1.3.13 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@399 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-28 02:23:20 +01:00 · 2003-01-14 17:18:42 +00:00 · 2003-01-14 17:18:42 +00:00 · 2024554eec
commit 2024554eec
parent bdcf22b4f8
36 changed files with 11973 additions and 10880 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
--- a/Shorewall-docs/Documentation_Index.htm
+++ b/Shorewall-docs/Documentation_Index.htm
@ -1,28 +1,31 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
 <meta http-equiv="Content-Language" content="en-us">
 <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
 <meta name="ProgId" content="FrontPage.Editor.Document">
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>The Documentation Index</title>
 </head>
-<body>
+  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>The Documentation Index</title>
 </head>
  <body>
 <h1 align="center">The Shorewall Documentation Index</h1>
 <h1 align="center">has Moved
 <a href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
-                                            <p><font size="2">
+<h1 align="center">has Moved <a
-Last updated 8/9/2002
+ href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
- -
+                                                  
-                                            <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2"> Last updated 8/9/2002  -                              
-  </p>
+              <a href="support.htm">Tom Eastep</a></font>   </p>
-  <p>
+     
-  <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p>   <a href="copyright.htm"><font size="2">Copyright</font>    © <font
-  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
   <br>
 </body>
 </html>
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -30,6 +30,7 @@
                                    <td width="100%">                   
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                                    </td>
                                  </tr>
@ -51,21 +52,22 @@
 <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
               to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 
-in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com
+   in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com 
         but    <b>internal  clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
                subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
-      to   hosts   in  Z. Hosts in Z cannot communicate with each other using
+         to   hosts   in  Z. Hosts in Z cannot communicate with each other
-    their    external    (non-RFC1918 addresses) so they <b>can't access
+ using      their    external    (non-RFC1918 addresses) so they <b>can't
-each     other using   their DNS   names.</b></a></p>
+access each     other using   their DNS   names.</b></a></p>
-<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
+<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b> 
-            Messenger </b>with  Shorewall. What do I do?</a></p>
+or <b>MSN                Instant Messenger </b>with  Shorewall. What do I 
 do?</a></p>
 <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
               to  check my firewall and it shows <b>some ports as 'closed' 
-rather       than     'blocked'.</b>  Why?</a></p>
+  rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
                of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -76,16 +78,25 @@ rather       than     'blocked'.</b>  Why?</a></p>
 <p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
                written and  how do I <b>change the destination</b>?</a></p>
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
                that work with Shorewall?</a></p>
-                                                  
+<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
 href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
 requests. Can i exclude these error messages for this port temporarily from
 logging in Shorewall?</a><br>
 </p>
 <p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
 of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>. 
 They get dropped, but what the heck are they?</a><br>
 </p>
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 
- 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
+'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
                work?</a></p>
 <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
               on RedHat</b> I get messages about insmod failing -- what's 
-wrong?</a></p>
+  wrong?</a></p>
 <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
               my  interfaces </b>properly?</a></p>
@ -94,7 +105,7 @@ wrong?</a></p>
               it  work with?</a></p>
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
- support?</a></p>
+support?</a></p>
 <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
@ -102,13 +113,13 @@ wrong?</a></p>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
               and it has an internel  web server that allows me to configure/monitor 
-         it   but as expected if I enable <b> rfc1918 blocking</b> for my
+            it   but as expected if I enable <b> rfc1918 blocking</b> for 
-eth0     interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
+my   eth0     interface,       it also blocks the <b>cable modems  web server</b></a>.</p>
 <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
               IP  addresses, my ISP's DHCP server has an RFC 1918 address. 
-If   I  enable       RFC 1918  filtering on my external interface, <b>my
+  If   I  enable       RFC 1918  filtering on my external interface, <b>my 
-DHCP  client  cannot    renew   its lease</b>.</a></p>
+ DHCP  client  cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
               out to  the net</b></a></p>
@ -116,29 +127,37 @@ DHCP  client  cannot    renew   its lease</b>.</a></p>
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
                all over my console</b> making it unusable!<br>
                           </a></p>
-                                 <b>17</b>. <a href="#faq17">How do I find
+                                        <b>17</b>. <a href="#faq17">How do
- out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
+ I  find   out   <b>why    this traffic   is</b> getting  <b>logged?</b></a><br>
                       <br>
-                <b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
+                       <b>18.</b> <a href="#faq18">Is there any way to use
-   ip  addresses</b>    with Shorewall, and maintain separate rulesets for
+ <b>aliased      ip  addresses</b>    with Shorewall, and maintain separate
- different   IPs?</a><br>
+ rulesets for    different   IPs?</a><br>
                   <br>
-            <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b> 
+                   <b>19. </b><a href="#faq19">I have added <b>entries to 
-     but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
+/etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do anything</b>. 
 Why?</a><br>
                  <br>
-           <b>20. </b><a href="#faq20">I have just set  up  a  server.  <b>Do 
+                  <b>20. </b><a href="#faq20">I have just set  up  a  server. 
-I have to change Shorewall to allow access to my server   from  the internet?<br>
+   <b>Do  I have to change Shorewall to allow access to my server   from 
 the  internet?<br>
        <br>
        </b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
-</b>occasionally;    what are they?<br>
+    </b>occasionally;    what are they?<br>
                </a><br>
- <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
+        <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that 
-want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
+  I  want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
      <br>
      <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b> on
 your   <b>web site</b>?</a><br>
   <br>
   <b>24: </b><a href="#faq24">How can I <b>allow conections</b> to let's 
 say  the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
 <hr>                                
 <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
-            my my personal PC with IP address 192.168.1.5. I've looked everywhere
+               my my personal PC with IP address 192.168.1.5. I've looked 
-        and    can't find how to do it.</h4>
+everywhere           and    can't find how to do it.</h4>
 <p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
@ -258,11 +277,13 @@ want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
 <ul>
-                           <li>You are trying to test from inside your firewall 
+                                  <li>You are trying to test from inside
-   (no,   that    won't    work -- see <a href="#faq2">FAQ #2</a>).</li>
+your   firewall     (no,   that    won't    work -- see <a href="#faq2">FAQ
-                           <li>You have a more basic problem with your local
+#2</a>).</li>
-  system    such   as  an   incorrect default gateway configured (it should
+                                  <li>You have a more basic problem with
-  be set to   the IP   address    of your  firewall's internal interface).</li>
+your   local    system    such   as  an   incorrect default gateway configured 
 (it  should    be set to   the IP   address    of your  firewall's internal 
 interface).</li>
 </ul>
@ -271,33 +292,36 @@ want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
                      <b>Answer: </b>To further diagnose this problem:<br>
 <ul>
-                 <li>As root, type "iptables -t nat -Z". This clears the
+                        <li>As root, type "iptables -t nat -Z". This clears 
-NetFilter      counters   in the nat table.</li>
+ the   NetFilter      counters   in the nat table.</li>
-                 <li>Try to connect to the redirected port from an external 
+                        <li>Try to connect to the redirected port from an 
- host.</li>
+external     host.</li>
                        <li>As root type "shorewall show nat"</li>
-                 <li>Locate the appropriate DNAT rule. It will be in a chain
+                        <li>Locate the appropriate DNAT rule. It will be
-  called        <i>zone</i>_dnat   where <i>zone</i> is the zone that includes
+in  a  chain    called        <i>zone</i>_dnat   where <i>zone</i> is the
-  the    ('net' in the above   examples).</li>
+zone  that  includes    the    ('net' in the above   examples).</li>
-                 <li>Is the packet count in the first column non-zero? If 
+                        <li>Is the packet count in the first column non-zero? 
-so,   the   connection    request is reaching the firewall and is being redirected 
+  If  so,   the   connection    request is reaching the firewall and is being
-  to   the server.  In  this case, the problem is usually a missing or incorrect 
+   redirected    to   the server.  In  this case, the problem is usually
-    default gateway   setting on the server (the server's default gateway 
+a  missing  or incorrect      default gateway   setting on the server (the
-should    be the IP address   of the firewall's interface to the server).</li>
+server's  default  gateway  should    be the IP address   of the firewall's
 interface  to the  server).</li>
                        <li>If the packet count is zero:</li>
  <ul>
-                   <li>the connection request is not reaching your server 
+                          <li>the connection request is not reaching your 
-(possibly      it  is being blocked by your ISP); or</li>
+server    (possibly      it  is being blocked by your ISP); or</li>
-                   <li>you are trying to connect to a secondary IP address
+                          <li>you are trying to connect to a secondary IP 
- on  your   firewall   and your rule is only redirecting the primary IP address 
+address     on  your   firewall   and your rule is only redirecting the primary 
-  (You  need to specify   the secondary IP address in the "ORIG. DEST." column 
+IP  address    (You  need to specify   the secondary IP address in the "ORIG. 
-  in  your DNAT rule);  or</li>
+ DEST." column    in  your DNAT rule);  or</li>
-                   <li>your DNAT rule doesn't match the connection request
+                          <li>your DNAT rule doesn't match the connection 
- in  some   other   way. In that case, you may have to use a packet sniffer
+request     in  some   other   way. In that case, you may have to use a packet 
- such  as tcpdump  or  ethereal to further diagnose the problem.<br>
+sniffer     such  as tcpdump  or  ethereal to further diagnose the problem.<br>
                          </li>
  </ul>
 </ul>
@ -310,27 +334,28 @@ should    be the IP address   of the firewall's interface to the server).</li>
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
 <ul>
-                           <li>Having an internet-accessible server in your 
+                                  <li>Having an internet-accessible server
- local    network         is  like raising foxes in the corner of your hen 
+ in  your   local    network         is  like raising foxes in the corner
- house.  If  the server     is      compromised, there's nothing between that
+of your  hen   house.  If  the server     is      compromised, there's nothing 
- server  and  your other   internal        systems. For the cost of another
+ between  that  server  and  your other   internal        systems. For the 
- NIC and  a cross-over  cable,   you can   put      your server in a DMZ
+ cost of another  NIC and  a cross-over  cable,   you can   put      your 
-such  that it is isolated  from your   local systems    -     assuming that
+server in a DMZ such  that it is isolated  from your   local systems    - 
-the  Server can be located  near the Firewall,   of course    :-)</li>
+    assuming that the  Server can be located  near the Firewall,   of course 
-                           <li>The accessibility problem is best solved using 
+   :-)</li>
-         <a href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a>
+                                  <li>The accessibility problem is best solved
-    (or using a separate DNS server for local clients) such that www.mydomain.com
+   using           <a href="shorewall_setup_guide.htm#DNS">Bind Version 
-    resolves to 130.141.100.69     externally and 192.168.1.5 internally.
+   9 "views"</a>     (or using a separate DNS server for local clients) such
-That's    what I do here at     shorewall.net for my local systems that use
+  that www.mydomain.com     resolves to 130.141.100.69     externally and
-static   NAT.</li>
+192.168.1.5   internally. That's    what I do here at     shorewall.net for
 my local systems   that use static   NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility problem 
                rather than a DNS solution, then assuming that your external 
-interface          is  eth0  and your internal interface is eth1  and that
+   interface          is  eth0  and your internal interface is eth1  and that
-eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, do
+   eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, do
-the following:</p>
+  the following:</p>
 <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
                for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -423,14 +448,14 @@ the following:</p>
 <div align="left">                                
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
                client to automatically restart Shorewall each time that you
-get    a  new    IP   address.</p>
+   get    a  new    IP   address.</p>
                               </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
-            subnet and I use static NAT to assign non-RFC1918 addresses to
+               subnet and I use static NAT to assign non-RFC1918 addresses 
- hosts      in   Z.  Hosts in Z cannot communicate with each other using
+ to   hosts      in   Z.  Hosts in Z cannot communicate with each other using 
-their  external      (non-RFC1918     addresses) so they can't access each
+  their  external      (non-RFC1918     addresses) so they can't access each 
-other  using their    DNS  names.</h4>
+  other  using their    DNS  names.</h4>
 <p align="left"><b>Answer: </b>This is another problem that is best solved 
               using Bind Version 9 "views". It allows both external and internal
@ -438,11 +463,11 @@ other  using their    DNS  names.</h4>
 <p align="left">Another good way to approach this problem is to switch from
                static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
-     addresses      and can be accessed externally and internally using the 
+         addresses      and can be accessed externally and internally using
-  same   address.  </p>
+  the    same   address.  </p>
-<p align="left">If you don't like those solutions and prefer routing all
+<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
-Z-&gt;Z traffic through your firewall then:</p>
+traffic through your firewall then:</p>
 <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
           (If you are running a Shorewall version earlier than 1.3.9).<br>
@ -540,29 +565,32 @@ Z-&gt;Z traffic through your firewall then:</p>
  </table>
                                </blockquote>
-<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger
+<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant 
-            with Shorewall. What do I do?</h4>
+Messenger                with Shorewall. What do I do?</h4>
 <p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
-            tracking/NAT module</a> that may help. Also check the Netfilter
+               tracking/NAT module</a> that may help with Netmeeting. Look 
-  mailing        list  archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
+<a href="http://linux-igd.sourceforge.net">here</a> for a solution for MSN 
 IM but be aware that there are significant security risks involved with this 
 solution. Also check the Netfilter      mailing        list  archives at <a
 href="http://www.netfilter.org">http://www.netfilter.org</a>.          
    </p>
 <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
-            to    check my firewall and it shows some ports as 'closed' rather
+               to    check my firewall and it shows some ports as 'closed' 
-     than     'blocked'.     Why?</h4>
+ rather       than     'blocked'.     Why?</h4>
 <p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
               always    rejects connection requests on TCP port 113 rather 
-than     dropping        them. This is    necessary to prevent outgoing connection
+  than     dropping        them. This is    necessary to prevent outgoing 
-    problems to   services    that use the    'Auth' mechanism for identifying
+connection       problems to   services    that use the    'Auth' mechanism 
-    requesting  users.  Shorewall    also rejects TCP    ports 135, 137 and
+for identifying       requesting  users.  Shorewall    also rejects TCP  
-  139  as well as  UDP ports  137-139.   These are ports that are    used
+ ports 135, 137 and    139  as well as  UDP ports  137-139.   These are ports
-by  Windows  (Windows  <u>can</u>  be configured   to use the DCE cell locator
+that are    used  by  Windows  (Windows  <u>can</u>  be configured   to use
-     on port  135). Rejecting these  connection requests   rather than dropping
+the DCE cell locator       on port  135). Rejecting these  connection requests
-  them    cuts down slightly on the amount of Windows  chatter on LAN segments
+  rather than dropping    them    cuts down slightly on the amount of Windows
-  connected      to the Firewall. </p>
+ chatter on LAN segments    connected      to the Firewall. </p>
 <p align="left">If you are seeing port 80 being 'closed', that's probably 
               your    ISP preventing you from running a web server in violation 
@ -573,10 +601,10 @@ by  Windows  (Windows  <u>can</u>  be configured   to use the DCE cell locator
 <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
               section about    UDP scans. If nmap gets <b>nothing</b> back 
-from     your     firewall   then it reports    the port as open. If you
+  from     your     firewall   then it reports    the port as open. If you 
-want to   see  which    UDP ports are  really open,    temporarily change
+ want to   see  which    UDP ports are  really open,    temporarily change 
-your net-&gt;all     policy    to REJECT, restart  Shorewall and do    the
+ your net-&gt;all     policy    to REJECT, restart  Shorewall and do    the 
-nmap UDP scan again.</p>
+ nmap UDP scan again.</p>
 <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
               can't ping through the firewall</h4>
@ -587,7 +615,7 @@ nmap UDP scan again.</p>
 <p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
                                b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
                                c) Add the following to /etc/shorewall/icmpdef: 
-</p>
+   </p>
 <blockquote>                                                             
@ -601,12 +629,12 @@ nmap UDP scan again.</p>
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
                and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
+(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-facility (see "man openlog") and you get to choose the log level (again,
+(see "man openlog") and you get to choose the log level (again, see "man
-see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
+syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
- and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged 
- logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
+logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
              When you have changed /etc/syslog.conf, be sure to restart syslogd
       (on    a  RedHat system, "service syslog restart"). </p>
@ -636,19 +664,45 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
                     http://www.logwatch.org</a><br>
               </p>
             </blockquote>
-      I personnaly use Logwatch. It emails me a report each day from my various
+             I personnaly use Logwatch. It emails me a report each day from 
-   systems with each report summarizing the logged activity on the corresponding
+ my  various    systems with each report summarizing the logged activity on
-   system.                                                               
+ the  corresponding    system.                                          
 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
 are <b>flooding the logs</b> with their connect requests. Can i exclude these
 error messages for this port temporarily from logging in Shorewall?</h4>
 Temporarily add the following rule:<br>
 <pre>	DROP    net    fw    udp    10619</pre>
 <h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow
 of these DROP messages from port 53 to some high numbered port.  They get
 dropped, but what the heck are they?</h4>
 <pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
 <b>Answer: </b>There are two possibilities:<br>
 <ol>
  <li>They are late-arriving replies to DNS queries.</li>
  <li>They are corrupted reply packets.</li>
 </ol>
 You can distinguish the difference by setting the <b>logunclean</b> option
 (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) on
 your external interface (eth0 in the above example). If they get logged twice,
 they are corrupted. I solve this problem by using an /etc/shorewall/common
 file like this:<br>
 <blockquote>
  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
 </blockquote>
 The above file is also include in all of my sample configurations available
 in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
-            stop', I can't connect to anything. Why doesn't that command work?</h4>
+                stop', I can't connect to anything. Why doesn't that command
   work?</h4>
 <p align="left">The 'stop' command is intended to place your firewall into 
               a safe state whereby only those hosts listed in /etc/shorewall/routestopped' 
-are    activated.         If you want to totally open up your firewall, you
+   are    activated.         If you want to totally open up your firewall, 
-must    use the 'shorewall         clear' command. </p>
+ you  must    use the 'shorewall         clear' command. </p>
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, 
-I get messages about insmod failing -- what's wrong?</h4>
+   I get messages about insmod failing -- what's wrong?</h4>
 <p align="left"><b>Answer: </b>The output you will see looks something like 
               this:</p>
@ -685,9 +739,9 @@ I get messages about insmod failing -- what's wrong?</h4>
                               </div>
 <div align="left">                                  
-<p align="left"><b>Answer: </b>The above output is perfectly normal. The
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
-Net    zone is defined as all hosts that are connected through eth0 and the
+   zone is defined as all hosts that are connected through eth0 and the local
-local    zone is defined as all hosts connected through eth1</p>
+   zone is defined as all hosts connected through eth1</p>
                               </div>
 <h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
@ -703,31 +757,32 @@ local    zone is defined as all hosts connected through eth1</p>
 <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-<p align="left"><b>Answer: </b>Every time I've started to work on one, I
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
-find myself doing      other things. I guess I just don't care enough if
+myself doing      other things. I guess I just don't care enough if Shorewall
-Shorewall has a GUI to      invest the effort to create one myself. There
+has a GUI to      invest the effort to create one myself. There are several
-are several Shorewall GUI      projects underway however and I will publish
+Shorewall GUI      projects underway however and I will publish links to
-links to them when the authors      feel that they are ready. </p>
+them when the authors      feel that they are ready. </p>
 <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
 <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
               (<a href="http://www.cityofshoreline.com">the      city where 
-I  live</a>)          and "Fire<u>wall</u>". The full name of the product
+   I  live</a>)          and "Fire<u>wall</u>". The full name of the product 
-is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
+   is actually "Shoreline Firewall" but "Shorewall" is must more commonly 
 used.</p>
 <h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
               and it has an  internal web server that allows me to configure/monitor 
-         it   but as expected if I  enable rfc1918 blocking for my eth0 interface
+            it   but as expected if I  enable rfc1918 blocking for my eth0 
-        (the  internet one), it also blocks  the cable modems web server.</h4>
+ interface          (the  internet one), it also blocks  the cable modems 
 web server.</h4>
 <p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
               that will let all traffic to and from the 192.168.100.1 address 
      of   the    modem  in/out but still block all other rfc1918 addresses?</p>
-<p align="left"><b>Answer: </b>If you are running a version of Shorewall
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
-earlier than      1.3.1, create /etc/shorewall/start and in it, place the
+than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
 following:</p>
 <div align="left">                                  
 <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -766,10 +821,10 @@ following:</p>
                             </p>
 <p align="left">Note: If you add a second IP address to your external firewall 
-           interface to correspond to the modem address, you must also make
+              interface to correspond to the modem address, you must also 
-  an   entry      in /etc/shorewall/rfc1918 for that address. For example,
+make     an   entry      in /etc/shorewall/rfc1918 for that address. For example,
   if you   configure      the address 192.168.100.2 on your firewall, then
-you would   add two entries      to /etc/shorewall/rfc1918:  <br>
+  you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                             </p>
 <blockquote>                                                             
@ -796,6 +851,7 @@ you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                                   </tr>
    </tbody>                                                             
  </table>
@ -803,10 +859,10 @@ you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                               </div>
 <div align="left">                                  
-<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
-IP    addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
+   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
-RFC 1918    filtering on my external interface, my DHCP client cannot renew
+1918    filtering on my external interface, my DHCP client cannot renew its
-its lease.</h4>
+lease.</h4>
                                </div>
 <div align="left">                                  
@ -818,9 +874,9 @@ its lease.</h4>
               the  net</h4>
 <p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
-            the net", I wonder  where the poster bought computers with eyes
+               the net", I wonder  where the poster bought computers with 
-  and    what     those computers will "see"  when things are working properly.
+eyes     and    what     those computers will "see"  when things are working 
-   That   aside,     the most common causes of this  problem are:</p>
+properly.      That   aside,     the most common causes of this  problem are:</p>
 <ol>
                                  <li>                                  
@ -839,8 +895,8 @@ its lease.</h4>
    <p align="left">The DNS settings on the local systems are wrong or the 
-               user is running a DNS server on the firewall and hasn't enabled
+                  user is running a DNS server on the firewall and hasn't 
-     UDP    and   TCP    port 53 from the firewall to the internet.</p>
+enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
                                   </li>
 </ol>
@ -851,59 +907,60 @@ its lease.</h4>
 <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
               to your startup    scripts or place it in /etc/shorewall/start. 
     Under      RedHat,    the max log level    that is sent to the console 
-is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
+  is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
                           </p>
 <h4><a name="faq17"></a>17. How do I find out why this traffic is getting 
-logged?</h4>
+   logged?</h4>
-                    <b>Answer: </b>Logging occurs out of a number of chains 
+                           <b>Answer: </b>Logging occurs out of a number
- (as   indicated      in  the log message) in Shorewall:<br>
+of  chains    (as   indicated      in  the log message) in Shorewall:<br>
 <ol>
-                      <li><b>man1918 - </b>The destination address is listed
+                             <li><b>man1918 - </b>The destination address 
-  in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target -- see <a
+is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target
- href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
+ --  see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
-                      <li><b>rfc1918</b> - The source address is listed in
+                             <li><b>rfc1918</b> - The source address is listed
- /etc/shorewall/rfc1918          with a <b>logdrop </b>target -- see <a
+   in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target -- see
- href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
+     <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                            <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
-or      <b>all2all          </b>-  You have a<a
+    or      <b>all2all          </b>-  You have a<a
 href="Documentation.htm#Policy"> policy</a> that     specifies a  log level 
-  and this packet is being logged under that policy.     If you intend  to
+     and this packet is being logged under that policy.     If you intend 
- ACCEPT this traffic then you need a  <a href="Documentation.htm#Rules">rule</a>
+ to   ACCEPT this traffic then you need a  <a
- to that effect.<br>
+ href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                            </li>
-                      <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you 
+                             <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either
-have   a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; 
+  you   have   a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
-    </b>to       <b>&lt;zone2&gt;</b> that specifies a log level and this 
+        </b>to       <b>&lt;zone2&gt;</b> that specifies a log level and
-packet is being         logged under that policy or this packet matches  a
+this     packet is being         logged under that policy or this packet
-    <a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
+matches    a     <a href="Documentation.htm#Rules">rule</a> that includes
-               <li><b>&lt;interface&gt;_mac</b> - The packet is being logged
+a log level.</li>
-  under    the      <b>maclist</b> <a
+                      <li><b>&lt;interface&gt;_mac</b> - The packet is being
  logged    under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
                      </li>
-                      <li><b>logpkt</b> - The packet is being logged under
+                             <li><b>logpkt</b> - The packet is being logged 
- the       <b>logunclean</b>            <a
+ under    the       <b>logunclean</b>            <a
 href="Documentation.htm#Interfaces">interface   option</a>.</li>
-                      <li><b>badpkt </b>- The packet is being logged under
+                             <li><b>badpkt </b>- The packet is being logged 
- the       <b>dropunclean</b>            <a
+ under    the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified  
-     in the <b>LOGUNCLEAN </b>setting in <a
+    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
- href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
+                             <li><b>blacklst</b> - The packet is being logged 
-                      <li><b>blacklst</b> - The packet is being logged because
+  because     the   source    IP  is blacklisted in the<a
   the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
-                      <li><b>newnotsyn </b>- The packet is being logged because 
+                             <li><b>newnotsyn </b>- The packet is being logged
-   it  is  a  TCP   packet that is not part of any current connection yet 
+   because     it  is  a  TCP   packet that is not part of any current connection
-it   is not a syn  packet.   Options affecting the logging of such packets 
+   yet  it   is not a syn  packet.   Options affecting the logging of such
-include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN </b>in    
+ packets   include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN
-    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
+    </b>in         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
-                     <li><b>INPUT</b> or <b>FORWARD</b> - The packet has
+                            <li><b>INPUT</b> or <b>FORWARD</b> - The packet 
-a  source    IP  address    that isn't in any of your defined zones ("shorewall
+ has   a  source    IP  address    that isn't in any of your defined zones 
- check"    and  look at the   printed zone definitions) or the chain is FORWARD
+ ("shorewall    check"    and  look at the   printed zone definitions) or 
- and   the destination  IP  isn't in any of your defined zones.</li>
+the chain is FORWARD   and   the destination  IP  isn't in any of your defined 
-            <li><b>logflags </b>- The packet is being logged because it failed
+ zones.</li>
-   the   checks implemented by the <b>tcpflags </b><a
+                   <li><b>logflags </b>- The packet is being logged because 
 it  failed    the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
                   </li>
@ -911,11 +968,11 @@ a  source    IP  address    that isn't in any of your defined zones ("shorewall
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
           with Shorewall, and maintain separate rulesets for different IPs?</h4>
-                <b>Answer: </b>Yes. You simply use the IP address in your 
+                       <b>Answer: </b>Yes. You simply use the IP address
-rules    (or   if  you  use NAT, use the local IP address in your rules). 
+in  your   rules    (or   if  you  use NAT, use the local IP address in your 
-<b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated and will 
+rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated 
-disappear eventually.      Neither   iproute  (ip and tc) nor iptables supports 
+and will   disappear eventually.      Neither   iproute  (ip and tc) nor iptables
-that notation so  neither    does   Shorewall.  <br>
+supports   that notation so  neither    does   Shorewall.  <br>
                       <br>
                       <b>Example 1:</b><br>
                       <br>
@ -923,7 +980,8 @@ that notation so  neither    does   Shorewall.  <br>
 <pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
 class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
 class="moz-txt-citetags"></span></pre>
-                <span class="moz-txt-citetags"></span><b>Example 2 (NAT):</b><br>
+                       <span class="moz-txt-citetags"></span><b>Example 2 
 (NAT):</b><br>
                       <br>
                       <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
@ -945,9 +1003,10 @@ that notation so  neither    does   Shorewall.  <br>
 <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
         to change Shorewall to allow access to my server from the internet?</b><br>
                  </h4>
-           Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart 
+                  Yes. Consult the <a
-   guide</a>   that you used during your initial setup for information about 
+ href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that
-   how to set  up rules for your server.<br>
+you used during your initial setup for information about      how to set
 up rules for your server.<br>
 <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
        what are they?<br>
@ -956,64 +1015,76 @@ that notation so  neither    does   Shorewall.  <br>
 <blockquote>                                                
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
                </blockquote>
-         192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal 
+                192.0.2.3 is external on my firewall... 172.16.0.0/24 is
-  LAN<br>
+my  internal     LAN<br>
                <br>
                <b>Answer: </b>While most people associate the Internet Control 
-Message     Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet.
+   Message     Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. 
-ICMP   is  used to report problems back to the sender of a packet; this is
+   ICMP   is  used to report problems back to the sender of a packet; this 
-what  is happening  here. Unfortunately, where NAT is involved (including
+ is  what  is happening  here. Unfortunately, where NAT is involved (including 
-SNAT,  DNAT and Masquerade),  there are a lot of broken implementations.
+   SNAT,  DNAT and Masquerade),  there are a lot of broken implementations. 
-That is  what you are seeing with  these messages.<br>
+  That is  what you are seeing with  these messages.<br>
                <br>
-        Here is my interpretation of what is happening -- to confirm this 
+               Here is my interpretation of what is happening -- to confirm 
-analysis,    one would have to have packet sniffers placed a both ends of 
+ this   analysis,    one would have to have packet sniffers placed a both 
-the connection.<br>
+ends of   the connection.<br>
               <br>
-        Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
+               Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a 
- query    to 192.0.2.3 and your DNS server tried to send a response (the
+UDP   DNS   query    to 192.0.2.3 and your DNS server tried to send a response 
-response   information  is in the brackets -- note source port 53 which marks
+ (the response   information  is in the brackets -- note source port 53 which 
-this as  a DNS reply).  When the response was returned to to 206.124.146.179,
+ marks this as  a DNS reply).  When the response was returned to to 206.124.146.179, 
-it rewrote  the destination  IP TO 172.16.1.10 and forwarded the packet to
+  it rewrote  the destination  IP TO 172.16.1.10 and forwarded the packet 
-172.16.1.10  who no longer had  a connection on UDP port 2857. This causes
+to  172.16.1.10  who no longer had  a connection on UDP port 2857. This causes 
-a port unreachable  (type 3, code  3) to be generated back to 192.0.2.3.
+  a port unreachable  (type 3, code  3) to be generated back to 192.0.2.3. 
-As this packet is sent  back through  206.124.146.179, that box correctly
+ As this packet is sent  back through  206.124.146.179, that box correctly 
-changes the source address  in the packet  to 206.124.146.179 but doesn't
+ changes the source address  in the packet  to 206.124.146.179 but doesn't 
-reset the DST IP in the original   DNS response  similarly. When the ICMP
+ reset the DST IP in the original   DNS response  similarly. When the ICMP 
-reaches your firewall (192.0.2.3),   your firewall  has no record of having
+ reaches your firewall (192.0.2.3),   your firewall  has no record of having 
-sent a DNS reply to 172.16.1.10 so   this ICMP doesn't  appear to be related
+ sent a DNS reply to 172.16.1.10 so   this ICMP doesn't  appear to be related 
-to anything that was sent. The final   result is that the packet gets logged
+ to anything that was sent. The final   result is that the packet gets logged 
-and dropped in the all2all chain. I  have also seen cases where the source
+ and dropped in the all2all chain. I  have also seen cases where the source 
-IP in the ICMP itself isn't set back  to the external IP of the remote NAT
+ IP in the ICMP itself isn't set back  to the external IP of the remote NAT 
-gateway; that causes your firewall to  log and drop the packet out of the
+ gateway; that causes your firewall to  log and drop the packet out of the 
-rfc1918 chain because the source IP is  reserved by RFC 1918.<br>
+ rfc1918 chain because the source IP is  reserved by RFC 1918.<br>
 <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
-I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
+    I want to <b>run when Shorewall starts.</b> Which file do I put them
 in?</h4>
                You can place these commands in one of the <a
- href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
+ href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
-sure that you look at the contents of the chain(s) that you will be modifying 
+Be sure that you look at the contents of the chain(s) that you will be modifying
-with your commands to be sure that the commands will do what they are intended. 
+    with your commands to be sure that the commands will do what they are
-Many iptables commands published in HOWTOs and other instructional material 
+intended.    Many iptables commands published in HOWTOs and other instructional
-use the -A command which adds the rules to the end of the chain. Most chains 
+material    use the -A command which adds the rules to the end of the chain.
-that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT 
+Most chains    that Shorewall constructs end with an unconditional DROP,
-rule and any rules that you add after that will be ignored. Check "man iptables" 
+ACCEPT or REJECT    rule and any rules that you add after that will be ignored.
-and look at the -I (--insert) command.<br>
+Check "man iptables"   and look at the -I (--insert) command.<br>
- <br>
+           
 <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
   web site?</h4>
      The Shorewall web site is almost font neutral (it doesn't explicitly
  specify fonts except on a few pages) so the fonts you see are largely the
 default fonts configured  in your browser. If you don't like them then reconfigure
 your browser.<br>
 <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say 
 the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
   In the SOURCE column of the rule, follow "net" by a colon and a list of
 the host/subnet addresses as a comma-separated list.<br>
 <pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
   Example:<br>
 <pre>    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22<br></pre>
 <div align="left">     </div>
-             <font size="2">Last updated 12/13/2002 - <a
+                    <font size="2">Last updated 1/8/2003 - <a
 href="support.htm">Tom   Eastep</a></font>                              
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+<p><a href="copyright.htm"><font size="2">Copyright</font>              
-             © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/IPIP.htm
+++ b/Shorewall-docs/IPIP.htm
@ -188,8 +188,8 @@ system. The systems in the two masqueraded subnetworks can now talk to each
 other</p>
 <p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
 Eastep</a> </font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font> 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 </body>
--- a/Shorewall-docs/IPSEC.htm
+++ b/Shorewall-docs/IPSEC.htm
@ -359,8 +359,8 @@ script will issue the command":<br>
 <p><font size="2">Last updated 10/23/2002 - </font><font size="2">       
 <a href="support.htm">Tom Eastep</a></font>  </p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">     
+<p><a href="copyright.htm"><font size="2">     
-   Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+   Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
     <br>
 <br>
 </body>
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@ -199,8 +199,8 @@ by     traffic control/shaping.</li>
 <p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> 
 </font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font> 
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
   <br>
 <br>
 </body>
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -28,34 +28,34 @@
      <br>
      Beginning with Shorewall version 1.3.10, all traffic from an interface
  or  from a subnet on an interface can be verified to originate from a defined
-  set of MAC addresses. Furthermore, each MAC address may be optionally associated 
+   set of MAC addresses. Furthermore, each MAC address may be optionally
-  with one or more IP addresses. <br>
+associated    with one or more IP addresses. <br>
  <br>
- <b>You must have the iproute package (ip utility) installed to use MAC Verification
+  <b>You must have the iproute package (ip utility) installed to use MAC
-and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
+Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
-module name ipt_mac.o).</b><br>
+- module name ipt_mac.o).</b><br>
  <br>
  There are four components to this facility.<br>
 <ol>
        <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
-option is specified, all traffic arriving on the interface is subjet to MAC
+this option is specified, all traffic arriving on the interface is subjet
-verification.</li>
+to MAC verification.</li>
        <li>The <b>maclist </b>option in <a
 href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option 
 is specified for a subnet, all traffic from that subnet  is subject to MAC 
 verification.</li>
        <li>The /etc/shorewall/maclist file. This file is used to associate 
- MAC  addresses with interfaces and to optionally associate IP addresses
+ MAC  addresses with interfaces and to optionally associate IP addresses with
-with  MAC  addresses.</li>
+ MAC  addresses.</li>
        <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
-  in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
+   in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
-  MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
+The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
-  the disposition of connection requests that fail MAC verification. The
+determines   the disposition of connection requests that fail MAC verification.
-MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection requests
+The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
-that fail verification  are to be logged. If set the the empty value (e.g.,
+requests that fail verification  are to be logged. If set the the empty value
-MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
+(e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
        </li>
 </ol>
@ -63,7 +63,7 @@ MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
 <ul>
        <li>INTERFACE - The name of an ethernet interface on the Shorewall
-system.</li>
+ system.</li>
        <li>MAC - The MAC address of a device on the ethernet segment connected
   by INTERFACE. It is not necessary to use the Shorewall MAC format in this
   column although you may use that format if you so choose.</li>
@ -81,9 +81,9 @@ for   the device whose MAC is listed in the MAC column.</li>
 <pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,filterping,maclist<br>     dmz             eth1            192.168.2.255   filterping<br>     net             eth3            206.124.146.255 filterping,blacklist<br>     -               texas           192.168.9.255   filterping<br>     loc             ppp+            -               filterping<br></pre>
      <b>/etc/shorewall/maclist:</b><br>
-<pre>     #INTERFACE              MAC                     IP ADDRESSES (Optional)<br>     eth2                    00:A0:CC:63:66:89       192.168.1.3     #Wookie<br>     eth2                    00:10:B5:EC:FD:0B       192.168.1.4     #Tarry<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.5     #Ursa<br>     eth2                    00:06:25:aa:a8:0f       192.168.1.7     #Eastept1 (Wireless)<br>     eth2                    00:04:5A:0E:85:B9       192.168.1.250   #Wap<br></pre>
+<pre>     #INTERFACE              MAC                     IP ADDRESSES (Optional)<br>     eth2                    00:A0:CC:63:66:89       192.168.1.3      #Wookie<br>     eth2                    00:10:B5:EC:FD:0B       192.168.1.4      #Tarry<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.5      #Ursa<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.128/26 #PPTP Clients to server on Ursa<br>     eth2                    00:06:25:aa:a8:0f       192.168.1.7      #Eastept1 (Wireless)<br>     eth2                    00:04:5A:0E:85:B9       192.168.1.250    #Wap<br></pre>
-     As shown above, I use MAC Verification on <a href="myfiles.htm">my local 
+      As shown above, I use MAC Verification on <a href="myfiles.htm">my
-  zone</a>.<br>
+local    zone</a>.<br>
 <h3>Example 2: Router in Local Zone</h3>
      Suppose now that I add a second ethernet segment to my local zone and 
@ -96,16 +96,16 @@ in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorew
      This entry accomodates traffic from the router itself (192.168.1.253) 
 and  from the second LAN segment (192.168.2.0/24). Remember that all traffic
  being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded
- by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) 
+  by the router so that traffic's MAC address will be that of the router
-  and not that of the host sending the traffic.     
+(00:06:43:45:C6:15)    and not that of the host sending the traffic.    
-<p><font size="2">   Updated 12/29/2002 - <a href="support.htm">Tom  Eastep</a>
+ 
 <p><font size="2">   Updated 1/7/2002 - <a href="support.htm">Tom  Eastep</a> 
      </font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
-       &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  <br>
+</p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/NAT.htm
+++ b/Shorewall-docs/NAT.htm
@ -1,43 +1,59 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Shorewall NAT</title>
 <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
 <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-<body>
+  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall NAT</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
  <body>
 <blockquote>     
-    <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+  <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
       <tbody>
      <tr>
         <td width="100%">         
-        <h1 align="center"><font color="#FFFFFF">Static NAT</font></h1>
+        <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
         </td>
       </tr>
    </tbody>
  </table>
-    <p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward 
+     
-    ports to servers behind your firewall, you do NOT want to use static NAT. 
+  <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
-    Port forwarding can be accomplished with simple entries in the
+     ports to servers behind your firewall, you do NOT want to use static
 NAT.      Port forwarding can be accomplished with simple entries in the 
   <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
-    <p>Static NAT is a way to make systems behind a
+     
-    firewall and configured with private IP addresses (those
+  <p>Static NAT is a way to make systems behind a     firewall and configured
-    reserved for private use in RFC1918) appear to have public IP
+with private IP addresses (those     reserved for private use in RFC1918)
-    addresses.</p>
+appear to have public IP     addresses. Before you try to use this technique,
-    <p>The following figure represents a static NAT
+I strongly recommend that you read the <a
-    environment.</p>
+ href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
-    <p align="center"><strong>
+     
-    <img src="images/staticnat.png" width="435" height="397"></strong></p>
+  <p>The following figure represents a static NAT     environment.</p>
-    <blockquote>
+     
-    </blockquote>
+  <p align="center"><strong>     <img src="images/staticnat.png"
 width="435" height="397">
  </strong></p>
  <blockquote>     </blockquote>
  <p align="left">Static NAT can be used to make the systems with the   
-    10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we
+ 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
-    assume that the interface to the upper subnet is eth0, then the following
+we     assume that the interface to the upper subnet is eth0, then the following 
-    /etc/shorewall/NAT file would make the lower left-hand system appear to have
+    /etc/shorewall/NAT file would make the lower left-hand system appear
-    IP address 130.252.100.18 and the right-hand one to have IP address
+to have     IP address 130.252.100.18 and the right-hand one to have IP address 
    130.252.100.19.</p>
-    <table border="2" cellpadding="2" style="border-collapse: collapse">
+     
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
       <tbody>
      <tr>
         <td><b>EXTERNAL</b></td>
         <td><b>INTERFACE</b></td>
@ -59,34 +75,40 @@
         <td>yes</td>
         <td>yes</td>
       </tr>
    </tbody>
  </table>
  <p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above 
    example) is (are) not included in any specification in /etc/shorewall/masq 
    or /etc/shorewall/proxyarp.</p>
-    <p><a name="AllInterFaces"></a>Note 1: The &quot;ALL INTERFACES&quot; column
+     
-    is used to specify whether access to the external IP from all firewall
+  <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column    
 is used to specify whether access to the external IP from all firewall  
  interfaces should undergo NAT (Yes or yes) or if only access from the 
   interface in the INTERFACE column should undergo NAT. If you leave this 
-    column empty, &quot;Yes&quot; is assumed.&nbsp;The ALL INTERFACES column was
+    column empty, "Yes" is assumed. The ALL INTERFACES column was     added
-    added in version 1.1.6.</p>
+in version 1.1.6.</p>
  <p>Note 2: Shorewall will automatically add the external address to the 
-    specified interface unless you specify <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>=&quot;no&quot;
+    specified interface unless you specify <a
-    (or &quot;No&quot;) in /etc/shorewall/shorewall.conf; If you do not set
+ href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no"     (or "No") in
-    ADD_IP_ALIASES or if you set it to &quot;Yes&quot; or &quot;yes&quot; then you must NOT configure your own alias(es).</p>
+/etc/shorewall/shorewall.conf; If you do not set     ADD_IP_ALIASES or if
-    <p><a name="LocalPackets"></a>Note 3: The contents of the &quot;LOCAL&quot;
+you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
    column determine whether packets originating on the firewall itself and
    destined for the EXTERNAL address are redirected to the internal ADDRESS. If
    this column contains &quot;yes&quot; or &quot;Yes&quot; (and the ALL
    INTERFACES COLUMN also contains &quot;Yes&quot; or &quot;yes&quot;) then
    such packets are redirected; otherwise, such packets are not redirected. The
    LOCAL column was added in version 1.1.8.</p>
 </blockquote>
-<blockquote>
+  <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"     column
-</blockquote>
+determine whether packets originating on the firewall itself and     destined
 for the EXTERNAL address are redirected to the internal ADDRESS. If     this
 column contains "yes" or "Yes" (and the ALL     INTERFACES COLUMN also contains
 "Yes" or "yes") then     such packets are redirected; otherwise, such packets
 are not redirected. The     LOCAL column was added in version 1.1.8.</p>
 </blockquote>
-<p><font size="2">Last updated 3/27/2002 - </font><font size="2">
+<blockquote> </blockquote>
-<a href="support.htm">Tom
+  
-Eastep</a></font> </p>
+<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
-<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+ href="support.htm">Tom Eastep</a></font> </p>
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+ <a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
--- a/Shorewall-docs/PPTP.htm
+++ b/Shorewall-docs/PPTP.htm
@ -891,8 +891,8 @@ yet and reject the initial TCP connection request if I enable ECN :-(  </p>
 <p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> 
+<p><a href="copyright.htm"> <font size="2">Copyright</font> 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <br>
 <br>
 </body>
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@ -1,42 +1,56 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+ 
-<title>Shorewall Proxy ARP</title>
+  <meta http-equiv="Content-Type"
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+ content="text/html; charset=windows-1252">
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Shorewall Proxy ARP</title>
-<meta name="Microsoft Theme" content="none">
+  
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
-    <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ bgcolor="#400169" height="90">
       <tbody>
    <tr>
         <td width="100%">         
-        <h1 align="center"><font color="#FFFFFF">Proxy ARP</font></h1>
+      <h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
         </td>
       </tr>
-    </table>
+     
-    <p>Proxy ARP allows you to insert a firewall in front of a set of servers 
+  </tbody>
-    without changing their IP addresses and without having to re-subnet.</p>
+</table>
-    <p>The following figure represents a Proxy ARP
+     
-    environment.</p>
+<p>Proxy ARP allows you to insert a firewall in front of a set of servers
     without changing their IP addresses and without having to re-subnet.
 Before you try to use this technique, I strongly recommend that you read
 the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
 <p>The following figure represents a Proxy ARP     environment.</p>
 <blockquote>     
-    <p align="center"><strong>
+  <p align="center"><strong>     <img src="images/proxyarp.png"
-    <img src="images/proxyarp.png" width="519" height="397"></strong></p>
+ width="519" height="397">
-    <blockquote>
+  </strong></p>
  <blockquote>     </blockquote>
 </blockquote>
 </blockquote>
-    <p align="left">Proxy ARP can be used to make the systems with addresses 
+<p align="left">Proxy ARP can be used to make the systems with addresses
     130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
-    subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the 
+     subnet.  Assuming that the upper firewall interface is eth0 and the
-    lower interface is eth1, this is accomplished using the following entries in 
+     lower interface is eth1, this is accomplished using the following entries
-    /etc/shorewall/proxyarp:</p>
+in      /etc/shorewall/proxyarp:</p>
 <blockquote>     
-    <table border="2" cellpadding="2" style="border-collapse: collapse">
+  <table border="2" cellpadding="2" style="border-collapse: collapse;">
       <tbody>
      <tr>
         <td><b>ADDRESS</b></td>
         <td><b>INTERFACE</b></td>
@ -55,52 +69,96 @@
         <td>eth0</td>
         <td>no</td>
       </tr>
    </table>
 </blockquote>
-    <p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp; 
+    </tbody>
  </table>
 </blockquote>
 <p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
     in the above example) are not included in any specification in     
-    /etc/shorewall/masq or /etc/shorewall/nat.</p>
+/etc/shorewall/masq or /etc/shorewall/nat.</p>
-    <p>Note that I've used an RFC1918 IP address for eth1 - that IP address is 
+     
 <p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
     irrelevant. </p>
-    <p>The lower systems (130.252.100.18 and 130.252.100.19) should have their 
+     
-    subnet mask and default gateway configured exactly the same way that the 
+<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
-    Firewall system's eth0 is configured.</p>
+     subnet mask and default gateway configured exactly the same way that
 the      Firewall system's eth0 is configured.</p>
 <div align="left">   
-  <p align="left">A word of warning is in order here. ISPs typically configure 
+<p align="left">A word of warning is in order here. ISPs typically configure
   their routers with a long ARP cache timeout. If you move a system from
   parallel to your firewall to behind your firewall with Proxy ARP, it will
-  probably be HOURS before that system can communicate with the internet. You 
+   probably be HOURS before that system can communicate with the internet.
-  can call your ISP and ask them to purge the stale ARP cache entry but many 
+There are a couple of things that you can try:<br>
-  either can't or won't purge individual entries. You can determine if your 
+</p>
-  ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we 
+<ol>
-  suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. 
+  <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
-  On the firewall, run tcpdump as follows:</div>
+Vol 1</i> reveals that a <br>
-<div align="left">
+    <br>
-  <pre>	tcpdump -nei eth0 icmp</pre>
+"gratuitous" ARP packet should cause the ISP's router to refresh their ARP
-</div>
+cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
-<div align="left">
+address for its own IP; in addition to ensuring that the IP address isn't
-  <p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we will 
+a duplicate...<br>
-  assume is 130.252.100.254):</div>
+    <br>
-<div align="left">
+"if the host sending the gratuitous ARP has just changed its hardware address...,
-  <pre>	ping 130.252.100.254</pre>
+this packet causes any other host...that has an entry in its cache for the
-</div>
+old hardware address to update its ARP cache entry accordingly."<br>
-<div align="left">
+    <br>
-  <p align="left">We can now observe the tcpdump output:</div>
+Which is, of course, exactly what you want to do when you switch a host from
-<div align="left">
+being exposed to the Internet to behind Shorewall using proxy ARP (or static
-  <pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)
+NAT for that matter). Happily enough, recent versions of Redhat's iputils
-	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
+package include "arping", whose "-U" flag does just that:<br>
-</div>
+    <br>
-<div align="left">
+    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied
-  <p align="left">Notice that the source MAC address in the echo request is 
+IP&gt;</i></b></font><br>
-  different from the destination MAC address in the echo reply!! In this case 
+    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
-  0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 
+    <br>
-  was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still 
+Stevens goes on to mention that not all systems respond correctly to gratuitous
-  associates 130.252.100.19 with the NIC in that system rather than with the firewall's 
+ARPs, but googling for "arping -U" seems to support the idea that it works
-  eth0.</div>
+most of the time.<br>
    <br>
  </li>
  <li>You    can call your ISP and ask them to purge the stale ARP cache
 entry but many    either can't or won't purge individual entries.</li>
 </ol>
 You can determine if your    ISP's gateway ARP cache is stale using ping
 and tcpdump. Suppose that we    suspect that the gateway router has a stale
 ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
-<p><font size="2">Last updated 8/17/2002 - </font><font size="2">
+<div align="left">   
-<a href="support.htm">Tom
+<pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
-Eastep</a></font> </p>
+ </div>
-<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+ 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+<div align="left">   
 <p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
 will    assume is 130.252.100.254):</p>
 </div>
 <div align="left">   
 <pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
 </div>
 <div align="left">   
 <p align="left">We can now observe the tcpdump output:</p>
 </div>
 <div align="left">   
 <pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
 </div>
 <div align="left">   
 <p align="left">Notice that the source MAC address in the echo request is
   different from the destination MAC address in the echo reply!! In this
 case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
   was the MAC address of the system on the lower left. In other words, the
 gateway's ARP cache still    associates 130.252.100.19 with the NIC in that
 system rather than with the firewall's    eth0.</p>
 </div>
 <p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
 <a href="copyright.htm"><font size="2">Copyright</font>  © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_CA_html.html
+++ b/Shorewall-docs/Shorewall_CA_html.html
@ -29,9 +29,9 @@
 I can hardly justify paying $200US+ a year to a Certificate Authority such 
 as Thawte (A Division of VeriSign) for an X.509 certificate to prove that 
 I am who I am. I have therefore established my own Certificate Authority (CA)
-and sign my own X.509 certificates. I use these certificates on my web server
+and sign my own X.509 certificates. I use these certificates on my mail server
-(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
+(<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
-as on my mail server (mail.shorewall.net).<br>
+which hosts parts of this web site.<br>
 <br>
 X.509 certificates are the basis for the Secure Socket Layer (SSL). As part 
 of establishing an SSL session (URL https://...), your browser verifies the 
@ -57,7 +57,7 @@ to accept the sleezy X.509 certificate being presented by my server. <br>
 There are two things that you can do:<br>
 <ol>
-   <li>You can accept the www.shorewall.net certificate when your browser 
+   <li>You can accept the mail.shorewall.net certificate when your browser 
 asks -- your acceptence of the certificate can be temporary (for that access 
 only) or perminent.</li>
   <li>You can download and install <a href="ca.crt">my (self-signed) CA
@ -75,14 +75,14 @@ intented to go to your bank's server to one of my systems that will present
 your browser with a bogus certificate claiming that my server is that of
 your bank.</li>
   <li>If you only accept my server's certificate when prompted then the
-most that you have to loose is that when you connect to https://www.shorewall.net, 
+most that you have to loose is that when you connect to https://mail.shorewall.net, 
 the server you are connecting to might not be mine.</li>
 </ol>
 I have my CA certificate loaded into all of my browsers but I certainly
 won't be offended if you decline to load it into yours... :-)<br>
-<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -37,9 +37,11 @@
                           <td width="100%" bgcolor="#ffffff">          
      <ul>
                             <li> <a href="seattlefirewall_index.htm">Home</a></li>
-                                   <li> <a href="shorewall_features.htm">Features</a></li>
+                                     <li> <a
 href="shorewall_features.htm">Features</a></li>
                             <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
                             <li> <a href="download.htm">Download</a><br>
                     </li>
@ -64,6 +66,7 @@
          <ul>
                               <li><a target="_top"
 href="http://slovakia.shorewall.net">Slovak    Republic</a></li>
@ -93,7 +96,8 @@
      <ul>
                             <li>   <a href="News.htm">News Archive</a></li>
-                           <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
+                             <li> <a href="Shorewall_CVS_Access.html">CVS 
 Repository</a></li>
                             <li> <a href="quotes.htm">Quotes from Users</a></li>
                             <li> <a href="shoreline.htm">About the Author</a></li>
                             <li> <a
@ -123,7 +127,7 @@
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
                         <font face="Arial">   <input type="hidden"
- name="exclude" value="[http://www.shorewall.net/pipermail/*]">   </font> 
+ name="exclude" value="[http://mail.shorewall.net/pipermail/*]">   </font> 
    </form>
 <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
@ -140,5 +144,7 @@
     <br>
    <br>
   <br>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -30,6 +30,7 @@
                            <td width="100%" height="90">               
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                            </td>
                          </tr>
@ -37,6 +38,7 @@
                            <td width="100%" bgcolor="#ffffff">         
      <ul>
                              <li> <a href="seattlefirewall_index.htm">Home</a></li>
                                      <li> <a
@ -52,7 +54,8 @@
                       </li>
                                              <li> <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
-                            <li> <a href="Documentation.htm">Reference Manual</a></li>
+                              <li> <a href="Documentation.htm">Reference
 Manual</a></li>
                              <li> <a href="FAQ.htm">FAQs</a></li>
                               <li><a href="useful_links.html">Useful Links</a><br>
                               </li>
@ -96,7 +99,7 @@
      <ul>
                              <li>   <a href="News.htm">News Archive</a></li>
                              <li> <a href="Shorewall_CVS_Access.html">CVS
-Repository</a></li>
+ Repository</a></li>
                              <li> <a href="quotes.htm">Quotes from Users</a></li>
                              <li> <a href="shoreline.htm">About the Author</a></li>
                              <li> <a
@ -126,7 +129,7 @@ Repository</a></li>
 type="hidden" name="config" value="htdig">     <input type="submit"
 value="Search"></font>      </p>
                          <font face="Arial">   <input type="hidden"
- name="exclude" value="[http://www.shorewall.net/pipermail/*]">   </font>
+ name="exclude" value="[http://mail.shorewall.net/pipermail/*]">   </font>
     </form>
 <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
@ -141,5 +144,7 @@ Repository</a></li>
     <br>
    <br>
   <br>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/copyright.htm
+++ b/Shorewall-docs/copyright.htm
@ -1,34 +1,45 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+ 
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="ProgId" content="FrontPage.Editor.Document">
+ 
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<title>Copyright</title>
+ 
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Copyright</title>
 </head>
  <body>
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
   <tbody>
    <tr>
     <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Copyright</font></h1>
+      <h1 align="center"><font color="#ffffff">Copyright</font></h1>
     </td>
   </tr>
  </tbody>
 </table>
-<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001 
+ 
-Thomas M Eastep<br>
+<p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001,
-&nbsp;</p>
+2003  Thomas M Eastep<br>
  </p>
 <blockquote>   
-  <p align="left">Permission is granted to copy, distribute and/or modify this 
+  <p align="left">Permission is granted to copy, distribute and/or modify
-  document under the terms of the GNU Free Documentation License, Version 1.1 or 
+this    document under the terms of the GNU Free Documentation License, Version
-  any later version published by the Free Software Foundation; with no Invariant 
+1.1 or    any later version published by the Free Software Foundation; with
-  Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the 
+no Invariant    Sections, with no Front-Cover, and with no Back-Cover Texts.
-  license is included in the section entitled &quot;<a href="GnuCopyright.htm">GNU Free Documentation License</a>&quot;.<br>
+A copy of the    license is included in the section entitled "<a
-&nbsp;</p>
+ href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
-</blockquote>
+  </p>
-
+ </blockquote>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -28,43 +28,46 @@
  </tbody>              
 </table>
 <p><b>I strongly urge you to read and print a copy of the       <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>   
    for the configuration that most closely matches your own.<br>
     </b></p>
-<p>The entire set of Shorewall documentation is available in PDF format  at:</p>
+<p>The entire set of Shorewall documentation is available in PDF format 
 at:</p>
 <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
         <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
        <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> 
  </p>
-<p>The documentation in HTML format is included   in the .rpm and in the .tgz
+<p>The documentation in HTML format is included   in the .rpm and in the
-packages below.</p>
+.tgz packages below.</p>
 <p>  Once you've done that, download <u>     one</u> of the modules:</p>
 <ul>
                 <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> 
             Linux PPC</b> or     <b> TurboLinux</b> distribution     with
- a  2.4   kernel,   you can use the  RPM version (note: the             RPM 
+  a  2.4   kernel,   you can use the  RPM version (note: the            
- should   also work  with other distributions that             store init 
+RPM   should   also work  with other distributions that             store
-scripts in  /etc/init.d  and that             include chkconfig or insserv). 
+init  scripts in  /etc/init.d  and that             include chkconfig or
-If you find  that it works   in other cases, let <a
+insserv).  If you find  that it works   in other cases, let <a
 href="mailto:teastep@shorewall.net">     me</a>                know so that
-   I can mention them here. See the   <a href="Install.htm">Installation Instructions</a>
+    I can mention them here. See the   <a href="Install.htm">Installation
-   if you have problems    installing the RPM.</li>
+Instructions</a>    if you have problems    installing the RPM.</li>
-                <li>If you are running LRP, download the .lrp file (you might 
+                 <li>If you are running LRP, download the .lrp file (you
-  also   want  to     download the .tgz so you will have a copy of the documentation).</li>
+might    also   want  to     download the .tgz so you will have a copy of
 the documentation).</li>
                 <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> 
    and   would      like a .deb package, Shorewall is included in both the
    <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
     Testing Branch</a> and the    <a
 href="http://packages.debian.org/unstable/net/shorewall.html">Debian   
-Unstable Branch</a>.</li>
+ Unstable Branch</a>.</li>
                 <li>Otherwise, download the <i>shorewall</i>           
-module    (.tgz)</li>
+ module    (.tgz)</li>
 </ul>
@ -72,32 +75,32 @@ module    (.tgz)</li>
       and  there is an documentation .deb that also contains the documentation.</p>
 <p>Please verify the version that you have        downloaded -- during the
-      release of a new version of Shorewall, the links        below may  point
+       release of a new version of Shorewall, the links        below may
-     to a newer or an older version than is shown below.</p>
+ point      to a newer or an older version than is shown below.</p>
 <ul>
                 <li>RPM - "rpm -qip LATEST.rpm"</li>
                 <li>TARBALL - "tar -ztf LATEST.tgz" (the directory    name 
 will   contain    the version)</li>
                 <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar  
-zxf   &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
+ -zxf   &lt;downloaded     .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
  </li>
 </ul>
-<p><font face="Arial">Once you have verified the        version, check the 
+<p>Once you have verified the        version, check the        <font
-      </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
+ color="#ff0000"> <a href="errata.htm"> errata</a></font>           to see
- face="Arial">          to see if there are updates that apply to the version 
+if there are updates that apply to the version        that you have     
-      that you have       downloaded.</font></p>
+ downloaded.</p>
-<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY 
+<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY        INSTALL
-      INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
+THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION      
-      IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed 
+ IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed   configuration
- configuration    of your firewall, you can enable startup by removing the 
+   of your firewall, you can enable startup by removing the   file /etc/shorewall/startup_disabled.</b></font></p>
 file /etc/shorewall/startup_disabled.</b></font></p>
-<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
+<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates 
-   to the    mirrors  occur 1-12 hours after an update to the Washington
+   to the    mirrors  occur 1-12 hours after an update to the Washington State
-State site.</b></p>
+site.</b></p>
 <blockquote>                                             
  <table border="2" cellspacing="3" cellpadding="3"
@ -236,9 +239,11 @@ State site.</b></p>
                     <td><a
 href="http://france.shorewall.net/pub/LATEST.rpm">Download      .rpm</a><br>
                       <a
- href="http://france.shorewall.net/pub/LATEST.tgz">Download              .tgz</a> <br>
+ href="http://france.shorewall.net/pub/LATEST.tgz">Download             
 .tgz</a> <br>
                       <a
- href="http://france.shorewall.net/pub/LATEST.lrp">Download              .lrp</a><br>
+ href="http://france.shorewall.net/pub/LATEST.lrp">Download             
 .lrp</a><br>
                     <a
 href="http://france.shorewall.net/pub/LATEST.md5sums">Download         
   .md5sums</a></td>
@ -356,8 +361,8 @@ State site.</b></p>
                     <td>Shorewall.net</td>
                     <td><a
 href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
-                    <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
+                     <td><a
- target="_blank">Browse</a></td>
+ href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
                    </tr>
@ -371,17 +376,18 @@ State site.</b></p>
  <p align="left">The <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS  repository at
       cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
-      component. There's no guarantee that what you find there will work at
+       component. There's no guarantee that what you find there will work
-   all.<br>
+at    all.<br>
         </p>
       </blockquote>
-<p align="left"><font size="2">Last Updated 12/12/2002 - <a
+<p align="left"><font size="2">Last Updated 1/13/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>         © <font
-       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -42,27 +42,30 @@
                               </li>
                  <li>                                                  
-    <p align="left">          <b>If you are installing Shorewall for the first
+    <p align="left">          <b>If you are installing Shorewall for the
-time and plan to use the        .tgz and install.sh script, you can untar
+first time and plan to use the        .tgz and install.sh script, you can
-the archive, replace the        'firewall' script in the untarred directory 
+untar the archive, replace the        'firewall' script in the untarred directory
       with the one you downloaded        below, and then run install.sh.</b></p>
                               </li>
                  <li>                                                  
-    <p align="left">          <b>When the instructions say to install a corrected 
+    <p align="left">          <b>If you are running a Shorewall version earlier
-      firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
+than 1.3.11, when the instructions say to install a corrected        firewall
 script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall   
   or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite 
     the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
            or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall 
            and /var/lib/shorewall/firewall  are symbolic links that point 
        to the 'shorewall' file used by your  system initialization scripts 
  to         start Shorewall during boot. It is  that file that must be overwritten 
-            with the corrected script.</b></p>
+            with the corrected script. Beginning with Shorewall 1.3.11, you
 may rename the existing file before copying in the new file.</b></p>
          </li>
          <li>                                        
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
    ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
- example,  do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
+  example,  do NOT install the 1.3.9a firewall script if you are running
 1.3.7c.</font></b><br>
                      </p>
          </li>
@ -82,7 +85,7 @@ on RH7.2</a></font></b></li>
                  <li>                            <b><a href="#Debug">Problems
   with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
                  <li><b><a href="#SuSE">Problems installing/upgrading RPM
-on  SuSE</a></b></li>
+ on  SuSE</a></b></li>
                  <li><b><a href="#Multiport">Problems with iptables version
  1.2.7    and       MULTIPORT=Yes</a></b></li>
            <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
@ -94,18 +97,31 @@ on  SuSE</a></b></li>
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.12</h3>
 <ul>
  <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the
 same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected
 by <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
 firewall script</a> which may be installed in /usr/lib/shorewall as described
 above.<br>
  </li>
 </ul>
 <h3>Version 1.3.12 LRP</h3>
 <ul>
   <li>The .lrp was missing the /etc/shorewall/routestopped file -- a new 
 lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
   </li>
 </ul>
 <h3>Version 1.3.11a</h3>
 <ul>
    <li><a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
-copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
+ copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
    </li>
 </ul>
@ -113,18 +129,18 @@ copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.
 <h3>Version 1.3.11</h3>
 <ul>
-      <li>When installing/upgrading using the .rpm, you may receive the following
+       <li>When installing/upgrading using the .rpm, you may receive the
-  warnings:<br>
+following   warnings:<br>
         <br>
          user teastep does not exist - using root<br>
          group teastep does not exist - using root<br>
         <br>
     These warnings are harmless and may be ignored. Users downloading the
-.rpm  from shorewall.net or mirrors should no longer see these warnings as 
+ .rpm  from shorewall.net or mirrors should no longer see these warnings
-the .rpm you will get from there has been corrected.</li>
+as  the .rpm you will get from there has been corrected.</li>
      <li>DNAT rules that exclude a source subzone (SOURCE column contains
-!  followed by a sub-zone list) result in an error message and Shorewall fails
+ !  followed by a sub-zone list) result in an error message and Shorewall
- to start.<br>
+fails  to start.<br>
        <br>
    Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
@ -165,8 +181,8 @@ the .rpm you will get from there has been corrected.</li>
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> 
-    corrects this problem.Copy the script to /usr/lib/shorewall/firewall
+    corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
-as   described  above.<br>
+  described  above.<br>
        </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
@ -176,9 +192,9 @@ as   described  above.<br>
 <ul>
          <li>The installer (install.sh) issues a misleading message "Common
- functions   installed in /var/lib/shorewall/functions" whereas the file is
+  functions   installed in /var/lib/shorewall/functions" whereas the file
- installed  in /usr/lib/shorewall/functions. The installer also performs incorrectly
+is  installed  in /usr/lib/shorewall/functions. The installer also performs
- when updating old configurations that had the file /etc/shorewall/functions. 
+incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
      <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
    is an updated version that corrects these problems.<br>
@ -198,7 +214,7 @@ script    at  <a
               <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns 
   of  the  policy file doesn't work.</li>
               <li>A DNAT rule with the same original and new IP addresses
-but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 
+ but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
   tcp   25 - 10.1.1.1")<br>
               </li>
@ -241,8 +257,8 @@ but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:
 <ol>
                                               <li>If the firewall is running 
  a  DHCP   server,                                   the client won't be 
-able   to obtain   an IP  address                                  lease
+able   to obtain   an IP  address                                  lease from
-from that   server.</li>
+that   server.</li>
                                               <li>With this order of checking, 
   the   "dhcp"                                   option cannot be used as 
 a  noise-reduction                                     measure where there 
@ -256,7 +272,8 @@ on a LAN segment.</li>
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                           This version of the 1.3.7a firewall script </a> 
                                     corrects the problem. It must be installed
-      in /var/lib/shorewall                                as described above.</p>
+       in /var/lib/shorewall                                as described
 above.</p>
 <h3>Version 1.3.7</h3>
@ -280,7 +297,7 @@ on a LAN segment.</li>
    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
       an error occurs when the firewall            script attempts to add
-an   SNAT   alias.  </p>
+ an   SNAT   alias.  </p>
                </li>
                <li>                                                    
@ -327,8 +344,8 @@ an   SNAT   alias.  </p>
 <div align="left">                  
 <p align="left">That capability was lost in version 1.3.4 so that it is only
-          possible to  include a single host specification on each line. This
+           possible to  include a single host specification on each line.
-        problem is corrected by    <a
+This         problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
           modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
           as instructed above.</p>
@ -350,10 +367,10 @@ an   SNAT   alias.  </p>
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands  
-        to not verify that the zones named in the /etc/shorewall/policy file
+         to not verify that the zones named in the /etc/shorewall/policy
-           have been previously defined in the /etc/shorewall/zones file.
+file            have been previously defined in the /etc/shorewall/zones
-The            "shorewall check" command does perform this verification so
+file. The            "shorewall check" command does perform this verification
-it's a            good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
                  changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -361,17 +378,17 @@ it's a            good idea to run that command after you have made configuratio
 <p align="left">If you have upgraded from Shorewall 1.2 and after       
    "Activating rules..." you see the message: "iptables: No            chains/target/match
       by that name" then you probably have an entry in            /etc/shorewall/hosts
-      that specifies an interface that you didn't            include in /etc/shorewall/interfaces. 
+       that specifies an interface that you didn't            include in
-      To correct this problem, you            must add an entry to /etc/shorewall/interfaces. 
+/etc/shorewall/interfaces.        To correct this problem, you          
-      Shorewall 1.3.3 and            later versions produce a clearer error 
+ must add an entry to /etc/shorewall/interfaces.        Shorewall 1.3.3 and
-  message    in this case.</p>
+           later versions produce a clearer error    message    in this case.</p>
 <h3 align="left">Version 1.3.2</h3>
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the       
    download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version
+           file can be identified by its size (56284 bytes). The correct
-           has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
 <ul>
                           <li>The code to detect a duplicate interface entry 
@ -403,26 +420,26 @@ it's a            good idea to run that command after you have made configuratio
 <ul>
                           <li>TCP SYN packets may be double counted when 
           LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e.,
-each              packet is sent through the limit chain twice).</li>
+ each              packet is sent through the limit chain twice).</li>
                           <li>An unnecessary jump to the policy chain is 
 sometimes                 generated for a CONTINUE policy.</li>
-                          <li>When an option is given for more than one interface 
+                           <li>When an option is given for more than one
-    in               /etc/shorewall/interfaces then depending on the option, 
+interface      in               /etc/shorewall/interfaces then depending
-   Shorewall                may ignore all but the first appearence of the 
+on the option,     Shorewall                may ignore all but the first
- option.  For example:<br>
+appearence of the   option.  For example:<br>
                           <br>
                           net    eth0    dhcp<br>
                           loc    eth1    dhcp<br>
                           <br>
                           Shorewall will ignore the 'dhcp' on eth1.</li>
                           <li>Update 17 June 2002 - The bug described in 
-the   prior    bullet               affects the following options: dhcp,
+the   prior    bullet               affects the following options: dhcp, dropunclean,
-dropunclean,   logunclean,                 norfc1918, routefilter, multi,
+  logunclean,                 norfc1918, routefilter, multi, filterping and
-filterping and   noping. An additional                 bug has been found
+  noping. An additional                 bug has been found that affects only
-that affects only   the 'routestopped' option.<br>
+  the 'routestopped' option.<br>
                           <br>
                           Users who downloaded the corrected script prior
-to  1850   GMT   today              should download and install the corrected
+ to  1850   GMT   today              should download and install the corrected 
  script   again   to ensure              that this second problem is corrected.</li>
 </ul>
@ -435,10 +452,11 @@ to  1850   GMT   today              should download and install the corrected
 <h3 align="left">Version 1.3.0</h3>
 <ul>
-                          <li>Folks who downloaded 1.3.0 from the links on
+                           <li>Folks who downloaded 1.3.0 from the links
- the   download    page              before 23:40 GMT, 29 May 2002 may have
+on  the   download    page              before 23:40 GMT, 29 May 2002 may
- downloaded   1.2.13    rather than              1.3.0. The "shorewall version"
+have  downloaded   1.2.13    rather than              1.3.0. The "shorewall
- command   will tell    you which version              that you have installed.</li>
+version"  command   will tell    you which version              that you
 have installed.</li>
                           <li>The documentation NAT.htm file uses non-existent 
              wallpaper and bullet graphic files. The           <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
@ -457,6 +475,7 @@ to  1850   GMT   today              should download and install the corrected
       iptables version 1.2.3</font></h3>
 <blockquote>                                                             
  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
               prevent it from working with Shorewall. Regrettably,  RedHat 
  released    this buggy iptables in RedHat   7.2. </p>
@ -467,7 +486,7 @@ to  1850   GMT   today              should download and install the corrected
        corrected 1.2.3 rpm which you can download here</a>  and I have also 
   built            an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
- iptables-1.2.4   rpm which you can download here</a>. If  you are currently 
+iptables-1.2.4   rpm which you can download here</a>. If  you are currently
       running RedHat 7.1, you can install either of these RPMs         
    <b><u>before</u>        </b>you upgrade to RedHat 7.2.</p>
@ -514,8 +533,8 @@ to  1850   GMT   today              should download and install the corrected
          <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
          this iptables RPM</a>. If you are already running a 1.2.5 version 
-  of       iptables, you will need to specify the --oldpackage option to
+  of       iptables, you will need to specify the --oldpackage option to rpm
-rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+  (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
                </blockquote>
@ -567,15 +586,16 @@ for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it.
 The  2.4.19 kernel   contains corrected support under a new kernel configuraiton 
 option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 12/28/2002 -                           
+<p><font size="2">  Last updated 1/3/2003 -                             
 <a href="support.htm">Tom Eastep</a></font> </p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>          © <font
-        © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
     </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata_1.htm
+++ b/Shorewall-docs/errata_1.htm
@ -207,8 +207,8 @@ ignored<br>
 <a href="support.htm">Tom Eastep</a></font>
 </p>
-<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
+<p align="left"><a href="copyright.htm">
-<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 </body>
--- a/Shorewall-docs/fallback.htm
+++ b/Shorewall-docs/fallback.htm
@ -70,5 +70,5 @@ type &quot;rpm -e shorewall&quot;.</p>
 <p><font size="2">Last updated 3/26/2001 - </font><font size="2">
 <a href="support.htm">Tom
 Eastep</a></font> </p>
-<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<a href="copyright.htm"><font size="2">Copyright</font> 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
--- a/Shorewall-docs/kernel.htm
+++ b/Shorewall-docs/kernel.htm
@ -142,5 +142,5 @@ the options selected above built as modules:</p>
 <p><font size="2">Last updated 3/10/2002 - </font><font size="2">
 <a href="support.htm">Tom
 Eastep</a></font> </p>
-<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<a href="copyright.htm"><font size="2">Copyright</font> 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -22,39 +22,45 @@
 border="0">
                  <tbody>
                   <tr>
-                 <td width="100%">                                      
+                    <td width="33%" valign="middle">                    
      <h1 align="center"><a
 href="http://www.centralcommand.com/linux_products.html"><img
 src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
 height="79" align="left">
-            </a><a
+               </a></h1>
      <h1 align="center"><a
 href="http://www.gnu.org/software/mailman/mailman.html">         <img
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
- height="35">
+ height="35" alt="">
-                  </a><a href="http://www.postfix.org/">       <img
+                     </a></h1>
      <p align="right"><br>
       <font color="#ffffff"><b>            </b></font>     </p>
                     </td>
       <td valign="middle" width="34%" align="center">       
      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
       </td>
       <td valign="middle" width="33%">       
      <h1 align="center"><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
- height="45">
+ height="45" alt="(Postfix Logo)">
-                  </a><font color="#ffffff">Shorewall Mailing Lists<a
+                     </a></h1>
- href="http://www.inter7.com/courierimap/"><img
+       <br>
 src="images/courier-imap.png" alt="Courier-Imap" width="100"
 height="38" align="right">
          </a></font></h1>
-                            
+      <div align="right"><br>
-      <p align="right"><font color="#ffffff"><b><br>
+       <b><font color="#ffffff">Powered by Postfix    </font></b><br>
-          </b></font></p>
+       </div>
      <p align="right"><font color="#ffffff"><b><br>
    Powered by Postfix         </b></font>     </p>
       </td>
                  </tr>
  </tbody>               
 </table>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
 <h2 align="left">Not getting List Mail? -- <a
 href="mailing_list_problems.htm">Check Here</a></h2>
@ -76,34 +82,39 @@
 <ol>
             <li>against <a href="http://spamassassin.org">Spamassassin</a> 
-(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
+ (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
     </li>
             <li>to ensure that the sender address is fully qualified.</li>
-          <li>to verify that the sender's domain has an A or MX record in 
+             <li>to verify that the sender's domain has an A or MX record 
-DNS.</li>
+in  DNS.</li>
-          <li>to ensure that the host name in the HELO/EHLO command is a
+             <li>to ensure that the host name in the HELO/EHLO command is 
-valid    fully-qualified  DNS name that resolves.</li>
+a  valid    fully-qualified  DNS name that resolves.</li>
 </ol>
 <h2>Please post in plain text</h2>
-  A growing number of MTAs serving list subscribers are rejecting all HTML 
+     A growing number of MTAs serving list subscribers are rejecting all
-traffic. At least one MTA has gone so far as to blacklist shorewall.net "for 
+HTML   traffic. At least one MTA has gone so far as to blacklist shorewall.net
-continuous abuse" because it has been my policy to allow HTML in list posts!!<br>
+"for  continuous abuse" because it has been my policy to allow HTML in list
 posts!!<br>
     <br>
     I think that blocking all HTML is a Draconian way to control spam  and 
-that the ultimate losers here are not the spammers but the list subscribers
+ that the ultimate losers here are not the spammers but the list subscribers 
  whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
-to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
+ to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
-life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
+ life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
-to allow subscribers to receive list posts as must as possible, I have now 
+ to allow subscribers to receive list posts as must as possible, I have now
-configured the list server at shorewall.net to strip all HTML from outgoing
+ configured the list server at shorewall.net to strip all HTML from outgoing
-posts.<br>
+ posts. This means that HTML-only posts will be bounced by the list server.<br>
 <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
  </p>
 <h2>Other Mail Delivery Problems</h2>
-If you find that you are missing an occasional list post, your e-mail admin
+   If you find that you are missing an occasional list post, your e-mail
-may be blocking mail whose <i>Received:</i> headers contain the names of
+admin  may be blocking mail whose <i>Received:</i> headers contain the names
-certain ISPs. Again, I believe that such policies hurt more than they help
+of certain ISPs. Again, I believe that such policies hurt more than they
-but I'm not prepared to go so far as to start stripping <i>Received:</i>
+help but I'm not prepared to go so far as to start stripping <i>Received:</i> 
 headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
@ -130,34 +141,34 @@ headers to circumvent those policies.<br>
  <option value="revtime">Reverse Time </option>
  <option value="revtitle">Reverse Title </option>
  </select>
-            </font> <input type="hidden" name="config" value="htdig"> <input
+               </font> <input type="hidden" name="config" value="htdig">
- type="hidden" name="restrict"
+  <input type="hidden" name="restrict"
 value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-            Search: <input type="text" size="30" name="words" value=""> <input
+               Search: <input type="text" size="30" name="words"
- type="submit" value="Search"> </p>
+ value="">    <input type="submit" value="Search"> </p>
               </form>
-<h2 align="left"><font color="#ff0000">Please do not try to download the entire
+<h2 align="left"><font color="#ff0000">Please do not try to download the
-Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
+entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
-stand the traffic. If I catch you, you will be blacklisted.<br>
+won't stand the traffic. If I catch you, you will be blacklisted.<br>
        </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
-          If you want to trust X.509 certificates issued by Shoreline Firewall
+             If you want to trust X.509 certificates issued by Shoreline
-   (such   as the one used on my web site), you may <a
+Firewall     (such   as the one used on my web site), you may <a
 href="Shorewall_CA_html.html">download and install my CA certificate</a> 
      in your browser. If you don't wish to trust my certificates then you 
-can    either use unencrypted access when subscribing to Shorewall mailing
+ can    either use unencrypted access when subscribing to Shorewall mailing 
-lists    or you can use secure access (SSL) and accept the server's certificate
+ lists    or you can use secure access (SSL) and accept the server's certificate 
  when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users 
       to get answers to questions and to report problems. Information of 
-general       interest to the Shorewall user community is also posted to
+general       interest to the Shorewall user community is also posted to this
-this list.</p>
+list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see 
       the <a href="support.htm">problem reporting guidelines</a>.</b></p>
@ -174,9 +185,9 @@ this list.</p>
 <p align="left">The list archives are at <a
 href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
-at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
-list may be found at <a
+may be found at <a
 href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
 <h2 align="left">Shorewall Announce Mailing List</h2>
@ -213,7 +224,7 @@ list may be found at <a
 <p align="left">There seems to be near-universal confusion about unsubscribing 
        from Mailman-managed lists although Mailman 2.1 has attempted to make
-this less confusing. To unsubscribe:</p>
+ this less confusing. To unsubscribe:</p>
 <ul>
                  <li>                                                  
@ -225,7 +236,7 @@ this less confusing. To unsubscribe:</p>
    <p align="left">Down at the bottom of that page is the following text: 
       " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password 
-reminder,         or change your subscription options enter your subscription 
+ reminder,         or change your subscription options enter your subscription
          email address:". Enter your email  address   in the box and click 
  on the "<b>Unsubscribe</b> or edit options" button.</p>
                  </li>
@ -243,14 +254,17 @@ reminder,         or change your subscription options enter your subscription
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 12/29/2002 - <a
+<p align="left"><font size="2">Last updated 12/31/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
+<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
      </p>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list_problems.htm
+++ b/Shorewall-docs/mailing_list_problems.htm
@ -40,21 +40,10 @@
 <p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
+<p align="left"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
+ size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></p>
 <p align="left"> </p>
 <br>
           <br>
          <br>
         <br>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@ -20,6 +20,7 @@
                <tbody>
           <tr>
                  <td width="100%">                                     
      <h1 align="center"><font color="#ffffff">About My Network</font></h1>
                  </td>
                </tr>
@ -32,6 +33,13 @@
 <h1>My Current Network </h1>
 <blockquote>                                                 
  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
 use a combination of Static NAT and Proxy ARP, neither of which are relevant
 to a simple configuration with a single public IP address.</small></b></big><big><b><small>
 If you have just a single public IP address, most of what you see here won't
 apply to your setup so beware of copying parts of this configuration and
 expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
  </p>
  <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
    My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) 
   is connected to eth0. I have a local network connected to eth2 (subnet 
@ -43,10 +51,10 @@
  <ul>
           <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 
   and external address 206.124.146.178.</li>
-        <li>Proxy ARP for wookie (my Linux System). This system has two IP
+           <li>Proxy ARP for wookie (my Linux System). This system has two
- addresses:  192.168.1.3/24 and 206.124.146.179/24.</li>
+ IP  addresses:  192.168.1.3/24 and 206.124.146.179/24.</li>
-        <li>SNAT through the primary gateway address (206.124.146.176) for  
+           <li>SNAT through the primary gateway address (206.124.146.176) 
- my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
+for    my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
  </ul>
@ -62,8 +70,8 @@ the   PopTop server running on my firewall. </p>
  <p> The single system in the DMZ (address 206.124.146.177) runs postfix, 
   Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
-  (Pure-ftpd). The system   also runs fetchmail to fetch our email from our 
+   (Pure-ftpd). The system   also runs fetchmail to fetch our email from
-  old and current ISPs. That server is managed through Proxy ARP.</p>
+our    old and current ISPs. That server is managed through Proxy ARP.</p>
  <p> The firewall system itself runs a DHCP server that serves the local 
     network.</p>
@ -91,11 +99,14 @@ the   PopTop server running on my firewall. </p>
 below).</p>
  <p>A similar setup is used on eth3 (192.168.3.1) which                 
-           interfaces to my laptop (206.124.146.180).</p>
+          interfaces to my laptop (206.124.146.180).<br>
    </p>
-  <p><font color="#ff0000" size="5">                           Note: My files
+  <p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
-   use features not available before                            Shorewall
+ access.<br>
-version  1.3.4.</font></p>
+    </p>
  <p><font color="#ff0000" size="5"></font></p>
  </blockquote>
 <h3>Shorewall.conf</h3>
@ -109,8 +120,8 @@ version  1.3.4.</font></p>
 <h3>Interfaces File: </h3>
 <blockquote>                                                     
-  <p> This is set up so that I can start the firewall before bringing up
+  <p> This is set up so that I can start the firewall before bringing up my
-my Ethernet  interfaces. </p>
+Ethernet  interfaces. </p>
            </blockquote>
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp,filterping,maclist<br>	dmz	eth1 		206.124.146.255	filterping<br>	net	eth3		206.124.146.255 filterping,blacklist<br>	-	texas 		-               filterping<br>	loc	ppp+		-		filterping<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -125,8 +136,7 @@ my Ethernet  interfaces. </p>
 <h3>Common File: </h3>
-<pre><font size="2" face="Courier">	. /etc/shorewall/common.def<br>	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br>	run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
+<pre><font size="2" face="Courier">	. /etc/shorewall/common.def<br>	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
 <h3>Policy File:</h3>
 <pre><font size="2" face="Courier">
@ -140,9 +150,10 @@ my Ethernet  interfaces. </p>
 <h3>Masq File: </h3>
 <blockquote>                                                             
  <p> Although most of our internal systems use static NAT, my wife's system 
    (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with 
-laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
+ laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
         </blockquote>
 <pre><font size="2" face="Courier">	#INTERFACE 	SUBNET		ADDRESS<br>	eth0 		192.168.1.0/24	206.124.146.176<br>        texas           206.124.146.179 192.168.1.254<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
@ -154,22 +165,23 @@ laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
 <h3>Proxy ARP File:</h3>
 <pre><font face="Courier" size="2">     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROU</font><font
- face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br></font><font
+ face="Courier" size="2">TE<br>	206.124.146.177 eth1 		eth0 		No<br>	206.124.146.180	eth3		eth0		No<br></font><pre><font
- face="Courier" size="2">	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
+ face="Courier" size="2">	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre></pre>
 <h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
 <pre><small>	#TYPE           ZONE    GATEWAY</small><small>	<br>	gre             net     $TEXAS</small><small><br>	#LAST LINE -- DO NOT REMOVE<br></small></pre>
 <h3>Rules File (The shell variables                                      
     are set in /etc/shorewall/params):</h3>
-<pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	ACCEPT		net		fw			tcp	1723<br>	ACCEPT		net		fw			gre<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
+<pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	ACCEPT		net		loc:192.168.1.5		tcp	1723<br>	ACCEPT		net		loc:192.168.1.5		gre<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
-<p><font size="2"> Last updated 10/14/2002  - </font><font size="2">     
+<p><font size="2"> Last updated 1/12/2003  - </font><font size="2">      
                                      <a href="support.htm">Tom Eastep</a></font>
      </p>
-       <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+          <a href="copyright.htm"><font size="2">Copyright</font>      ©
-     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -26,11 +26,11 @@ way. This page describes how it now works.<br>
 There are several aspects to Shorewall Ping management:<br>
 <ol>
  <li>The <b>noping</b> and <b>filterping </b>interface options in <a
- href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
  <li>The <b>FORWARDPING</b> option in<a
- href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
+ href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
  <li>Explicit rules in <a
- href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+ href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ol>
 There are two cases to consider:<br>
 <ol>
@ -81,10 +81,10 @@ then the request is responded to with an ICMP echo-reply.</li>
 is either rejected or simply ignored.</li>
 </ol>
 <p><font size="2">Updated 12/13/2002 - <a
- href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
+ href="support.htm">Tom Eastep</a> </font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+<p><a href="copyright.htm"><font size="2">Copyright</font>
- &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -187,8 +187,8 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
 <p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-   <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+   <a href="copyright.htm"><font size="2">Copyright</font>
-  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
  <br>
 <br>
 </body>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -5,6 +5,7 @@
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -23,6 +24,7 @@
 bgcolor="#4b017c">
              <tbody>
           <tr>
                    <td width="100%" height="90">                       
@ -33,13 +35,15 @@
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-       </a></i></font><font color="#ffffff">Shorewall      1.3   -      
+               </a></i></font><font color="#ffffff">Shorewall      1.3  
-       <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
+-               <font size="4">"<i>iptables                   made easy"</i></font></font></h1>
@ -50,7 +54,9 @@
      <div align="center"><a
 href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
        </div>
        <br>
                    </td>
@ -60,6 +66,7 @@
  </tbody>                                                              
 </table>
@ -74,6 +81,7 @@
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                <tbody>
           <tr>
                      <td width="90%">                                  
@ -84,6 +92,7 @@
      <h2 align="left">What is it?</h2>
@ -114,18 +123,18 @@ General Public License</a> as published by the Free Software        Foundation.<
                   <br>
-      This   program     is  distributed       in  the   hope   that   it 
+              This   program     is  distributed       in  the   hope   that
- will     be  useful,    but         WITHOUT  ANY    WARRANTY;   without 
+    it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;  
- even the   implied    warranty      of MERCHANTABILITY             or FITNESS
+without      even the   implied    warranty      of MERCHANTABILITY     
-  FOR   A PARTICULAR      PURPOSE.        See the  GNU General     Public
+       or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the  GNU
-License           for  more details.<br>
+General     Public  License           for  more details.<br>
                   <br>
-      You   should    have   received     a  copy   of  the   GNU   General 
+              You   should    have   received     a  copy   of  the   GNU 
-     Public      License             along  with   this program;    if  not,
+  General         Public      License             along  with   this program; 
-   write  to  the    Free Software        Foundation,            Inc., 675
+    if  not,    write  to  the    Free Software        Foundation,       
-    Mass  Ave,  Cambridge,  MA  02139,      USA</p>
+    Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -135,7 +144,8 @@ License           for  more details.<br>
-      <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
+      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -148,19 +158,22 @@ License           for  more details.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-       </a>Jacques              Nilo   and   Eric   Wolzak    have   a  LEAF 
+               </a>Jacques              Nilo   and   Eric   Wolzak    have
-(router/firewall/gateway         on  a floppy,   CD  or compact  flash) distribution 
+   a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or compact
-      called              <i>Bering</i>    that          features     Shorewall-1.3.10 
+   flash)  distribution        called              <i>Bering</i>    that
-and    Kernel-2.4.18.       You    can  find    their   work at:         
+         features      Shorewall-1.3.10  and    Kernel-2.4.18.       You
-      <a href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
+   can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                              </a></p>
      <p><b>Congratulations to Jacques and Eric on the recent release of
 Bering 1.0 Final!!! </b><br>
                         </p>
      <h2>This is a mirror of the main Shorewall web site at SourceForge
 (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -174,6 +187,7 @@ Bering 1.0 Final!!! </b><br>
      <h2>News</h2>
@ -183,6 +197,7 @@ Bering 1.0 Final!!! </b><br>
      <h2></h2>
@ -190,52 +205,134 @@ Bering 1.0 Final!!! </b><br>
-      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
+      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+ src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b><br>
      </p>
      <p>Just includes a few things that I had on the burner:<br>
 </p>
      <ol>
        <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules 
 file. DNAT- is intended for advanced users who wish to minimize the number 
 of rules that connection requests must traverse.<br>
     <br>
 A Shorewall DNAT rule actually generates two iptables rules: a header rewriting 
 rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- 
 rule only generates the first of these rules. This is handy when you have 
 several DNAT rules that would generate the same ACCEPT rule.<br>
     <br>
    Here are three rules from my previous rules file:<br>
     <br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
     <br>
    These three rules ended up generating _three_ copies of<br>
     <br>
          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
     <br>
    By writing the rules this way, I end up with only one copy of the ACCEPT
 rule.<br>
     <br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
     <br>
   </li>
        <li>The 'shorewall check' command now prints out the applicable policy
 between each pair of zones.<br>
     <br>
   </li>
        <li>A new CLEAR_TC option has been added to shorewall.conf. If this
 option is set to 'No' then Shorewall won't clear the current traffic control
 rules during [re]start. This setting is intended for use by people that prefer 
 to configure traffic shaping when the network interfaces come up rather than 
 when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes 
 and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, 
 your traffic shaping rules can still use the 'fwmark' classifier based on 
 packet marking defined in /etc/shorewall/tcrules.<br>
     <br>
   </li>
        <li>A new SHARED_DIR variable has been added that allows distribution
 packagers to easily move the shared directory (default /usr/lib/shorewall).
 Users should never have a need to change the value of this shorewall.conf
 setting.<br>
   </li>
      </ol>
      <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
                                                     </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall
   Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
            </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
                                                  </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 
   documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                         <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                     </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>               
                                </b></p>
      <p>     Features include:<br>
                  </p>
      <ol>
-        <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules 
+                <li>"shorewall refresh" now reloads the traffic shaping rules 
-  and tcstart).</li>
+  (tcrules     and tcstart).</li>
-        <li>"shorewall debug [re]start" now turns off debugging after an
+                <li>"shorewall debug [re]start" now turns off debugging after 
-error   occurs. This places the point of the failure near the end of the
+  an  error   occurs. This places the point of the failure near the end of 
-trace rather   than up in the middle of it.</li>
+ the trace rather   than up in the middle of it.</li>
-        <li>"shorewall [re]start" has been speeded up by more than 40% with
+                <li>"shorewall [re]start" has been speeded up by more than
- my  configuration. Your milage may vary.</li>
+ 40%   with   my  configuration. Your milage may vary.</li>
-        <li>A "shorewall show classifiers" command has been added which shows
+                <li>A "shorewall show classifiers" command has been added 
-  the current packet classification filters. The output from this command
+which    shows   the current packet classification filters. The output from 
-is  also added as a separate page in "shorewall monitor"</li>
+this  command  is  also added as a separate page in "shorewall monitor"</li>
-        <li>ULOG (must be all caps) is now accepted as a valid syslog level
+                <li>ULOG (must be all caps) is now accepted as a valid syslog 
- and  causes the subject packets to be logged using the ULOG target rather
+  level   and  causes the subject packets to be logged using the ULOG target 
- than  the LOG target. This allows you to run ulogd (available from <a
+  rather   than  the LOG target. This allows you to run ulogd (available from
- href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-  and log all Shorewall messages <a
+      and log all Shorewall messages <a href="shorewall_logging.html">to a
- href="shorewall_logging.html">to a separate log file</a>.</li>
+ separate  log file</a>.</li>
-        <li>If you are running a kernel that has a FORWARD chain in the mangle 
+                <li>If you are running a kernel that has a FORWARD chain
-  table ("shorewall show mangle" will show you the chains in the mangle table), 
+in  the   mangle    table ("shorewall show mangle" will show you the chains 
-  you can set MARK_IN_FORWARD_CHAIN=Yes in <a
+in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
     input packets based on their destination even when you are using  Masquerading
     or SNAT.</li>
-        <li>I have cluttered up the /etc/shorewall directory with empty 'init', 
+                <li>I have cluttered up the /etc/shorewall directory with 
-  'start', 'stop' and 'stopped' files. If you already have a file with one 
+empty    'init',    'start', 'stop' and 'stopped' files. If you already have 
- of these names, don't worry -- the upgrade process won't overwrite your file.</li>
+a file    with one   of these names, don't worry -- the upgrade process won't 
 overwrite    your file.</li>
                <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
-the syslog level at which packets are logged as a result of entries in the
+    the syslog level at which packets are logged as a result of entries in
-/etc/shorewall/rfc1918 file. Previously, these packets were always logged
+ the   /etc/shorewall/rfc1918 file. Previously, these packets were always
-at the 'info' level.<br>
+logged   at the 'info' level.<br>
           </li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
               </p>
- This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL 
+         This version corrects a problem with Blacklist logging. In Beta
-was set to anything but ULOG, the firewall would fail to start and "shorewall 
+2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would 
-refresh" would also fail.<br>
+ fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                          </p>
@ -245,93 +342,106 @@ refresh" would also fail.<br>
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                 
                            </b></p>
-     The first public Beta version of Shorewall 1.3.12 is now available (Beta
+             The first public Beta version of Shorewall 1.3.12 is now available 
- 1 was made available to a limited audience). <br>
+   (Beta  1 was made available to a limited audience). <br>
              <br>
              Features include:<br>
              <br>
      <ol>
-             <li>"shorewall refresh" now reloads the traffic shaping rules
+                     <li>"shorewall refresh" now reloads the traffic shaping
- (tcrules  and tcstart).</li>
+  rules    (tcrules  and tcstart).</li>
-             <li>"shorewall debug [re]start" now turns off debugging after
+                     <li>"shorewall debug [re]start" now turns off debugging
- an  error occurs. This places the point of the failure near the end of the
+  after    an  error occurs. This places the point of the failure near the
- trace  rather than up in the middle of it.</li>
+ end of the   trace  rather than up in the middle of it.</li>
-             <li>"shorewall [re]start" has been speeded up by more than 40% 
+                     <li>"shorewall [re]start" has been speeded up by more
- with  my configuration. Your milage may vary.</li>
+ than   40%   with  my configuration. Your milage may vary.</li>
-             <li>A "shorewall show classifiers" command has been added which
+                     <li>A "shorewall show classifiers" command has been
-  shows the current packet classification filters. The output from this command
+added    which    shows the current packet classification filters. The output
-  is also added as a separate page in "shorewall monitor"</li>
+from    this command    is also added as a separate page in "shorewall monitor"</li>
-             <li>ULOG (must be all caps) is now accepted as a valid syslog
+                     <li>ULOG (must be all caps) is now accepted as a valid 
- level  and causes the subject packets to be logged using the ULOG target
+ syslog    level  and causes the subject packets to be logged using the ULOG 
-rather than the LOG target. This allows you to run ulogd (available from
+ target   rather than the LOG target. This allows you to run ulogd (available 
-          <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
+ from            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-  and log all Shorewall messages <a
+      and log all Shorewall messages <a href="shorewall_logging.html">to a
- href="shorewall_logging.html">to a separate log file</a>.</li>
+ separate  log file</a>.</li>
-             <li>If you are running a kernel that has a FORWARD chain in
+                     <li>If you are running a kernel that has a FORWARD chain 
-the   mangle table ("shorewall show mangle" will show you the chains in the
+  in  the   mangle table ("shorewall show mangle" will show you the chains 
-mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
+ in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
-This allows  for  marking input packets based on their destination even when
+    This allows  for  marking input packets based on their destination even
-you are using  Masquerading or SNAT.</li>
+  when  you are using  Masquerading or SNAT.</li>
-             <li>I have cluttered up the /etc/shorewall directory with empty
+                     <li>I have cluttered up the /etc/shorewall directory 
-  'init', 'start', 'stop' and 'stopped' files. If you already have a file
+with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
-with  one of these names, don't worry -- the upgrade process won't overwrite
+have   a file  with  one of these names, don't worry -- the upgrade process 
-your  file.</li>
+won't   overwrite  your  file.</li>
      </ol>
              You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="21" border="0">
                </a></b></p>
-       Shorewall is at the center of MandrakeSoft's recently-announced <a
+               Shorewall is at the center of MandrakeSoft's recently-announced
         <a
 href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi 
       Network Firewall (MNF)</a> product. Here is the <a
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
       release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-     delivered. I have installed 9.0 on one of my systems and I am now in
+         delivered. I have installed 9.0 on one of my systems and I am now
-a  position   to support Shorewall users who run Mandrake 9.0.</p>
+ in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
                         </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
-      with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
+          with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
-   who   don't need rules of this type need not upgrade to 1.3.11.</p>
+ users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
                                        </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 
            documenation. the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                              <a
@ -339,30 +449,34 @@ a  position   to support Shorewall users who run Mandrake 9.0.</p>
                          </p>
      <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>                
                 </b></p>
      <p>In this version:</p>
      <ul>
-                       <li>A 'tcpflags' option has been added to entries
+                               <li>A 'tcpflags' option has been added to
-in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
+entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
     This option causes Shorewall to make a set of sanity check on TCP packet 
-header flags.</li>
+    header flags.</li>
-                       <li>It is now allowed to use 'all' in the SOURCE or
+                               <li>It is now allowed to use 'all' in the
- DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.  When
+SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>. 
-used,  'all'   must  appear  by itself (in may not be qualified) and it does
+ When   used,  'all'   must  appear  by itself (in may not be qualified) and
- not  enable   intra-zone  traffic.  For example, the rule <br>
+it does   not  enable   intra-zone  traffic.  For example, the rule <br>
                            <br>
                            ACCEPT loc all tcp 80<br>
                            <br>
                        does not enable http traffic from 'loc' to 'loc'.</li>
-                       <li>Shorewall's use of the 'echo' command is now compatible
+                               <li>Shorewall's use of the 'echo' command
-     with   bash clones such as ash and dash.</li>
+is  now   compatible      with   bash clones such as ash and dash.</li>
-                       <li>fw-&gt;fw policies now generate a startup error. 
+                               <li>fw-&gt;fw policies now generate a startup
- fw-&gt;fw      rules  generate a warning and are ignored</li>
+  error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
      </ul>
@ -370,6 +484,7 @@ used,  'all'   must  appear  by itself (in may not be qualified) and it does
      <p><b></b><a href="News.htm">More News</a></p>
@ -380,6 +495,7 @@ used,  'all'   must  appear  by itself (in may not be qualified) and it does
      <h2><a name="Donations"></a>Donations</h2>
                                                         </td>
@ -392,6 +508,7 @@ used,  'all'   must  appear  by itself (in may not be qualified) and it does
  </tbody>                                                              
 </table>
@ -405,7 +522,9 @@ used,  'all'   must  appear  by itself (in may not be qualified) and it does
 <table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
         <tbody>
           <tr>
               <td width="100%" style="margin-top: 1px;">               
@ -416,6 +535,7 @@ used,  'all'   must  appear  by itself (in may not be qualified) and it does
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
@ -429,6 +549,7 @@ used,  'all'   must  appear  by itself (in may not be qualified) and it does
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                                      to       <a
@ -436,18 +557,20 @@ but if       you try it and find it useful, please consider making a donation
 Children's Foundation.</font></a> Thanks!</font></p>
               </td>
           </tr>
  </tbody>                                                              
 </table>
-<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font> 
+<p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font> 
                              <br>
 </p>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -6,6 +6,7 @@
 content="text/html; charset=windows-1252">
  <title>About the Shorewall Author</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
@ -58,7 +59,7 @@ present</li>
 <p>I became interested in Internet Security when I established a home office
     in 1999 and had DSL service installed in our       home. I investigated
   ipchains  and developed the scripts which are now collectively known as
-<a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding 
+ <a href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding
     on what I learned from Seattle Firewall, I then       designed and wrote
    Shorewall. </p>
@ -69,22 +70,23 @@ present</li>
 <ul>
               <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
-IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system. Also 
+ IDE   HDs   and LNE100TX      (Tulip) NIC - My personal Windows system.
-has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
+Serves as a PPTP server for Road Warrior access. Also  has <a
 href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
               <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
- NIC   -  My      personal Linux System which runs Samba configured as a WINS
+  NIC   -  My      personal Linux System which runs Samba configured as a
- server.    This      system also has <a href="http://www.vmware.com/">VMware</a>
+WINS  server.    This      system also has <a
- installed    and      can run both <a href="http://www.debian.org">Debian
+ href="http://www.vmware.com/">VMware</a>  installed    and      can run
- Woody</a> and         <a href="http://www.suse.com">SuSE 8.1</a> in virtual
+both <a href="http://www.debian.org">Debian  Woody</a> and         <a
- machines.</li>
+ href="http://www.suse.com">SuSE 8.1</a> in virtual  machines.</li>
-              <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
+               <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
-Email   (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS 
+- Email   (Postfix  &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
-server        (Bind).</li>
+DNS  server        (Bind).</li>
               <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI  HD - 3      LNE100TX  
-   (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.11  and a DHCP
+   (Tulip) and 1 TLAN NICs  - Firewall running Shorewall  1.3.12+  and a
-       server.  Also   runs PoPToP for     road warrior access.</li>
+DHCP        server.</li>
               <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
-wife's        personal system.</li>
+ wife's        personal system.</li>
               <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard 
 EEPRO100     and     EEPRO100 in expansion base and LinkSys WAC11 - My main 
 work system.</li>
@ -114,11 +116,10 @@ work system.</li>
 width="125" height="40" hspace="4">
            </font></p>
-<p><font size="2">Last updated 12/7/2002 - </font><font size="2">       <a
+<p><font size="2">Last updated 1/7/2003 - </font><font size="2">       <a
 href="support.htm">Tom Eastep</a></font>  </p>
             <font face="Trebuchet MS"><a href="copyright.htm"><font
- size="2">Copyright</font>       © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font>       © <font size="2">2001, 2002, 2003 Thomas
-         <br>
+M. Eastep.</font></a></font><br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_logging.html
+++ b/Shorewall-docs/shorewall_logging.html
@ -2,11 +2,14 @@
 <html>
 <head>
  <title>Shorewall Logging</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-<body>
+  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
@ -14,19 +17,20 @@
                    <tr>
                     <td width="100%">                                  
      <h1 align="center"><font color="#ffffff">Logging</font></h1>
                     </td>
                   </tr>
  </tbody>                
 </table>
-<br>
+  <br>
-By default, Shorewall directs NetFilter to log using syslog (8). Syslog 
+  By default, Shorewall directs NetFilter to log using syslog (8). Syslog 
  classifies log messages by a <i>facility</i> and a <i>priority</i> (using
   the notation <i>facility.priority</i>). <br>
      <br>
      The facilities defined by syslog are <i>auth, authpriv, cron, daemon, 
-kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
+ kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
  <i>local7</i>.<br>
      <br>
      Throughout the Shorewall documentation, I will use the term <i>level</i>
@ -36,33 +40,33 @@ kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
 <h3>Syslog Levels<br>
        </h3>
        Syslog levels are a method of describing to syslog (8) the importance 
-  of  a message and a number of Shorewall parameters have a syslog level as
+   of  a message and a number of Shorewall parameters have a syslog level 
-  their  value.<br>
+as   their  value.<br>
          <br>
          Valid levels are:<br>
          <br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-debug<br>
+ debug<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-info<br>
+ info<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-notice<br>
+ notice<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-warning<br>
+ warning<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-err<br>
+ err<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-crit<br>
+ crit<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-alert<br>
+ alert<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-emerg<br>
+ emerg<br>
          <br>
-        For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
+          For most Shorewall logging, a level of 6 (info) is appropriate. 
-    log messages are generated by NetFilter and are logged using the <i>kern</i> 
+Shorewall     log messages are generated by NetFilter and are logged using 
-  facility  and the level that you specify. If you are unsure of the level 
+the <i>kern</i>    facility  and the level that you specify. If you are unsure 
-  to choose,  6 (info) is a safe bet. You may specify levels by name or by 
+of the level    to choose,  6 (info) is a safe bet. You may specify levels 
- number.<br>
+by name or by   number.<br>
        <br>
        Syslogd writes log messages to files (typically in /var/log/*) based
  on  their facility and level. The mapping of these facility/level pairs
@ -79,17 +83,28 @@ file,  you must restart syslogd before the changes can take effect.<br>
    <li>All kernel.info messages will go to that destination and not just 
  those from NetFilter.<br>
          </li>
 </ol>
-      Beginning with Shorewall version 1.3.12, if your kernel has ULOG target 
+        Beginning with Shorewall version 1.3.12, if your kernel has ULOG
-  support (and most vendor-supplied kernels do), you may also specify a log
+target    support (and most vendor-supplied kernels do), you may also specify
- level of ULOG (must be all caps). When  ULOG is used, Shorewall will direct
+a log  level of ULOG (must be all caps). When  ULOG is used, Shorewall will 
- netfilter to log the related messages  via the ULOG target which will send
+direct  netfilter to log the related messages  via the ULOG target which will
- them to a process called 'ulogd'. The  ulogd program is available from http://www.gnumonks.org/projects/ulogd
+send  them to a process called 'ulogd'. The  ulogd program is available from
- and  can be configured to log all Shorewall message to their own log file.<br>
+http://www.gnumonks.org/projects/ulogd  and  can be configured to log all
 Shorewall message to their own log file.<br>
 <br>
-  Download the ulod tar file and:<br>
+ <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from 
 syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely 
 no effect on your Shorewall logging (except for Shorewall status messages 
 which still go to syslog).<br>
    <br>
 You will need to have the kernel source available to compile ulogd.<br>
 <br>
 Download the ulod tar file and:<br>
 <ol>
    <li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
  </li>
  <li>cd /usr/local/src (or wherever you do your builds)</li>
    <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
    <li>cd ulogd-<i>version</i><br>
@ -98,9 +113,10 @@ file,  you must restart syslogd before the changes can take effect.<br>
    <li>make</li>
    <li>make install<br>
      </li>
 </ol>
    If you are like me and don't have a development environment on your firewall,
- you can do the first five steps on another system then either NFS mount
+  you can do the first six steps on another system then either NFS mount
 your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
  directory and move it to your firewall system.<br>
    <br>
@ -109,29 +125,32 @@ your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
 <ol>
    <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
    <li>syslogsync 1</li>
 </ol>
-  I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
+    I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init 
- /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
+to  /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
- to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
+  to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
- --level 3 ulogd on" starts ulogd during boot up. Your init system may need
+"chkconfig   --level 3 ulogd on" starts ulogd during boot up. Your init system
- something else done to activate the script.<br>
+may need   something else done to activate the script.<br>
 <br>
 You will need to change all instances of log levels (usually 'info') in
 your configuration files to 'ULOG' - this includes entries in the policy,
 rules and shorewall.conf files. Here's what I have:<br>
 <pre>	[root@gateway shorewall]# grep ULOG *<br>	policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br>	policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br>	policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br>	rules:REJECT:ULOG loc net tcp 6667<br>	shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br>	shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br>	[root@gateway shorewall]#<br></pre>
    Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
-that  you wish to log to&gt;</i>. This tells the /sbin/shorewall program
+ that  you wish to log to&gt;</i>. This tells the /sbin/shorewall program
 where to look for the log when processing its "show log", "logwatch" and
 "monitor"  commands.<br>
-<p><font size="2">   Updated 12/29/2002 - <a
+<p><font size="2">   Updated 1/11/2003 - <a href="support.htm">Tom  Eastep</a> 
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a> 
          </font></p>
-<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
+<p><a href="copyright.htm"><font size="2">Copyright</font>           &copy; 
-          &copy; <font size="2">2001, 2002 Thomas M. Eastep</font></a></font><br>
+<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
     </p>
 <h2><br>
 </h2>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -24,7 +24,9 @@
                   <tr>
                    <td width="100%">                                   
-      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
+ 
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides 
 (HOWTO's)<br>
                Version 3.1</font></h1>
                    </td>
                  </tr>
@ -44,11 +46,11 @@ must  all first walk before we can run.</p>
 <ul>
                  <li><a href="standalone.htm">Standalone</a> Linux System</li>
-                <li><a href="two-interface.htm">Two-interface</a> Linux System
+                  <li><a href="two-interface.htm">Two-interface</a> Linux 
-   acting    as a    firewall/router for a small local network</li>
+System    acting    as a    firewall/router for a small local network</li>
                  <li><a href="three-interface.htm">Three-interface</a> Linux 
- System    acting  as a    firewall/router for a small local network and a
+  System    acting  as a    firewall/router for a small local network and 
- DMZ.</li>
+a  DMZ.</li>
 </ul>
@ -62,22 +64,22 @@ must  all first walk before we can run.</p>
 <ul>
                  <li><a href="shorewall_setup_guide.htm#Introduction">1.0
-Introduction</a></li>
+ Introduction</a></li>
                  <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
    Concepts</a></li>
-                <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
+                  <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
-   Interfaces</a></li>
+Network     Interfaces</a></li>
-                <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
+                  <li><a href="shorewall_setup_guide.htm#Addressing">4.0
-     Subnets  and Routing</a>                                           
+Addressing,       Subnets  and Routing</a>                              
    <ul>
-                  <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
+                    <li><a href="shorewall_setup_guide.htm#Addresses">4.1 
- Addresses</a></li>
+IP  Addresses</a></li>
                                <li><a
 href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
                    <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
                    <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address 
-Resolution      Protocol</a></li>
+ Resolution      Protocol</a></li>
    </ul>
@ -85,7 +87,7 @@ Resolution      Protocol</a></li>
    <ul>
                    <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 
-1918</a></li>
+ 1918</a></li>
    </ul>
@ -101,23 +103,27 @@ Resolution      Protocol</a></li>
    <ul>
-                  <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> 
+                    <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 
 Non-routed</a>                                                           
        <ul>
-                    <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
+                      <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
-                    <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
+SNAT</a></li>
                      <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
 DNAT</a></li>
                      <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
  Proxy    ARP</a></li>
                      <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
   NAT</a></li>
        </ul>
                    </li>
                    <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
                    <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 
-Odds   and   Ends</a></li>
+ Odds   and   Ends</a></li>
    </ul>
@ -133,12 +139,13 @@ Odds   and   Ends</a></li>
 <p>The following documentation covers a variety of topics and <b>supplements 
       the  <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> 
-described      above</b>. Please review the appropriate guide before trying 
+ described      above</b>. Please review the appropriate guide before trying 
-to use this    documentation directly.</p>
+ to use this    documentation directly.</p>
 <ul>
                  <li><a href="blacklisting_support.htm">Blacklisting</a> 
    <ul>
                    <li>Static Blacklisting using /etc/shorewall/blacklist</li>
                    <li>Dynamic Blacklisting using /sbin/shorewall</li>
@ -151,24 +158,25 @@ to use this    documentation directly.</p>
    <ul>
                    <li><a href="configuration_file_basics.htm#Comments">Comments
-in configuration files</a></li>
+ in configuration files</a></li>
                    <li><a
 href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
                    <li><a href="configuration_file_basics.htm#Ports">Port
-Numbers/Service Names</a></li>
+ Numbers/Service Names</a></li>
                    <li><a href="configuration_file_basics.htm#Ranges">Port
-Ranges</a></li>
+ Ranges</a></li>
-                  <li><a href="configuration_file_basics.htm#Variables">Using
+                    <li><a
-Shell Variables</a></li>
+ href="configuration_file_basics.htm#Variables">Using  Shell Variables</a></li>
                    <li><a href="configuration_file_basics.htm#dnsnames">Using
-DNS Names</a><br>
+ DNS Names</a><br>
               </li>
-                  <li><a href="configuration_file_basics.htm#Compliment">Complementing
+                    <li><a
-an IP address or Subnet</a></li>
+ href="configuration_file_basics.htm#Compliment">Complementing an IP address 
 or Subnet</a></li>
                    <li><a href="configuration_file_basics.htm#Configs">Shorewall
-Configurations (making a test configuration)</a></li>
+ Configurations (making a test configuration)</a></li>
-                  <li><a href="configuration_file_basics.htm#MAC">Using MAC
+                    <li><a href="configuration_file_basics.htm#MAC">Using 
-Addresses in Shorewall</a></li>
+MAC Addresses in Shorewall</a></li>
    </ul>
@ -214,7 +222,8 @@ Addresses in Shorewall</a></li>
 href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
 (How to extend Shorewall without modifying Shorewall  code)</li>
                  <li><a href="fallback.htm">Fallback/Uninstall</a></li>
-                <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
+                  <li><a href="shorewall_firewall_structure.htm">Firewall 
 Structure</a></li>
                  <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
     <li><a href="shorewall_logging.html">Logging</a><br>
     </li>
@ -245,7 +254,10 @@ Addresses in Shorewall</a></li>
  </ul>
                  <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
-                <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
+  <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
 Shorewall</a><br>
  </li>
                  <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
                  <li>VPN                                               
    <ul>
@ -259,16 +271,19 @@ Addresses in Shorewall</a></li>
    </ul>
                  </li>
                  <li><a href="whitelisting_under_shorewall.htm">White List 
-Creation</a></li>
+ Creation</a></li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 12/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
-<p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
+<p><a href="copyright.htm"><font size="2">Copyright  2002, 2003 Thomas M.
-</p>
+Eastep</font></a><br>
  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -58,12 +58,12 @@
 more  about Shorewall than is contained in the  <a
 href="shorewall_quickstart_guide.htm">single-address  guides</a>. Because
  the  range of possible applications is so broad, the Guide will give you
-general  guidelines and will point you to other resources as necessary.</p>
+ general  guidelines and will point you to other resources as necessary.</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-       If you run LEAF Bering, your Shorewall configuration is NOT what I 
+         If you run LEAF Bering, your Shorewall configuration is NOT what 
-release -- I  suggest that you consider installing a stock Shorewall lrp from
+I  release -- I  suggest that you consider installing a stock Shorewall lrp 
-the  shorewall.net site before you proceed.</p>
+from the  shorewall.net site before you proceed.</p>
 <p>This guide assumes that you have the iproute/iproute2 package installed
  (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
@ -81,16 +81,16 @@ for this  program:</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
         If you edit your configuration files on a Windows system, you must 
-save them as  Unix files if your editor supports that option or you must run
+ save them as  Unix files if your editor supports that option or you must 
-them through  dos2unix before trying to use them with Shorewall. Similarly, 
+run them through  dos2unix before trying to use them with Shorewall. Similarly, 
-if you copy a configuration file  from your Windows hard drive to a floppy 
+ if you copy a configuration file  from your Windows hard drive to a floppy 
-disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+ disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
  of    dos2unix</a></li>
       <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
-Version  of    dos2unix</a></li>
+ Version  of    dos2unix</a></li>
 </ul>
@ -142,8 +142,8 @@ in this guide. Skeleton files are created during the <a
 <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
  to  zone names. Zones are entirely what YOU make of them. That means that
- you should  not expect Shorewall to do something special "because this is
+  you should  not expect Shorewall to do something special "because this
- the internet zone"  or "because that is the DMZ".</p>
+is   the internet zone"  or "because that is the DMZ".</p>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
        Edit the  /etc/shorewall/zones file and make any changes necessary.</p>
@ -152,8 +152,8 @@ in this guide. Skeleton files are created during the <a
  in  terms of zones.</p>
 <ul>
-     <li>You express your default policy for connections from one zone to 
+       <li>You express your default policy for connections from one zone
-another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
+to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy 
     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
 href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -166,7 +166,7 @@ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
  tracking function</a> that allows what is often referred to   as <i>stateful
  inspection</i> of packets. This stateful property allows   firewall rules
  to be defined in terms of <i>connections</i> rather than   in terms of
-packets.  With Shorewall, you:</p>
+ packets.  With Shorewall, you:</p>
 <ol>
             <li>  Identify the source zone.</li>
@ -174,9 +174,9 @@ packets.  With Shorewall, you:</p>
             <li>  If the POLICY from the client's zone to the server's zone
  is what you       want for this client/server pair, you need do nothing
 further.</li>
-           <li>  If the POLICY is not what you want, then you must add a
+             <li>  If the POLICY is not what you want, then you must add
-rule.  That rule       is expressed in terms of the client's zone and the
+a  rule.  That rule       is expressed in terms of the client's zone and
-server's  zone.</li>
+the  server's  zone.</li>
 </ol>
@ -238,18 +238,18 @@ the  request  is first checked against the rules in /etc/shorewall/common.def.</
 <ol>
       <li>allow all connection requests from your local network to the internet</li>
       <li>drop (ignore) all connection requests from the internet to your
-firewall     or local network and log a message at the <i>info</i> level
+ firewall     or local network and log a message at the <i>info</i> level
-(<a href="shorewall_logging.html">here</a> is a description
+(<a href="shorewall_logging.html">here</a> is a description of log levels).</li>
-of log levels).</li>
+       <li>reject all other connection requests and log a message at the
-     <li>reject all other connection requests and log a message at the <i>info</i>
+    <i>info</i>      level. When a request is rejected, the firewall will
-    level. When a request is rejected, the firewall will return an RST (if
+return an RST (if   the    protocol is TCP) or an ICMP port-unreachable packet
- the    protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li>
+for other protocols.</li>
 </ol>
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
        At this point, edit your /etc/shorewall/policy and make any changes 
-that you  wish.</p>
+ that you  wish.</p>
 <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -261,11 +261,11 @@ that you  wish.</p>
 <ul>
       <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
-to  isolate your  internet-accessible servers from your local systems so
+ to  isolate your  internet-accessible servers from your local systems so
 that  if one of those  servers is compromised, you still have the firewall
 between  the compromised  system and your local systems. </li>
-     <li>The Local Zone consists of systems Local 1, Local 2 and Local 3. 
+       <li>The Local Zone consists of systems Local 1, Local 2 and Local
-  </li>
+3.    </li>
       <li>All systems from the ISP outward comprise the Internet Zone. </li>
 </ul>
@ -275,8 +275,8 @@ between  the compromised  system and your local systems. </li>
    </p>
 <p align="left">The simplest way to define zones is to simply associate the
- zone  name (previously defined in /etc/shorewall/zones) with a network interface.
+  zone  name (previously defined in /etc/shorewall/zones) with a network
- This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+interface.   This  is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
   file.</p>
 <p align="left">The firewall illustrated above has three network interfaces.
@ -284,33 +284,33 @@ between  the compromised  system and your local systems. </li>
   Interface</i> will be the Ethernet adapter that is connected to that "Modem"
   (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
  <u>P</u>rotocol  over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
- <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
+  <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
- will be a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular
+Interface   will be a ppp  interface (e.g., <b>ppp0</b>). If you connect
- modem, your External  Interface will also be <b>ppp0</b>. If you connect
+via a regular   modem, your External  Interface will also be <b>ppp0</b>.
-using ISDN, you external  interface will be <b>ippp0.</b></p>
+If you connect  using ISDN, you external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
        If  your external interface is <b>ppp0</b> or <b>ippp0 </b>then you 
-will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+ will want to set  CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
   eth1 or eth2) and will be connected to a hub or switch. Your local computers
-  will be connected to the same switch (note: If you have only a single local
+   will be connected to the same switch (note: If you have only a single
- system,  you can connect the firewall directly to the computer using a <i>cross-over
+local   system,  you can connect the firewall directly to the computer using
- </i> cable).</p>
+a <i>cross-over   </i> cable).</p>
 <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
  (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ
-computers will  be connected to the same switch (note: If you have only a
+ computers will  be connected to the same switch (note: If you have only
-single DMZ system,  you can connect the firewall directly to the computer
+a  single DMZ system,  you can connect the firewall directly to the computer
-using a <i>cross-over </i> cable).</p>
+ using a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
    </b></u>Do not connect more than one interface  to the same hub or switch
  (even for testing). It won't work the way that you  expect it to and you
-will end up confused and believing that Linux networking doesn't work at
+ will end up confused and believing that Linux networking doesn't work at
 all.</p>
 <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -370,7 +370,8 @@ all.</p>
         Edit the /etc/shorewall/interfaces file and define the network interfaces
  on  your firewall and associate each interface with a zone. If you have
 a  zone that  is interfaced through more than one interface, simply include
-one entry for each  interface and repeat the zone name as many times as necessary.</p>
+ one entry for each  interface and repeat the zone name as many times as
 necessary.</p>
 <p align="left">Example:</p>
@ -446,10 +447,10 @@ one entry for each  interface and repeat the zone name as many times as necessar
 <h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
 <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
- IP addresses. You will configure your firewall's external interface to use
+  IP addresses. You will configure your firewall's external interface to
-  one of those addresses permanently and you will then have to decide how
+use    one of those addresses permanently and you will then have to decide
-you are  going to use the rest of your addresses. Before we tackle that question
+how  you are  going to use the rest of your addresses. Before we tackle that
- though, some  background is in order.</p>
+question   though, some  background is in order.</p>
 <p align="left">If you are thoroughly familiar with IP addressing and routing,
   you may <a href="#Options">go to the next section</a>.</p>
@ -481,8 +482,8 @@ value  "w", the next  byte has value "x", etc. If we take the address 192.0.2.14
 <p align="left">You will still hear the terms "Class A network", "Class B
   network" and "Class C network". In the early days of IP,  networks only
-came  in three sizes (there were also Class D networks but they were used
+ came  in three sizes (there were also Class D networks but they were used
-differently):</p>
+ differently):</p>
 <blockquote>               
  <p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
@ -495,10 +496,10 @@ differently):</p>
 <p align="left">The class of a network was uniquely determined by the value
  of the high  order byte of its address so you could look at an IP address
  and immediately  determine the associated <i>netmask</i>. The netmask is
-a number that when  logically ANDed with an address isolates the <i>network
+ a number that when  logically ANDed with an address isolates the <i>network
  number</i>; the  remainder of the address is the <i>host number</i>. For
-example, in the Class C  address 192.0.2.14, the network number is hex C00002
+ example, in the Class C  address 192.0.2.14, the network number is hex C00002
-and the host number is hex  0E.</p>
+ and the host number is hex  0E.</p>
 <p align="left">As the internet grew, it became clear that such a gross  partitioning
 of the 32-bit address space was going to be very limiting (early  on, large
@ -533,15 +534,15 @@ to as
 <p align="left">As you can see by this definition, in each subnet of size
  <b>n</b>    there are (<b>n</b> - 2) usable addresses (addresses that can
- be assigned to    hosts). The first and last address in the subnet are used
+  be assigned to    hosts). The first and last address in the subnet are
- for the subnet    address and subnet broadcast address respectively. Consequently,
+used   for the subnet    address and subnet broadcast address respectively.
- small    subnetworks are more wasteful of IP addresses than are large ones.
+Consequently,   small    subnetworks are more wasteful of IP addresses than
- </p>
+are large ones.   </p>
 <p align="left">Since <b>n</b> is a power of two, we can easily calculate
- the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more common
+  the   <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more
- subnet sizes, the size and its natural logarithm are given in the    following
+common   subnet sizes, the size and its natural logarithm are given in the
- table:</p>
+   following   table:</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -630,7 +631,7 @@ to as
 <p align="left">You will notice that the above table also contains a column
     for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
  Mask</i> for a network of size <b>n</b>.    From the above table, we can
-derive the following one which is a little easier to use.</p>
+ derive the following one which is a little easier to use.</p>
 <blockquote>               
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -738,12 +739,13 @@ subnet mask  has 26 leading one bits:</p>
 <p align="left">The subnet mask has the property that if you logically AND
  the    subnet mask with an address in the subnet, the result is the subnet
  address.    Just as important, if you logically AND the subnet mask with
-an address    outside the subnet, the result is NOT the subnet address. As
+ an address    outside the subnet, the result is NOT the subnet address.
-we will see    below, this property of subnet masks is very useful in routing.</p>
+As  we will see    below, this property of subnet masks is very useful in
 routing.</p>
 <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
     Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as
-"<b>a.b.c.d/v</b>"    using <i>CIDR</i> <i>Notation</i>.  </p>
+ "<b>a.b.c.d/v</b>"    using <i>CIDR</i> <i>Notation</i>.  </p>
 <p align="left">Example:</p>
@ -835,9 +837,9 @@ to VLSM <b>/v</b>.</p>
  the  Dallas, Texas area.<br>
     <br>
     The first three routes are <i>host routes</i> since they indicate how
-to  get to  a single host. In the 'netstat' output this can be seen by the
+ to  get to  a single host. In the 'netstat' output this can be seen by the
-"Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column.
+ "Genmask"  (Subnet  Mask) of 255.255.255.255 and the "H" in the Flags column.
-The remainder  are 'net' routes since they tell the  kernel how to route
+ The remainder  are 'net' routes since they tell the  kernel how to route
 packets to a subnetwork.  The last route is the <i>default  route</i> and
 the gateway mentioned in that route is called the <i>default  gateway</i>.</p>
@ -883,8 +885,8 @@ router at your  ISP.</p>
 <p align="left">Lets take an example. Suppose that we want to route a packet
  to  192.168.1.5. That address clearly doesn't match any of the host routes
- in the  table but if we logically and that address with 255.255.255.0, the
+  in the  table but if we logically and that address with 255.255.255.0,
- result is  192.168.1.0 which matches this routing table entry:</p>
+the   result is  192.168.1.0 which matches this routing table entry:</p>
 <div align="left">       
 <blockquote>                 
@ -956,11 +958,11 @@ with IP  address  192.168.1.19 is 0:6:25:aa:8a:f0.</p>
     </blockquote>
 <p align="left">The leading question marks are a result of my having specified
-  the 'n' option (Windows 'arp' doesn't allow that option) which causes the
+   the 'n' option (Windows 'arp' doesn't allow that option) which causes
- 'arp'  program to forego IP-&gt;DNS name translation. Had I not given that
+the   'arp'  program to forego IP-&gt;DNS name translation. Had I not given
- option, the  question marks would have been replaced with the FQDN corresponding
+that   option, the  question marks would have been replaced with the FQDN
- to each IP  address. Notice that the last entry in the table records the
+corresponding   to each IP  address. Notice that the last entry in the table
-information we saw  using tcpdump above.</p>
+records the  information we saw  using tcpdump above.</p>
 <h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
@ -971,7 +973,7 @@ information we saw  using tcpdump above.</p>
 sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American
   Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn delegate
  to  national registries. Most of us don't deal with these registrars but
-rather get  our IP addresses from our ISP.</p>
+ rather get  our IP addresses from our ISP.</p>
 <p align="left">It's a fact of life that most of us can't afford as many
 Public  IP addresses as we have devices to assign them to so we end up making
@ -985,9 +987,9 @@ ranges for this  purpose:</p>
 <div align="left">       
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
  to    as <i>non-routable</i> because the Internet backbone routers don't
-forward    packets which have an RFC-1918 destination address. This is understandable
+ forward    packets which have an RFC-1918 destination address. This is understandable
     given that anyone can select any of these addresses for their private
-use.</p>
+ use.</p>
    </div>
 <div align="left">       
@ -1005,7 +1007,7 @@ more      organizations (including ISPs) are beginning to use RFC 1918 addresses
      <li>                    
    <p align="left">You don't want to use addresses that are being used by
       your ISP or by another organization with whom you want to establish
-a VPN      relationship.    </p>
+ a VPN      relationship.    </p>
      </li>
 </ul>
@ -1033,9 +1035,9 @@ your  ISP will    handle that set of addresses in one of two ways:</p>
         <li>                       
    <p align="left"><b>Routed - </b>Traffic to any of your addresses will
  be    routed through a single <i>gateway address</i>. This will generally
- only be    done if your ISP has assigned you a complete subnet (/29 or larger).
+  only be    done if your ISP has assigned you a complete subnet (/29 or
- In this    case, you will assign the gateway address as the IP address of
+larger).   In this    case, you will assign the gateway address as the IP
- your    firewall/router's external interface.     </p>
+address of   your    firewall/router's external interface.     </p>
      </li>
      <li>                       
    <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
@ -1048,18 +1050,22 @@ your  ISP will    handle that set of addresses in one of two ways:</p>
 <div align="left">       
 <p align="left">In the subsections that follow, we'll look at each of these
     separately.<br>
-</p>
+  </p>
 <p align="left">Before we begin, there is one thing for you to check:</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
       If you are using the Debian package, please check your shorewall.conf 
-file to ensure that the following are set correctly; if they are not, change 
+ file to ensure that the following are set correctly; if they are not, change 
-them appropriately:<br>
+ them appropriately:<br>
    </p>
 <ul>
    <li>NAT_ENABLED=Yes</li>
    <li>IP_FORWARDING=On<br>
     </li>
 </ul>
    </div>
@ -1092,12 +1098,12 @@ the local    network would be 192.0.2.73.</p>
 <div align="left">       
 <p align="left">Notice that this arrangement is rather wasteful of public
- IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses,
+  IP    addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
-    192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66
+addresses,      192.0.2.71 and 192.0.2.79 for subnet broadcast addresses
- and    168.0.2.73 for internal addresses on the firewall/router. Nevertheless,
+and 192.0.2.66   and    168.0.2.73 for internal addresses on the firewall/router.
- it    shows how subnetting can work and if we were dealing with a /24 rather
+Nevertheless,   it    shows how subnetting can work and if we were dealing
- than a    /28 network, the use of 6 IP addresses out of 256 would be justified
+with a /24 rather   than a    /28 network, the use of 6 IP addresses out
- because    of the simplicity of the setup.</p>
+of 256 would be justified   because    of the simplicity of the setup.</p>
    </div>
 <div align="left">       
@ -1116,10 +1122,10 @@ routing  table on    DMZ 1 will look like this:</p>
 <div align="left">       
 <p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
     request and no device on the DMZ Ethernet segment has that IP address.
- Oddly    enough, the firewall will respond to the request with the MAC address
+  Oddly    enough, the firewall will respond to the request with the MAC
- of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames addressed
+address   of its   <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames
- to that    MAC address and the frames will be received (correctly) by the
+addressed   to that    MAC address and the frames will be received (correctly)
- firewall/router.</p>
+by the   firewall/router.</p>
    </div>
 <div align="left">       
@ -1128,8 +1134,8 @@ the    Linux Kernel that prompts the warning earlier in this guide regarding
 the    connecting of multiple firewall/router interfaces to the same hub
 or switch.    When an ARP request for one of the firewall/router's IP addresses
 is sent by    another system connected to the hub/switch, all    of the firewall's
- interfaces that connect to the hub/switch can respond! It    is then a race
+  interfaces that connect to the hub/switch can respond! It    is then a
- as to which "here-is" response reaches the sender first.</p>
+race   as to which "here-is" response reaches the sender first.</p>
    </div>
 <div align="left">       
@ -1152,7 +1158,7 @@ IP    addresses to set up our networks as shown in the preceding example
 <div align="left">       
 <p align="left"><b>For the remainder of this section, assume that  your ISP
  has    assigned you IP addresses 192.0.2.176-180 and has told you to use
-netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
+ netmask    255.255.255.0 and default gateway 192.0.2.254.</b></p>
    </div>
 <div align="left">       
@ -1196,17 +1202,17 @@ these    will be discussed in the sections that follow.</p>
 <p align="left">With SNAT, an internal LAN segment is configured using RFC
  1918    addresses. When a host <b>A </b>on this internal segment initiates
  a    connection to host <b>B</b> on the internet, the firewall/router rewrites
- the    IP header in the request to use one of your public IP addresses as
+  the    IP header in the request to use one of your public IP addresses
- the source    address. When <b>B</b> responds and the response is received
+as   the source    address. When <b>B</b> responds and the response is received
  by the firewall,    the firewall changes the destination address back to
-the RFC 1918 address of   <b>A</b> and forwards the response back to <b>A.</b></p>
+ the RFC 1918 address of   <b>A</b> and forwards the response back to <b>A.</b></p>
    </div>
 <div align="left">       
 <p align="left">Let's suppose that you decide to use SNAT on your local zone
-    and use public address 192.0.2.176 as both your firewall's external IP
+     and use public address 192.0.2.176 as both your firewall's external
- address    and the source IP address of internet requests sent from that
+IP   address    and the source IP address of internet requests sent from
-zone.</p>
+that  zone.</p>
    </div>
 <div align="left">       
@ -1223,7 +1229,7 @@ zone.</p>
 <div align="left">   <img border="0" src="images/BD21298_2.gif"
 width="13" height="13">
        The systems in    the local zone would be configured with a default 
-gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
+ gateway of 192.168.201.1    (the IP address of the firewall's local interface).</div>
 <div align="left">    </div>
@ -1255,11 +1261,11 @@ gateway of 192.168.201.1    (the IP address of the firewall's local interface).<
 <div align="left">       
 <p align="left">This example used the normal technique of assigning the same
-    public IP address for the firewall external interface and for SNAT. If
+     public IP address for the firewall external interface and for SNAT.
- you    wanted to use a different IP address, you would either have to use
+If   you    wanted to use a different IP address, you would either have to
- your    distributions network configuration tools to add that IP address
+use   your    distributions network configuration tools to add that IP address
-to the    external interface or you could set ADD_SNAT_ALIASES=Yes in   
+ to the    external interface or you could set ADD_SNAT_ALIASES=Yes in  
-/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
+ /etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
    </div>
 <div align="left">       
@ -1268,9 +1274,9 @@ to the    external interface or you could set ADD_SNAT_ALIASES=Yes in
 <div align="left">       
 <p align="left">When SNAT is used, it is impossible for hosts on the internet
-    to initiate a connection to one of the internal systems since those systems
+     to initiate a connection to one of the internal systems since those
- do    not have a public IP address. DNAT provides a way to allow selected
+systems   do    not have a public IP address. DNAT provides a way to allow
-    connections from the internet.</p>
+selected      connections from the internet.</p>
    </div>
 <div align="left">       
@ -1368,8 +1374,8 @@ will respond    (with the MAC if the firewall interface to <b>H</b>).   </p>
 <div align="left">   Here, we've assigned the IP addresses 192.0.2.177 to
  system DMZ 1 and    192.0.2.178 to DMZ 2. Notice that we've just assigned
  an arbitrary RFC 1918 IP    address and subnet mask to the DMZ interface
-on the firewall. That address and    netmask isn't relevant - just be sure
+ on the firewall. That address and    netmask isn't relevant - just be sure
-it doesn't overlap another subnet that    you've defined.</div>
+ it doesn't overlap another subnet that    you've defined.</div>
 <div align="left">    </div>
@ -1409,32 +1415,74 @@ it doesn't overlap another subnet that    you've defined.</div>
 <div align="left">       
 <p align="left">Because the HAVE ROUTE column contains No, Shorewall will
- add    host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</p>
+  add    host routes thru eth2 to 192.0.2.177 and 192.0.2.178.<br>
 </p>
 <p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
 to have the IP addresses shown but should have the same default gateway as
 the firewall itself -- namely 192.0.2.254.<br>
 </p>
    </div>
 <div align="left">       
 <p align="left"></p>
 </div>
 <div align="left"> 
 <div align="left">    
 <p align="left">A word of warning is in order here. ISPs typically configure 
   their routers with a long ARP cache timeout. If you move a system from 
-    parallel to your firewall to behind your firewall with Proxy ARP, it
+   parallel to your firewall to behind your firewall with Proxy ARP, it will 
-will     probably be HOURS before that system can communicate with the internet.
+   probably be HOURS before that system can communicate with the internet. 
- You    can call your ISP and ask them to purge the stale ARP cache entry
+There are a couple of things that you can try:<br>
-but many    either can't or won't purge individual entries. You can determine
+  </p>
- if your    ISP's gateway ARP cache is stale using ping and tcpdump. Suppose
+   
- that we    suspect that the gateway router has a stale ARP cache entry for
+<ol>
- 192.0.2.177.    On the firewall, run tcpdump as follows:</p>
+   <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, 
 Vol 1</i> reveals that a <br>
     <br>
 "gratuitous" ARP packet should cause the ISP's router to refresh their ARP 
 cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC 
 address for its own IP; in addition to ensuring that the IP address isn't 
 a duplicate,...<br>
      <br>
  "if the host sending the gratuitous ARP has just changed its hardware address...,
 this packet causes any other host...that has an entry in its cache for the
 old hardware address to update its ARP cache entry accordingly."<br>
      <br>
  Which is, of course, exactly what you want to do when you switch a host 
 from being exposed to the Internet to behind Shorewall using proxy ARP  (or 
 static NAT for that matter). Happily enough, recent versions of Redhat's iputils
 package include "arping", whose "-U" flag does just that:<br>
      <br>
      <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly proxied 
 IP&gt;</b></font><br>
      <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
      <br>
  Stevens goes on to mention that not all systems respond correctly to gratuitous
 ARPs, but googling for "arping -U" seems to support the idea that it works
 most of the time.<br>
      <br>
    </li>
   <li>You    can call your ISP and ask them to purge the stale ARP cache 
 entry but many    either can't or won't purge individual entries.</li>
 </ol>
  You can determine if your    ISP's gateway ARP cache is stale using ping 
 and tcpdump. Suppose that we    suspect that the gateway router has a stale 
 ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
 <div align="left">    
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
  </div>
 <div align="left">    
-<pre>	tcpdump -nei eth0 icmp</pre>
+<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we 
 will    assume is 130.252.100.254):</p>
 </div>
 <div align="left">    
-<p align="left">Now from 192.0.2.177, ping the default gateway (which we
+<pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
 are    assuming is 192.0.2.254):</p>
  </div>
 <div align="left">     
 <pre>	ping 192.0.2.254</pre>
         </div>
 <div align="left">       
@ -1450,8 +1498,8 @@ are    assuming is 192.0.2.254):</p>
     different from the destination MAC address in the echo reply!! In this
  case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
     was the MAC address of DMZ 1. In other words, the gateway's ARP cache
-still    associates 192.0.2.177 with the NIC in DMZ 1 rather than with the
+ still    associates 192.0.2.177 with the NIC in DMZ 1 rather than with the
-firewall's    eth0.</p>
+ firewall's    eth0.</p>
    </div>
 <div align="left">       
@ -1503,8 +1551,9 @@ firewall's    eth0.</p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
           Suppose now that you have decided to give your daughter her own
-IP  address    (192.0.2.179) for both inbound and outbound connections. You
+ IP  address    (192.0.2.179) for both inbound and outbound connections.
-would  do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
+You  would  do that by    adding an entry in <a
 href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
    </div>
 <div align="left">       
@ -1540,10 +1589,10 @@ would  do that by    adding an entry in <a href="Documentation.htm#NAT">/etc/sho
 <div align="left">       
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-         Once the relationship between 192.0.2.179 and 192.168.201.4 is established
+           Once the relationship between 192.0.2.179 and 192.168.201.4 is 
- by    the nat file entry above, it is no longer    appropriate to use a
+established  by    the nat file entry above, it is no longer    appropriate 
-DNAT  rule for you daughter's web server -- you would    rather just use
+to use a DNAT  rule for you daughter's web server -- you would    rather just
-an ACCEPT  rule:</p>
+use an ACCEPT  rule:</p>
    </div>
 <div align="left">       
@ -1582,12 +1631,13 @@ an ACCEPT  rule:</p>
 <div align="left">       
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
-         With the default policies, your local systems (Local 1-3) can access
+           With the default policies, your local systems (Local 1-3) can
- any    servers on the internet and the DMZ can't access any other host (including
+access   any    servers on the internet and the DMZ can't access any other
- the    firewall). With the exception of <a href="#DNAT">DNAT rules</a> which
+host (including   the    firewall). With the exception of <a
- cause    address translation and allow the translated connection request
+ href="#DNAT">DNAT rules</a> which   cause    address translation and allow
-to pass    through the firewall, the way to allow connection requests through
+the translated connection request  to pass    through the firewall, the way
- your    firewall is to use ACCEPT rules.</p>
+to allow connection requests through   your    firewall is to use ACCEPT
 rules.</p>
    </div>
 <div align="left">       
@ -1887,8 +1937,9 @@ I prefer    to use NAT only in cases where a system that is part of an RFC
           If you haven't already, it would be a good idea to browse through 
   <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just
  to see    if there is anything there that might be of interest. You might
- also want to    look at the other configuration files that you haven't touched
+  also want to    look at the other configuration files that you haven't
- yet just to get    a feel for the other things that Shorewall can do.</p>
+touched   yet just to get    a feel for the other things that Shorewall can
 do.</p>
    </div>
 <div align="left">       
@ -1939,10 +1990,10 @@ site-specific).</p>
 <div align="left">       
 <p align="left">The setup described here requires that your network interfaces
-    be brought up before Shorewall can start. This opens a short window during
+     be brought up before Shorewall can start. This opens a short window
-    which you have no firewall protection. If you replace 'detect' with the
+during      which you have no firewall protection. If you replace 'detect'
- actual    broadcast addresses in the entries above, you can bring up Shorewall
+with the   actual    broadcast addresses in the entries above, you can bring
- before    you bring up your network interfaces.</p>
+up Shorewall   before    you bring up your network interfaces.</p>
    </div>
 <div align="left">       
@ -2289,11 +2340,11 @@ DNS servers.    You can  combine the two into a single BIND 9 server using
 <div align="left">       
 <p align="left">Suppose that your domain is foobar.net and you want the two
     DMZ systems named www.foobar.net and mail.foobar.net and you want the
-three    local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
+ three    local systems named "winken.foobar.net, blinken.foobar.net and
-    You want your firewall to be known as firewall.foobar.net externally
+nod.foobar.net.      You want your firewall to be known as firewall.foobar.net
-and  it's    interface to the local network to be know as gateway.foobar.net
+externally and  it's    interface to the local network to be know as gateway.foobar.net
 and  its    interface to the dmz as dmz.foobar.net. Let's have the DNS server
-on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
+ on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
    </div>
 <div align="left">       
@ -2307,7 +2358,7 @@ on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
         </div>
  <div align="left">                   
-  <pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br>	#<br>	# These are the clients that see this view<br>	#<br>	match-clients { 192.168.201.0/29;<br>			192.168.202.0/29;<br>			127.0.0/24;<br>			192.0.2.176/32; <br>			192.0.2.178/32;<br>			192.0.2.179/32;<br>			192.0.2.180/32; };<br>	#<br>	# If this server can't complete the request, it should use outside<br>	# servers to do so<br>	#<br>	recursion yes;<br><br>	zone "." in {<br>		type hint;<br>		file "int/root.cache";<br>	};<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.foobar";<br>	};<br><br>	zone "0.0.127.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.127.0.0";	<br>	};<br><br>	zone "201.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.201";<br>	};<br><br>	zone "202.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.202";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.176";<br>	};<br><br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.206.124.146.179";<br>	};<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br>	match-clients { any; };<br>	#<br>	# If we can't answer the query, we tell the client so<br>	#<br>	recursion no;<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify yes;<br>		allow-update {none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "ext/db.foobar";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br> 		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.176";<br>	};<br><br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.179";<br>	};<br>};</pre>
+  <pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br>	#<br>	# These are the clients that see this view<br>	#<br>	match-clients { 192.168.201.0/29;<br>			192.168.202.0/29;<br>			127.0.0/24;<br>			192.0.2.176/32; <br>			192.0.2.178/32;<br>			192.0.2.179/32;<br>			192.0.2.180/32; };<br>	#<br>	# If this server can't complete the request, it should use outside<br>	# servers to do so<br>	#<br>	recursion yes;<br><br>	zone "." in {<br>		type hint;<br>		file "int/root.cache";<br>	};<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.foobar";<br>	};<br><br>	zone "0.0.127.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.127.0.0";	<br>	};<br><br>	zone "201.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.201";<br>	};<br><br>	zone "202.168.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "int/db.192.168.202";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.176";<br>	};<br> (or status NAT for that matter)<br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify no;<br>		allow-update { none; };<br>		file "db.206.124.146.179";<br>	};<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br>	match-clients { any; };<br>	#<br>	# If we can't answer the query, we tell the client so<br>	#<br>	recursion no;<br><br>	zone "foobar.net" in {<br>		type master;<br>		notify yes;<br>		allow-update {none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "ext/db.foobar";<br>	};<br><br>	zone "176.2.0.192.in-addr.arpa" in {<br> 		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.176";<br>	};<br><br>	zone "177.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.177";<br>	};<br><br>	zone "178.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.178";<br>	};<br><br>	zone "179.2.0.192.in-addr.arpa" in {<br>		type master;<br>		notify yes;<br>		allow-update { none; };<br>		allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br>		file "db.192.0.2.179";<br>	};<br>};</pre>
         </div>
       </blockquote>
     </div>
@ -2430,26 +2481,28 @@ on    192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
 <div align="left">       
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
 height="13">
-         Edit the /etc/shorewall/routestopped file and configure those systems
+           Edit the /etc/shorewall/routestopped file and configure those
- that you    want to be able to access the firewall when it is stopped.</p>
+systems   that you    want to be able to access the firewall when it is stopped.</p>
    </div>
 <div align="left">       
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
  the    internet, do not issue a "shorewall stop" command unless you have
-added an    entry for the IP address that you are connected from to   <a
+ added an    entry for the IP address that you are connected from to   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.  
 Also, I don't recommend using "shorewall restart"; it is better to create
  an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
  and    test it using the <a href="Documentation.htm#Starting">"shorewall
-try" command</a>.</p>
+ try" command</a>.</p>
    </div>
-<p align="left"><font size="2">Last updated 12/13/2002 - <a
+<p align="left"><font size="2">Last updated 1/13/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
- M. Eastep</font></a></p>
+Thomas  M. Eastep</font></a></p>
          <br>
    <br>
   <br>
  <br>
 <br>
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -13,7 +13,8 @@
-                                      <base target="_self">
+                                                                  <base
 target="_self">
 </head>
  <body>
@ -41,9 +42,10 @@
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
-                </a></i></font><font color="#ffffff">Shorewall      1.3 
+                       </a></i></font><font color="#ffffff">Shorewall   
- -               <font size="4">"<i>iptables                   made easy"</i></font></font><a
+  1.3     -               <font size="4">"<i>iptables                   made
- href="http://www.sf.net">            </a></h1>
+ easy"</i></font></font><a href="http://www.sf.net">            </a></h1>
@ -85,6 +87,7 @@
      <h2 align="left">What is it?</h2>
@ -96,9 +99,9 @@
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
-      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
-       that can be used on a dedicated firewall system, a multi-function 
+firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
@ -112,22 +115,22 @@
      <p>This program is free software; you can redistribute it and/or modify
                                          it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
-Public License</a> as published by the Free Software        Foundation.<br>
+General Public License</a> as published by the Free Software        Foundation.<br>
                           <br>
-               This   program     is  distributed       in  the   hope  
+                      This   program     is  distributed       in  the  
-that     it   will     be  useful,    but         WITHOUT  ANY    WARRANTY;
+hope     that     it   will     be  useful,    but         WITHOUT  ANY 
-  without      even the   implied    warranty      of MERCHANTABILITY   
+  WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY 
            or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the 
-GNU General     Public  License           for  more details.<br>
+ GNU General     Public  License           for  more details.<br>
                           <br>
-               You   should    have   received     a  copy   of  the   GNU
+                      You   should    have   received     a  copy   of  the 
-   General         Public      License             along  with   this program;
+   GNU     General         Public      License             along  with   this
-     if  not,    write  to  the    Free Software        Foundation,     
+  program;       if  not,    write  to  the    Free Software        Foundation,
             Inc.,  675     Mass  Ave,  Cambridge,  MA  02139,      USA</p>
@ -139,7 +142,8 @@ GNU General     Public  License           for  more details.<br>
-      <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
+      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -153,14 +157,14 @@ GNU General     Public  License           for  more details.<br>
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
-                </a>Jacques              Nilo   and   Eric   Wolzak    have 
+                       </a>Jacques              Nilo   and   Eric   Wolzak
-   a   LEAF  (router/firewall/gateway         on  a floppy,   CD  or compact 
+    have     a   LEAF  (router/firewall/gateway         on  a floppy,   CD 
-   flash)  distribution        called              <i>Bering</i>    that 
+  or compact     flash)  distribution        called              <i>Bering</i> 
-        features      Shorewall-1.3.10  and    Kernel-2.4.18.       You 
+     that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
-  can  find    their    work at:                <a
+     You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
-                        <b>Congratulations to Jacques and Eric on the recent
+                               <b>Congratulations to Jacques and Eric on
-  release     of  Bering  1.0 Final!!! <br>
+the   recent    release     of  Bering  1.0 Final!!! <br>
                               </b>                                     
@ -177,53 +181,133 @@ GNU General     Public  License           for  more details.<br>
-      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
+   
- border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+      <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
 src="images/new10.gif" width="28" height="12" alt="(New)">
                                                      </b><br>
 </p>
      <p>Just includes a few things that I had on the burner:<br>
 </p>
      <ol>
        <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules 
 file. DNAT- is intended for advanced users who wish to minimize the number 
 of rules that connection requests must traverse.<br>
     <br>
 A Shorewall DNAT rule actually generates two iptables rules: a header rewriting 
 rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- 
 rule only generates the first of these rules. This is handy when you have 
 several DNAT rules that would generate the same ACCEPT rule.<br>
     <br>
    Here are three rules from my previous rules file:<br>
     <br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
     <br>
    These three rules ended up generating _three_ copies of<br>
     <br>
          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
     <br>
    By writing the rules this way, I end up with only one copy of the ACCEPT
 rule.<br>
     <br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
     <br>
   </li>
        <li>The 'shorewall check' command now prints out the applicable policy
 between each pair of zones.<br>
     <br>
   </li>
        <li>A new CLEAR_TC option has been added to shorewall.conf. If this
 option is set to 'No' then Shorewall won't clear the current traffic control
 rules during [re]start. This setting is intended for use by people that prefer 
 to configure traffic shaping when the network interfaces come up rather than 
 when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes 
 and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, 
 your traffic shaping rules can still use the 'fwmark' classifier based on 
 packet marking defined in /etc/shorewall/tcrules.<br>
     <br>
   </li>
        <li>A new SHARED_DIR variable has been added that allows distribution
 packagers to easily move the shared directory (default /usr/lib/shorewall).
 Users should never have a need to change the value of this shorewall.conf
 setting.</li>
      </ol>
      <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> 
                                                    </b></p>
      <p><b>Until further notice, I will not be involved in either Shorewall 
  Development or Shorewall Support</b></p>
      <p><b>-Tom Eastep</b><br>
      </p>
      <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>   
                                                 </b></p>
      <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
   documenation.        the PDF may be downloaded from</p>
      <p>    <a
 href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
 target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
                        <a
 href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
                    </p>
      <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>                
                                </b></p>
      <p>     Features include:<br>
                  </p>
      <ol>
-         <li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
+                <li>"shorewall refresh" now reloads the traffic shaping rules 
-   and tcstart).</li>
+  (tcrules     and tcstart).</li>
-         <li>"shorewall debug [re]start" now turns off debugging after an 
+                <li>"shorewall debug [re]start" now turns off debugging after 
-error   occurs. This places the point of the failure near the end of the trace
+  an  error   occurs. This places the point of the failure near the end of 
-rather   than up in the middle of it.</li>
+ the trace rather   than up in the middle of it.</li>
-         <li>"shorewall [re]start" has been speeded up by more than 40% with 
+                <li>"shorewall [re]start" has been speeded up by more than
- my  configuration. Your milage may vary.</li>
+ 40%   with   my  configuration. Your milage may vary.</li>
-         <li>A "shorewall show classifiers" command has been added which
+                <li>A "shorewall show classifiers" command has been added 
-shows   the current packet classification filters. The output from this command 
+which    shows   the current packet classification filters. The output from 
-is  also added as a separate page in "shorewall monitor"</li>
+this  command  is  also added as a separate page in "shorewall monitor"</li>
-         <li>ULOG (must be all caps) is now accepted as a valid syslog level 
+                <li>ULOG (must be all caps) is now accepted as a valid syslog 
- and  causes the subject packets to be logged using the ULOG target rather 
+  level   and  causes the subject packets to be logged using the ULOG target 
- than  the LOG target. This allows you to run ulogd (available from <a
+  rather   than  the LOG target. This allows you to run ulogd (available from
- href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
+            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-   and log all Shorewall messages <a
+      and log all Shorewall messages <a href="shorewall_logging.html">to a
- href="shorewall_logging.html">to a separate log file</a>.</li>
+ separate log file</a>.</li>
-         <li>If you are running a kernel that has a FORWARD chain in the
+                <li>If you are running a kernel that has a FORWARD chain
-mangle    table ("shorewall show mangle" will show you the chains in the
+in  the   mangle    table ("shorewall show mangle" will show you the chains 
-mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
+in  the  mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This allows for  marking
     input packets based on their destination even when you are using  Masquerading
     or SNAT.</li>
-         <li>I have cluttered up the /etc/shorewall directory with empty
+                <li>I have cluttered up the /etc/shorewall directory with 
-'init',    'start', 'stop' and 'stopped' files. If you already have a file
+empty    'init',    'start', 'stop' and 'stopped' files. If you already have 
-with one   of these names, don't worry -- the upgrade process won't overwrite
+a file    with one   of these names, don't worry -- the upgrade process won't 
-your file.</li>
+overwrite    your file.</li>
                <li>I have added a new RFC1918_LOG_LEVEL variable to <a
 href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
-the syslog level at which packets are logged as a result of entries in the 
+    the syslog level at which packets are logged as a result of entries in
-/etc/shorewall/rfc1918 file. Previously, these packets were always logged 
+ the   /etc/shorewall/rfc1918 file. Previously, these packets were always
-at the 'info' level.</li>
+logged   at the 'info' level.</li>
      </ol>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
          </p>
-   This version corrects a problem with Blacklist logging. In Beta 2, if
+          This version corrects a problem with Blacklist logging. In Beta 
-BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would fail
+2,  if  BLACKLIST_LOG_LEVEL  was set to anything but ULOG, the firewall would
-to start and "shorewall  refresh" would also fail.<br>
+  fail  to start and "shorewall  refresh" would also fail.<br>
      <p>     You may download the Beta from:<br>
                                          </p>
@ -233,49 +317,54 @@ to start and "shorewall  refresh" would also fail.<br>
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>                  
                            </b></p>
             The first public Beta version of Shorewall 1.3.12 is now available 
-(Beta  1 was made available only to a limited audience). <br>
+   (Beta  1 was made available only to a limited audience). <br>
              <br>
              Features include:<br>
              <br>
      <ol>
-              <li>"shorewall refresh" now reloads the traffic shaping rules 
+                     <li>"shorewall refresh" now reloads the traffic shaping
- (tcrules  and tcstart).</li>
+  rules    (tcrules  and tcstart).</li>
-              <li>"shorewall debug [re]start" now turns off debugging after 
+                     <li>"shorewall debug [re]start" now turns off debugging
- an  error occurs. This places the point of the failure near the end of the 
+  after    an  error occurs. This places the point of the failure near the
- trace  rather than up in the middle of it.</li>
+ end of the   trace  rather than up in the middle of it.</li>
-              <li>"shorewall [re]start" has been speeded up by more than
+                     <li>"shorewall [re]start" has been speeded up by more
-40%   with  my configuration. Your milage may vary.</li>
+ than   40%   with  my configuration. Your milage may vary.</li>
-              <li>A "shorewall show classifiers" command has been added which 
+                     <li>A "shorewall show classifiers" command has been
-  shows the current packet classification filters. The output from this command 
+added    which    shows the current packet classification filters. The output
-  is also added as a separate page in "shorewall monitor"</li>
+from    this command    is also added as a separate page in "shorewall monitor"</li>
-              <li>ULOG (must be all caps) is now accepted as a valid syslog 
+                     <li>ULOG (must be all caps) is now accepted as a valid 
- level  and causes the subject packets to be logged using the ULOG target 
+ syslog    level  and causes the subject packets to be logged using the ULOG 
-rather than the LOG target. This allows you to run ulogd (available from 
+ target   rather than the LOG target. This allows you to run ulogd (available 
-         <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
+ from            <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
-   and log all Shorewall messages <a
+      and log all Shorewall messages <a href="shorewall_logging.html">to a
- href="shorewall_logging.html">to a separate log file</a>.</li>
+ separate log file</a>.</li>
-              <li>If you are running a kernel that has a FORWARD chain in 
+                     <li>If you are running a kernel that has a FORWARD chain 
-the   mangle table ("shorewall show mangle" will show you the chains in the 
+  in  the   mangle table ("shorewall show mangle" will show you the chains 
-mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. 
+ in the  mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
-This allows  for  marking input packets based on their destination even when 
+    This allows  for  marking input packets based on their destination even
-you are using  Masquerading or SNAT.</li>
+  when  you are using  Masquerading or SNAT.</li>
-              <li>I have cluttered up the /etc/shorewall directory with empty 
+                     <li>I have cluttered up the /etc/shorewall directory 
-  'init', 'start', 'stop' and 'stopped' files. If you already have a file 
+with   empty    'init', 'start', 'stop' and 'stopped' files. If you already 
-with  one of these names, don't worry -- the upgrade process won't overwrite 
+have   a file  with  one of these names, don't worry -- the upgrade process 
-your  file.</li>
+won't   overwrite  your  file.</li>
      </ol>
              You may download the Beta from:<br>
      <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
                <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
 target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
              </blockquote>
      <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
 href="http://www.mandrakesoft.com"><img src="images/logo2.png"
 alt="Powered by Mandrake Linux" width="150" height="23" border="0">
@ -287,30 +376,35 @@ your  file.</li>
 href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press 
       release</a>.<br>
      <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>       
                                    </b></p>
      <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
-     delivered. I have installed 9.0 on one of my systems and I am now in 
+         delivered. I have installed 9.0 on one of my systems and I am now
-a  position   to support Shorewall users who run Mandrake 9.0.</p>
+ in   a  position   to support Shorewall users who run Mandrake 9.0.</p>
      <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
                         </p>
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
      <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>                        
                   </b></p>
      <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
-      with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users 
+          with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
-   who   don't need rules of this type need not upgrade to 1.3.11.</p>
+ users      who   don't need rules of this type need not upgrade to 1.3.11.</p>
      <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
@ -335,31 +429,35 @@ a  position   to support Shorewall users who run Mandrake 9.0.</p>
          </b></p>
      <p>In this version:</p>
      <ul>
-                         <li>A 'tcpflags' option has been added to entries
+                                <li>A 'tcpflags' option has been added to 
- in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. 
+entries     in            <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
      This option causes Shorewall to make a set of sanity check on TCP packet
     header flags.</li>
-                         <li>It is now allowed to use 'all' in the SOURCE 
+                                <li>It is now allowed to use 'all' in the 
-or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.  When
+SOURCE    or  DEST   column    in a <a href="Documentation.htm#Rules">rule</a>.
- used,  'all'   must  appear  by itself (in may not be qualified) and it
+  When   used,  'all'   must  appear  by itself (in may not be qualified)
-does   not  enable   intra-zone  traffic.  For example, the rule <br>
+and it does   not  enable   intra-zone  traffic.  For example, the rule <br>
                             <br>
                             ACCEPT loc all tcp 80<br>
                             <br>
                         does not enable http traffic from 'loc' to 'loc'.</li>
-                         <li>Shorewall's use of the 'echo' command is now 
+                                <li>Shorewall's use of the 'echo' command 
-compatible      with   bash clones such as ash and dash.</li>
+is  now   compatible      with   bash clones such as ash and dash.</li>
-                         <li>fw-&gt;fw policies now generate a startup error. 
+                                <li>fw-&gt;fw policies now generate a startup 
-  fw-&gt;fw      rules  generate a warning and are ignored</li>
+  error.    fw-&gt;fw      rules  generate a warning and are ignored</li>
      </ul>
      <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>    
                             </b></p>
@ -380,18 +478,21 @@ compatible      with   bash clones such as ash and dash.</li>
      <p><b></b></p>
      <ul>
      </ul>
      <p><b></b><a href="News.htm">More News</a></p>
@ -403,10 +504,12 @@ compatible      with   bash clones such as ash and dash.</li>
      <h2> </h2>
      <h1 align="center"><a href="http://www.sf.net"><img align="left"
 alt="SourceForge Logo"
 src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -414,10 +517,12 @@ compatible      with   bash clones such as ash and dash.</li>
      <h4>       </h4>
      <h2>This site is hosted by the generous folks at <a
 href="http://www.sf.net">SourceForge.net</a>         </h2>
@ -428,8 +533,8 @@ compatible      with   bash clones such as ash and dash.</li>
                                                                 </td>
-                       <td width="88" bgcolor="#4b017c" valign="top"
+                              <td width="88" bgcolor="#4b017c"
- align="center">              <br>
+ valign="top" align="center">              <br>
                                               </td>
                          </tr>
@ -465,6 +570,7 @@ compatible      with   bash clones such as ash and dash.</li>
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
@ -479,11 +585,12 @@ compatible      with   bash clones such as ash and dash.</li>
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
+                    
-if       you try it and find it useful, please consider making a donation 
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free
 but if       you try it and find it useful, please consider making a donation
                                          to       <a
- href="http://www.starlight.org"><font color="#ffffff">Starlight         Children's
+ href="http://www.starlight.org"><font color="#ffffff">Starlight        
-Foundation.</font></a> Thanks!</font></p>
+Children's Foundation.</font></a> Thanks!</font></p>
                       </td>
@ -499,11 +606,10 @@ Foundation.</font></a> Thanks!</font></p>
-<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                  <br>
 </p>
 <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -41,12 +41,12 @@
 <p>   If you have a permanent internet connection such as DSL     or Cable,
  I  recommend that you start the firewall     automatically at boot. Once
-you  have installed      "firewall" in your init.d directory, simply type 
+ you  have installed      "firewall" in your init.d directory, simply type
-    "chkconfig --add firewall". This will start the     firewall in run levels 
+     "chkconfig --add firewall". This will start the     firewall in run
- 2-5 and stop it in run levels 1 and 6.     If you want to configure your 
+levels   2-5 and stop it in run levels 1 and 6.     If you want to configure
-firewall differently from this     default, you can use the "--level" option 
+your  firewall differently from this     default, you can use the "--level"
-in     chkconfig (see "man chkconfig") or using your     favorite graphical 
+option  in     chkconfig (see "man chkconfig") or using your     favorite
-run-level editor.</p>
+graphical  run-level editor.</p>
@ -92,22 +92,27 @@ run-level editor.</p>
        addresses  of firewall interfaces and the black and white lists.</li>
 </ul>
 If you include the keyword <i>debug</i> as the first argument, then a shell
 trace of the command is produced as in:<br>
 <pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
 <p>The above command would trace the 'start' command and place the trace
 information in the file /tmp/trace</p>
 <p>   The "shorewall" program may also be used to monitor the     firewall.</p>
 <ul>
        <li>shorewall status - produce a verbose report about the firewall
           (iptables -L -n -v)</li>
-       <li>shorewall show <i>chain</i> - produce a verbose report about <i>chain 
+        <li>shorewall show <i>chain</i> - produce a verbose report about
-           </i>(iptables -L <i>chain</i> -n -v)</li>
+    <i>chain             </i>(iptables -L <i>chain</i> -n -v)</li>
        <li>shorewall show nat - produce a verbose report about the nat table
            (iptables -t nat -L -n -v)</li>
        <li>shorewall show tos - produce a verbose report about the mangle
-table          (iptables -t mangle -L -n -v)</li>
+ table          (iptables -t mangle -L -n -v)</li>
        <li>shorewall show log - display the last 20 packet log entries.</li>
        <li>shorewall show connections - displays the IP connections currently
  being     tracked by the firewall.</li>
@ -122,16 +127,17 @@ table          (iptables -t mangle -L -n -v)</li>
 packet  log          messages in the current /var/log/messages file.</li>
        <li>shorewall version -  Displays the installed     version number.</li>
        <li>shorewall check -  Performs a <u>cursory</u> validation     of
-the  zones, interfaces, hosts, rules and policy files.    <font size="4"
+ the  zones, interfaces, hosts, rules and policy files.    <font
- color="#ff6666"><b>The "check" command does not parse and     validate the 
+ size="4" color="#ff6666"><b>The "check" command does not parse and     validate
- generated iptables commands so even though the "check" command     completes 
+the   generated iptables commands so even though the "check" command    
- successfully, the configuration may fail to start. See the     recommended 
+completes   successfully, the configuration may fail to start. See the  
- way to make configuration changes described below. </b></font>    </li>
+  recommended   way to make configuration changes described below. </b></font>
   </li>
        <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> 
 ]  -  Restart shorewall using the     specified configuration and if an error
  occurs or if the<i> timeout </i>    option is given and the new configuration
- has been up for that many seconds     then shorewall is restarted using the
+  has been up for that many seconds     then shorewall is restarted using
- standard configuration.</li>
+the  standard configuration.</li>
        <li>shorewall deny, shorewall reject, shorewall accept and shorewall
  save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
        <li>shorewall logwatch (added in version 1.3.2) - Monitors the  
@ -140,22 +146,22 @@ the  zones, interfaces, hosts, rules and policy files.    <font size="4"
 </ul>
  Finally, the "shorewall" program may be used to dynamically alter the contents
-of a zone.<br>
+ of a zone.<br>
 <ul>
    <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
-specified interface (and host if included) to the specified zone.</li>
+ specified interface (and host if included) to the specified zone.</li>
    <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
-the specified interface (and host if included) from the specified zone.</li>
+ the specified interface (and host if included) from the specified zone.</li>
 </ul>
 <blockquote>Examples:<br>
-  <blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 
+  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-from interface ipsec0 to the zone vpn1<br>
+-- adds the address 192.0.2.24  from interface ipsec0 to the zone vpn1<br>
- shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 
+    <font color="#009900"><b>  shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-from interface ipsec0 from zone vpn1<br>
+-- deletes the address 192.0.2.24  from interface ipsec0 from zone vpn1<br>
    </blockquote>
  </blockquote>
@ -175,8 +181,8 @@ from interface ipsec0 from zone vpn1<br>
 <p>  If a <i>configuration-directory</i> is specified, each time that Shorewall 
   is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> 
-    . If the file is present in the <i>configuration-directory</i>, that
+    . If the file is present in the <i>configuration-directory</i>, that file
-file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
+   will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -189,18 +195,18 @@ file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
 <ul>
-               <li>mkdir /etc/test</li>
+                <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
-               <li>cd /etc/test</li>
+                <li><font color="#009900"><b>cd /etc/test</b></font></li>
                <li>&lt;copy any files that you need to change from /etc/shorewall
  to . and change them here&gt;</li>
-               <li>shorewall -c . check</li>
+                <li><font color="#009900"><b>shorewall -c . check</b></font></li>
                <li>&lt;correct any errors found by check and check again&gt;</li>
-               <li>/sbin/shorewall try .</li>
+                <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
 </ul>
@ -219,29 +225,30 @@ file    will be used; otherwise, the file in /etc/shorewall will be used.</p>
 <ul>
-               <li>cp * /etc/shorewall</li>
+                <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
-               <li>cd</li>
+                <li><font color="#009900"><b>cd</b></font></li>
-               <li>rm -rf /etc/test</li>
+                <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
 </ul>
-<p><font size="2">   Updated 11/21/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 1/9/2003 - <a href="support.htm">Tom  Eastep</a> 
     </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+     © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
                               <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -30,6 +30,7 @@
                                  <td width="100%">                     
      <h1 align="center"><font color="#ffffff">Shorewall Support<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
                   </font></h1>
@ -40,58 +41,55 @@
  </tbody>                             
 </table>
-<p> <br>
+<p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently 
-     <span style="font-weight: 400;"></span></p>
+  not involved in either Shorewall development or Shorewall support. Nevertheless,
  the mailing list is being ably manned by other Shorewall users.</font></big><span
 style="font-weight: 400;"></span></big></b></p>
-<h2><big><font color="#ff0000"><b>I  don't look at problems sent to me directly 
+<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
  but I try  to spend some amount          of time each day responding to 
 problems  posted  on the Shorewall mailing list.</b></font></big></h2>
 <h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
 <h2>Before Reporting a Problem</h2>
-                           
+                                   There are a number of sources for problem
-<h3>T<b>here are a number of sources for problem solution information. Please
+  solution information. Please     try these before you post.           
   try these before you post.</b></h3>
 <h3>                                     </h3>
 <h3>                     </h3>
 <ul>
-       <li>                         
+             <li>More than half of the questions posted on the support list 
-    <h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to  more than 20 common 
+ have answers directly accessible from the <a
-    problems.</b></h3>
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
       <br>
     </li>
     <li>                                   The <a href="FAQ.htm">FAQ</a> 
 has  solutions to  more than 20 common      problems.         </li>
 </ul>
 <h3>                     </h3>
 <ul>
-       <li>                         
+             <li>                                   The <a
-    <h3><b>The <a href="troubleshoot.htm">Troubleshooting</a>  Information 
+ href="troubleshoot.htm">Troubleshooting</a>  Information          contains
-        contains  a    number of tips to help you solve common problems.</b></h3>
+   a    number of tips to help you solve common problems.         </li>
       </li>
 </ul>
 <h3>                     </h3>
 <ul>
-       <li>                         
+             <li>                                   The <a
-    <h3><b>The <a href="errata.htm">   Errata</a> has links  to  download 
+ href="errata.htm">   Errata</a> has links  to  download        updated  
-      updated      components.</b></h3>
+   components.         </li>
       </li>
 </ul>
 <h3>                     </h3>
 <ul>
-       <li>                         
+             <li>                                   The Mailing List Archives
-    <h3><b>The Mailing List Archives search facility can locate   posts  
+  search facility can locate   posts    about         similar problems: 
 about         similar problems:</b></h3>
       </li>
 </ul>
@ -102,6 +100,7 @@ problems  posted  on the Shorewall mailing list.</b></font></big></h2>
 <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
  <p> <font size="-1"> Match:                                           
  <select name="method">
@ -127,94 +126,172 @@ problems  posted  on the Shorewall mailing list.</b></font></big></h2>
  </select>
                           </font> <input type="hidden" name="config"
 value="htdig">    <input type="hidden" name="restrict"
- value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
+ value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
-                     Search: <input type="text" size="30" name="words"
+                           Search: <input type="text" size="30"
- value="">    <input type="submit" value="Search"> </p>
+ name="words" value="">    <input type="submit" value="Search"> </p>
      </form>
-<h2>Problem Reporting Guidelines</h2>
+<h2>Problem Reporting Guidelines </h2>
-    <i>"Let me see if I can translate your message into a real-world example. 
+          <i>"Let me see if I can translate your message into a real-world
-  It would be like saying that you have three rooms at home, and when you
+ example.      It would be like saying that you have three rooms at home,
-walk  into one of the rooms, you detect this strange smell.  Can anyone tell
+and when you   walk  into one of the rooms, you detect this strange smell.
-you  what that strange smell is?<br>
+ Can anyone tell  you  what that strange smell is?<br>
          <br>
-    Now, all of us could do some wonderful guessing as to the smell and even
+          Now, all of us could do some wonderful guessing as to the smell 
-  what's causing it.  You would be absolutely amazed at the range and variety
+and   even   what's causing it.  You would be absolutely amazed at the range 
-  of smells we could come up with.  Even more amazing is that all of the
+and   variety   of smells we could come up with.  Even more amazing is that 
-explanations   for the smells would be completely plausible."<br>
+all   of the explanations   for the smells would be completely plausible."<br>
          </i><br>
-<div align="center">   - Russell Mosemann<br>
+<div align="center">   - <i>Russell Mosemann</i> on the Postfix mailing list<br>
          </div>
          <br>
 <h3>                     </h3>
 <ul>
-       <li>                         
+      <li>Please remember we only know what is posted in your message.  Do
-    <h3><b>When reporting a problem, give as much information  as  you   can.
+ not  leave out any information that appears to be correct,  or was mentioned
-  Reports   that say "I tried XYZ and it didn't work" are not at all   helpful.</b></h3>
+ in  a previous post. There have been countless  posts by people who were
 sure  that some part of their  configuration was correct when it actually
 contained  a small error.  We tend to be skeptics where detail is lacking.<br>
        <br>
      </li>
      <li>Please keep in mind that you're asking for <strong>free</strong>
 technical  support. Any help we offer is an act of generosity, not an obligation.
 Try  to make it easy for us to help you. Follow good, courteous practices
 in writing  and formatting your e-mail. Provide details that we need if
 you  expect good  answers. <em>Exact quoting </em> of error messages, log
 entries,  command output, and other output is better than a paraphrase or
 summary.<br>
        <br>
      </li>
      <li>                                   Please don't describe your environment
  and then  ask  us  to  send   you             custom configuration files.
  We're here  to answer   your  questions     but we           can't do your
  job for you.<br>
        <br>
             </li>
      <li>When reporting a problem, <strong>ALWAYS</strong> include this
 information:</li>
 </ul>
 <ul>
  <ul>
        <li>the exact version of Shorewall you are running.<br>
          <br>
          <b><font color="#009900">shorewall version</font><br>
     </b>    <br>
        </li>
  </ul>
  <ul>
        <li>the exact kernel version you are running<br>
          <br>
          <font color="#009900"><b>uname -a<br>
          <br>
          </b></font></li>
  </ul>
  <ul>
        <li>the complete, exact output of<br>
          <br>
          <font color="#009900"><b>ip addr show<br>
          <br>
          </b></font></li>
  </ul>
  <ul>
        <li>the complete, exact output of<br>
          <br>
          <font color="#009900"><b>ip route show<br>
          <br>
          </b></font></li>
  </ul>
  <ul>
        <li>If your kernel is modularized, the exact output from<br>
          <br>
          <font color="#009900"><b>lsmod</b></font><br>
          <br>
        </li>
        <li>the exact wording of any <code
 style="color: green; font-weight: bold;">ping</code> failure responses.<br>
          <br>
        </li>
  </ul>
 </ul>
 <ul>
      <li><b>NEVER </b>include the output of "<b><font color="#009900">iptables
  -L</font></b>". Instead, please post the exact output of<br>
        <br>
        <b><font color="#009900">/sbin/shorewall status<br>
        <br>
        </font></b>Since that command generates a lot of output, we suggest 
 that you redirect the output to a file and attach the file to your post<br>
        <br>
        <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
        <br>
      </li>
      <li>As a general matter, please <strong>do not edit the diagnostic
 information</strong>   in an attempt to conceal your IP address, netmask,
 nameserver addresses,  domain name, etc. These aren't secrets, and concealing
 them often misleads  us (and 80% of the time, a hacker could derive them
 anyway from information  contained in the SMTP headers of your post).<strong></strong></li>
 </ul>
 <ul>
 </ul>
 <h3>                     </h3>
 <ul>
       <li>                         
    <h3><b>Please don't describe your environment and then  ask  us  to  send
  you             custom configuration files. We're here  to answer   your
 questions     but we           can't do your job for you.</b></h3>
       </li>
 </ul>
 <h3>                     </h3>
 <ul>
-       <li>                         
+             <li>                                   Do you see any "Shorewall"
-    <h3><b>Do you see any "Shorewall" messages in     /var/log/messages  
+  messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
-    when   you exercise the function that is giving you problems?</b></h3>
+        when   you exercise the function that is giving you problems? If
 so,   include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
  file.<br>
        <br>
      </li>
-         
+      <li>Please include any of the Shorewall configuration  files    (especially 
 </ul>
 <h3>                     </h3>
 <ul>
       <li>                         
    <h3><b>Have you looked at the packet flow with a tool  like  tcpdump 
       to  try to understand what is going on?</b></h3>
       </li>
 </ul>
 <h3>                     </h3>
 <ul>
       <li>                         
    <h3><b>Have you tried using the diagnostic capabilities  of  the     
 application    that isn't working? For example, if "ssh" isn't  able   
 to connect, using    the "-v" option gives you a lot of valuable      diagnostic 
     information.</b></h3>
       </li>
 </ul>
 <h3>                     </h3>
 <ul>
       <li>                         
    <h3><b>Please include any of the Shorewall configuration  files    (especially 
          the    /etc/shorewall/hosts file if you have modified  that   file) 
- that  you    think are    relevant.</b></h3>
+    that  you    think are    relevant. If you include /etc/shorewall/rules,
-     </li>
+  please include /etc/shorewall/policy as well (rules are meaningless unless
-     <li>               
+  one also knows the policies).                      </li>
-    <h3><b>If an error occurs when you try   to "shorewall  start",    include 
+                     
- a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>      section
+</ul>
- for    instructions).</b></h3>
+                     
-       </li>
+<h3>                     </h3>
 <ul>
 </ul>
 <h3>                     </h3>
 <ul>
                    <li>                         If an error occurs when
 you   try   to "<font color="#009900"><b>shorewall  start</b></font>",  
 include     a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
     section  for    instructions).         </li>
 </ul>
@ -223,46 +300,42 @@ explanations   for the smells would be completely plausible."<br>
 <ul>
             <li>                                                       
    <h3><b>The list server limits posts to 120kb so don't  post  GIFs   of 
-   your             network layout, etc to the Mailing List  -- your  post 
+      your             network layout, etc. to the Mailing List  -- your 
-   will  be rejected.</b></h3>
+post      will  be rejected.</b></h3>
      </li>
 </ul>
-         
+    The author gratefully acknowleges that the above list was heavily plagiarized
-<h3>                                     </h3>
+  from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
-                                              <br>
+at  <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
 <h2>Please post in plain text</h2>
-<blockquote>      
+<blockquote>            </blockquote>
-  <h3>  A growing number of MTAs serving list subscribers are rejecting all
+      A growing number of MTAs serving list subscribers are rejecting all 
-HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
+ HTML  traffic. At least one MTA has gone so far as to blacklist shorewall.net
-"for continuous abuse" because it has been my policy to allow HTML in list
+  "for continuous abuse" because it has been my policy to allow HTML in list 
-posts!!<br>
+  posts!!<br>
        <br>
-   I think that blocking all HTML is a Draconian way to control spam  and
+         I think that blocking all HTML is a Draconian way to control spam
-that the ultimate losers here are not the spammers but the list subscribers
+  and  that the ultimate losers here are not the spammers but the list subscribers
- whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
+    whose MTAs are bouncing all shorewall.net mail. As one list subscriber
-to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i> 
+ wrote  to me privately "These e-mail admin's need to get a <i>(expletive
-life instead of trying to rid the planet of HTML based e-mail". Nevertheless, 
+deleted)</i>  life instead of trying to rid the planet of HTML based e-mail".
-to allow subscribers to receive list posts as must as possible, I have now
+Nevertheless,  to allow subscribers to receive list posts as must as possible,
- configured the list server at shorewall.net to strip all HTML from outgoing 
+I have now   configured the list server at shorewall.net to strip all HTML
-posts.<br>
+from outgoing  posts.<br>
 </h3>
  <h3></h3>
 </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
-<h3></h3>
+<h2>Where to Send your Problem Report or to Ask for Help</h2>
 <blockquote>                                 
  <h4>If you run Shorewall under Bering -- <span
 style="font-weight: 400;">please           post your question or problem 
     to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing 
     list</a>.</span></h4>
-   <b>If you run Shorewall under MandrakeSoft Multi Network Firewall (MNF) 
+         <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
-and you have not purchased an MNF license from MandrakeSoft then you can post
+ (MNF)   and you have not purchased an MNF license from MandrakeSoft then
-non MNF-specific Shorewall questions to the </b><a
+you can  post non MNF-specific Shorewall questions to the </b><a
 href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
       <b>Do not expect to get free MNF support on the list.</b><br>
@ -272,19 +345,18 @@ non MNF-specific Shorewall questions to the </b><a
 <p align="center"><big><font color="#ff0000"><b></b></font></big></p>
 <p>To Subscribe to the  mailing list go to <a
 href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
                   .</p>
-<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
  </p>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@ -38,46 +38,74 @@
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
 <ul>
-          <li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
+            <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. 
-    Shaping  also requires that you enable packet mangling.<br>
+Traffic     Shaping  also requires that you enable packet mangling.</li>
  <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in Shorewall
 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of
 this variable determines whether Shorewall clears the traffic shaping configuration
 during Shorewall [re]start and Shorewall stop. <br>
  </li>
-          <li>/etc/shorewall/tcrules - A file where you can specify     firewall 
+            <li><b>/etc/shorewall/tcrules</b> - A file where you can specify 
-   marking of packets. The firewall mark value may be used to classify   
+    firewall     marking of packets. The firewall mark value may be used to
- packets  for traffic shaping/control.<br>
+classify     packets  for traffic shaping/control.<br>
            </li>
-          <li>/etc/shorewall/tcstart - A user-supplied file that is     sourced 
+            <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that 
-   by Shorewall during "shorewall start" and which you can     use to define 
+is     sourced     by Shorewall during "shorewall start" and which you can 
-   your traffic shaping disciplines and classes. I have provided     a <a
+    use to define     your traffic shaping disciplines and classes. I have 
- href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does   
+provided     a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> 
- table-driven CBQ shaping but if you read the traffic shaping sections of 
+that does     table-driven CBQ shaping but if you read the traffic shaping 
-   the     HOWTO mentioned above, you can probably code your own faster than 
+sections of     the     HOWTO mentioned above, you can probably code your 
-   you can     learn how to use my sample. I personally use <a
+own faster than     you can     learn how to use my sample. I personally use
- href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see below). HTB
+    <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see below). 
-        support may eventually become an integral part of Shorewall since
+HTB         support may eventually become an integral part of Shorewall since
-HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
+ HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
 HTB is a standard     part of the kernel but iproute2 must be patched  in
 order  to     use it.<br>
              <br>
-            In tcstart, when you want to run the 'tc' utility, use the run_tc 
+              In tcstart, when you want to run the 'tc' utility, use the
-  function      supplied by shorewall if you want tc errors to stop the firewall.<br>
+run_tc    function      supplied by shorewall if you want tc errors to stop
 the firewall.<br>
        <br>
-  You can generally use off-the-shelf traffic shaping scripts by simply copying
+    You can generally use off-the-shelf traffic shaping scripts by simply 
- them to /etc/shorewall/tcstart. I use <a
+copying  them to /etc/shorewall/tcstart. I use <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
-that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
+ that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
 modified  it according to the Wonder Shaper README). <b>WARNING: </b>If you
 use use Masquerading or SNAT (i.e., you only have one external IP address)
 then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
 script won't work. Traffic shaping occurs after SNAT has already been applied
 so when traffic shaping happens, all outbound traffic will have as a source 
-address the IP addresss of your firewall's external interface.<br>
+ address the IP addresss of your firewall's external interface.<br>
      </li>
-          <li>/etc/shorewall/tcclear - A user-supplied file that is     sourced 
+            <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that 
-   by Shorewall when it is clearing traffic shaping. This file is     normally 
+is     sourced     by Shorewall when it is clearing traffic shaping. This 
-   not required as Shorewall's method of clearing qdisc and filter     definitions 
+file is     normally     not required as Shorewall's method of clearing qdisc 
-   is pretty general.</li>
+and filter     definitions     is pretty general.</li>
 </ul>
 Shorewall allows you to start traffic shaping when Shorewall itself starts
 or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
 <br>
 To start traffic shaping when Shorewall starts:<br>
 <ol>
  <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
  <li>Supply an /etc/shorewall/tcstart script to configure your traffic shaping
 rules.</li>
  <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
 shaping. That is usually unnecessary.</li>
  <li>If your tcstart script uses the 'fwmark' classifier, you can mark packets
 using entries in /etc/shorewall/tcrules.</li>
 </ol>
 To start traffic shaping when you bring up your network interfaces, you will
 have to arrange for your traffic shaping configuration script to be run at
 that time. How you do that is distribution dependent and will not be covered
 here. You then should:<br>
 <ol>
  <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
  <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
  <li value="4">If your tcstart script uses the 'fwmark' classifier, you
 can mark packets using entries in /etc/shorewall/tcrules.</li>
 </ol>
 <h3 align="left">Kernel Configuration</h3>
@ -91,27 +119,28 @@ address the IP addresss of your firewall's external interface.<br>
 <p align="left">The fwmark classifier provides a convenient way to classify
     packets for traffic shaping. The /etc/shorewall/tcrules file provides
-a  means  for specifying these marks in a tabular fashion.<br>
+ a  means  for specifying these marks in a tabular fashion.<br>
-</p>
+  </p>
 <p align="left">Normally, packet marking occurs in the PREROUTING chain before
-any address rewriting takes place. This makes it impossible to mark inbound
+ any address rewriting takes place. This makes it impossible to mark inbound
-packets based on their destination address when SNAT or Masquerading are
+ packets based on their destination address when SNAT or Masquerading are
 being used. Beginning with Shorewall 1.3.12, you can cause packet marking
 to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
 <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
-</p>
+  </p>
 <p align="left">Columns in the file are as follows:</p>
 <ul>
-          <li>MARK - Specifies the mark value is to be assigned in case of
+            <li>MARK - Specifies the mark value is to be assigned in case 
-     a match. This is an integer in the range 1-255.<br>
+of      a match. This is an integer in the range 1-255.<br>
              <br>
              Example - 5<br>
            </li>
            <li>SOURCE - The source of the packet. If the packet originates 
     on  the firewall, place "fw" in this column. Otherwise, this is a   
-comma-separated   list of interface names, IP addresses, MAC addresses in
+ comma-separated   list of interface names, IP addresses, MAC addresses in
   <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
              <br>
              Examples<br>
@ -122,12 +151,12 @@ comma-separated   list of interface names, IP addresses, MAC addresses in
     IP  addresses and/or subnets.<br>
            </li>
            <li>PROTO - Protocol - Must be the name of a protocol from  
-/etc/protocol,    a number or "all"<br>
+  /etc/protocol,    a number or "all"<br>
            </li>
            <li>PORT(S) - Destination Ports. A comma-separated list of Port 
     names  (from /etc/services), port numbers or port ranges (e.g., 21:22);
-  if     the  protocol is "icmp", this column is interpreted as the     destination 
+   if     the  protocol is "icmp", this column is interpreted as the    
-  icmp  type(s).<br>
+destination    icmp  type(s).<br>
            </li>
            <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
     omitted,  any source port is acceptable. Specified as a comma-separate
@ -137,7 +166,7 @@ comma-separated   list of interface names, IP addresses, MAC addresses in
 <p align="left">Example 1 - All packets arriving on eth1 should be marked 
    with 1. All packets arriving on eth2 and eth3 should be marked with 2. 
-All packets   originating on the firewall itself should be marked with 3.</p>
+ All packets   originating on the firewall itself should be marked with 3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
            <tbody>
@ -193,7 +222,7 @@ All packets   originating on the firewall itself should be marked with 3.</p>
 <p align="left">Example 2 - All GRE (protocol 47) packets not originating 
    on the firewall and destined for 155.186.235.151 should be marked with 
-12.</p>
+ 12.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
            <tbody>
@ -247,9 +276,9 @@ All packets   originating on the firewall itself should be marked with 3.</p>
 <p>While I am currently using the HTB version of <a
 href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
-wshaper.htb  to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
+ wshaper.htb  to <b>/etc/shorewall/tcstart</b> and modified it as shown in 
-README),  I have also run with the following set of hand-crafted rules in
+the Wondershaper README),  I have also run with the following set of hand-crafted 
-my tcstart  file:<br>
+rules in my <b>/etc/shorewall/tcstart</b>  file:<br>
    </p>
 <blockquote>            
@ -284,10 +313,12 @@ can  use all available bandwidth if there is no traffic from the local systems
 </ol>
-<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last Updated 12/31/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
     © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-</p>
+  </p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@ -41,50 +41,51 @@
   problems.</p>
 <h3 align="left">If the firewall fails to start</h3>
-            If you receive an error message when starting or restarting the 
+             If you receive an error message when starting or restarting
- firewall  and you can't determine the cause, then do the following:     
+the   firewall  and you can't determine the cause, then do the following:
 <ul>
            <li>Make a note of the error message that you see.<br>
   </li>
   <li>shorewall debug start 2&gt; /tmp/trace</li>
            <li>Look at the /tmp/trace file and see if that helps you   
-determine    what the problem is. Be sure you find the place in the log where
+ determine    what the problem is. Be sure you find the place in the log
-the error message you saw is generated -- in 99.9% of the cases, it will
+where the error message you saw is generated -- in 99.9% of the cases, it
-not be near the end of the log because after startup errors, Shorewall goes
+will not be near the end of the log because after startup errors, Shorewall
-through a "shorewall stop" phase which will also be traced.</li>
+goes through a "shorewall stop" phase which will also be traced.</li>
            <li>If you still can't determine what's wrong then see the  
      <a href="support.htm">support page</a>.</li>
 </ul>
-Here's an example. During startup, a user sees the following:<br>
+ Here's an example. During startup, a user sees the following:<br>
 <blockquote>   
  <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
-</blockquote>
+ </blockquote>
-A search through the trace for "No chain/target/match by that name" turned
+ A search through the trace for "No chain/target/match by that name" turned 
 up the following:  
 <blockquote>   
  <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
-</blockquote>
+ </blockquote>
-The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
+ The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with 
 tcp-reset". In this case, the user had compiled his own kernel and had forgotten 
 to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
 <h3>Your network environment</h3>
 <p>Many times when people have problems with Shorewall, the problem is   
- actually an ill-conceived network setup. Here are several popular snafus:
+actually an ill-conceived network setup. Here are several popular snafus: 
  </p>
 <ul>
-           <li>Port           Forwarding where client and server are in the 
+            <li>Port           Forwarding where client and server are in
- same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
+the   same  subnet. See <a href="FAQ.htm">FAQ           2.</a></li>
            <li>Changing the IP address of a local system to be in the external 
   subnet,      thinking that Shorewall will suddenly believe that the system 
   is in the      'net' zone.</li>
-           <li>Multiple interfaces connected to the same HUB or Switch. Given 
+            <li>Multiple interfaces connected to the same HUB or Switch.
-  the way      that the Linux kernel respond to ARP "who-has" requests, this 
+Given    the way      that the Linux kernel respond to ARP "who-has" requests,
-  type of setup      does NOT work the way that you expect it to.</li>
+this    type of setup      does NOT work the way that you expect it to.</li>
 </ul>
@ -92,9 +93,9 @@ to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
 <p align="left">If the appropriate policy for the connection that you are 
   trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
-   TO MAKE IT WORK. Such additional rules will NEVER make it work, they add 
+    TO MAKE IT WORK. Such additional rules will NEVER make it work, they
-  clutter to your rule set and they represent a big security hole in the event
+add    clutter to your rule set and they represent a big security hole in
-  that you forget to remove them later.</p>
+the event   that you forget to remove them later.</p>
 <p align="left">I also recommend against setting all of your policies to 
      ACCEPT in an effort to make something work. That robs you of one of 
@ -103,9 +104,9 @@ to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
   by your        rule set.</p>
 <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
- see Shorewall  messages, then  your problem is probably NOT a Shorewall problem.
+  see Shorewall  messages, then  your problem is probably NOT a Shorewall
- If you DO see packet messages,  it may be an indication that you are missing
+problem.  If you DO see packet messages,  it may be an indication that you
- one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
+are missing  one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
 <p align="left">While you are troubleshooting, it is a good idea to clear
          two variables in /etc/shorewall/shorewall.conf:</p>
@ -128,8 +129,8 @@ LEN=47</font></p>
 <ul>
            <li>all2all:REJECT - This packet was REJECTed out of the all2all
- chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT policy 
+  chain  -- the packet was rejected under the     "all"-&gt;"all" REJECT
- (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
+policy   (see      <a href="FAQ.htm#faq17">FAQ 17).</a></li>
            <li>IN=eth2 - the packet entered the firewall via eth2</li>
            <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
            <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -149,19 +150,24 @@ LEN=47</font></p>
   about how to interpret the chain name appearing in a Shorewall log message.<br>
      </p>
 <h3 align="left">'Ping' Problems?</h3>
 Either can't ping when you think you should be able to or are able to ping
 when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
 href="ping.html"> is described here</a>.<br>
 <h3 align="left">Other Gotchas</h3>
 <ul>
            <li>Seeing rejected/dropped packets logged out of the INPUT or
-FORWARD        chains? This means that:                              
+ FORWARD        chains? This means that:                                
    <ol>
-             <li>your zone definitions are screwed up and the host that is
+              <li>your zone definitions are screwed up and the host that
- sending   the        packets or the destination host isn't in any zone (using
+is  sending   the        packets or the destination host isn't in any zone
- an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
+(using  an       <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
-are you?);         or</li>
+file are you?);         or</li>
-             <li>the source and destination hosts are both connected to the 
+              <li>the source and destination hosts are both connected to
- same         interface and that interface doesn't have the 'multi' option 
+the   same         interface and that interface doesn't have the 'multi'
- specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
+option   specified  in       <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
    </ol>
            </li>
@ -178,26 +184,26 @@ have   the      following in /etc/shorewall/nat:<br>
                 10.1.1.2    eth0        130.252.100.18<br>
             <br>
             and you ping 130.252.100.18, unless you have allowed icmp type 
- 8  between  the     zone containing the system you are pinging from and
+ 8  between  the     zone containing the system you are pinging from and the
-the  zone containing       10.1.1.2, the ping requests will be dropped. This
+ zone containing       10.1.1.2, the ping requests will be dropped. This is
-is  true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
+ true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
            <li>If you specify "routefilter" for an interface,     that interface 
   must be up prior to starting the firewall.</li>
            <li>Is your routing correct? For example, internal systems usually
   need to      be configured with their default gateway set to the IP address
-  of their      nearest firewall interface. One often overlooked aspect of 
+   of their      nearest firewall interface. One often overlooked aspect
- routing is that      in order for two hosts to communicate, the routing between
+of   routing is that      in order for two hosts to communicate, the routing
- them must be set      up <u>in both directions.</u> So when setting up routing
+between  them must be set      up <u>in both directions.</u> So when setting
-  between <b>A</b>      and<b> B</b>, be sure to verify that the route from
+up routing   between <b>A</b>      and<b> B</b>, be sure to verify that the
-      <b>B</b> back to <b>A</b>      is defined.</li>
+route from       <b>B</b> back to <b>A</b>      is defined.</li>
            <li>Some versions of LRP (EigerStein2Beta for example) have a 
    shell  with broken variable expansion. <a
 href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You     can get a corrected 
   shell from the Shorewall Errata download site.</a>     </li>
            <li>Do you have your kernel properly configured? <a
 href="kernel.htm">Click     here to see my kernel configuration.</a> </li>
-           <li>Some features require the "ip" program. That     program is
+            <li>Some features require the "ip" program. That     program
- generally   included in the "iproute" package which should     be included
+is  generally   included in the "iproute" package which should     be included 
 with your  distribution (though many distributions don't install     iproute 
 by     default). You may also download the latest source tarball from <a
 href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
@ -205,8 +211,8 @@ is  true even if you  have     NOT specified 'noping' for eth0 in /etc/shorewall
            <li>If you have <u>any</u>   entry for a zone in /etc/shorewall/hosts 
   then the zone must be entirely   defined in /etc/shorewall/hosts unless 
 you  have      specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). 
-  For example, if a zone has two interfaces but   only one interface has
+  For example, if a zone has two interfaces but   only one interface has an
-an   entry in /etc/shorewall/hosts then hosts attached to   the other interface
+  entry in /etc/shorewall/hosts then hosts attached to   the other interface 
  will     <u>not</u> be considered part of the zone.</li>
            <li>Problems with NAT? Be sure that you let Shorewall add all 
    external  addresses to be use with NAT unless you have set <a
@ -216,19 +222,16 @@ an   entry in /etc/shorewall/hosts then hosts attached to   the other interface
 <h3>Still Having Problems?</h3>
-<p>See the<a href="support.htm"> support page.</a></p>
+<p>See the<a href="support.htm"> support page.<br>
 </a></p>
               <font face="Century Gothic, Arial, Helvetica">           
 <blockquote> </blockquote>
                </font>                   
-<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font>  </p>
+<p><font size="2">Last updated 1/7/2003 - Tom Eastep</font>  </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
      © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
-    </p>
+</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -31,8 +31,8 @@
 </table>
 <p align="left">Setting up a Linux system as a firewall for a small network
-    is a  fairly straight-forward task if you understand the basics and follow 
+     is a  fairly straight-forward task if you understand the basics and
-    the  documentation.</p>
+follow      the  documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features of
      Shorewall. It rather focuses on what is required to configure Shorewall
@ -43,7 +43,7 @@
 network.</li>
             <li>Single public IP address.</li>
             <li>Internet connection through cable modem, DSL, ISDN, Frame
-Relay,    dial-up    ...</li>
+ Relay,    dial-up    ...</li>
 </ul>
@ -61,32 +61,32 @@ Relay,    dial-up    ...</li>
 <p>This guide assumes that you have the iproute/iproute2 package installed
     (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
-  if  this  package is installed by the presence of an <b>ip</b> program on
+   if  this  package is installed by the presence of an <b>ip</b> program
-  your  firewall  system. As root, you can use the 'which' command to check
+on   your  firewall  system. As root, you can use the 'which' command to
-  for this  program:</p>
+check   for this  program:</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
 <p>I recommend that you first read through the  guide to familiarize yourself
     with what's involved then go back through it again  making your configuration
-    changes. Points at which configuration changes are  recommended are flagged 
+     changes. Points at which configuration changes are  recommended are
-    with <img border="0" src="images/BD21298_.gif" width="13"
+flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
          .</p>
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-              If you edit your configuration files on a Windows system, you 
+               If you edit your configuration files on a Windows system,
- must   save them as  Unix files if your editor supports that option or you 
+you   must   save them as  Unix files if your editor supports that option
- must  run them through  dos2unix before trying to use them. Similarly, if 
+or you   must  run them through  dos2unix before trying to use them. Similarly,
- you copy  a configuration file  from your Windows hard drive to a floppy 
+if   you copy  a configuration file  from your Windows hard drive to a floppy
-disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
+ disk, you must run dos2unix against the  copy before using it with Shorewall.</p>
 <ul>
             <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
-Version     of    dos2unix</a></li>
+ Version     of    dos2unix</a></li>
             <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version 
- of    dos2unix</a></li>
+of    dos2unix</a></li>
 </ul>
@ -95,8 +95,8 @@ Version     of    dos2unix</a></li>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
       The configuration files for Shorewall are contained in the directory 
-  /etc/shorewall -- for simple setups, you will only need to deal with a
+  /etc/shorewall -- for simple setups, you will only need to deal with a few
-few  of  these as described in this guide.  After you have <a
+ of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
     un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
@ -107,8 +107,8 @@ few  of  these as described in this guide.  After you have <a
     and default entries.</p>
 <p>Shorewall views the network where it is running as being composed of a
-    set of  <i>zones.</i> In the two-interface sample configuration, the following
+     set of  <i>zones.</i> In the two-interface sample configuration, the
-    zone names are used:</p>
+following     zone names are used:</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
@ -154,8 +154,8 @@ zone   to  another    zone in the<a href="Documentation.htm#Policy"> /etc/shorew
   the request is first  checked against the rules in /etc/shorewall/common
  (the samples provide that  file for you).</p>
-<p>The /etc/shorewall/policy file included with the two-interface sample has
+<p>The /etc/shorewall/policy file included with the two-interface sample
-the  following policies:</p>
+has the  following policies:</p>
 <blockquote>                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -197,7 +197,7 @@ the  following policies:</p>
 <blockquote>                               
  <p>In the two-interface sample, the line below is included but commented
     out. If  you want your firewall system to have full access to servers
-on   the internet,  uncomment that line.</p>
+ on   the internet,  uncomment that line.</p>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -226,8 +226,8 @@ on   the internet,  uncomment that line.</p>
 <ol>
             <li>allow all connection requests from your local network to 
 the   internet</li>
-            <li>drop (ignore) all connection requests from the internet to
+             <li>drop (ignore) all connection requests from the internet
- your   firewall     or local network</li>
+to  your   firewall     or local network</li>
             <li>optionally accept all connection requests from the firewall
  to  the     internet (if you uncomment the additional policy)</li>
             <li>reject all other connection requests.</li>
@ -244,15 +244,15 @@ changes     that you  wish.</p>
 height="635">
          </p>
-<p align="left">The firewall has two network interfaces. Where Internet 
+<p align="left">The firewall has two network interfaces. Where Internet  connectivity
-connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
+is through a cable or DSL "Modem", the <i>External Interface</i>  will be
- will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
+the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
     <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
-     over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
+      over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
-    <u>P</u>rotocol </i>(PPTP) in which case the External Interface will
+<u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
-be   a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
+Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect
-  your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
+via a regular modem,   your External  Interface will also be <b>ppp0</b>.
-  your external  interface will be <b>ippp0.</b></p>
+If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
@ -261,26 +261,26 @@ then   you   will want to  set CLAMPMSS=yes in <a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
-    (eth1  or eth0) and will be connected to a hub or switch. Your other computers
+     (eth1  or eth0) and will be connected to a hub or switch. Your other
-    will be  connected to the same hub/switch (note: If you have only a single
+computers     will be  connected to the same hub/switch (note: If you have
-    internal system,  you can connect the firewall directly to the computer
+only a single     internal system,  you can connect the firewall directly
-  using  a <i>cross-over </i> cable).</p>
+to the computer   using  a <i>cross-over </i> cable).</p>
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
-         </b></u>Do not connect the internal and external interface  to the 
+          </b></u>Do not connect the internal and external interface  to
- same   hub or switch (even for testing). It won't work the way that you think
+the   same   hub or switch (even for testing). It won't work the way that
- that   it will and you will end up confused and  believing that Shorewall
+you think  that   it will and you will end up confused and  believing that
-  doesn't   work at all.</p>
+Shorewall   doesn't   work at all.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
              The Shorewall two-interface sample configuration assumes that 
-  the   external  interface is <b>eth0</b> and the internal interface is
+  the   external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
-<b>eth1</b>.     If your  configuration is different, you will have to modify
+    If your  configuration is different, you will have to modify the sample
-the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
+   <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
-file    accordingly.  While you are there, you may wish to  review the list
+   accordingly.  While you are there, you may wish to  review the list of
-of options   that are  specified for the interfaces. Some hints:</p>
+options   that are  specified for the interfaces. Some hints:</p>
 <ul>
             <li>                                                     
@ -290,7 +290,7 @@ of options   that are  specified for the interfaces. Some hints:</p>
            <li>                                                     
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
     or if you have a static IP    address, you can remove "dhcp" from the
-option    list. </p>
+ option    list. </p>
            </li>
 </ul>
@ -298,17 +298,17 @@ option    list. </p>
 <h2 align="left">IP Addresses</h2>
 <p align="left">Before going further, we should say a few words about Internet
-     Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a 
+      Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
-single    <i> Public</i> IP address. This address may be assigned via the<i> 
+a  single    <i> Public</i> IP address. This address may be assigned via
-Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of establishing 
+the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
-your  connection   when you dial in (standard modem) or establish your PPP 
+establishing  your  connection   when you dial in (standard modem) or establish
-connection.  In rare   cases, your ISP may assign you a<i> static</i> IP address;
+your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
-that  means that  you  configure your firewall's external interface to use
+IP address; that  means that  you  configure your firewall's external interface
-that  address permanently.<i>  </i>However your external address is assigned,
+to use that  address permanently.<i>  </i>However your external address is
-it  will be shared by all of your systems when you access the  Internet.
+assigned, it  will be shared by all of your systems when you access the 
-You will have to assign your  own addresses in your  internal network (the
+Internet. You will have to assign your  own addresses in your  internal network
-Internal  Interface on your firewall  plus your other  computers). RFC 1918
+(the Internal  Interface on your firewall  plus your other  computers). RFC
-reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
+1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
 <div align="left">             
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@ -328,9 +328,9 @@ entry  in    /etc/shorewall/interfaces.</p>
 sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
        to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
     will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
-  is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as
+   is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved
-  the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is
+as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet
- described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
+is  described  using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless 
 InterDomain Routing  </i>(CIDR)  notation</a> with consists of the subnet 
 address followed    by "/24". The  "24" refers to the number of    consecutive 
 leading "1" bits from the left  of the subnet mask. </p>
@ -390,8 +390,8 @@ be  the IP address   of the firewall's internal    interface.<i>
          </div>
 <p align="left">The foregoing short discussion barely scratches the surface
-     regarding subnetting and routing. If you are interested in learning more
+      regarding subnetting and routing. If you are interested in learning
-    about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
+more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
     What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
    A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
@ -408,23 +408,23 @@ be  the IP address   of the firewall's internal    interface.<i>
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred
     to as <i>non-routable</i> because the Internet backbone routers don't
-forward    packets  which have an RFC-1918 destination address. When one of
+ forward    packets  which have an RFC-1918 destination address. When one
-your local    systems  (let's assume computer 1) sends a connection request 
+of your local    systems  (let's assume computer 1) sends a connection request
-to an internet    host, the  firewall must perform <i>Network Address Translation 
+ to an internet    host, the  firewall must perform <i>Network Address Translation
  </i>(NAT).    The firewall  rewrites the source address in the packet to
-be the address    of the firewall's  external interface; in other words, the
+ be the address    of the firewall's  external interface; in other words,
-firewall makes    it look as if the firewall  itself is initiating the connection. 
+the firewall makes    it look as if the firewall  itself is initiating the
-This is   necessary so that the  destination host will be able to route return
+connection.  This is   necessary so that the  destination host will be able
-packets   back to the firewall  (remember that packets whose destination
+to route return packets   back to the firewall  (remember that packets whose
-address is   reserved by RFC 1918 can't  be routed across the internet so
+destination address is   reserved by RFC 1918 can't  be routed across the
-the remote host  can't address its response to  computer 1). When the firewall
+internet so the remote host  can't address its response to  computer 1).
-receives a return packet, it  rewrites the destination address  back to 10.10.10.1
+When the firewall receives a return packet, it  rewrites the destination
- and  forwards the packet on to computer 1. </p>
+address  back to 10.10.10.1  and  forwards the packet on to computer 1. </p>
-<p align="left">On Linux systems, the above process is often referred to as<i>
+<p align="left">On Linux systems, the above process is often referred to
- IP Masquerading</i> but you will also see the term <i>Source Network Address
+as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
- Translation </i>(SNAT) used. Shorewall follows the convention used with
+Address  Translation </i>(SNAT) used. Shorewall follows the convention used
- Netfilter:</p>
+with  Netfilter:</p>
 <ul>
             <li>                                                     
@ -434,8 +434,8 @@ receives a return packet, it  rewrites the destination address  back to 10.10.10
            </li>
            <li>                                                     
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
-    the    source address that you want outbound packets from your local network
+     the    source address that you want outbound packets from your local
-    to use.    </p>
+network     to use.    </p>
            </li>
 </ul>
@ -446,22 +446,24 @@ receives a return packet, it  rewrites the destination address  back to 10.10.10
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
-             If your external firewall interface is <b>eth0</b>, you do not 
+              If your external firewall interface is <b>eth0</b>, you do
-  need   to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq 
+not    need   to modify the file provided with the sample. Otherwise, edit
-    and change the first column to the name of your external  interface and 
+ /etc/shorewall/masq      and change the first column to the name of your
-  the  second column to the name of your internal interface.</p>
+external  interface and    the  second column to the name of your internal
 interface.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
              If your external IP is  static, you can enter it in the third 
 column    in the /etc/shorewall/masq entry if  you like although your firewall 
- will    work fine if you leave that column empty.  Entering your static
+ will    work fine if you leave that column empty.  Entering your static IP
-IP  in column    3 makes processing outgoing packets a little  more efficient.<br>
+ in column    3 makes processing outgoing packets a little  more efficient.<br>
  <br>
- <img border="0" src="images/BD21298_.gif" width="13" height="13" alt="">
+  <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
      If you are using the Debian package, please check your shorewall.conf
-file to ensure that the following are set correctly; if they are not, change 
+ file to ensure that the following are set correctly; if they are not, change
-them appropriately:<br>
+ them appropriately:<br>
  </p>
 <ul>
@ -475,12 +477,12 @@ them appropriately:<br>
 <p align="left">One of your goals may be to run one or more servers on your
      local computers. Because these computers have RFC-1918 addresses, it
-is   not  possible for clients on the internet to connect directly to them. 
+ is   not  possible for clients on the internet to connect directly to them.
-It   is rather  necessary for those clients to address their connection requests 
+ It   is rather  necessary for those clients to address their connection
-   to the firewall  who rewrites the destination address to the address of 
+requests     to the firewall  who rewrites the destination address to the
- your   server and forwards  the packet to that server. When your server responds,
+address of   your   server and forwards  the packet to that server. When
-    the firewall automatically  performs SNAT to rewrite the source address
+your server responds,     the firewall automatically  performs SNAT to rewrite
-  in  the response.</p>
+the source address   in  the response.</p>
 <p align="left">The above process is called<i> Port Forwarding</i> or <i> 
     Destination Network Address Translation</i> (DNAT). You configure port 
@ -557,7 +559,7 @@ It   is rather  necessary for those clients to address their connection requests
 href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
             <li>Many ISPs block incoming connection requests to port 80. 
 If  you   have     problems connecting to your web server, try the following
-rule and  try     connecting to port 5000.</li>
+ rule and  try     connecting to port 5000.</li>
 </ul>
@ -598,33 +600,34 @@ rules    that  you require.</p>
     an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
    will be  automatically configured (e.g., the /etc/resolv.conf file will
  be  written).  Alternatively, your ISP may have given you the IP address
-of a  pair of DNS <i> name servers</i> for you to manually configure as your 
+ of a  pair of DNS <i> name servers</i> for you to manually configure as
-  primary  and secondary  name servers. Regardless of how DNS gets configured 
+your    primary  and secondary  name servers. Regardless of how DNS gets
-  on your  firewall, it is <u>your</u> responsibility to configure the resolver 
+configured    on your  firewall, it is <u>your</u> responsibility to configure
-  in your   internal systems. You can take one of two approaches:</p>
+the resolver    in your   internal systems. You can take one of two approaches:</p>
 <ul>
             <li>                                                     
    <p align="left">You can configure your internal systems to use your ISP's
-    name    servers. If you ISP gave you the addresses of their servers or 
+     name    servers. If you ISP gave you the addresses of their servers
- if   those    addresses are available on their web site, you can configure 
+or   if   those    addresses are available on their web site, you can configure
- your   internal    systems to use those addresses. If that information isn't 
+  your   internal    systems to use those addresses. If that information
- available,   look in    /etc/resolv.conf on your firewall system -- the name
+isn't   available,   look in    /etc/resolv.conf on your firewall system
- servers are  given in    "nameserver" records in that file.   </p>
+-- the name  servers are  given in    "nameserver" records in that file.
  </p>
            </li>
            <li>                                                     
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
              You can configure a<i> Caching Name Server </i>on your    firewall.<i>
         </i>Red Hat has an RPM for a caching name server (the RPM also 
-requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp. If
+  requires    the 'bind' RPM) and for Bering users, there is dnscache.lrp.
-you    take   this approach, you configure your internal systems to use the
+If you    take   this approach, you configure your internal systems to use
-firewall    itself as their primary (and only) name server. You use the internal
+the firewall    itself as their primary (and only) name server. You use the
-IP     address of the firewall (10.10.10.254 in the example above) for the
+internal IP     address of the firewall (10.10.10.254 in the example above)
-name       server address. To allow your local systems to talk to your caching
+for the name       server address. To allow your local systems to talk to
-name      server, you must open port 53 (both UDP and TCP) from the local
+your caching name      server, you must open port 53 (both UDP and TCP) from
-network   to the    firewall; you do that by adding the following rules in
+the local network   to the    firewall; you do that by adding the following
-/etc/shorewall/rules.       </p>
+rules in /etc/shorewall/rules.       </p>
            </li>
 </ul>
@ -839,14 +842,14 @@ network   to the    firewall; you do that by adding the following rules in
          </div>
 <div align="left">             
-<p align="left">If you don't know what port and protocol a particular    application
+<p align="left">If you don't know what port and protocol a particular   
-uses, look <a href="ports.htm">here</a>.</p>
+application uses, look <a href="ports.htm">here</a>.</p>
          </div>
 <div align="left">             
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
-       the internet because it uses clear text (even for login!). If you want
+        the internet because it uses clear text (even for login!). If you
-    shell    access to your firewall from the internet, use SSH:</p>
+want     shell    access to your firewall from the internet, use SSH:</p>
          </div>
 <div align="left">             
@ -908,8 +911,8 @@ other    connections  as required.</p>
 <div align="left">             
 <p align="left">The firewall is started using the "shorewall start" command
-       and stopped using "shorewall stop". When the firewall is stopped, routing
+        and stopped using "shorewall stop". When the firewall is stopped,
-    is    enabled on those hosts that have an entry in   <a
+routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
        running firewall may be restarted using the "shorewall restart" command.
     If    you want to totally remove any trace of Shorewall from your Netfilter
@ -920,7 +923,7 @@ other    connections  as required.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
              The two-interface sample assumes that you want to enable  
-routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
+ routing     to/from <b>eth1 </b>(the local network) when Shorewall is stopped. 
 If    your local network isn't connected to <b>eth1</b> or if you wish to 
 enable       access to/from other hosts, change /etc/shorewall/routestopped 
 accordingly.</p>
@ -928,9 +931,9 @@ accordingly.</p>
 <div align="left">             
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from
-    the    internet, do not issue a "shorewall stop" command unless you have 
+     the    internet, do not issue a "shorewall stop" command unless you
-   added an    entry for the IP address that you are connected from to   <a
+have     added an    entry for the IP address that you are connected from
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
   Also, I don't recommend using "shorewall restart"; it is better to create
     an   <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
     and    test it using the <a
@ -952,5 +955,6 @@ accordingly.</p>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>