Some post-1.2.12 documentation cleanup

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@389 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-25 20:22:12 +02:00 · 2002-12-29 18:23:07 +00:00 · 2002-12-29 18:23:07 +00:00 · 2565081ff9
commit 2565081ff9
parent 4710fc7bdb
14 changed files with 1526 additions and 1449 deletions
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
@ -755,7 +755,7 @@ in both the  SOURCE and DEST columns.</li>
                                       <li>   <b>   LOG LEVEL</b> - Optional. 
  If  left  empty, no log message is generated when       the policy is applied.
    Otherwise,  this column should contain an integer  or       name indicating
-    a <a href="configuration_file_basics.htm#Levels">syslog level</a>.</li>
+    a <a href="shorewall_logging.html">syslog level</a>.</li>
                                       <li>   <b>LIMIT:BURST </b>- Optional.
  If  left   empty, TCP    connection requests from the <b>SOURCE</b> zone
@ -1251,7 +1251,7 @@ here   as  in  the       policy file above.</li>
    </ul>
    <p>The ACTION may optionally be followed by     ":" and a <a
- href="file:///home/teastep/Shorewall-docs/configuration_file_basics.htm#Levels">syslog 
+ href="shorewall_logging.html">syslog 
 level</a> (example: REJECT:info). This causes the     packet to be logged 
 at   the specified level prior to being processed according     to the specified 
    ACTION.<br>
@ -2243,7 +2243,7 @@ is assumed.<br>
 This parameter determines the level at which packets logged under the <a
 href="file:///home/teastep/Shorewall-docs/Documentation.htm#rfc1918">'norfc1918'
 mechanism </a> are logged. The value must be a valid <a
- href="file:///home/teastep/Shorewall-docs/configuration_file_basics.htm#Levels">syslog 
+ href="shorewall_logging.html">syslog 
 level</a> and if no level is given, then info is assumed. Prior to Shorewall 
 version 1.3.12, these packets are always logged at the info level.</li>
  <li><b>TCP_FLAGS_DISPOSITION - </b>Added in Version 1.3.11<br>
@ -2254,7 +2254,7 @@ DROP   (ignore the packet). If not set or if set to the empty value (e.g.,
 TCP_FLAGS_DISPOSITION="")   then TCP_FLAGS_DISPOSITION=DROP is assumed.</li>
      <li><b>TCP_FLAGS_LOG_LEVEL - </b>Added in Version 1.3.11<br>
    Determines the <a
- href="file:///home/teastep/Shorewall-docs/configuration_file_basics.htm#Levels">syslog 
+ href="shorewall_logging.html">syslog 
 level</a> for logging packets that fail the checks  enabled by the <a
 href="#Interfaces">tcpflags</a> interface option.The value  must be  a valid 
 syslogd log level. If you don't want to log these packets,    set to the empty
@ -2268,7 +2268,7 @@ or DROP (ignore the connection request). If not set or if set to the empty
 value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed.</li>
         <li><b>MACLIST_LOG_LEVEL </b>- Added in Version 1.3.10<br>
       Determines the <a
- href="file:///home/teastep/Shorewall-docs/configuration_file_basics.htm#Levels">syslog 
+ href="shorewall_logging.html">syslog 
 level</a> for logging connection requests that  fail      <a
 href="MAC_Validation.html">MAC Verification</a>. The value must  be  a valid 
 syslogd log level. If you don't want to log these connection requests,  set 
@ -2295,7 +2295,7 @@ unless   they are handled  by an     explicit entry in the <a
               Beginning with version 1.3.6, Shorewall drops non-SYN TCP
 packets     that  are     not part of an existing connection. If you would
 like to  log   these  packets,     set LOGNEWNOTSYN to the <a
- href="file:///home/teastep/Shorewall-docs/configuration_file_basics.htm#Levels">syslog 
+ href="shorewall_logging.html">syslog 
 level</a> at which you want   the packets  logged.     Example: LOGNEWNOTSYN=ULOG|<br>
               <br>
               <b>Note: </b>Packets logged under this option are usually
@ -2612,7 +2612,7 @@ assumed.</li>
                                                                    at. Its 
  value                                                                  
 is a <a
- href="file:///home/teastep/Shorewall-docs/configuration_file_basics.htm#Levels">syslog 
+ href="shorewall_logging.html">syslog 
 level</a>                                                                
    (Example:                                                           
         BLACKLIST_LOGLEVEL=debug).                                     
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -616,7 +616,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
 <div align="left">                         
 <pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
- href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
+ href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
                         </div>
 <h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work 
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -31,28 +31,31 @@
  set of MAC addresses. Furthermore, each MAC address may be optionally associated 
  with one or more IP addresses. <br>
 <br>
-<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
+ <b>You must have the iproute package (ip utility) installed to use MAC Verification
 and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
 module name ipt_mac.o).</b><br>
 <br>
 There are four components to this facility.<br>
 <ol>
       <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
-this option is specified, all traffic arriving on the interface is subjet
+option is specified, all traffic arriving on the interface is subjet to MAC
-to MAC verification.</li>
+verification.</li>
-      <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
+       <li>The <b>maclist </b>option in <a
-  When this option is specified for a subnet, all traffic from that subnet
+ href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option
- is subject to MAC verification.</li>
+is specified for a subnet, all traffic from that subnet  is subject to MAC
 verification.</li>
       <li>The /etc/shorewall/maclist file. This file is used to associate
-MAC  addresses with interfaces and to optionally associate IP addresses with
+ MAC  addresses with interfaces and to optionally associate IP addresses
- MAC  addresses.</li>
+with  MAC  addresses.</li>
       <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables 
-  in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
+  in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
-The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
+  MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
-determines   the disposition of connection requests that fail MAC verification.
+  the disposition of connection requests that fail MAC verification. The
-The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
+MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection requests
-requests that fail verification  are to be logged. If set the the empty value
+that fail verification  are to be logged. If set the the empty value (e.g.,
-(e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
+MACLIST_LOG_LEVEL="")   then failing connection requests are not logged.<br>
       </li>
 </ol>
@ -64,8 +67,8 @@ system.</li>
       <li>MAC - The MAC address of a device on the ethernet segment connected 
  by INTERFACE. It is not necessary to use the Shorewall MAC format in this 
  column although you may use that format if you so choose.</li>
-      <li>IP Address - An optional comma-separated list of IP addresses for 
+       <li>IP Address - An optional comma-separated list of IP addresses
- the device whose MAC is listed in the MAC column.</li>
+for   the device whose MAC is listed in the MAC column.</li>
 </ul>
@ -85,8 +88,8 @@ system.</li>
 <h3>Example 2: Router in Local Zone</h3>
     Suppose now that I add a second ethernet segment to my local zone and
 gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and
-IP address  192.168.1.253. Hosts in the second segment have IP addresses in
+ IP address  192.168.1.253. Hosts in the second segment have IP addresses
-the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
+in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist 
  file:<br>
 <pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
@ -95,7 +98,7 @@ and  from the second LAN segment (192.168.2.0/24). Remember that all traffic
 being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded 
 by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) 
  and not that of the host sending the traffic.     
-<p><font size="2">   Updated 12/22/2002 - <a href="support.htm">Tom  Eastep</a> 
+<p><font size="2">   Updated 12/29/2002 - <a href="support.htm">Tom  Eastep</a>
      </font></p>
@ -104,9 +107,5 @@ and  from the second LAN segment (192.168.2.0/24). Remember that all traffic
       &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
  <br>
 <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@ -52,7 +52,7 @@ the current packet classification filters. The output from this command is
 the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
- href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
+ href="shorewall_logging.html">to a separate log file</a>.</li>
  <li>If you are running a kernel that has a FORWARD chain in the mangle 
 table ("shorewall show mangle" will show you the chains in the mangle table), 
  you can set MARK_IN_FORWARD_CHAIN=Yes in <a
@ -98,7 +98,7 @@ is  also added as a separate page in "shorewall monitor"</li>
 than  the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
- href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
+ href="shorewall_logging.html">to a separate log file</a>.</li>
       <li>If you are running a kernel that has a FORWARD chain in the mangle 
  table ("shorewall show mangle" will show you the chains in the mangle table), 
  you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -34,7 +34,7 @@
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">       dos2unix</a>
       before you use them with Shorewall.</b></p>
-<h2>Files</h2>
+<h2><a name="Files"></a>Files</h2>
 <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
@ -54,10 +54,10 @@ terms    of  individual           hosts and subnetworks.</li>
                       <li>/etc/shorewall/masq - directs the firewall where 
 to  use   many-to-one            (dynamic) Network Address Translation (a.k.a.
   Masquerading)   and  Source          Network Address Translation (SNAT).</li>
-                      <li>/etc/shorewall/modules - directs the firewall to
+                       <li>/etc/shorewall/modules - directs the firewall
- load   kernel    modules.</li>
+to  load   kernel    modules.</li>
-                      <li>/etc/shorewall/rules - defines rules that are exceptions
+                       <li>/etc/shorewall/rules - defines rules that are
-     to  the         overall policies established in /etc/shorewall/policy.</li>
+exceptions      to  the         overall policies established in /etc/shorewall/policy.</li>
                       <li>/etc/shorewall/nat - defines static NAT rules.</li>
                       <li>/etc/shorewall/proxyarp - defines use of Proxy 
 ARP.</li>
@ -83,7 +83,7 @@ completion of a "shorewall stop".<br>
 </ul>
-<h2>Comments</h2>
+<h2><a name="Comments"></a>Comments</h2>
 <p>You may place comments in configuration files by making the first non-whitespace 
             character a pound sign ("#"). You may also place comments at 
@ -96,7 +96,7 @@ of   the line  with a pound sign.</p>
 <pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
-<h2>Line Continuation</h2>
+<h2><a name="Continuation"></a>Line Continuation</h2>
 <p>You may continue lines in the configuration files using the usual backslash
       ("\") followed        immediately by a new line character.</p>
@ -133,8 +133,8 @@ occur   after the firewall    has started have absolutely no effect on the
 <p align="left">     If your firewall rules include DNS names then:</p>
 <ul>
-               <li>If your /etc/resolv.conf is wrong then your firewall won't 
+                <li>If your /etc/resolv.conf is wrong then your firewall
-      start.</li>
+won't        start.</li>
                <li>If your /etc/nsswitch.conf is wrong then your firewall
 won't        start.</li>
                <li>If your Name Server(s) is(are) down then your firewall
@ -151,9 +151,9 @@ won't        start.</li>
 </ul>
 <p align="left"> Each DNS name much be fully qualified and include a minumum
-      of two periods (although one may be trailing). This restriction is imposed
+       of two periods (although one may be trailing). This restriction is
-      by Shorewall to insure backward compatibility with existing configuration
+imposed       by Shorewall to insure backward compatibility with existing
-      files.<br>
+configuration       files.<br>
               <br>
               Examples of valid DNS names:<br>
               </p>
@ -182,14 +182,14 @@ won't        start.</li>
               These restrictions are not imposed by Shorewall simply for 
 your inconvenience but are rather limitations of iptables.<br>
-<h2>Complementing an Address or Subnet</h2>
+<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
 <p>Where specifying an IP address, a subnet or an interface, you can    
   precede the item with "!" to specify the complement of the item. For 
-     example, !192.168.1.4 means "any host but 192.168.1.4". There must be
+      example, !192.168.1.4 means "any host but 192.168.1.4". There must
-no white space following the "!".</p>
+be no white space following the "!".</p>
-<h2>Comma-separated Lists</h2>
+<h2><a name="Lists"></a>Comma-separated Lists</h2>
 <p>Comma-separated lists are allowed in a number of contexts within the  
     configuration files. A comma separated list:</p>
@ -199,29 +199,29 @@ no white space following the "!".</p>
                       Valid: routestopped,dhcp,norfc1918<br>
                       Invalid: routestopped,     dhcp,              norfc1818</li>
                       <li>If you use line continuation to break a comma-separated
-    list,   the          continuation line(s) must begin in column 1 (or there
+     list,   the          continuation line(s) must begin in column 1 (or
-    would  be embedded          white space)</li>
+there     would  be embedded          white space)</li>
                       <li>Entries in a comma-separated list may appear in
 any   order.</li>
 </ul>
-<h2>Port Numbers/Service Names</h2>
+<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
 <p>Unless otherwise specified, when giving a port number you can use    
   either an integer or a service name from /etc/services. </p>
-<h2>Port Ranges</h2>
+<h2><a name="Ranges"></a>Port Ranges</h2>
 <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
              port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
-     if you want to forward the range of tcp ports 4000 through 4100 to local
+      if you want to forward the range of tcp ports 4000 through 4100 to
-     host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
+local      host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
            </p>
 <pre>     DNAT	net	loc:192.168.1.3	tcp	4000:4100<br></pre>
-<h2>Using Shell Variables</h2>
+<h2><a name="Variables"></a>Using Shell Variables</h2>
 <p>You may use the /etc/shorewall/params     file to set shell variables
  that you can then use in some of the other    configuration files.</p>
@ -261,7 +261,7 @@ any   order.</li>
 <p>Variables may be used anywhere in the              other configuration
       files.</p>
-<h2>Using MAC Addresses</h2>
+<h2><a name="MAC"></a>Using MAC Addresses</h2>
 <p>Media Access Control (MAC)        addresses can be used to specify packet
       source in several of the        configuration files. To use this feature,
@ -290,120 +290,24 @@ series    of  6  hex numbers        separated by colons. Example:<br>
                     <br>
                     Because Shorewall uses colons as a separator for address 
  fields,     Shorewall requires        MAC addresses to be written in another 
-  way. In   Shorewall, MAC addresses        begin with a tilde ("~") and
+  way. In   Shorewall, MAC addresses        begin with a tilde ("~") and consist
-consist   of 6  hex numbers separated by        hyphens. In Shorewall, the
+  of 6  hex numbers separated by        hyphens. In Shorewall, the MAC address
-MAC address    in  the example above would be        written "~02-00-08-E3-FA-55".<br>
+   in  the example above would be        written "~02-00-08-E3-FA-55".<br>
          </p>
 <p><b>Note: </b>It is not necessary to use the special Shorewall notation
     in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
          </p>
-<h2><a name="Levels"></a>Logging</h2>
+<h2><a name="Levels"></a>Shorewall Configurations</h2>
     By default, Shorewall directs NetFilter to log using syslog (8). Syslog
  classifies log messages by a <i>facility</i> and a <i>priority</i> (using 
 the notation <i>facility.priority</i>). <br>
   <br>
   The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
 kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through 
 <i>local7</i>.<br>
   <br>
   Throughout the Shorewall documentation, I will use the term <i>level</i> 
 rather than <i>priority</i> since <i>level</i> is the term used by NetFilter. 
 The syslog documentation uses the term <i>priority</i>.<br>
 <h3>Syslog Levels<br>
     </h3>
     Syslog levels are a method of describing to syslog (8) the importance
  of  a message and a number of Shorewall parameters have a syslog level
 as   their  value.<br>
       <br>
       Valid levels are:<br>
       <br>
              7       debug<br>
              6       info<br>
              5       notice<br>
              4       warning<br>
              3       err<br>
              2       crit<br>
              1       alert<br>
              0       emerg<br>
       <br>
       For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall 
   log messages are generated by NetFilter and are logged using the <i>kern</i>
  facility  and the level that you specify. If you are unsure of the level
  to choose,  6 (info) is a safe bet. You may specify levels by name or by
 number.<br>
     <br>
     Syslogd writes log messages to files (typically in /var/log/*) based 
 on  their facility and level. The mapping of these facility/level pairs to 
 log  files is done in /etc/syslog.conf (5). If you make changes to this file,
 you must restart syslogd before the changes can take effect.<br>
 <h3>Configuring a Separate Log for Shorewall Messages</h3>
     There are a couple of limitations to syslogd-based logging:<br>
 <ol>
       <li>If you give, for example, kern.info it's own log destination then 
  that destination will also receive all kernel messages of levels 5 (notice) 
  through 0 (emerg).</li>
       <li>All kernel.info messages will go to that destination and not just
  those from NetFilter.<br>
       </li>
 </ol>
     Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
  support (and most vendor-supplied kernels do), you may also specify a log 
 level of ULOG (must be all caps). When  ULOG is used, Shorewall will direct 
 netfilter to log the related messages  via the ULOG target which will send 
 them to a process called 'ulogd'. The  ulogd program is available from http://www.gnumonks.org/projects/ulogd 
 and  can be configured to log all Shorewall message to their own log file.<br>
 <br>
 Download the ulod tar file and:<br>
 <ol>
   <li>cd /usr/local/src (or wherever you do your builds)</li>
   <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
   <li>cd ulogd-<i>version</i><br>
   </li>
   <li>./configure</li>
   <li>make</li>
   <li>make install<br>
   </li>
 </ol>
 If you are like me and don't have a development environment on your firewall, 
 you can do the first five steps on another system then either NFS mount your 
 /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> 
 directory and move it to your firewall system.<br>
 <br>
 Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
 <ol>
   <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
   <li>syslogsync 1</li>
 </ol>
 I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to 
 /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" 
 to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig 
 --level 3 ulogd on" starts ulogd during boot up. Your init system may need 
 something else done to activate the script.<br>
 <br>
 Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that 
 you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
 look for the log when processing its "show log", "logwatch" and "monitor" 
 commands.<br>
 <h2><a name="Configs"></a>Shorewall Configurations</h2>
 <p>  Shorewall allows you to have configuration  directories other than /etc/shorewall.
-      The <a href="starting_and_stopping_shorewall.htm">shorewall start and 
+       The <a href="starting_and_stopping_shorewall.htm">shorewall start
-  restart</a>       commands allow you to specify an alternate configuration 
+and    restart</a>       commands allow you to specify an alternate configuration
   directory and    Shorewall will use the files in the alternate directory
- rather than the  corresponding  files in /etc/shorewall. The alternate directory 
+  rather than the  corresponding  files in /etc/shorewall. The alternate
-  need not contain a complete  configuration; those files not in the alternate 
+directory    need not contain a complete  configuration; those files not
-  directory  will be read from  /etc/shorewall.</p>
+in the alternate    directory  will be read from  /etc/shorewall.</p>
 <p>  This facility permits you to easily create a test or temporary configuration
        by:</p>
@ -422,7 +326,7 @@ and</li>
-<p><font size="2">   Updated 12/20/2002 - <a href="support.htm">Tom  Eastep</a>
+<p><font size="2">   Updated 12/29/2002 - <a href="support.htm">Tom  Eastep</a> 
          </font></p>
@ -432,5 +336,6 @@ and</li>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -42,23 +42,22 @@
                              </li>
                 <li>                                                   
-    <p align="left">          <b>If you are installing Shorewall for the
+    <p align="left">          <b>If you are installing Shorewall for the first
-first time and plan to use the        .tgz and install.sh script, you can
+time and plan to use the        .tgz and install.sh script, you can untar
-untar the archive, replace the        'firewall' script in the untarred directory
+the archive, replace the        'firewall' script in the untarred directory 
      with the one you downloaded        below, and then run install.sh.</b></p>
                              </li>
                 <li>                                                   
    <p align="left">          <b>When the instructions say to install a corrected 
      firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall 
-     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to
+     or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
-overwrite      the        existing file. DO  NOT REMOVE OR RENAME THE OLD
+     the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
-/etc/shorewall/firewall             or /var/lib/shorewall/firewall  before
+            or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
-you do that. /etc/shorewall/firewall             and /var/lib/shorewall/firewall
+            and /var/lib/shorewall/firewall  are symbolic links that point
- are symbolic links that point         to the 'shorewall' file used by your
+        to the 'shorewall' file used by your  system initialization scripts
- system initialization scripts   to         start Shorewall during boot.
+  to         start Shorewall during boot. It is  that file that must be overwritten
-It is  that file that must be overwritten             with the corrected
+            with the corrected script.</b></p>
 script.</b></p>
         </li>
         <li>                                   
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS 
@ -75,10 +74,11 @@ script.</b></p>
  in  Version    1.3</a></b></li>
                 <li>                            <b><a
 href="errata_2.htm">Problems      in  Version 1.2</a></b></li>
-                <li>                            <b><font color="#660066"> 
+                 <li>                            <b><font
-     <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
+ color="#660066">       <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
-                <li>                            <b><font color="#660066"><a
+                 <li>                            <b><font
- href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
+ color="#660066"><a href="#iptables">    Problem with iptables version 1.2.3
 on RH7.2</a></font></b></li>
                 <li>                            <b><a href="#Debug">Problems 
  with   kernels  &gt;= 2.4.18 and            RedHat iptables</a></b></li>
                 <li><b><a href="#SuSE">Problems installing/upgrading RPM 
@ -93,13 +93,23 @@ on  SuSE</a></b></li>
 <hr>                                     
 <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
 <h3>Version 1.3.12 LRP</h3>
 <ul>
  <li>The .lrp was missing the /etc/shorewall/routestopped file -- a new
 lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
  </li>
 </ul>
 <h3>Version 1.3.11a</h3>
 <ul>
   <li><a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This 
 copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
   </li>
 </ul>
 <h3>Version 1.3.11</h3>
 <ul>
@ -113,8 +123,8 @@ copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.
 .rpm  from shorewall.net or mirrors should no longer see these warnings as 
 the .rpm you will get from there has been corrected.</li>
     <li>DNAT rules that exclude a source subzone (SOURCE column contains 
-!  followed by a sub-zone list) result in an error message and Shorewall
+!  followed by a sub-zone list) result in an error message and Shorewall fails
-fails  to start.<br>
+ to start.<br>
       <br>
   Install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this 
@ -155,8 +165,8 @@ on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
 <blockquote> The updated firewall script at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-   corrects this problem.Copy the script to /usr/lib/shorewall/firewall as 
+    corrects this problem.Copy the script to /usr/lib/shorewall/firewall
- described  above.<br>
+as   described  above.<br>
       </blockquote>
 <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the 
@ -166,9 +176,9 @@ on  your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
 <ul>
         <li>The installer (install.sh) issues a misleading message "Common 
- functions   installed in /var/lib/shorewall/functions" whereas the file
+ functions   installed in /var/lib/shorewall/functions" whereas the file is
-is  installed  in /usr/lib/shorewall/functions. The installer also performs
+ installed  in /usr/lib/shorewall/functions. The installer also performs incorrectly
-incorrectly  when updating old configurations that had the file /etc/shorewall/functions.
+ when updating old configurations that had the file /etc/shorewall/functions. 
     <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here 
   is an updated version that corrects these problems.<br>
@ -177,8 +187,8 @@ incorrectly  when updating old configurations that had the file /etc/shorewall/f
 </ul>
 <h3>Version 1.3.9</h3>
-         <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
+          <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
-   at  <a
+script    at  <a
 href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
 target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
    -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
@ -230,17 +240,18 @@ but   with   different  port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:
 <ol>
                                              <li>If the firewall is running
- a  DHCP   server,                                   the client won't be able
+  a  DHCP   server,                                   the client won't be
-  to obtain   an IP  address                                  lease from
+able   to obtain   an IP  address                                  lease
-that   server.</li>
+from that   server.</li>
                                              <li>With this order of checking,
   the   "dhcp"                                   option cannot be used as
 a  noise-reduction                                     measure where there
-are  both dynamic and    static                                  clients on
+ are  both dynamic and    static                                  clients
-a LAN segment.</li>
+on a LAN segment.</li>
 </ol>
 <p>                               <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">    
                          This version of the 1.3.7a firewall script </a>
@ -316,8 +327,8 @@ an   SNAT   alias.  </p>
 <div align="left">                 
 <p align="left">That capability was lost in version 1.3.4 so that it is only 
-          possible to  include a single host specification on each line.
+          possible to  include a single host specification on each line. This
-This         problem is corrected by    <a
+        problem is corrected by    <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this 
          modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall 
          as instructed above.</p>
@ -339,10 +350,10 @@ This         problem is corrected by    <a
 <h3 align="left">Version 1.3.n, n &lt; 4</h3>
 <p align="left">The "shorewall start" and "shorewall restart" commands   
-         to not verify that the zones named in the /etc/shorewall/policy
+        to not verify that the zones named in the /etc/shorewall/policy file
-file            have been previously defined in the /etc/shorewall/zones
+           have been previously defined in the /etc/shorewall/zones file.
-file. The            "shorewall check" command does perform this verification
+The            "shorewall check" command does perform this verification so
-so it's a            good idea to run that command after you have made configuration
+it's a            good idea to run that command after you have made configuration 
                 changes.</p>
 <h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -359,8 +370,8 @@ so it's a            good idea to run that command after you have made configura
 <p align="left">Until approximately 2130 GMT on 17 June 2002, the        
   download sites contained an incorrect version of the .lrp file. That 
-           file can be identified by its size (56284 bytes). The correct
+          file can be identified by its size (56284 bytes). The correct version
-version            has a size of 38126 bytes.</p>
+           has a size of 38126 bytes.</p>
 <ul>
                          <li>The code to detect a duplicate interface entry
@ -393,8 +404,8 @@ just   like   "NAT_BEFORE_RULES=Yes".</li>
                          <li>TCP SYN packets may be double counted when
           LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e., 
 each              packet is sent through the limit chain twice).</li>
-                         <li>An unnecessary jump to the policy chain is sometimes 
+                          <li>An unnecessary jump to the policy chain is
-               generated for a CONTINUE policy.</li>
+sometimes                 generated for a CONTINUE policy.</li>
                          <li>When an option is given for more than one interface 
    in               /etc/shorewall/interfaces then depending on the option, 
   Shorewall                may ignore all but the first appearence of the 
@ -404,11 +415,11 @@ each              packet is sent through the limit chain twice).</li>
                          loc    eth1    dhcp<br>
                          <br>
                          Shorewall will ignore the 'dhcp' on eth1.</li>
-                         <li>Update 17 June 2002 - The bug described in the 
+                          <li>Update 17 June 2002 - The bug described in
- prior    bullet               affects the following options: dhcp, dropunclean, 
+the   prior    bullet               affects the following options: dhcp,
- logunclean,                 norfc1918, routefilter, multi, filterping and 
+dropunclean,   logunclean,                 norfc1918, routefilter, multi,
- noping. An additional                 bug has been found that affects only 
+filterping and   noping. An additional                 bug has been found
- the 'routestopped' option.<br>
+that affects only   the 'routestopped' option.<br>
                          <br>
                          Users who downloaded the corrected script prior 
 to  1850   GMT   today              should download and install the corrected
@ -450,6 +461,7 @@ command   will tell    you which version              that you have installed.</
               prevent it from working with Shorewall. Regrettably,  RedHat
  released    this buggy iptables in RedHat   7.2. </p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
        corrected 1.2.3 rpm which you can download here</a>  and I have also
@ -465,6 +477,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
         </font>I have installed this RPM   on my firewall and it works fine.</p>
  <p align="left">If you         would like to patch iptables 1.2.3 yourself, 
      the patches are available         for download. This <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
@ -473,6 +486,7 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
               corrects a problem in handling the  TOS target.</p>
  <p align="left">To install one of the above patches:</p>
  <ul>
@ -500,8 +514,8 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
          <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
          this iptables RPM</a>. If you are already running a 1.2.5 version
- of       iptables, you will need to specify the --oldpackage option to rpm 
+  of       iptables, you will need to specify the --oldpackage option to
- (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
+rpm   (e.g.,        "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
               </blockquote>
@ -540,20 +554,20 @@ iptables-1.2.4   rpm which you can download here</a>. If  you are currently
 <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
            </h3>
-        /etc/shorewall/nat entries of the following form will result in Shorewall
+         /etc/shorewall/nat entries of the following form will result in
-    being unable to start:<br>
+Shorewall     being unable to start:<br>
         <br>
 <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22      eth0            192.168.9.22    yes                     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
         Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
-        The solution is to put "no" in the LOCAL column. Kernel support for 
+         The solution is to put "no" in the LOCAL column. Kernel support
- LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it. The 
+for   LOCAL=yes   has never worked properly and 2.4.18-10 has disabled it.
-2.4.19 kernel   contains corrected support under a new kernel configuraiton 
+The  2.4.19 kernel   contains corrected support under a new kernel configuraiton
 option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
-<p><font size="2">  Last updated 12/3/2002 -                            
+<p><font size="2">  Last updated 12/28/2002 -                           
   <a href="support.htm">Tom Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
@ -562,5 +576,6 @@ option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentati
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/gnu_mailman.htm
+++ b/Shorewall-docs/gnu_mailman.htm
@ -45,11 +45,11 @@ and group mailman. Like:<br>
   <br>
   alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
   <br>
- Make sure that /var/mailman/aliases.db is owned by mailman user (this may
+   Make sure that /var/mailman/aliases.db is owned by mailman user (this
-be  done by executing postalias as mailman userid).<br>
+may  be  done by executing postalias as mailman userid).<br>
   <br>
- Next, instead of using mailman-suggested aliases entries with wrapper, use
+   Next, instead of using mailman-suggested aliases entries with wrapper, 
-the  following:<br>
+use the  following:<br>
   <br>
   instead of<br>
   mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
@ -63,14 +63,17 @@ the  following:<br>
   mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
   ...</p>
-<h4>The Shorewall mailing lists are currently running Postfix 1.1.11 together
+<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something 
- with the stock RedHat Mailman-2.0.13 RPM configured as shown above.</h4>
+very similar so that no workaround is necessary. See the README.POSTFIX file
 included with Mailman-2.1. </h4>
-<p align="left"><font size="2">Last updated 9/14/2002 - <a
+<p align="left"><font size="2">Last updated 12/29/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -12,6 +12,7 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Mailing Lists</title>
  <meta name="Microsoft Theme" content="none">
 </head>
  <body>
@ -27,9 +28,10 @@
 href="http://www.centralcommand.com/linux_products.html"><img
 src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
 height="79" align="left">
-          </a><a href="http://www.gnu.org/software/mailman/mailman.html"> 
+            </a><a
-       <img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
+ href="http://www.gnu.org/software/mailman/mailman.html">         <img
- width="110" height="35">
+ border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35">
                  </a><a href="http://www.postfix.org/">       <img
 src="images/small-picture.gif" align="right" border="0" width="115"
 height="45">
@ -64,9 +66,8 @@
 <p align="left">You can report such problems by sending mail to tom dot eastep
       at hp dot com.</p>
-<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
+<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
- src="images/but3.png" hspace="3" width="88" height="31">
+ href="http://osirusoft.com/"> </a></h2>
          </a><a href="http://osirusoft.com/"> </a></h2>
 <p>Before subscribing please read my <a href="spam_filters.htm">policy  
    about list traffic that bounces.</a> Also please note that the mail server
@ -74,38 +75,40 @@
        </p>
 <ol>
-        <li>against the open   relay        databases at <a
+          <li>against <a href="http://spamassassin.org">Spamassassin</a>
- href="http://ordb.org">ordb.org.</a></li>
+(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
  </li>
          <li>to ensure that the sender address is fully qualified.</li>
-        <li>to verify that the sender's domain has an A or MX record in DNS.</li>
+          <li>to verify that the sender's domain has an A or MX record in 
-        <li>to ensure that the host name in the HELO/EHLO command is a valid
+DNS.</li>
-  fully-qualified  DNS name.</li>
+          <li>to ensure that the host name in the HELO/EHLO command is a
 valid    fully-qualified  DNS name that resolves.</li>
 </ol>
 <h2>Please post in plain text</h2>
 While the list server here at shorewall.net accepts and distributes HTML
 posts, a growing number of MTAs serving list subscribers are rejecting this
 HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
 "for continuous abuse"!!<br>
 <br>
 I think that blocking all HTML is a rather draconian way to control spam
 and that the unltimate loser here is not the spammers but the list subscribers
 whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
 can help by restricting your list posts to plain text.<br>
 <br>
 And as a bonus, subscribers who use email clients like pine and mutt will
 be able to read your plain text posts whereas they are most likely simply
 ignoring your HTML posts.<br>
 <br>
 A final bonus for the use of HTML is that it cuts down the size of messages
 by a large percentage -- that is important when the same message must be
 sent 500 times over the slow DSL line connecting the list server to the internet.<br>
-<h2></h2>
+<h2>Please post in plain text</h2>
  A growing number of MTAs serving list subscribers are rejecting all HTML 
 traffic. At least one MTA has gone so far as to blacklist shorewall.net "for 
 continuous abuse" because it has been my policy to allow HTML in list posts!!<br>
  <br>
  I think that blocking all HTML is a Draconian way to control spam  and
 that the ultimate losers here are not the spammers but the list subscribers
 whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
 to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
 life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
 to allow subscribers to receive list posts as must as possible, I have now 
 configured the list server at shorewall.net to strip all HTML from outgoing
 posts.<br>
 <h2>Other Mail Delivery Problems</h2>
 If you find that you are missing an occasional list post, your e-mail admin
 may be blocking mail whose <i>Received:</i> headers contain the names of
 certain ISPs. Again, I believe that such policies hurt more than they help
 but I'm not prepared to go so far as to start stripping <i>Received:</i>
 headers to circumvent those policies.<br>
 <h2 align="left">Mailing Lists Archive Search</h2>
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">  
+<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch">
  <p> <font size="-1"> Match:                                  
  <select name="method">
@ -129,15 +132,15 @@ sent 500 times over the slow DSL line connecting the list server to the internet
  </select>
            </font> <input type="hidden" name="config" value="htdig"> <input
 type="hidden" name="restrict"
- value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
+ value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
 name="exclude" value=""> <br>
            Search: <input type="text" size="30" name="words" value=""> <input
 type="submit" value="Search"> </p>
            </form>
 <h2 align="left"><font color="#ff0000">Please do not try to download the entire
-Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
+Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
-stand the traffic. If I catch you, you'll be blacklisted.<br>
+stand the traffic. If I catch you, you will be blacklisted.<br>
     </font></h2>
 <h2 align="left">Shorewall CA Certificate</h2>
@ -152,23 +155,24 @@ when   prompted by your browser.<br>
 <h2 align="left">Shorewall Users Mailing List</h2>
 <p align="left">The Shorewall Users Mailing list provides a way for users
-     to get answers to questions and to report problems. Information of general
+      to get answers to questions and to report problems. Information of
-     interest to the Shorewall user community is also posted to this list.</p>
+general       interest to the Shorewall user community is also posted to
 this list.</p>
 <p align="left"><b>Before posting a problem report to this list, please see
      the <a href="support.htm">problem reporting guidelines</a>.</b></p>
 <p align="left">To subscribe to the mailing list, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
+ href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
     SSL: <a
- href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
+ href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
- target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
+ target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
 <p align="left">To post to the list, post to <a
 href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
 <p align="left">The list archives are at <a
- href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
+ href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
 <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
 at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
@ -179,13 +183,13 @@ list may be found at <a
 <p align="left">This list is for announcements of general interest to the 
      Shorewall community. To subscribe, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
+ href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a>
     SSL: <a
- href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
+ href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
- target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
+ target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
          </a><br>
          The list archives are at <a
- href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
+ href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
 <h2 align="left">Shorewall Development Mailing List</h2>
@ -194,35 +198,39 @@ list may be found at <a
     ongoing Shorewall Development.</p>
 <p align="left">To subscribe to the mailing list, go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
+ href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a>
     SSL: <a
- href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
+ href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
- target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
+ target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
          To post to the list, post to <a
 href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
 <p align="left">The list archives are at <a
- href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
+ href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
 <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
      the  Mailing Lists</h2>
 <p align="left">There seems to be near-universal confusion about unsubscribing
-      from Mailman-managed lists. To unsubscribe:</p>
+       from Mailman-managed lists although Mailman 2.1 has attempted to make
 this less confusing. To unsubscribe:</p>
 <ul>
               <li>                                                     
    <p align="left">Follow the same link above that you used to subscribe
      to the  list.</p>
               </li>
               <li>                                                     
    <p align="left">Down at the bottom of that page is the following text:
-     "To  change your subscription (set options like digest and delivery
+      " 	To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
-modes,      get a  reminder of your password, <b>or unsubscribe</b> from
+reminder,         or change your subscription options enter your subscription 
-&lt;name  of   list&gt;), enter  your subscription email address:". Enter
+        email address:". Enter your email  address   in the box and click
-your email  address   in the box and click  on the "Edit Options" button.</p>
+ on the "<b>Unsubscribe</b> or edit options" button.</p>
               </li>
               <li>                                                     
    <p align="left">There will now be a box where you can enter your password
      and  click on "Unsubscribe"; if you have forgotten your password, there
    is  another  button that will cause your password to be emailed to you.</p>
@ -235,12 +243,14 @@ your email  address   in the box and click  on the "Edit Options" button.</p>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 12/27/2002 - <a
+<p align="left"><font size="2">Last updated 12/29/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
   </p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -213,7 +213,7 @@ is  also added as a separate page in "shorewall monitor"</li>
 than  the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
- href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
+ href="shorewall_logging.html">to a separate log file</a>.</li>
        <li>If you are running a kernel that has a FORWARD chain in the mangle 
  table ("shorewall show mangle" will show you the chains in the mangle table), 
  you can set MARK_IN_FORWARD_CHAIN=Yes in <a
@ -269,7 +269,7 @@ refresh" would also fail.<br>
 rather than the LOG target. This allows you to run ulogd (available from
          <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) 
  and log all Shorewall messages <a
- href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
+ href="shorewall_logging.html">to a separate log file</a>.</li>
             <li>If you are running a kernel that has a FORWARD chain in
 the   mangle table ("shorewall show mangle" will show you the chains in the
 mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
--- a/Shorewall-docs/shorewall_logging.html
+++ b/Shorewall-docs/shorewall_logging.html
@ -0,0 +1,137 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <title>Shorewall Logging</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
                 <tbody>
                  <tr>
                   <td width="100%">                                    
      <h1 align="center"><font color="#ffffff">Logging</font></h1>
                   </td>
                 </tr>
  </tbody>              
 </table>
 <br>
 By default, Shorewall directs NetFilter to log using syslog (8). Syslog 
 classifies log messages by a <i>facility</i> and a <i>priority</i> (using
  the notation <i>facility.priority</i>). <br>
    <br>
    The facilities defined by syslog are <i>auth, authpriv, cron, daemon, 
 kern,  lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
 <i>local7</i>.<br>
    <br>
    Throughout the Shorewall documentation, I will use the term <i>level</i>
  rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
  The syslog documentation uses the term <i>priority</i>.<br>
 <h3>Syslog Levels<br>
      </h3>
      Syslog levels are a method of describing to syslog (8) the importance 
  of  a message and a number of Shorewall parameters have a syslog level as
  their  value.<br>
        <br>
        Valid levels are:<br>
        <br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 debug<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 info<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 notice<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 warning<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 err<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 crit<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 alert<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 emerg<br>
        <br>
        For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
    log messages are generated by NetFilter and are logged using the <i>kern</i> 
  facility  and the level that you specify. If you are unsure of the level 
  to choose,  6 (info) is a safe bet. You may specify levels by name or by 
 number.<br>
      <br>
      Syslogd writes log messages to files (typically in /var/log/*) based
 on  their facility and level. The mapping of these facility/level pairs
 to  log  files is done in /etc/syslog.conf (5). If you make changes to this
 file,  you must restart syslogd before the changes can take effect.<br>
 <h3>Configuring a Separate Log for Shorewall Messages</h3>
      There are a couple of limitations to syslogd-based logging:<br>
 <ol>
  <li>If you give, for example, kern.info it's own log destination then  
 that destination will also receive all kernel messages of levels 5 (notice)
   through 0 (emerg).</li>
  <li>All kernel.info messages will go to that destination and not just 
 those from NetFilter.<br>
        </li>
 </ol>
      Beginning with Shorewall version 1.3.12, if your kernel has ULOG target 
  support (and most vendor-supplied kernels do), you may also specify a log
 level of ULOG (must be all caps). When  ULOG is used, Shorewall will direct
 netfilter to log the related messages  via the ULOG target which will send
 them to a process called 'ulogd'. The  ulogd program is available from http://www.gnumonks.org/projects/ulogd
 and  can be configured to log all Shorewall message to their own log file.<br>
  <br>
  Download the ulod tar file and:<br>
 <ol>
  <li>cd /usr/local/src (or wherever you do your builds)</li>
  <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
  <li>cd ulogd-<i>version</i><br>
    </li>
  <li>./configure</li>
  <li>make</li>
  <li>make install<br>
    </li>
 </ol>
  If you are like me and don't have a development environment on your firewall,
 you can do the first five steps on another system then either NFS mount
 your  /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
 directory and move it to your firewall system.<br>
  <br>
  Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
 <ol>
  <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
  <li>syslogsync 1</li>
 </ol>
  I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
 /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
 to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
 --level 3 ulogd on" starts ulogd during boot up. Your init system may need
 something else done to activate the script.<br>
  <br>
  Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
 that  you wish to log to&gt;</i>. This tells the /sbin/shorewall program
 where to look for the log when processing its "show log", "logwatch" and
 "monitor"  commands.<br>
 <p><font size="2">   Updated 12/29/2002 - <a
 href="file:///home/teastep/Shorewall-docs/support.htm">Tom  Eastep</a> 
         </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
          &copy; <font size="2">2001, 2002 Thomas M. Eastep</font></a></font><br>
   </p>
 <h2><br>
 </h2>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -32,8 +32,8 @@
  </tbody>             
 </table>
-<p align="center">With thanks to Richard who reminded me once again that
+<p align="center">With thanks to Richard who reminded me once again that we
-we must  all first walk before we can run.</p>
+must  all first walk before we can run.</p>
 <h2>The Guides</h2>
@ -47,8 +47,8 @@ we must  all first walk before we can run.</p>
                <li><a href="two-interface.htm">Two-interface</a> Linux System
   acting    as a    firewall/router for a small local network</li>
                <li><a href="three-interface.htm">Three-interface</a> Linux 
- System    acting  as a    firewall/router for a small local network and
+ System    acting  as a    firewall/router for a small local network and a
-a  DMZ.</li>
+ DMZ.</li>
 </ul>
@ -61,7 +61,8 @@ a  DMZ.</li>
  than   is  explained in the single-address guides above.</b></p>
 <ul>
-               <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
+                <li><a href="shorewall_setup_guide.htm#Introduction">1.0
 Introduction</a></li>
                <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
   Concepts</a></li>
                <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
@ -149,18 +150,25 @@ to use this    documentation directly.</p>
    file   features</a>                                                 
    <ul>
-                 <li>Comments in configuration files</li>
+                  <li><a href="configuration_file_basics.htm#Comments">Comments
-                 <li>Line Continuation</li>
+in configuration files</a></li>
-                 <li>Port Numbers/Service Names</li>
+                  <li><a
-                 <li>Port Ranges</li>
+ href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
-                 <li>Using Shell Variables</li>
+                  <li><a href="configuration_file_basics.htm#Ports">Port
-                 <li>Using DNS Names<br>
+Numbers/Service Names</a></li>
-            </li>
+                  <li><a href="configuration_file_basics.htm#Ranges">Port
-                 <li>Complementing an IP address or Subnet</li>
+Ranges</a></li>
-                 <li>Shorewall Configurations (making a test configuration)</li>
+                  <li><a href="configuration_file_basics.htm#Variables">Using
-                 <li>Using MAC Addresses in Shorewall</li>
+Shell Variables</a></li>
-      <li>Logging<br>
+                  <li><a href="configuration_file_basics.htm#dnsnames">Using
 DNS Names</a><br>
             </li>
                  <li><a href="configuration_file_basics.htm#Compliment">Complementing
 an IP address or Subnet</a></li>
                  <li><a href="configuration_file_basics.htm#Configs">Shorewall
 Configurations (making a test configuration)</a></li>
                  <li><a href="configuration_file_basics.htm#MAC">Using MAC
 Addresses in Shorewall</a></li>
    </ul>
@ -203,15 +211,17 @@ to use this    documentation directly.</p>
                </li>
                <li><a href="dhcp.htm">DHCP</a></li>
                <li><font color="#000099"><a
- href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>    (How
+ href="shorewall_extension_scripts.htm">Extension  Scripts</a></font>   
-to extend Shorewall without modifying Shorewall  code)</li>
+(How to extend Shorewall without modifying Shorewall  code)</li>
                <li><a href="fallback.htm">Fallback/Uninstall</a></li>
                <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
                <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
-  <li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
+   <li><a href="shorewall_logging.html">Logging</a><br>
   </li>
-               <li><a href="myfiles.htm">My  Configuration Files</a> (How 
+                <li><a href="MAC_Validation.html">MAC Verification</a><br>
-I  personally     use Shorewall)</li>
+  </li>
  <li><a href="myfiles.htm">My  Configuration Files</a> (How  I  personally
    use Shorewall)</li>
                <li><a href="ping.html">'Ping' Management</a><br>
    </li>
    <li><a href="ports.htm">Port Information</a>                        
@ -256,14 +266,9 @@ Creation</a></li>
 <p>If you use one of these guides and have a suggestion for improvement <a
 href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+<p><font size="2">Last modified 12/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a><br>
 </p>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -239,7 +239,7 @@ the  request  is first checked against the rules in /etc/shorewall/common.def.</
     <li>allow all connection requests from your local network to the internet</li>
     <li>drop (ignore) all connection requests from the internet to your
 firewall     or local network and log a message at the <i>info</i> level
-(<a href="configuration_file_basics.htm#Levels">here</a> is a description
+(<a href="shorewall_logging.html">here</a> is a description
 of log levels).</li>
     <li>reject all other connection requests and log a message at the <i>info</i>
    level. When a request is rejected, the firewall will return an RST (if
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -200,7 +200,7 @@ is  also added as a separate page in "shorewall monitor"</li>
 than  the LOG target. This allows you to run ulogd (available from <a
 href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
   and log all Shorewall messages <a
- href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
+ href="shorewall_logging.html">to a separate log file</a>.</li>
         <li>If you are running a kernel that has a FORWARD chain in the
 mangle    table ("shorewall show mangle" will show you the chains in the
 mangle table),    you can set MARK_IN_FORWARD_CHAIN=Yes in <a
@ -257,7 +257,7 @@ to start and "shorewall  refresh" would also fail.<br>
 rather than the LOG target. This allows you to run ulogd (available from 
         <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
   and log all Shorewall messages <a
- href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
+ href="shorewall_logging.html">to a separate log file</a>.</li>
              <li>If you are running a kernel that has a FORWARD chain in 
 the   mangle table ("shorewall show mangle" will show you the chains in the 
 mangle   table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. 
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -44,8 +44,8 @@
     <span style="font-weight: 400;"></span></p>
 <h2><big><font color="#ff0000"><b>I  don't look at problems sent to me directly 
- but I try  to spend some amount          of time each day responding to problems
+  but I try  to spend some amount          of time each day responding to 
- posted  on the Shorewall mailing list.</b></font></big></h2>
+problems  posted  on the Shorewall mailing list.</b></font></big></h2>
 <h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
@ -141,8 +141,8 @@ you  what that strange smell is?<br>
    <br>
    Now, all of us could do some wonderful guessing as to the smell and even
  what's causing it.  You would be absolutely amazed at the range and variety
- of smells we could come up with.  Even more amazing is that all of the explanations
+  of smells we could come up with.  Even more amazing is that all of the
- for the smells would be completely plausible."<br>
+explanations   for the smells would be completely plausible."<br>
    </i><br>
 <div align="center">   - Russell Mosemann<br>
@ -230,24 +230,26 @@ for    instructions).</b></h3>
 </ul>
 <h3>                                     </h3>
                                              <br>
 <h2>Please post in plain text</h2>
 <blockquote>      
-  <h3><b> While the list server here at shorewall.net accepts and distributes
+  <h3>  A growing number of MTAs serving list subscribers are rejecting all
-HTML posts, a growing number of MTAs serving list subscribers are rejecting
+HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
-this HTML list traffic. At least one MTA has gone so far as to blacklist
+"for continuous abuse" because it has been my policy to allow HTML in list
-shorewall.net "for continuous abuse"!!</b></h3>
+posts!!<br>
-  <h3><b> I think that blocking all HTML is a rather draconian way to control
+  <br>
-spam and that the unltimate loser here is not the spammers but the list subscribers 
+   I think that blocking all HTML is a Draconian way to control spam  and
-whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
+that the ultimate losers here are not the spammers but the list subscribers
-help by restricting your list posts to plain text.</b></h3>
+ whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
-  <h3><b> And as a bonus, subscribers who use email clients like pine and
+to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i> 
-mutt will be able to read your plain text posts whereas they are most likely
+life instead of trying to rid the planet of HTML based e-mail". Nevertheless, 
-simply ignoring your HTML posts.</b></h3>
+to allow subscribers to receive list posts as must as possible, I have now
-  <h3><b> A final bonus for the use of HTML is that it cuts down the size
+ configured the list server at shorewall.net to strip all HTML from outgoing 
-of messages by a large percentage -- that is important when the same message
+posts.<br>
-must be sent 500 times over the slow DSL line connecting the list server
+ </h3>
-to the internet.</b>   </h3>
+  <h3></h3>
 </blockquote>
 <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -258,6 +260,11 @@ to the internet.</b>   </h3>
 style="font-weight: 400;">please           post your question or problem 
  to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing 
  list</a>.</span></h4>
   <b>If you run Shorewall under MandrakeSoft Multi Network Firewall (MNF) 
 and you have not purchased an MNF license from MandrakeSoft then you can post
 non MNF-specific Shorewall questions to the </b><a
 href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
    <b>Do not expect to get free MNF support on the list.</b><br>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
@ -269,19 +276,15 @@ to the internet.</b>   </h3>
 <p>To Subscribe to the  mailing list go to <a
- href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
+ href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
                .</p>
-<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>