> with the <a
 href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
        delete" commands</a>. These commands are expected to be used primarily 
     within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
     updown   scripts.</li>
                       <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>      on ethernet segments. 
-You can specify the set  of allowed   MAC addresses   on   the segment and
+ You can specify the set  of allowed   MAC addresses   on   the segment and 
-you can optionally tie each MAC address   to one or more   IP  addresses.</li>
+ you can optionally tie each MAC address   to one or more   IP  addresses.</li>
                       <li>PPTP Servers and Clients running on the firewall 
-system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
+ system    may    now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
     file.</li>
-                    <li>A new 'ipsecnat' tunnel type is supported for use 
+                       <li>A new 'ipsecnat' tunnel type is supported for
-when   the             <a href="IPSEC.htm">remote IPSEC endpoint is behind 
+use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint is
-a NAT   gateway</a>.</li>
+behind   a NAT   gateway</a>.</li>
-                    <li>The PATH used by Shorewall may now be specified in
+                       <li>The PATH used by Shorewall may now be specified
-           <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+ in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                       <li>The main firewall script is now /usr/lib/shorewall/firewall. 
        The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall 
        to do the real work. This change makes custom distributions such as
@ -244,6 +267,7 @@ a NAT   gateway</a>.</li>
      <blockquote>                                                      
        <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
               </blockquote>
@ -252,7 +276,7 @@ a NAT   gateway</a>.</li>
 href="http://www.gentoo.org"><br>
                            </a></p>
                      Alexandru Hartmann reports that his Shorewall package 
-is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo
+ is  now   a  part   of        <a href="http://www.gentoo.org">the Gentoo 
 Linux  distribution</a>.       Thanks Alex!<br>
@ -263,24 +287,25 @@ Linux  distribution</a>.       Thanks Alex!<br>
      <ul>
-                             <li>You may now <a href="IPSEC.htm#Dynamic">define 
+                                <li>You may now <a
-   the   contents      of a zone dynamically</a> with the <a
+ href="IPSEC.htm#Dynamic">define     the   contents      of a zone dynamically</a>
- href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall 
+ with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
-          delete" commands</a>. These commands are expected to be used primarily 
+ "shorewall            delete" commands</a>. These commands are expected
-       within             <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> 
+to  be used primarily         within             <a
-       updown   scripts.</li>
+ href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>         updown  
 scripts.</li>
                                <li>Shorewall can now do<a
 href="MAC_Validation.html">  MAC   verification</a>    on ethernet segments.
-    You can specify the set of  allowed   MAC addresses on   the segment and
+      You can specify the set of  allowed   MAC addresses on   the segment
-   you can optionally tie each MAC address   to one or more IP  addresses.</li>
+ and    you can optionally tie each MAC address   to one or more IP  addresses.</li>
                                <li>PPTP Servers and Clients running on the 
-firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
+ firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> 
         file.</li>
                                <li>A new 'ipsecnat' tunnel type is supported 
  for   use   when   the             <a href="IPSEC.htm">remote IPSEC endpoint 
  is   behind   a NAT   gateway</a>.</li>
-                             <li>The PATH used by Shorewall may now be specified
+                                <li>The PATH used by Shorewall may now be 
-    in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+specified      in            <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                <li>The main firewall script is now /usr/lib/shorewall/firewall.
            The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
            to do the real work. This change makes custom distributions such
@ -319,11 +344,12 @@ firewall     system    may   now be defined in the<a href="PPTP.htm"> /etc/shore
      <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                         </b></p>
                               This release rolls up fixes to the installer 
-and   to  the   firewall     script.<br>
+ and   to  the   firewall     script.<br>
                                <b><br>
                               10/6/2002 - Shorewall.net now running on RH8.0 
        </b><b><img border="0" src="images/new10.gif" width="28"
@ -343,12 +369,14 @@ and   to  the   firewall     script.<br>
      <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>                
         </b></p>
-                                        <img src="images/j0233056.gif"
+                                           <img
- alt="Brown Paper Bag" width="50" height="86" align="left">
+ src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
-                                   There is an updated firewall script at 
+ align="left">
-      <a
+                                      There is an updated firewall script 
 at        <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
                   -- copy that file to /usr/lib/shorewall/firewall.<br>
@ -356,18 +384,21 @@ and   to  the   firewall     script.<br>
      <p><b><br>
                                           </b></p>
      <p><b><br>
                                           </b></p>
      <p><b><br>
                                     9/28/2002 - Shorewall 1.3.9 </b><b>
                               </b></p>
@ -386,20 +417,20 @@ and   to  the   firewall     script.<br>
      <ul>
                                                   <li><a
 href="configuration_file_basics.htm#dnsnames">DNS   Names</a>     are now
-             allowed in Shorewall config files (although I recommend   against 
+               allowed in Shorewall config files (although I recommend  
-       using       them).</li>
+against          using       them).</li>
                                                   <li>The connection SOURCE
-may   now   be  qualified      by  both   interface      and IP address in 
+  may   now   be  qualified      by  both   interface      and IP address
-a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
+in  a <a href="Documentation.htm#Rules">Shorewall   rule</a>.</li>
-                                                <li>Shorewall startup is
+                                                   <li>Shorewall startup
-now   disabled     after    initial     installation       until the file
+is  now   disabled     after    initial     installation       until the
-/etc/shorewall/startup_disabled          is removed.     This avoids    nasty
+file  /etc/shorewall/startup_disabled          is removed.     This avoids
-  surprises at reboot for users     who    install Shorewall     but don't
+   nasty    surprises at reboot for users     who    install Shorewall  
-configure     it.</li>
+  but don't  configure     it.</li>
-                                               <li>The 'functions' and 'version'
+                                                  <li>The 'functions' and 
-    files    and   the   'firewall'      symbolic   link have been  moved
+'version'      files    and   the   'firewall'      symbolic   link have been
-from    /var/lib/shorewall       to /usr/lib/shorewall      to appease  
+ moved  from    /var/lib/shorewall       to /usr/lib/shorewall      to appease
-the LFS   police at Debian.<br>
+  the LFS   police at Debian.<br>
                                                  </li>
@ -415,6 +446,7 @@ the LFS   police at Debian.<br>
      <p><a href="News.htm">More News</a></p>
@ -423,6 +455,7 @@ the LFS   police at Debian.<br>
      <h2><a name="Donations"></a>Donations</h2>
                                     </td>
@ -440,6 +473,7 @@ the LFS   police at Debian.<br>
                                                               </div>
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
@ -462,8 +496,9 @@ the LFS   police at Debian.<br>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+               
-if       you try it and find it useful, please consider making a donation 
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                            to       <a href="http://www.starlight.org"><font
 color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                                                              </td>
@ -471,16 +506,14 @@ if       you try it and find it useful, please consider making a donation
  </tbody>                                                        
 </table>
-<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font> 
                    <br>
-   </p>
+</p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/shoreline.htm
+++ b/STABLE/documentation/shoreline.htm
@ -37,14 +37,14 @@
  </p>
 <ul>
-          <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington 
+           <li>Born 1945 in <a
-   State</a> .</li>
+ href="http://www.experiencewashington.com">Washington     State</a> .</li>
           <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
-State    University</a>  1967</li>
+ State    University</a>  1967</li>
           <li>MA Mathematics from <a href="http://www.washington.edu">University 
   of Washington</a> 1969</li>
-          <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
+           <li>Burroughs Corporation (now <a
-   ) 1969 - 1980</li>
+ href="http://www.unisys.com">Unisys</a>    ) 1969 - 1980</li>
           <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> 
    (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
           <li>Married 1969 - no children.</li>
@ -56,8 +56,8 @@ State    University</a>  1967</li>
 <p>I became interested in Internet Security when I established a home office
   in 1999 and had DSL service installed in our       home. I investigated
-ipchains  and developed the scripts which are now collectively known as <a
+ ipchains  and developed the scripts which are now collectively known as
- href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
+<a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding
   on what I learned from Seattle Firewall, I then       designed and wrote
  Shorewall. </p>
@ -68,22 +68,23 @@ ipchains  and developed the scripts which are now collectively known as <a
 <ul>
           <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
-HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also has
+ HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also has 
 RedHat  8.0 installed.</li>
-          <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC 
+           <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
- -  My      personal Linux System which runs Samba configured as a WINS server. 
+NIC   -  My      personal Linux System which runs Samba configured as a WINS
-  This      system also has <a href="http://www.vmware.com/">VMware</a> installed 
+server.    This      system also has <a href="http://www.vmware.com/">VMware</a>
-  and      can run both <a href="http://www.debian.org">Debian Woody</a>
+installed    and      can run both <a href="http://www.debian.org">Debian
-and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
+Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual
 machines.</li>
           <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail 
 (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server 
      (Bind).</li>
           <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX  
- (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.9a  and a DHCP
+ (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.11  and a DHCP 
     server.  Also   runs PoPToP for     road warrior access.</li>
           <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's 
      personal system.</li>
-          <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 
+           <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
   and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
 </ul>
@ -105,10 +106,11 @@ and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
 src="images/apache_pb1.gif" hspace="2" width="170" height="20">
      </a>  </font></p>
-<p><font size="2">Last updated 10/28/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 11/24/2002 - </font><font size="2">      
- href="support.htm">Tom Eastep</a></font>  </p>
+<a href="support.htm">Tom Eastep</a></font>  </p>
-        <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+         <font face="Trebuchet MS"><a href="copyright.htm"><font
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font>       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
      <br>
     <br>
    <br>
   <br>
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@ -31,8 +31,8 @@
  </tbody>        
 </table>
-<p align="center">With thanks to Richard who reminded me once again that we
+<p align="center">With thanks to Richard who reminded me once again that
-must  all first walk before we can run.</p>
+we must  all first walk before we can run.</p>
 <h2>The Guides</h2>
@ -54,9 +54,9 @@ acting    as a    firewall/router for a small local network</li>
     quickly in the three most common Shorewall configurations.</p>
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
-    the steps necessary to set up a firewall where <b>there are multiple public
+     the steps necessary to set up a firewall where <b>there are multiple
-   IP  addresses involved or if you want to learn more about Shorewall than
+public    IP  addresses involved or if you want to learn more about Shorewall
-  is  explained in the single-address guides above.</b></p>
+than   is  explained in the single-address guides above.</b></p>
 <ul>
           <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -92,6 +92,7 @@ your   Network</a>
    <ul>
             <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
        <ul>
               <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
               <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -110,7 +111,7 @@ and   Ends</a></li>
           </li>
           <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
           <li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
-Starting    and    Stopping the Firewall</a></li>
+ Starting    and    Stopping the Firewall</a></li>
 </ul>
@ -154,7 +155,8 @@ Starting    and    Stopping the Firewall</a></li>
             <li><font color="#000099"><a
 href="Documentation.htm#Interfaces">interfaces</a></font></li>
             <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
-            <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
+             <li><font color="#000099"><a
 href="Documentation.htm#Policy">policy</a></font></li>
             <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
             <li><a href="Documentation.htm#Common">common</a></li>
             <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
@ -175,8 +177,8 @@ Starting    and    Stopping the Firewall</a></li>
           </li>
           <li><a href="dhcp.htm">DHCP</a></li>
           <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
-(How to extend Shorewall without modifying Shorewall  code)</li>
+to extend Shorewall without modifying Shorewall  code)</li>
           <li><a href="fallback.htm">Fallback/Uninstall</a></li>
           <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
           <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
@ -194,10 +196,12 @@ Starting    and    Stopping the Firewall</a></li>
           <li><a href="samba.htm">Samba</a></li>
           <li><font color="#000099"><a
 href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
  <ul>
     <li>Description of all /sbin/shorewall commands</li>
     <li>How to safely test a Shorewall configuration change<br>
     </li>
  </ul>
           <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
           <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
@ -218,10 +222,10 @@ Starting    and    Stopping the Firewall</a></li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 11/19/2002 - <a
+<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
-</p>
+ </p>
 <br>
 </body>
 </html>
--- a/STABLE/documentation/support.htm
+++ b/STABLE/documentation/support.htm
@ -30,12 +30,12 @@
  </tbody>        
 </table>
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
-easier to post a problem than to use your own brain" </font>-- </i> <font
+is easier to post a problem than to use your own brain" </font>-- </i> <font
 size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
-<p align="left"> <i>"Any sane computer will tell you how it works -- you just
+<p align="left"> <i>"Any sane computer will tell you how it works -- you
- have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
 <blockquote> </blockquote>
@ -46,10 +46,10 @@ easier to post a problem than to use your own brain" </font>-- </i> <font
 <h3 align="left">Before Reporting a Problem</h3>
  <b><i>"Reading the documentation fully is a prerequisite to getting help
-for your particular situation. I know it's harsh but you will have to get 
+ for your particular situation. I know it's harsh but you will have to get
-so far on your own before you can get reasonable help from a list full of 
+ so far on your own before you can get reasonable help from a list full of
-busy people. A mailing list is not a tool to speed up your day by being spoon
+ busy people. A mailing list is not a tool to speed up your day by being
-fed</i></b><i><b>".</b> </i>-- Simon White<br>
+spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
 <p>There are also a number of sources for problem solution information.</p>
@ -99,40 +99,46 @@ about         similar problems:</li>
 <h3 align="left">Problem Reporting Guideline</h3>
 <ul>
-          <li>When reporting a problem, give as much information as you can.
+           <li>When reporting a problem, give as much information as you
-  Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+can.   Reports   that say "I tried XYZ and it didn't work" are not at all
-          <li>Please don't describe your environment and then ask us to send
+helpful.</li>
-  you             custom configuration files. We're here to answer your questions 
+           <li>Please don't describe your environment and then ask us to
-   but we           can't do your job for you.</li>
+send   you             custom configuration files. We're here to answer your
 questions     but we           can't do your job for you.</li>
           <li>Do you see any "Shorewall" messages in     /var/log/messages 
 when   you exercise the function that is giving you problems?</li>
           <li>Have you looked at the packet flow with a tool like tcpdump
     to  try to understand what is going on?</li>
           <li>Have you tried using the diagnostic capabilities of the  
  application    that isn't working? For example, if "ssh" isn't able   
-to connect, using    the "-v" option gives you a lot of valuable     diagnostic 
+ to connect, using    the "-v" option gives you a lot of valuable     diagnostic
-information.</li>
+ information.</li>
           <li>Please include any of the Shorewall configuration files (especially
-   the    /etc/shorewall/hosts file if you have modified that file) that you
+    the    /etc/shorewall/hosts file if you have modified that file) that
-   think are    relevant. If an error occurs when you try to "shorewall start",
+you    think are    relevant. If an error occurs when you try to "shorewall
-   include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
+start",    include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
    section for    instructions).</li>
           <li>The list server limits posts to 120kb so don't post GIFs of
-your             network layout, etc to the Mailing List -- your post will 
+ your             network layout, etc to the Mailing List -- your post will
-be rejected.</li>
+ be rejected.</li>
 </ul>
 <h3>Where to Send your Problem Report or to Ask for Help</h3>
             <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem 
 reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set 
- on October 3, 2002; MandrakeSoft issued a charge against my credit card
+ on October 3, 2002; MandrakeSoft issued a charge against my credit card on
-on  October 4, 2002 (they are really effecient at that part of the order
+ October 4, 2002 (they are very effecient at that part of the order process)
-process)  and I haven't heard a word from them since (although their news
+ and I haven't heard a word from them since (although their news letters
-letters boast  that 9.0 boxed sets have been shipping for the last two weeks).
+boast  that 9.0 boxed sets have been shipping for the last two weeks). If
-If they can't  fill my 9.0 order within <u>6 weeks after they have billed
+they can't  fill my 9.0 order within <u>6 weeks after they have billed my
-my credit card</u>  then I refuse to spend my free time supporting of their
+credit card</u>  then I refuse to spend my free time supporting their product
-product for them.<br>
+for them.<br>
 <br>
 <b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
 order is part of a batch of which was not correctly sent to our shipping
 handler, and so unfortunately was not processed". They further assure me
 that these mishandled orders will begin shipping on 12/2/2002.<br>
 <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
     post your question or problem to the <a
@ -153,11 +159,11 @@ product for them.<br>
 href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> 
        .</p>
-<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-</p>
+ </p>
- 
+   <br>
 </body>
 </html>
--- a/STABLE/documentation/troubleshoot.htm
+++ b/STABLE/documentation/troubleshoot.htm
@ -18,7 +18,10 @@
             <tbody>
        <tr>
               <td width="100%">                                       
-      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
 src="images/obrasinf.gif" alt="Beating head on table" width="90"
 height="90" align="middle">
      </font></h1>
               </td>
             </tr>
@ -37,8 +40,9 @@ of  the   firewall.</p>
  problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
-        If you receive an error message when starting or restarting the firewall
+          If you receive an error message when starting or restarting the 
- and you can't determine the cause, then do the following:     
+firewall  and you can't determine the cause, then do the following:     
 <ul>
         <li>shorewall debug start 2&gt; /tmp/trace</li>
         <li>Look at the /tmp/trace file and see if that helps you     determine
@ -52,17 +56,17 @@ of  the   firewall.</p>
 <p>Many times when people have problems with Shorewall, the problem is  
 actually an ill-conceived network setup. Here are several popular snafus:
-</p>
+ </p>
 <ul>
-       <li>Port           Forwarding where client and server are in the same
+         <li>Port           Forwarding where client and server are in the 
- subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
         <li>Changing the IP address of a local system to be in the external
  subnet,      thinking that Shorewall will suddenly believe that the system
  is in the      'net' zone.</li>
         <li>Multiple interfaces connected to the same HUB or Switch. Given 
-the way      that the Linux kernel respond to ARP "who-has" requests, this 
+ the way      that the Linux kernel respond to ARP "who-has" requests, this 
-type of setup      does NOT work the way that you expect it to.</li>
+ type of setup      does NOT work the way that you expect it to.</li>
 </ul>
@ -71,8 +75,8 @@ type of setup      does NOT work the way that you expect it to.</li>
 <p align="left">If the appropriate policy for the connection that you are
  trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING 
  TO MAKE IT WORK. Such additional rules will NEVER make it work, they add 
-clutter to your rule set and they represent a big security hole in the event 
+ clutter to your rule set and they represent a big security hole in the event 
-that you forget to remove them later.</p>
+ that you forget to remove them later.</p>
 <p align="left">I also recommend against setting all of your policies to
       ACCEPT in an effort to make something work. That robs you of one of
@ -80,10 +84,10 @@ that you forget to remove them later.</p>
  will        generate when you try to connect in a way that isn't permitted
  by your        rule set.</p>
-<p align="left">Check your log. If you don't see Shorewall  messages, then
+<p align="left">Check your log ("/sbin/shorewall show log"). If you don't 
- your problem is probably NOT a Shorewall problem. If you DO see packet messages,
+see Shorewall  messages, then  your problem is probably NOT a Shorewall problem. 
- it may be an indication that you are missing one or more rules -- see <a
+If you DO see packet messages,  it may be an indication that you are missing 
- href="FAQ.htm#faq17">FAQ 17</a>.</p>
+one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear 
        two variables in /etc/shorewall/shorewall.conf:</p>
@ -98,14 +102,15 @@ that you forget to remove them later.</p>
          <font face="Century Gothic, Arial, Helvetica">              
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:    
   Shorewall:all2all:REJECT:IN=eth2  OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
- LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
+  LEN=67 TOS=0x00 PREC=0x00 TTL=63  ID=5805 DF PROTO=UDP SPT=1803 DPT=53
 LEN=47</font></p>
             </font>              
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
-       <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
+         <li>all2all:REJECT - This packet was REJECTed out of the all2all 
- -- the packet was rejected under the     "all"-&gt;"all" REJECT policy (see
+chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT policy 
-     <a href="FAQ.htm#faq17">FAQ 17).</a></li>
+(see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
         <li>IN=eth2 - the packet entered the firewall via eth2</li>
         <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
         <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -122,7 +127,7 @@ that you forget to remove them later.</p>
   </p>
 <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information 
-about how to interpret the chain name appearing in a Shorewall log message.<br>
+ about how to interpret the chain name appearing in a Shorewall log message.<br>
   </p>
 <h3 align="left">Other Gotchas</h3>
@ -131,61 +136,61 @@ about how to interpret the chain name appearing in a Shorewall log message.<br>
         <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
       chains? This means that:                    
    <ol>
-         <li>your zone definitions are screwed up and the host that is sending
+           <li>your zone definitions are screwed up and the host that is
- the        packets or the destination host isn't in any zone (using an 
+sending   the        packets or the destination host isn't in any zone (using
-     <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
+an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
-you?);         or</li>
+are you?);         or</li>
-         <li>the source and destination hosts are both connected to the same
+           <li>the source and destination hosts are both connected to the 
-        interface and that interface doesn't have the 'multi' option specified
+same         interface and that interface doesn't have the 'multi' option 
- in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
         </li>
-       <li>Remember that Shorewall doesn't automatically allow ICMP     type
+         <li>Remember that Shorewall doesn't automatically allow ICMP   
- 8 ("ping") requests to be sent between zones. If you want     pings to be
+ type  8 ("ping") requests to be sent between zones. If you want     pings 
- allowed between zones, you need a rule of the form:<br>
+to be  allowed between zones, you need a rule of the form:<br>
          <br>
              ACCEPT    &lt;source     zone&gt;    &lt;destination zone&gt;    
  icmp        echo-request<br>
          <br>
          The ramifications of this can be subtle. For example, if you have 
-the      following in /etc/shorewall/nat:<br>
+ the      following in /etc/shorewall/nat:<br>
          <br>
              10.1.1.2    eth0        130.252.100.18<br>
          <br>
-        and you ping 130.252.100.18, unless you have allowed icmp type 8
+          and you ping 130.252.100.18, unless you have allowed icmp type
-between  the     zone containing the system you are pinging from and the
+8  between  the     zone containing the system you are pinging from and the
 zone containing       10.1.1.2, the ping requests will be dropped. This is
 true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
         <li>If you specify "routefilter" for an interface,     that interface
  must be up prior to starting the firewall.</li>
         <li>Is your routing correct? For example, internal systems usually 
-need to      be configured with their default gateway set to the IP address 
+ need to      be configured with their default gateway set to the IP address 
-of their      nearest firewall interface. One often overlooked aspect of routing
+ of their      nearest firewall interface. One often overlooked aspect of 
-is that      in order for two hosts to communicate, the routing between them
+routing is that      in order for two hosts to communicate, the routing between 
-must be set      up <u>in both directions.</u> So when setting up routing
+them must be set      up <u>in both directions.</u> So when setting up routing
  between <b>A</b>      and<b> B</b>, be sure to verify that the route from
      <b>B</b> back to <b>A</b>      is defined.</li>
         <li>Some versions of LRP (EigerStein2Beta for example) have a  
-shell  with broken variable expansion. <a
+  shell  with broken variable expansion. <a
 href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected
  shell from the Shorewall Errata download site.</a>     </li>
         <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-       <li>Some features require the "ip" program. That     program is generally
+         <li>Some features require the "ip" program. That     program is
- included in the "iproute" package which should     be included with your
+generally   included in the "iproute" package which should     be included
-distribution (though many distributions don't install     iproute by    
+with your  distribution (though many distributions don't install     iproute
-default). You may also download the latest source tarball from <a
+by     default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> 
  .</li>
         <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts
  then the zone must be entirely   defined in /etc/shorewall/hosts unless
 you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
-For example, if a zone has two interfaces but   only one interface has an
+ For example, if a zone has two interfaces but   only one interface has an
-entry in /etc/shorewall/hosts then hosts attached to   the other interface
+ entry in /etc/shorewall/hosts then hosts attached to   the other interface
-will     <u>not</u> be considered part of the zone.</li>
+ will     <u>not</u> be considered part of the zone.</li>
         <li>Problems with NAT? Be sure that you let Shorewall add all  
-external  addresses to be use with NAT unless you have set <a
+  external  addresses to be use with NAT unless you have set <a
 href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No     in /etc/shorewall/shorewall.conf.</li>
 </ul>
@ -196,10 +201,12 @@ external  addresses to be use with NAT unless you have set <a
            <font face="Century Gothic, Arial, Helvetica">              
 <blockquote> </blockquote>
             </font>                
-<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-</p>
+  </p>
  <br>
 <br>
 </body>
 </html>
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
-VERSION=1.3.11
+VERSION=1.3.11a
 usage() # $1 = exit status
 {
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.3.11
+VERSION=1.3.11a
 usage() # $1 = exit status
 {
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.3.11
+%define version 1.3.11a
 %define release 1
 %define prefix /usr
@ -101,6 +101,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11a
 * Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
 - Changes version to 1.3.11
 * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.11
+VERSION=1.3.11a
 usage() # $1 = exit status
 {